diff --git a/manifests/modules/mod_ssl.pp b/manifests/modules/mod_ssl.pp index 317ac9a..9cf3ac5 100644 --- a/manifests/modules/mod_ssl.pp +++ b/manifests/modules/mod_ssl.pp @@ -35,6 +35,8 @@ $ipv6_addr = $::httpd::ipv6_addr, $interface = $::httpd::interface, $scl = $::httpd::scl, + $ssl_key_group = 'root', + $ssl_port = '443', $package = 'mod_ssl' ) { @@ -66,9 +68,9 @@ } file { 'ssl_inc': - path => "${config_dir}/conf.d/ssl-eth0.inc", - ensure => present, - content => template("httpd/conf.d/ssl-eth0.inc.erb"), + ensure => present, + path => "${config_dir}/conf.d/ssl-eth0.inc", + content => template('httpd/conf.d/ssl-eth0.inc.erb'), replace => $replace, require => Package[$package], notify => Class['::httpd::service'] @@ -81,20 +83,24 @@ } file { 'ssl_crt': - path => "/etc/pki/tls/certs/${ssl_keys}.crt", + path => "/etc/pki/tls/certs/${ssl_keys}.crt", require => Package[$package] } file { 'ssl_key': - path => "/etc/pki/tls/private/${ssl_keys}.key", - mode => '0600', - require =>Package[$package] + path => "/etc/pki/tls/private/${ssl_keys}.key", + mode => $ssl_key_group? { + 'root' => '0600', + default => '0640' + }, + group => $ssl_key_group, + require => Package[$package] } if $cachain_source { file { 'cachain': - path => "/etc/pki/tls/certs/cachain.pem", ensure => file, - source => "puppet:///modules/$cachain_source", + path => '/etc/pki/tls/certs/cachain.pem', + source => "puppet:///modules/${cachain_source}", require => Package[$package] } } diff --git a/templates/conf.d/22/ssl.conf.erb b/templates/conf.d/22/ssl.conf.erb index f0cd5a6..56d1ebe 100644 --- a/templates/conf.d/22/ssl.conf.erb +++ b/templates/conf.d/22/ssl.conf.erb @@ -1,21 +1,21 @@ # # This is the Apache server configuration file providing SSL support. # It contains the configuration directives to instruct the server how to -# serve pages over an https connection. For detailing information about these +# serve pages over an https connection. For detailing information about these # directives see -# +# # Do NOT simply read the instructions in here without understanding # what they do. They're here only as hints or reminders. If you are unsure -# consult the online docs. You have been warned. +# consult the online docs. You have been warned. # LoadModule ssl_module modules/mod_ssl.so # -# When we also provide SSL we have to listen to the +# When we also provide SSL we have to listen to the # the HTTPS port in addition. # -Listen 443 +Listen <%= @ssl_port %> ## ## SSL Global Context @@ -31,18 +31,18 @@ Listen 443 SSLPassPhraseDialog builtin # Inter-Process Session Cache: -# Configure the SSL Session Cache: First the mechanism +# Configure the SSL Session Cache: First the mechanism # to use and second the expiring timeout (in seconds). SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) SSLSessionCacheTimeout 300 # Semaphore: # Configure the path to the mutual exclusion semaphore the -# SSL engine uses internally for inter-process synchronization. +# SSL engine uses internally for inter-process synchronization. SSLMutex default # Pseudo Random Number Generator (PRNG): -# Configure one or more sources to seed the PRNG of the +# Configure one or more sources to seed the PRNG of the # SSL library. The seed data should be of good random quality. # WARNING! On some platforms /dev/random blocks if not enough entropy # is available. This means you then cannot use the /dev/random device @@ -62,7 +62,7 @@ SSLRandomSeed connect builtin # accelerators. Use "openssl engine -v" to list supported # engine names. NOTE: If you enable an accelerator and the # server does not start, consult the error logs and ensure -# your accelerator is functioning properly. +# your accelerator is functioning properly. # SSLCryptoDevice builtin #SSLCryptoDevice ubsec @@ -175,7 +175,7 @@ SSLCryptoDevice builtin # and no other module can change it. # o OptRenegotiate: # This enables optimized SSL connection renegotiation handling when SSL -# directives are used in per-directory context. +# directives are used in per-directory context. #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire # # SSLOptions +StdEnvVars @@ -201,7 +201,7 @@ SSLCryptoDevice builtin # alert of the client. This is 100% SSL/TLS standard compliant, but in # practice often causes hanging connections with brain-dead browsers. Use # this only for browsers where you know that their SSL implementation -# works correctly. +# works correctly. # Notice: Most problems of broken clients are also related to the HTTP # keep-alive facility, so you usually additionally want to disable # keep-alive for those clients, too. Use variable "nokeepalive" for this. @@ -218,5 +218,4 @@ SSLCryptoDevice builtin #CustomLog logs/ssl_request_log \ # "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" -# - +# diff --git a/templates/conf.d/24/ssl.conf.erb b/templates/conf.d/24/ssl.conf.erb index 98fac6e..b8d4f74 100644 --- a/templates/conf.d/24/ssl.conf.erb +++ b/templates/conf.d/24/ssl.conf.erb @@ -1,8 +1,8 @@ # -# When we also provide SSL we have to listen to the +# When we also provide SSL we have to listen to the # the HTTPS port in addition. # -Listen 443 https +Listen <%= @ssl_port %> https ## ## SSL Global Context @@ -22,13 +22,13 @@ SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog <% end -%> # Inter-Process Session Cache: -# Configure the SSL Session Cache: First the mechanism +# Configure the SSL Session Cache: First the mechanism # to use and second the expiring timeout (in seconds). SSLSessionCache shmcb:/run/httpd/sslcache(512000) SSLSessionCacheTimeout 300 # Pseudo Random Number Generator (PRNG): -# Configure one or more sources to seed the PRNG of the +# Configure one or more sources to seed the PRNG of the # SSL library. The seed data should be of good random quality. # WARNING! On some platforms /dev/random blocks if not enough entropy # is available. This means you then cannot use the /dev/random device @@ -48,7 +48,7 @@ SSLRandomSeed connect builtin # accelerators. Use "openssl engine -v" to list supported # engine names. NOTE: If you enable an accelerator and the # server does not start, consult the error logs and ensure -# your accelerator is functioning properly. +# your accelerator is functioning properly. # SSLCryptoDevice builtin #SSLCryptoDevice ubsec @@ -94,7 +94,7 @@ SSLCryptoDevice builtin # compromised, captures of past or future traffic must be # considered compromised, too. #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 -#SSLHonorCipherOrder on +#SSLHonorCipherOrder on # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If @@ -174,7 +174,7 @@ SSLCryptoDevice builtin # and no other module can change it. # o OptRenegotiate: # This enables optimized SSL connection renegotiation handling when SSL -# directives are used in per-directory context. +# directives are used in per-directory context. #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire # # SSLOptions +StdEnvVars @@ -200,7 +200,7 @@ SSLCryptoDevice builtin # alert of the client. This is 100% SSL/TLS standard compliant, but in # practice often causes hanging connections with brain-dead browsers. Use # this only for browsers where you know that their SSL implementation -# works correctly. +# works correctly. # Notice: Most problems of broken clients are also related to the HTTP # keep-alive facility, so you usually additionally want to disable # keep-alive for those clients, too. Use variable "nokeepalive" for this. @@ -217,5 +217,4 @@ BrowserMatch "MSIE [2-5]" \ #CustomLog logs/ssl_request_log \ # "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" -# - +#