From ad995d5f7ee6bc086a6f01674de121846f1af423 Mon Sep 17 00:00:00 2001 From: Stephan Eicher Date: Thu, 23 Apr 2020 01:34:08 +0200 Subject: [PATCH] Add ability to set ssl-settings globally - fixes #670 --- manifests/config.pp | 20 ++- manifests/init.pp | 17 ++- manifests/resource/server.pp | 18 +-- spec/acceptance/nginx_server_spec.rb | 3 + spec/classes/nginx_spec.rb | 156 +++++++++++++++++++++++ templates/conf.d/nginx.conf.erb | 55 ++++++++ templates/server/server_ssl_settings.erb | 10 ++ 7 files changed, 265 insertions(+), 14 deletions(-) diff --git a/manifests/config.pp b/manifests/config.pp index c305c2afd..c9315310d 100644 --- a/manifests/config.pp +++ b/manifests/config.pp 
@@ -119,15 +119,29 @@ $server_tokens = $nginx::server_tokens $spdy = $nginx::spdy $http2 = $nginx::http2 + $ssl_buffer_size = $nginx::ssl_buffer_size + $ssl_ciphers = $nginx::ssl_ciphers + $ssl_crl = $nginx::ssl_crl + $ssl_dhparam = $nginx::ssl_dhparam + $ssl_ecdh_curve = $nginx::ssl_ecdh_curve + $ssl_session_cache = $nginx::ssl_session_cache + $ssl_session_timeout = $nginx::ssl_session_timeout + $ssl_session_tickets = $nginx::ssl_session_tickets + $ssl_session_ticket_key = $nginx::ssl_session_ticket_key $ssl_stapling = $nginx::ssl_stapling + $ssl_stapling_file = $nginx::ssl_stapling_file + $ssl_stapling_responder = $nginx::ssl_stapling_responder + $ssl_stapling_verify = $nginx::ssl_stapling_verify + $ssl_trusted_certificate = $nginx::ssl_trusted_certificate + $ssl_password_file = $nginx::ssl_password_file + $ssl_prefer_server_ciphers = $nginx::ssl_prefer_server_ciphers + $ssl_protocols = $nginx::ssl_protocols + $ssl_verify_depth = $nginx::ssl_verify_depth $types_hash_bucket_size = $nginx::types_hash_bucket_size $types_hash_max_size = $nginx::types_hash_max_size $worker_connections = $nginx::worker_connections $worker_processes = $nginx::worker_processes $worker_rlimit_nofile = $nginx::worker_rlimit_nofile - $ssl_prefer_server_ciphers = $nginx::ssl_prefer_server_ciphers - $ssl_protocols = $nginx::ssl_protocols - $ssl_ciphers = $nginx::ssl_ciphers $include_modules_enabled = $nginx::include_modules_enabled # Non-configurable settings diff --git a/manifests/init.pp b/manifests/init.pp index 6f0a93cee..ca0fcc643 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -153,6 +153,7 @@ Enum['on', 'off'] $spdy = 'off', Enum['on', 'off'] $http2 = 'off', Enum['on', 'off'] $ssl_stapling = 'off', + Enum['on', 'off'] $ssl_stapling_verify = 'off', Stdlib::Absolutepath $snippets_dir = $nginx::params::snippets_dir, Boolean $manage_snippets_dir = true, $types_hash_bucket_size = '512', 
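Review bot: `Enum['on', 'off'] $ssl_stapling_verify = 'off'` is added in init.pp without any relation to `$ssl_trusted_certificate`, yet nginx only verifies stapled OCSP responses against the chain given by `ssl_trusted_certificate`; with verify on and no trusted chain the responses are discarded at runtime, which as far as I can tell is logged rather than rejected by `nginx -t`. A one-line guard in the class body, `if $ssl_stapling_verify == 'on' and $ssl_trusted_certificate == undef { fail('ssl_stapling_verify requires ssl_trusted_certificate') }`, turns that into a catalog failure. The class body where such a check would live is outside this hunk.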
@@ -161,9 +162,21 @@ Enum['on', 'off'] $ssl_prefer_server_ciphers = 'on', Variant[Integer, Enum['auto']] $worker_processes = 'auto', Integer $worker_rlimit_nofile = 1024, - $ssl_protocols = 'TLSv1 TLSv1.1 TLSv1.2', - $ssl_ciphers = 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS', # lint:ignore:140chars + String $ssl_protocols = 'TLSv1 TLSv1.1 TLSv1.2', + String $ssl_ciphers = 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS', # lint:ignore:140chars Optional[Stdlib::Unixpath] $ssl_dhparam = undef, + Optional[String] $ssl_ecdh_curve = undef, + String $ssl_session_cache = 'shared:SSL:10m', + String $ssl_session_timeout = '5m', + Optional[Enum['on', 'off']] $ssl_session_tickets = undef, + Optional[Stdlib::Absolutepath] $ssl_session_ticket_key = 
undef, + Optional[String] $ssl_buffer_size = undef, + Optional[Stdlib::Absolutepath] $ssl_crl = undef, + Optional[Stdlib::Absolutepath] $ssl_stapling_file = undef, + Optional[String] $ssl_stapling_responder = undef, + Optional[Stdlib::Absolutepath] $ssl_trusted_certificate = undef, + Optional[Integer] $ssl_verify_depth = undef, + Optional[Stdlib::Absolutepath] $ssl_password_file = undef, ### START Package Configuration ### $package_ensure = present, diff --git a/manifests/resource/server.pp b/manifests/resource/server.pp index 7a6c89abb..0d774b9f8 100755 --- a/manifests/resource/server.pp +++ b/manifests/resource/server.pp 
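Review bot: The fourteen parameters added here carry no documentation; if init.pp keeps a `@param` header above the signature (outside this hunk), each new name needs an entry saying it renders into the `http` block and is inherited by every server that leaves its own setting undef. `Optional[Stdlib::Absolutepath] $ssl_session_ticket_key` deserves a specific note: nginx keeps using the key in that file until it is replaced, and nothing in this diff creates or rotates the file, so rotation and file mode are left to the operator. The retyped `String $ssl_protocols = 'TLSv1 TLSv1.1 TLSv1.2'` and the cipher default that still lists `DES-CBC3-SHA` are unchanged behaviour, but they are now the http-wide baseline for all servers rather than a per-server default; tightening them is a separate change, worth a follow-up issue. The class signature continues outside the hunk.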
@@ -172,24 +172,24 @@
 Optional[Variant[String, Boolean]] $ssl_cert = undef,
 Optional[String] $ssl_client_cert = undef,
 String $ssl_verify_client = 'on',
- Optional[String] $ssl_dhparam = $nginx::ssl_dhparam,
+ Optional[String] $ssl_dhparam = undef,
 Optional[String] $ssl_ecdh_curve = undef,
 Boolean $ssl_redirect = false,
 Optional[Integer] $ssl_redirect_port = undef,
 Optional[Variant[String, Boolean]] $ssl_key = undef,
 Integer $ssl_port = 443,
- Enum['on', 'off'] $ssl_prefer_server_ciphers = $nginx::ssl_prefer_server_ciphers,
- String $ssl_protocols = $nginx::ssl_protocols,
- $ssl_buffer_size = undef,
- String $ssl_ciphers = $nginx::ssl_ciphers,
- String $ssl_cache = 'shared:SSL:10m',
+ Optional[Enum['on', 'off']] $ssl_prefer_server_ciphers = undef,
+ Optional[String] $ssl_protocols = undef,
+ Optional[String] $ssl_buffer_size = undef,
+ Optional[String] $ssl_ciphers = undef,
+ Optional[String] $ssl_cache = undef,
 Optional[String] $ssl_crl = undef,
 Boolean $ssl_stapling = false,
 Optional[String] $ssl_stapling_file = undef,
 Optional[String] $ssl_stapling_responder = undef,
 Boolean $ssl_stapling_verify = false,
- String $ssl_session_timeout = '5m',
- Optional[String] $ssl_session_tickets = undef,
+ Optional[String] $ssl_session_timeout = undef,
+ Optional[Enum['on', 'off']] $ssl_session_tickets = undef,
 Optional[String] $ssl_session_ticket_key = undef,
 Optional[String] $ssl_trusted_cert = undef,
 Optional[Integer] $ssl_verify_depth = undef,
@@ -197,7 +197,7 @@
 Enum['on', 'off'] $spdy = $nginx::spdy,
 Enum['on', 'off'] $http2 = $nginx::http2,
 Optional[String] $proxy = undef,
- Optional[String]$proxy_redirect = undef,
+ Optional[String] $proxy_redirect = undef,
 String $proxy_read_timeout = $nginx::proxy_read_timeout,
 String $proxy_send_timeout = $nginx::proxy_send_timeout,
 $proxy_connect_timeout = $nginx::proxy_connect_timeout,
diff --git a/spec/acceptance/nginx_server_spec.rb b/spec/acceptance/nginx_server_spec.rb
index 19b30cd85..d1d9c332f 100755
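Review bot: The rewritten server-level parameters are typed more loosely than their new http-level counterparts: `Optional[String] $ssl_dhparam = undef` here versus `Optional[Stdlib::Unixpath]` in init.pp, and the neighbouring `Boolean $ssl_stapling_verify` stays a boolean while init.pp takes `Enum['on', 'off']`, so the same setting is spelled two ways depending on the level. Since this hunk already touches the `ssl_dhparam` line, `Optional[Stdlib::Unixpath] $ssl_dhparam = undef,` aligns it at no cost; the stapling type split is pre-existing and could be left for a follow-up. Behaviourally, a server that previously always wrote `ssl_session_cache shared:SSL:10m;` and `ssl_session_timeout 5m;` now inherits whatever nginx.conf sets, so the define's parameter docs (outside this hunk) should state that undef means "inherit from the http block". The define's signature continues outside the hunk.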
--- a/spec/acceptance/nginx_server_spec.rb +++ b/spec/acceptance/nginx_server_spec.rb @@ -71,6 +71,7 @@ class { 'nginx': } it { is_expected.to be_file } it { is_expected.not_to contain 'ssl on;' } # As of nginx 1.15 (1.16 stable), this will not be set. it { is_expected.to contain 'listen *:443 ssl;' } + it { is_expected.not_to contain 'shared:SSL:10m;' } end describe file('/etc/nginx/sites-enabled/www.puppetlabs.com.conf') do @@ -119,6 +120,7 @@ class { 'nginx': } nginx::resource::server { 'www.puppetlabs.com': ensure => present, ssl => true, + ssl_cache => 'shared:SSL:10m', ssl_cert => '/etc/pki/tls/certs/crypted.cert', ssl_key => '/etc/pki/tls/private/crypted.key', ssl_password_file => '/etc/pki/tls/private/crypted.pass', @@ -134,6 +136,7 @@ class { 'nginx': } describe file('/etc/nginx/sites-available/www.puppetlabs.com.conf') do it { is_expected.to be_file } + it { is_expected.to contain 'ssl_session_cache shared:SSL:10m;' } it { is_expected.to contain 'ssl_password_file /etc/pki/tls/private/crypted.pass;' } end diff --git a/spec/classes/nginx_spec.rb b/spec/classes/nginx_spec.rb index bc246967f..6d1b861f9 100644 --- a/spec/classes/nginx_spec.rb +++ b/spec/classes/nginx_spec.rb 
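Review bot: `it { is_expected.not_to contain 'shared:SSL:10m;' }` pins that the server file no longer carries the session cache, but nothing in this spec asserts that the http block now provides it, so a regression in which neither level emits `ssl_session_cache` would still pass the acceptance run. If the spec does not already describe the main config, a block such as `describe file('/etc/nginx/nginx.conf') do`, `it { is_expected.to contain 'ssl_session_cache shared:SSL:10m;' }`, `end` next to the first server-file check closes that gap; the enclosing `describe` starts outside the hunk.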
@@ -921,6 +921,162 @@
 attr: 'proxy_busy_buffers_size',
 value: '16k',
 match: ' proxy_busy_buffers_size 16k;'
+ },
+ {
+ title: 'should set ssl_stapling_verify',
+ attr: 'ssl_stapling_verify',
+ value: 'on',
+ match: ' ssl_stapling_verify on;'
+ },
+ {
+ title: 'should set ssl_protocols',
+ attr: 'ssl_protocols',
+ value: 'TLSv1.2',
+ match: ' ssl_protocols TLSv1.2;'
+ },
+ {
+ title: 'should set ssl_ciphers',
+ attr: 'ssl_ciphers',
+ value: 'ECDHE-ECDSA-CHACHA20-POLY1305',
+ match: ' ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305;'
+ },
+ {
+ title: 'should set ssl_dhparam',
+ attr: 'ssl_dhparam',
+ value: '/path/to/dhparam',
+ match: ' ssl_dhparam /path/to/dhparam;'
+ },
+ {
+ title: 'should not set ssl_ecdh_curve',
+ attr: 'ssl_ecdh_curve',
+ value: :undef,
+ notmatch: 'ssl_ecdh_curve'
+ },
+ {
+ title: 'should set ssl_ecdh_curve',
+ attr: 'ssl_ecdh_curve',
+ value: 'prime256v1:secp384r1',
+ match: ' ssl_ecdh_curve prime256v1:secp384r1;'
+ },
+ {
+ title: 'should set ssl_session_cache',
+ attr: 'ssl_session_cache',
+ value: 'shared:SSL:10m',
+ match: ' ssl_session_cache shared:SSL:10m;'
+ },
+ {
+ title: 'should set ssl_session_timeout',
+ attr: 'ssl_session_timeout',
+ value: '5m',
+ match: ' ssl_session_timeout 5m;'
+ },
+ {
+ title: 'should not set ssl_session_tickets',
+ attr: 'ssl_session_tickets',
+ value: :undef,
+ notmatch: 'ssl_session_tickets'
+ },
+ {
+ title: 'should set ssl_session_tickets',
+ attr: 'ssl_session_tickets',
+ value: 'on',
+ match: ' ssl_session_tickets on;'
+ },
+ {
+ title: 'should not set ssl_session_ticket_key',
+ attr: 'ssl_session_ticket_key',
+ value: :undef,
+ notmatch: 'ssl_session_ticket_key'
+ },
+ {
+ title: 'should set ssl_session_ticket_key',
+ attr: 'ssl_session_ticket_key',
+ value: '/path/to/ticket_key',
+ match: ' ssl_session_ticket_key /path/to/ticket_key;'
+ },
+ {
+ title: 'should not set ssl_buffer_size',
+ attr: 'ssl_buffer_size',
+ value: :undef,
+ notmatch: 'ssl_buffer_size'
+ },
+ {
+ title: 'should set ssl_buffer_size',
+ attr: 'ssl_buffer_size',
+ value: '16k',
+ match: ' ssl_buffer_size 16k;'
+ },
+ {
+ title: 'should not set ssl_crl',
+ attr: 'ssl_crl',
+ value: :undef,
+ notmatch: 'ssl_crl'
+ },
+ {
+ title: 'should set ssl_crl',
+ attr: 'ssl_crl',
+ value: '/path/to/crl',
+ match: ' ssl_crl /path/to/crl;'
+ },
+ {
+ title: 'should not set ssl_stapling_file',
+ attr: 'ssl_stapling_file',
+ value: :undef,
+ notmatch: 'ssl_stapling_file'
+ },
+ {
+ title: 'should set ssl_stapling_file',
+ attr: 'ssl_stapling_file',
+ value: '/path/to/stapling_file',
+ match: ' ssl_stapling_file /path/to/stapling_file;'
+ },
+ {
+ title: 'should not set ssl_stapling_responder',
+ attr: 'ssl_stapling_responder',
+ value: :undef,
+ notmatch: 'ssl_stapling_responder'
+ },
+ {
+ title: 'should set ssl_stapling_responder',
+ attr: 'ssl_stapling_responder',
+ value: 'http://stapling.responder/',
+ match: ' ssl_stapling_responder http://stapling.responder/;'
+ },
+ {
+ title: 'should not set ssl_trusted_certificate',
+ attr: 'ssl_trusted_certificate',
+ value: :undef,
+ notmatch: 'ssl_trusted_certificate'
+ },
+ {
+ title: 'should set ssl_trusted_certificate',
+ attr: 'ssl_trusted_certificate',
+ value: '/path/to/trusted_cert',
+ match: ' ssl_trusted_certificate /path/to/trusted_cert;'
+ },
+ {
+ title: 'should not set ssl_verify_depth',
+ attr: 'ssl_verify_depth',
+ value: :undef,
+ notmatch: 'ssl_verify_depth'
+ },
+ {
+ title: 'should set ssl_verify_depth',
+ attr: 'ssl_verify_depth',
+ value: 5,
+ match: ' ssl_verify_depth 5;'
+ },
+ {
+ title: 'should not set ssl_password_file',
+ attr: 'ssl_password_file',
+ value: :undef,
+ notmatch: 'ssl_password_file'
+ },
+ {
+ title: 'should set ssl_password_file',
+ attr: 'ssl_password_file',
+ value: '/path/to/password_file',
+ match: ' ssl_password_file /path/to/password_file;'
 }
 ].each do |param|
 context "when #{param[:attr]} is #{param[:value]}" do
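Review bot: Every new table entry sets one parameter explicitly, so the default rendering that the rest of the commit relies on — `class { 'nginx': }` alone producing `ssl_session_cache shared:SSL:10m;`, `ssl_session_timeout 5m;` and `ssl_prefer_server_ciphers on;` in the http block — is never asserted, and a regression in those defaults would pass this suite. A default-catalog example in the style this spec already uses for nginx.conf, e.g. `it { is_expected.to contain_file('/etc/nginx/nginx.conf').with_content(%r{ssl_session_cache shared:SSL:10m;}) }`, would pin it. There is also no `ssl_stapling` entry to match the new `ssl_stapling_verify` one, so the template's always-true `<% if @ssl_stapling -%>` branch is untested. The `each` loop body continues outside the hunk.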
diff --git a/templates/conf.d/nginx.conf.erb b/templates/conf.d/nginx.conf.erb
index 9583580b6..4609f6cdd 100644
--- a/templates/conf.d/nginx.conf.erb
+++ b/templates/conf.d/nginx.conf.erb
@@ -220,6 +220,61 @@ http { <% if @fastcgi_cache_use_stale -%> fastcgi_cache_use_stale <%= @fastcgi_cache_use_stale %>; <% end -%> + +<% if @ssl_dhparam -%> + ssl_dhparam <%= @ssl_dhparam %>; +<% end -%> +<% if @ssl_ecdh_curve -%> + ssl_ecdh_curve <%= @ssl_ecdh_curve %>; +<% end -%> +<% if @ssl_session_cache -%> + ssl_session_cache <%= @ssl_session_cache %>; +<% end -%> +<% if @ssl_session_timeout -%> + ssl_session_timeout <%= @ssl_session_timeout %>; +<% end -%> +<% if @ssl_session_tickets -%> + ssl_session_tickets <%= @ssl_session_tickets %>; +<% end -%> +<% if @ssl_session_ticket_key -%> + ssl_session_ticket_key <%= @ssl_session_ticket_key %>; +<% end -%> +<% if @ssl_buffer_size -%> + ssl_buffer_size <%= @ssl_buffer_size %>; +<% end -%> +<% if @ssl_protocols -%> + ssl_protocols <%= @ssl_protocols %>; +<% end -%> +<% if @ssl_ciphers -%> + ssl_ciphers <%= @ssl_ciphers %>; +<% end -%> +<% if @ssl_prefer_server_ciphers -%> + ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>; +<% end -%> +<% if @ssl_crl -%> + ssl_crl <%= @ssl_crl %>; +<% end -%> +<% if @ssl_stapling -%> + ssl_stapling <%= @ssl_stapling %>; +<% end -%> +<% if @ssl_stapling_file -%> + ssl_stapling_file <%= @ssl_stapling_file %>; +<% end -%> +<% if @ssl_stapling_responder -%> + ssl_stapling_responder <%= @ssl_stapling_responder %>; +<% end -%> +<% if @ssl_stapling_verify -%> + ssl_stapling_verify <%= @ssl_stapling_verify %>; +<% end -%> +<% if @ssl_trusted_certificate -%> + ssl_trusted_certificate <%= @ssl_trusted_certificate %>; +<% end -%> +<% if @ssl_verify_depth -%> + ssl_verify_depth <%= @ssl_verify_depth %>; +<% end -%> +<% if @ssl_password_file -%> + ssl_password_file <%= @ssl_password_file %>; +<% end -%> <% if @http_cfg_append -%> <%- field_width = @http_cfg_append.inject(0) { |l,(k,v)| k.size > l ? k.size : l } -%> diff --git a/templates/server/server_ssl_settings.erb b/templates/server/server_ssl_settings.erb index 7588c77df..b312d53ff 100755 
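Review bot: `<% if @ssl_stapling -%>` and `<% if @ssl_stapling_verify -%>` are always true, because both come from `Enum['on', 'off']` parameters whose default is the string `'off'`, so `ssl_stapling off;` and `ssl_stapling_verify off;` are now written into every http block; that is harmless by itself, but `$ssl_stapling` was already plumbed into config.pp before this commit, and if the template renders it anywhere else nginx will reject the file with a duplicate-directive error, so that is worth checking before merge (the rest of the template is outside the hunk). Separately, `ssl_stapling_verify on;` only takes effect together with `ssl_trusted_certificate`, and `ssl_stapling on;` needs a `resolver` to reach the responder; an ERB comment above the stapling lines, `<%# ssl_stapling needs a resolver; ssl_stapling_verify needs ssl_trusted_certificate -%>`, would make that dependency visible in the template rather than only in the nginx docs.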
--- a/templates/server/server_ssl_settings.erb
+++ b/templates/server/server_ssl_settings.erb
@@ -17,8 +17,12 @@
 <%- if defined? @ssl_ecdh_curve -%>
 ssl_ecdh_curve <%= @ssl_ecdh_curve %>;
 <%- end -%>
+<% if @ssl_cache -%>
 ssl_session_cache <%= @ssl_cache %>;
+<% end -%>
+<% if @ssl_session_timeout -%>
 ssl_session_timeout <%= @ssl_session_timeout %>;
+<% end -%>
 <% if @ssl_session_tickets -%>
 ssl_session_tickets <%= @ssl_session_tickets %>;
 <% end -%>
@@ -28,9 +32,15 @@
 <% if @ssl_buffer_size -%>
 ssl_buffer_size <%= @ssl_buffer_size %>;
 <% end -%>
+<% if @ssl_protocols -%>
 ssl_protocols <%= @ssl_protocols %>;
+<% end -%>
+<% if @ssl_ciphers -%>
 ssl_ciphers <%= @ssl_ciphers %>;
+<% end -%>
+<% if @ssl_prefer_server_ciphers -%>
 ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>;
+<% end -%>
 <% if @ssl_crl -%>
 ssl_crl <%= @ssl_crl %>;
 <% end -%>
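Review bot: The new guards are written as `<% if @ssl_cache -%>` while the lines directly above use the `<%- ... -%>` form; both behave the same at column 0, but the file now mixes the two spellings within a few lines, and `<%- if @ssl_cache -%>` would match its neighbours. The guards also change what a rendered server block means: an unset `ssl_protocols`, `ssl_ciphers`, `ssl_prefer_server_ciphers`, `ssl_session_cache` or `ssl_session_timeout` is now silent and nginx inherits the http-level directive, which is correct nginx semantics but invisible when reading the generated vhost, so an ERB comment at the top of the block, `<%# unset ssl_* directives are inherited from the http block in nginx.conf -%>`, would help whoever debugs a handshake later. The adjacent context line `<%- if defined? @ssl_ecdh_curve -%>` tests presence rather than truthiness and, if Puppet's template scope defines every parameter as an instance variable as I believe it does, renders `ssl_ecdh_curve ;` when the value is undef; that line is untouched by this commit and could be converted to the same truthiness guard in a follow-up.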