From 7478d4fafddd881df63d6100800aee6ee3e42fe1 Mon Sep 17 00:00:00 2001
From: Matthew Haughton
Date: Sat, 11 Jul 2015 19:53:30 -0400
Subject: [PATCH] vhost: add ssl_buffer_size to SSL config
---
 manifests/resource/vhost.pp | 2 ++
 spec/defines/resource_vhost_spec.rb | 6 ++++++
 templates/vhost/vhost_ssl_settings.erb | 3 +++
 3 files changed, 11 insertions(+)
diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp
index d86e7d30c..bf02f916a 100644
--- a/manifests/resource/vhost.pp
+++ b/manifests/resource/vhost.pp
@@ -56,6 +56,7 @@
 # vHost on. Defaults to TCP 443
 # [*ssl_protocols*] - SSL protocols enabled. Defaults to 'TLSv1 TLSv1.1
 # TLSv1.2'.
+# [*ssl_buffer_size*] - Sets the size of the buffer used for sending data.
 # [*ssl_ciphers*] - SSL ciphers enabled. Defaults to
 # 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'.
 # [*ssl_stapling*] - Bool: Enables or disables stapling of OCSP
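Review bot: The new `ssl_buffer_size` entry in the parameter docs of manifests/resource/vhost.pp does not state a default or the expected value form, while the neighbouring entries spell out their defaults. The parameter defaults to undef and the template emits the directive only when it is set, so the entry could read `# [*ssl_buffer_size*] - Sets the size of the buffer used for sending data. Defaults to undef, in which case the directive is omitted and nginx uses its built-in default.` It is also worth noting that nginx only recognises this directive from version 1.5.9 onward, so setting it against an older package fails the config test. The documentation block starts and ends outside this hunk.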
@@ -181,6 +182,7 @@
 $ssl_key = undef,
 $ssl_port = '443',
 $ssl_protocols = 'TLSv1 TLSv1.1 TLSv1.2',
+ $ssl_buffer_size = undef,
 $ssl_ciphers = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA',
 $ssl_cache = 'shared:SSL:10m',
 $ssl_crl = undef,
diff --git a/spec/defines/resource_vhost_spec.rb b/spec/defines/resource_vhost_spec.rb
index d09b52b6f..8d419f5ba 100644
--- a/spec/defines/resource_vhost_spec.rb
+++ b/spec/defines/resource_vhost_spec.rb
@@ -428,6 +428,12 @@
 :value => false,
 :match => %r'\s+server_name\s+www.rspec.example.com;',
 },
+ {
+ :title => 'should set the SSL buffer size',
+ :attr => 'ssl_buffer_size',
+ :value => '4k',
+ :match => ' ssl_buffer_size 4k;',
+ },
 {
 :title => 'should set the SSL client certificate file',
 :attr => 'ssl_client_cert',
diff --git a/templates/vhost/vhost_ssl_settings.erb b/templates/vhost/vhost_ssl_settings.erb
index 2d12c391e..62babe451 100644
--- a/templates/vhost/vhost_ssl_settings.erb
+++ b/templates/vhost/vhost_ssl_settings.erb
@@ -11,6 +11,9 @@
 <% end -%>
 ssl_session_cache <%= @ssl_cache %>;
 ssl_session_timeout <%= @ssl_session_timeout %>;
+<% if @ssl_buffer_size -%>
+ ssl_buffer_size <%= @ssl_buffer_size %>;
+<% end -%>
 ssl_protocols <%= @ssl_protocols %>;
 ssl_ciphers <%= @ssl_ciphers %>;
 ssl_prefer_server_ciphers on;
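Review bot: `$ssl_buffer_size` is added to the parameter list of manifests/resource/vhost.pp with no format check, and the templates/vhost/vhost_ssl_settings.erb hunk writes it straight into the server block as `ssl_buffer_size <%= @ssl_buffer_size %>;`. A value that is not a plain nginx size, for instance one carrying a `;` or a newline from Hiera or an ENC, would be rendered verbatim and produce either a config that fails to load or directives the operator never intended. If the module already depends on puppetlabs-stdlib, a guard in the define body such as `if $ssl_buffer_size != undef { validate_re($ssl_buffer_size, '^\d+[kKmM]?$') }` would reject such values before the template is evaluated. The define body lies outside this hunk, so whether a validation block already exists there could not be checked.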
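Review bot: The case added to spec/defines/resource_vhost_spec.rb covers only the parameter being set; nothing asserts that the `ssl_buffer_size` line is absent when it is left at undef, which is the branch the new `<% if @ssl_buffer_size -%>` guard in the template exists for. A companion case with the attribute unset, checking that the rendered SSL block contains no `ssl_buffer_size` directive, would pin that behaviour and catch a regression that emits an empty directive. The surrounding array of test cases starts and ends outside this hunk, so the negative-match entry should follow whatever form the file already uses.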