Puppet Class: apache::mod::ssl

Inherits:
::apache::params
Defined in:
manifests/mod/ssl.pp

Overview

Parameters:

  • ssl_compression (Boolean) (defaults to: false)
  • ssl_cryptodevice (Any) (defaults to: 'builtin')
  • ssl_options (Any) (defaults to: [ 'StdEnvVars' ])
  • ssl_openssl_conf_cmd (Any) (defaults to: undef)
  • ssl_cert (Optional[String]) (defaults to: undef)
  • ssl_key (Optional[String]) (defaults to: undef)
  • ssl_ca (Any) (defaults to: undef)
  • ssl_cipher (Any) (defaults to: 'HIGH:MEDIUM:!aNULL:!MD5:!RC4:!3DES')
  • ssl_honorcipherorder (Variant[Boolean, Enum['on', 'off']]) (defaults to: true)
  • ssl_protocol (Any) (defaults to: [ 'all', '-SSLv2', '-SSLv3' ])
  • ssl_proxy_protocol (Array) (defaults to: [])
  • ssl_pass_phrase_dialog (Any) (defaults to: 'builtin')
  • ssl_random_seed_bytes (Any) (defaults to: '512')
  • ssl_sessioncache (String) (defaults to: $::apache::params::ssl_sessioncache)
  • ssl_sessioncachetimeout (Any) (defaults to: '300')
  • ssl_stapling (Boolean) (defaults to: false)
  • ssl_stapling_return_errors (Optional[Boolean]) (defaults to: undef)
  • ssl_mutex (Any) (defaults to: undef)
  • apache_version (Any) (defaults to: undef)
  • package_name (Any) (defaults to: undef)


# File 'manifests/mod/ssl.pp', line 1

# @summary Declares the Apache ssl module and renders its ssl.conf from the
#   apache/mod/ssl.conf.erb template.
#
# The class includes ::apache and ::apache::mod::mime, derives a default SSL
# mutex and a stapling cache location from $::osfamily, declares the
# ::apache::mod { 'ssl': } resource and manages the 'ssl.conf' file.
# How each parameter ends up in the rendered configuration is decided by the
# ERB template, which is not part of this file; every statement marked
# "presumably" below should be confirmed against that template.
#
# Security-relevant defaults worth reviewing before relying on them:
#
# @param ssl_compression
#   Defaults to false. Presumably controls TLS-level compression; leaving it
#   off is the safe choice because compression of secret-bearing traffic is
#   what CRIME-style attacks rely on.
# @param ssl_cipher
#   Defaults to 'HIGH:MEDIUM:!aNULL:!MD5:!RC4:!3DES'. The string still admits
#   the MEDIUM cipher class; deployments with a modern-client baseline will
#   usually want to pass a stricter list.
# @param ssl_honorcipherorder
#   Boolean, or the strings 'on'/'off', normalised to a Boolean in
#   $_ssl_honorcipherorder. Defaults to true.
# @param ssl_protocol
#   Defaults to [ 'all', '-SSLv2', '-SSLv3' ]. Only SSLv2 and SSLv3 are
#   excluded, so every TLS version the server build supports stays enabled,
#   which on older builds includes TLSv1 and TLSv1.1. Override to pin a
#   minimum version.
# @param ssl_stapling
#   Defaults to false. Presumably toggles OCSP stapling; see $stapling_cache.
# @param ssl_mutex
#   When set, used as-is and the per-osfamily lookup is skipped.
# @param apache_version
#   Falls back to $apache::apache_version when undef.
# @param package_name
#   Passed to ::apache::mod { 'ssl': } as its package.
#
# NOTE(review): $ssl_cert, $ssl_key, $ssl_protocol, $ssl_proxy_protocol,
# $ssl_pass_phrase_dialog, $ssl_stapling and $ssl_stapling_return_errors are
# not referenced in this manifest body and are missing from the
# "Template uses" list further down; confirm where they are consumed.
class apache::mod::ssl (
  Boolean $ssl_compression                                  = false,
  $ssl_cryptodevice                                         = 'builtin',
  $ssl_options                                              = [ 'StdEnvVars' ],
  $ssl_openssl_conf_cmd                                     = undef,
  Optional[String] $ssl_cert                                = undef,
  Optional[String] $ssl_key                                 = undef,
  $ssl_ca                                                   = undef,
  $ssl_cipher                                               = 'HIGH:MEDIUM:!aNULL:!MD5:!RC4:!3DES',
  Variant[Boolean, Enum['on', 'off']] $ssl_honorcipherorder = true,
  $ssl_protocol                                             = [ 'all', '-SSLv2', '-SSLv3' ],
  Array $ssl_proxy_protocol                                 = [],
  $ssl_pass_phrase_dialog                                   = 'builtin',
  $ssl_random_seed_bytes                                    = '512',
  String $ssl_sessioncache                                  = $::apache::params::ssl_sessioncache,
  $ssl_sessioncachetimeout                                  = '300',
  Boolean $ssl_stapling                                     = false,
  Optional[Boolean] $ssl_stapling_return_errors             = undef,
  $ssl_mutex                                                = undef,
  $apache_version                                           = undef,
  $package_name                                             = undef,
) inherits ::apache::params {

  include ::apache
  include ::apache::mod::mime
  # Prefer the explicit $apache_version, else the version known to ::apache.
  $_apache_version = pick($apache_version, $apache::apache_version)

  # Resolve the mutex setting: an explicit $ssl_mutex wins, otherwise pick a
  # value per OS family. Unknown families abort the catalog with fail().
  if $ssl_mutex {
    $_ssl_mutex = $ssl_mutex
  } else {
    case $::osfamily {
      'debian': {
        if versioncmp($_apache_version, '2.4') >= 0 {
          $_ssl_mutex = 'default'
        } elsif $::operatingsystem == 'Ubuntu' and $::operatingsystemrelease == '10.04' {
          $_ssl_mutex = 'file:/var/run/apache2/ssl_mutex'
        } else {
          # The dollar sign is escaped, so the literal ${APACHE_RUN_DIR} is
          # emitted for Apache to expand rather than interpolated by Puppet.
          $_ssl_mutex = "file:\${APACHE_RUN_DIR}/ssl_mutex"
        }
      }
      'redhat': {
        $_ssl_mutex = 'default'
      }
      'freebsd': {
        $_ssl_mutex = 'default'
      }
      'gentoo': {
        $_ssl_mutex = 'default'
      }
      'Suse': {
        $_ssl_mutex = 'default'
      }
      default: {
        fail("Unsupported osfamily ${::osfamily}, please explicitly pass in \$ssl_mutex")
      }
    }
  }

  # Normalise 'on'/'off' to a Boolean. The parameter type already restricts
  # strings to 'on' and 'off', so the selector's default arm is a fallback
  # that the declared type does not let callers reach.
  if $ssl_honorcipherorder =~ Boolean {
    $_ssl_honorcipherorder = $ssl_honorcipherorder
  } else {
    $_ssl_honorcipherorder = $ssl_honorcipherorder ? {
      'on'    => true,
      'off'   => false,
      default => true,
    }
  }

  # Per-osfamily stapling cache location; the Debian entry keeps a literal
  # ${APACHE_RUN_DIR} (escaped dollar sign).
  # NOTE(review): this selector has no default arm. A caller on an unlisted
  # osfamily who passes $ssl_mutex, as the fail() message above suggests,
  # still reaches this selector with no matching entry; presumably that is a
  # compile error on Puppet 4+ - confirm and add a default if so.
  $stapling_cache = $::osfamily ? {
    'debian'  => "\${APACHE_RUN_DIR}/ocsp(32768)",
    'redhat'  => '/run/httpd/ssl_stapling(32768)',
    'freebsd' => '/var/run/ssl_stapling(32768)',
    'gentoo'  => '/var/run/ssl_stapling(32768)',
    'Suse'    => '/var/lib/apache2/ssl_stapling(32768)',
  }

  if $::osfamily == 'Suse' {
    # NOTE(review): both branches assign the same worker path, so the
    # defined() check has no effect. This looks like a copy-paste slip; the
    # else branch presumably should name the non-worker MPM library
    # directory - confirm against the SUSE package layout.
    # defined() also depends on evaluation order: it is only true if
    # ::apache::mod::worker was declared before this class is evaluated.
    if defined(Class['::apache::mod::worker']){
      $suse_path = '/usr/lib64/apache2-worker'
    } else {
      $suse_path = '/usr/lib64/apache2-worker'
    }
    ::apache::mod { 'ssl':
      package  => $package_name,
      lib_path => $suse_path,
    }
  } else {
    ::apache::mod { 'ssl':
      package => $package_name,
    }
  }

  # Apache 2.4 and later additionally pull in the socache_shmcb module.
  if versioncmp($_apache_version, '2.4') >= 0 {
    include ::apache::mod::socache_shmcb
  }

  # Template uses
  #
  # $ssl_compression
  # $ssl_cryptodevice
  # $ssl_ca
  # $ssl_cipher
  # $ssl_honorcipherorder
  # $ssl_options
  # $ssl_openssl_conf_cmd
  # $ssl_sessioncache
  # $stapling_cache
  # $ssl_mutex
  # $ssl_random_seed_bytes
  # $ssl_sessioncachetimeout
  # $_apache_version
  #
  # NOTE(review): the list names $ssl_mutex and $ssl_honorcipherorder, while
  # this class computes $_ssl_mutex and $_ssl_honorcipherorder; the list may
  # be stale - confirm which names the template actually reads.
  #
  # The file's mode comes from $::apache::file_mode and no owner or group is
  # set on this resource. It is ordered after the mod_dir mkdir Exec and
  # before the mod_dir File resource, and any change notifies the Apache
  # service class.
  file { 'ssl.conf':
    ensure  => file,
    path    => $::apache::_ssl_file,
    mode    => $::apache::file_mode,
    content => template('apache/mod/ssl.conf.erb'),
    require => Exec["mkdir ${::apache::mod_dir}"],
    before  => File[$::apache::mod_dir],
    notify  => Class['apache::service'],
  }
}