Puppet Class: apache::mod::ssl

Inherits:
apache::params
Defined in:
manifests/mod/ssl.pp

Summary

Installs `mod_ssl`.

Overview

On most operating systems, ssl.conf is placed in the module configuration directory. On Red Hat-based operating systems, it is placed in /etc/httpd/conf.d, the same location in which the RPM stores its configuration.

To use SSL with a virtual host, you must set either the default_ssl_vhost parameter of ::apache to true or the ssl parameter of apache::vhost to true.

Parameters:

  • ssl_compression (Boolean) (defaults to: false)

    Enable compression at the SSL level.

  • ssl_sessiontickets (Optional[Boolean]) (defaults to: undef)

    Enable or disable the use of TLS session tickets.

  • ssl_cryptodevice (String) (defaults to: 'builtin')

    Enable use of a cryptographic hardware accelerator.

  • ssl_options (Array[String]) (defaults to: ['StdEnvVars'])

    Configure various SSL engine run-time options.

  • ssl_openssl_conf_cmd (Optional[String]) (defaults to: undef)

    Configure OpenSSL parameters through its SSL_CONF API.

  • ssl_cert (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    Path to server PEM-encoded X.509 certificate data file.

  • ssl_key (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    Path to the server's PEM-encoded private key file.

  • ssl_ca (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    File of concatenated PEM-encoded CA certificates for client authentication.

  • ssl_cipher (String) (defaults to: $apache::params::ssl_cipher)

    Cipher Suite available for negotiation in SSL handshake.

  • ssl_honorcipherorder (Variant[Boolean, Enum['on', 'off']]) (defaults to: true)

    Option to prefer the server's cipher preference order.

  • ssl_protocol (Array[String]) (defaults to: $apache::params::ssl_protocol)

    Configure usable SSL/TLS protocol versions. The default depends on the OS:

    • RedHat 8: ['all'].

    • Other platforms: ['all', '-SSLv2', '-SSLv3'].

  • ssl_proxy_protocol (Array) (defaults to: [])

    Configure usable SSL protocol flavors for proxy usage.

  • ssl_proxy_cipher_suite (Optional[String[1]]) (defaults to: $apache::params::ssl_proxy_cipher_suite)

    Configure usable SSL ciphers for proxy usage. Equivalent to ssl_cipher but for proxy connections.

  • ssl_pass_phrase_dialog (String) (defaults to: 'builtin')

    Type of pass phrase dialog for encrypted private keys.

  • ssl_random_seed_bytes (Integer) (defaults to: 512)

    Pseudo-random number generator (PRNG) seeding source.

  • ssl_sessioncache (String) (defaults to: $apache::params::ssl_sessioncache)

    Configures the storage type of the global/inter-process SSL session cache.

  • ssl_sessioncachetimeout (Integer) (defaults to: 300)

    Number of seconds before an SSL session expires in the Session Cache.

  • ssl_stapling (Boolean) (defaults to: false)

    Enable stapling of OCSP responses in the TLS handshake.

  • stapling_cache (Optional[String]) (defaults to: undef)

    Configures the cache used to store the OCSP responses that are included in the TLS handshake when SSLUseStapling is enabled.

  • ssl_stapling_return_errors (Optional[Boolean]) (defaults to: undef)

    Pass stapling-related OCSP errors on to the client.

  • ssl_mutex (Optional[String]) (defaults to: undef)

    Configures the mutex mechanism and lock file directory for all or specified mutexes. The default depends on the OS and the Apache version:

    • RedHat/FreeBSD/Suse/Gentoo: 'default'.

    • Debian/Ubuntu with Apache >= 2.4: 'default'.

    • Debian/Ubuntu with Apache < 2.4: 'file:${APACHE_RUN_DIR}/ssl_mutex'.

  • ssl_reload_on_change (Boolean) (defaults to: false)

    Enable reloading of Apache if the content of the SSL files has changed. This only affects the SSL files configured here, not those configured on vhosts.

  • apache_version (Optional[String]) (defaults to: undef)

    Used to verify that the Apache version you have requested is compatible with the module.

  • package_name (Optional[String]) (defaults to: undef)

    Name of ssl package to install.

See Also:



# File 'manifests/mod/ssl.pp', line 92

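# @summary Installs `mod_ssl`.
#
# Renders ssl.conf from the apache/mod/ssl.conf.erb template and installs the
# mod_ssl package via apache::mod. On most operating systems ssl.conf is placed
# in the module configuration directory; on Red Hat based systems it is placed
# in /etc/httpd/conf.d, where the RPM stores the configuration. The concrete
# path is taken from $apache::_ssl_file.
#
# To use SSL with a virtual host, set either the `default_ssl_vhost` parameter
# of `::apache` or the `ssl` parameter of `apache::vhost` to true.
#
# @param ssl_compression Enable compression at the SSL level.
# @param ssl_sessiontickets Enable or disable the use of TLS session tickets.
# @param ssl_cryptodevice Enable use of a cryptographic hardware accelerator.
# @param ssl_options Configure various SSL engine run-time options.
# @param ssl_openssl_conf_cmd Configure OpenSSL parameters through its SSL_CONF API.
# @param ssl_cert Path to the server PEM-encoded X.509 certificate data file.
# @param ssl_key Path to the server PEM-encoded private key file.
# @param ssl_ca File of concatenated PEM-encoded CA certificates for client auth.
# @param ssl_cipher Cipher suite available for negotiation in the SSL handshake.
# @param ssl_honorcipherorder Prefer the server's cipher preference order.
# @param ssl_protocol Usable SSL/TLS protocol versions (default depends on the OS).
# @param ssl_proxy_protocol Usable SSL protocol flavors for proxy usage.
# @param ssl_proxy_cipher_suite Usable SSL ciphers for proxy usage (ssl_cipher for proxy connections).
# @param ssl_pass_phrase_dialog Type of pass phrase dialog for encrypted private keys.
# @param ssl_random_seed_bytes PRNG seeding source.
# @param ssl_sessioncache Storage type of the global/inter-process SSL session cache.
# @param ssl_sessioncachetimeout Seconds before an SSL session expires in the session cache.
# @param ssl_stapling Enable stapling of OCSP responses in the TLS handshake.
# @param stapling_cache Cache for OCSP responses included in the handshake when stapling is enabled.
# @param ssl_stapling_return_errors Pass stapling-related OCSP errors on to the client.
# @param ssl_mutex Mutex mechanism and lock file directory; when undef a per-OS default is chosen below.
# @param ssl_reload_on_change Reload Apache when the content of the SSL files configured here changes.
# @param apache_version Verify that the requested Apache version is compatible with the module.
# @param package_name Name of the SSL package to install.
class apache::mod::ssl (
  Boolean $ssl_compression                                  = false,
  Optional[Boolean] $ssl_sessiontickets                     = undef,
  String $ssl_cryptodevice                                  = 'builtin',
  Array[String] $ssl_options                                = ['StdEnvVars'],
  Optional[String] $ssl_openssl_conf_cmd                    = undef,
  Optional[Stdlib::Absolutepath] $ssl_cert                  = undef,
  Optional[Stdlib::Absolutepath] $ssl_key                   = undef,
  Optional[Stdlib::Absolutepath] $ssl_ca                    = undef,
  String $ssl_cipher                                        = $apache::params::ssl_cipher,
  Variant[Boolean, Enum['on', 'off']] $ssl_honorcipherorder = true,
  Array[String] $ssl_protocol                               = $apache::params::ssl_protocol,
  Array $ssl_proxy_protocol                                 = [],
  Optional[String[1]] $ssl_proxy_cipher_suite               = $apache::params::ssl_proxy_cipher_suite,
  String $ssl_pass_phrase_dialog                            = 'builtin',
  Integer $ssl_random_seed_bytes                            = 512,
  String $ssl_sessioncache                                  = $apache::params::ssl_sessioncache,
  Integer $ssl_sessioncachetimeout                          = 300,
  Boolean $ssl_stapling                                     = false,
  Optional[String] $stapling_cache                          = undef,
  Optional[Boolean] $ssl_stapling_return_errors             = undef,
  Optional[String] $ssl_mutex                               = undef,
  Boolean $ssl_reload_on_change                             = false,
  Optional[String] $apache_version                          = undef,
  Optional[String] $package_name                            = undef,
) inherits apache::params {
  include apache
  include apache::mod::mime

  # An explicitly requested version wins; otherwise use the one class apache resolved.
  $_apache_version = pick($apache_version, $apache::apache_version)

  # Mutex setting: an explicit value is used verbatim, otherwise a per-OS default.
  # Debian/Ubuntu is version dependent because only the pre-2.4 layout uses a
  # file-backed mutex under APACHE_RUN_DIR. Unknown families must pass $ssl_mutex.
  if $ssl_mutex {
    $_ssl_mutex = $ssl_mutex
  } else {
    case $facts['os']['family'] {
      'debian': {
        if versioncmp($_apache_version, '2.4') >= 0 {
          $_ssl_mutex = 'default'
        } else {
          $_ssl_mutex = "file:\${APACHE_RUN_DIR}/ssl_mutex"
        }
      }
      'redhat', 'freebsd', 'gentoo', 'Suse': {
        $_ssl_mutex = 'default'
      }
      default: {
        fail("Unsupported osfamily ${$facts['os']['family']}, please explicitly pass in \$ssl_mutex")
      }
    }
  }

  # Normalise the Boolean/'on'/'off' variant to a Boolean. The `default` arm is
  # unreachable given the parameter type; it only documents the fallback.
  if $ssl_honorcipherorder =~ Boolean {
    $_ssl_honorcipherorder = $ssl_honorcipherorder
  } else {
    $_ssl_honorcipherorder = $ssl_honorcipherorder ? {
      'on'    => true,
      'off'   => false,
      default => true,
    }
  }

  # OCSP stapling cache: an explicit value is used verbatim, otherwise a per-OS
  # default. An unsupported family fails with an explicit message (mirroring the
  # mutex handling above) instead of an opaque "no matching entry" selector error,
  # which previously only surfaced when $ssl_mutex had been passed explicitly.
  if $stapling_cache =~ Undef {
    case $facts['os']['family'] {
      'debian': {
        $_stapling_cache = "\${APACHE_RUN_DIR}/ocsp(32768)"
      }
      'redhat': {
        $_stapling_cache = '/run/httpd/ssl_stapling(32768)'
      }
      'freebsd', 'gentoo': {
        $_stapling_cache = '/var/run/ssl_stapling(32768)'
      }
      'Suse': {
        $_stapling_cache = '/var/lib/apache2/ssl_stapling(32768)'
      }
      default: {
        fail("Unsupported osfamily ${$facts['os']['family']}, please explicitly pass in \$stapling_cache")
      }
    }
  } else {
    $_stapling_cache = $stapling_cache
  }

  # SUSE ships the module under an MPM-specific library directory, so the path
  # has to follow whichever MPM class is in the catalog.
  if $facts['os']['family'] == 'Suse' {
    if defined(Class['apache::mod::worker']) {
      $suse_path = '/usr/lib64/apache2-worker'
    } else {
      $suse_path = '/usr/lib64/apache2-prefork'
    }
    ::apache::mod { 'ssl':
      package  => $package_name,
      lib_path => $suse_path,
    }
  } else {
    ::apache::mod { 'ssl':
      package => $package_name,
    }
  }

  # Apache >= 2.4 needs socache_shmcb for the shmcb session/stapling caches.
  if versioncmp($_apache_version, '2.4') >= 0 {
    include apache::mod::socache_shmcb
  }

  # Optional reload-on-change: keep a root-owned, 0640 copy of each configured
  # SSL file under puppet_ssl_dir so content changes are detected and trigger
  # a service reload. The private key copy is therefore never world-readable;
  # the 'cert_t' SELinux type is only honoured where SELinux is enforcing.
  if $ssl_reload_on_change {
    [$ssl_cert, $ssl_key, $ssl_ca].each |$ssl_file| {
      if $ssl_file {
        include apache::mod::ssl::reload
        # Flatten the absolute path into a single file name (e.g. "_etc_ssl_x.pem").
        $_ssl_file_copy = regsubst($ssl_file, '/', '_', 'G')
        file { $_ssl_file_copy:
          path    => "${apache::params::puppet_ssl_dir}/${_ssl_file_copy}",
          source  => "file://${ssl_file}",
          owner   => 'root',
          group   => $apache::params::root_group,
          mode    => '0640',
          seltype => 'cert_t',
          notify  => Class['apache::service'],
        }
      }
    }
  }

  # Template uses (variables consumed by apache/mod/ssl.conf.erb; the mutex,
  # honorcipherorder and stapling cache values are presumably read via the
  # derived $_ variants computed above - verify against the template):
  #
  # $ssl_compression
  # $ssl_sessiontickets
  # $ssl_cryptodevice
  # $ssl_ca
  # $ssl_cipher
  # $_ssl_honorcipherorder
  # $ssl_options
  # $ssl_openssl_conf_cmd
  # $ssl_sessioncache
  # $_stapling_cache
  # $_ssl_mutex
  # $ssl_random_seed_bytes
  # $ssl_sessioncachetimeout
  # $_apache_version
  file { 'ssl.conf':
    ensure  => file,
    path    => $apache::_ssl_file,
    mode    => $apache::file_mode,
    content => template('apache/mod/ssl.conf.erb'),
    require => Exec["mkdir ${apache::mod_dir}"],
    before  => File[$apache::mod_dir],
    notify  => Class['apache::service'],
  }
}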