Puppet Class: simp_apache::ssl

Defined in:
manifests/ssl.pp

Summary

Configures an Apache server with SSL support

Overview

Ensures that the appropriate files are in the appropriate places and have the correct permissions.

@NOTE: Any parameter that comes directly from Apache is not documented here and should be found in the Apache mod_ssl reference documentation.

Parameters:

  • listen (Array[Variant[Simplib::Host::Port, Simplib::Port]]) (defaults to: [443])

    An array of ports upon which the stock SSL configuration should listen.

    @NOTE: If you are using an IPv6 address together with a port, you must bracket the address (for example '[2001:db8::10]:443'); otherwise the colons in the address cannot be distinguished from the port separator.

  • trusted_nets (Simplib::Netlist) (defaults to: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1', '::1'] }))

    An array of networks that you trust to connect to your server.

  • logformat (String) (defaults to: '%t %h %{SSL_CLIENT_S_DN_CN}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b %s')

    The default LogFormat to be used for SSL logging. Set to '' (the empty string) to disable logging.

  • enable_default_vhost (Boolean) (defaults to: true)

    Whether to activate the default VirtualHost on the $listen ports.

  • firewall (Boolean) (defaults to: simplib::lookup('simp_options::firewall', { 'default_value' => false, }))

    Whether to use the SIMP iptables module to open the $listen ports to $trusted_nets (via iptables::listen::tcp_stateful). When false, no firewall rules are managed by this class.

  • pki (Variant[Boolean,Enum['simp']]) (defaults to: simplib::lookup('simp_options::pki', { 'default_value' => false }))
    • If ‘simp’, include SIMP’s pki module and use pki::copy to manage application certs in /etc/pki/simp_apps/simp_apache/x509

    • If true, do not include SIMP’s pki module, but still use pki::copy to manage certs in /etc/pki/simp_apps/simp_apache/x509

    • If false, do not include SIMP’s pki module and do not use pki::copy to manage certs. You will need to appropriately assign a subset of:

      • app_pki_dir

      • app_pki_key

      • app_pki_cert

      • app_pki_ca

      • app_pki_ca_dir

  • app_pki_external_source (String) (defaults to: simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' }))
    • If pki = ‘simp’ or true, this is the directory from which certs will be copied, via pki::copy. Defaults to /etc/pki/simp/x509.

    • If pki = false, this variable has no effect.

  • app_pki_dir (Stdlib::AbsolutePath) (defaults to: '/etc/pki/simp_apps/simp_apache/x509')

    This variable controls the basepath of $app_pki_key, $app_pki_cert, $app_pki_ca, $app_pki_ca_dir, and $app_pki_crl. It defaults to /etc/pki/simp_apps/simp_apache/x509.

  • app_pki_key (Stdlib::AbsolutePath) (defaults to: "${app_pki_dir}/private/${facts['networking']['fqdn']}.pem")

    Path and name of the private SSL key file

  • app_pki_cert (Stdlib::AbsolutePath) (defaults to: "${app_pki_dir}/public/${facts['networking']['fqdn']}.pub")

    Path and name of the public SSL certificate

  • app_pki_ca_dir (Stdlib::AbsolutePath) (defaults to: "${app_pki_dir}/cacerts")

    Path to the directory of trusted CA certificates used to validate client certificates.

  • haveged (Boolean) (defaults to: simplib::lookup('simp_options::haveged', { 'default_value' => false }))

    Whether to use the SIMP haveged module to assist with entropy generation.

  • openssl_cipher_suite (Array[String]) (defaults to: simplib::lookup('simp_options::openssl::cipher_suite', { 'default_value' => ['DEFAULT', '!MEDIUM'] }))

    The Cipher Suite the client is permitted to negotiate in the SSL handshake phase.

  • ssl_protocols (Array[String]) (defaults to: ['TLSv1.2'])

    Controls which versions of the SSL/TLS protocol the server will accept for new connections (Apache's SSLProtocol directive). Only TLSv1.2 is enabled by default.

  • ssl_honor_cipher_order (Boolean) (defaults to: true)

    Whether the server's cipher preference order takes precedence over the client's (Apache's SSLHonorCipherOrder directive).

  • sslverifyclient (String) (defaults to: 'require')

    Sets mod_ssl's certificate verification level for client authentication (Apache's SSLVerifyClient directive: 'none', 'optional', 'require' or 'optional_no_ca'). With the default of 'require', every client must present a certificate that chains to a CA in $app_pki_ca_dir, or the TLS handshake is refused; browsers without a client certificate will not be able to connect to the default VirtualHost.

  • sslverifydepth (Integer) (defaults to: 10)

    Sets how many certificates deep mod_ssl will follow a client certificate chain before deciding that the client does not have a valid certificate (Apache's SSLVerifyDepth directive).
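The following is an added example and not code from the simp_apache module itself: a profile class that declares simp_apache::ssl with externally managed certificates (pki => false), so that the app_pki_* paths, the bracketed IPv6 listener, the firewall/trusted_nets pairing and the client-verification setting all have to be set explicitly. The class name profile::webserver_tls, the hostnames, the networks and the certificate paths are illustrative assumptions; the files under /etc/pki/tls are assumed to exist already and to be readable by the apache group.

```puppet
# Added example: declare simp_apache::ssl with externally managed certs.
# Assumptions (not from the module): the profile name, the networks,
# the hostname and the /etc/pki/tls/* files are illustrative and must
# exist on the node before Apache starts.
class profile::webserver_tls {
  class { 'simp_apache::ssl':
    # IPv4 port plus an IPv6 address with a port; the IPv6 address
    # must be bracketed so the port separator is unambiguous.
    listen                 => [443, '[2001:db8::10]:443'],

    # With firewall => true only these networks reach the listeners
    # (iptables::listen::tcp_stateful 'allow_https').
    firewall               => true,
    trusted_nets           => ['10.0.0.0/8', '192.168.1.0/24'],

    # pki => false: no pki::copy, so every path below is our responsibility.
    # app_pki_external_source has no effect in this mode.
    pki                    => false,
    app_pki_dir            => '/etc/pki/tls',
    app_pki_key            => '/etc/pki/tls/private/www.example.com.key',
    app_pki_cert           => '/etc/pki/tls/certs/www.example.com.crt',
    app_pki_ca_dir         => '/etc/pki/tls/certs/client-ca',

    # Protocol and cipher policy: TLSv1.2 only, server order wins,
    # OpenSSL cipher-list tokens joined into SSLCipherSuite.
    ssl_protocols          => ['TLSv1.2'],
    ssl_honor_cipher_order => true,
    openssl_cipher_suite   => ['HIGH', '!aNULL', '!MD5', '!RC4', '!3DES'],

    # The module default is 'require', which rejects any client that
    # cannot present a certificate chaining to app_pki_ca_dir.
    # 'optional' still logs SSL_CLIENT_S_DN_CN when a cert is offered
    # but lets certificate-less browsers connect.
    sslverifyclient        => 'optional',
    sslverifydepth         => 2,

    # Same fields as the module default, written out so the log
    # parser downstream sees protocol and cipher per request.
    logformat              => '%t %h %{SSL_CLIENT_S_DN_CN}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b %s',

    enable_default_vhost   => true,
    haveged                => true,
  }

  # Because pki => false, nothing in simp_apache::ssl manages the key
  # file's ownership or mode. Keep the private key unreadable to others
  # and restart Apache if it changes.
  file { '/etc/pki/tls/private/www.example.com.key':
    ensure => 'file',
    owner  => 'root',
    group  => 'apache',
    mode   => '0640',
    notify => Class['simp_apache::service'],
  }
}
```

Switching pki to 'simp' instead of false removes the need for the app_pki_* overrides and the extra file resource: pki::copy then populates /etc/pki/simp_apps/simp_apache/x509 from app_pki_external_source and the defaults point at it. Note that the class declaration itself does not create the certificate files; with pki => false a missing key or certificate surfaces only when the simp_apache::service restart fails.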

# File 'manifests/ssl.pp', line 89

class simp_apache::ssl (
  Array[Variant[Simplib::Host::Port, Simplib::Port]] $listen                  = [443],
  Simplib::Netlist                                   $trusted_nets            = simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1', '::1'] }),
  Array[String]                                      $openssl_cipher_suite    = simplib::lookup('simp_options::openssl::cipher_suite', { 'default_value' => ['DEFAULT', '!MEDIUM'] }),
  Array[String]                                      $ssl_protocols           = ['TLSv1.2'],
  Boolean                                            $ssl_honor_cipher_order  = true,
  String                                             $sslverifyclient         = 'require',
  Integer                                            $sslverifydepth          = 10,
  Variant[Boolean,Enum['simp']]                      $pki                     = simplib::lookup('simp_options::pki', { 'default_value' => false }),
  String                                             $app_pki_external_source = simplib::lookup('simp_options::pki::source', { 'default_value' => '/etc/pki/simp/x509' }),
  Stdlib::AbsolutePath                               $app_pki_dir             = '/etc/pki/simp_apps/simp_apache/x509',
  Stdlib::AbsolutePath                               $app_pki_ca_dir          = "${app_pki_dir}/cacerts",
  Stdlib::AbsolutePath                               $app_pki_cert            = "${app_pki_dir}/public/${facts['networking']['fqdn']}.pub",
  Stdlib::AbsolutePath                               $app_pki_key             = "${app_pki_dir}/private/${facts['networking']['fqdn']}.pem",
  String                                             $logformat               = '%t %h %{SSL_CLIENT_S_DN_CN}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b %s',
  Boolean                                            $enable_default_vhost    = true,
  Boolean                                            $firewall                = simplib::lookup('simp_options::firewall', { 'default_value' => false, }),
  Boolean                                            $haveged                 = simplib::lookup('simp_options::haveged', { 'default_value' => false })
) {
  include 'simp_apache'

  if $haveged { include 'haveged' }

  file { '/etc/httpd/conf.d/ssl.conf':
    ensure  => 'file',
    owner   => pick($simp_apache::conf::user,'root'),
    group   => pick($simp_apache::conf::group,'apache'),
    mode    => '0640',
    content => template("${module_name}/etc/httpd/conf.d/ssl.conf.erb"),
    notify  => Class['simp_apache::service']
  }

  if $firewall {
    include 'iptables'

    iptables::listen::tcp_stateful { 'allow_https':
      order        => 11,
      trusted_nets => $trusted_nets,
      dports       => $listen
    }
  }

  if $pki {
    pki::copy { 'simp_apache':
      source => $app_pki_external_source,
      group  => pick($simp_apache::conf::group,'apache'),
      pki    => $pki,
      notify => Class['simp_apache::service']
    }
  }
}