Faidon Liambotis has uploaded a new change for review. https://gerrit.wikimedia.org/r/106700
Change subject: webserver::apache: misc SSL fixes
......................................................................
webserver::apache: misc SSL fixes
- Set ServerAdmin correct on the 443 virtualhost
- Support "redirected"; it was previously a stub
- Add SSLCACertificatePath
- Remove the defaulting to wildcard certificate support
Change-Id: I0c545ad3a7dab2d569ac52b75b63740c9dcb37cd
---
M manifests/webserver.pp
M templates/apache/generic_vhost.erb
2 files changed, 22 insertions(+), 10 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/00/106700/1
diff --git a/manifests/webserver.pp b/manifests/webserver.pp
index 392a520..426db44 100644
--- a/manifests/webserver.pp
+++ b/manifests/webserver.pp
@@ -284,10 +284,10 @@
 # Parameters:
 # $aliases=[] - array of ServerAliases
 # $ssl="false" - if true, sets up an ssl certificate for $title
- # $certfile=undef - defaults to /etc/ssl/certs/${wildcard_domain}.pem, based on $title
- # $certkey=undef - defaults to "/etc/ssl/private/${wildcard_domain}.key based on $title
+ # $certfile=undef - defaults to /etc/ssl/certs/${title}.pem
+ # $certkey=undef - defaults to "/etc/ssl/private/${title}.key
 # $docroot=undef - defaults to: $title == 'stats.wikimedia.org', then /srv/stats.wikimedia.org
- # $custom=[] - custom Apachce config strings to put into virtual host site file
+ # $custom=[] - custom Apache config strings to put into virtual host site file
 # $includes=[]
 # $server_admin="r...@wikimedia.org",
 # $access_log - path to access log, default: /var/log/apache2/access.log
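Review bot: The `$ssl` parameter comment on the new side still reads `if true, sets up an ssl certificate for $title`, although this change makes the template key off three string values; from the template hunks, `"true"` yields both the :80 and :443 vhosts, `"only"` just the :443 vhost, and `"redirected"` the :443 vhost plus a :80 vhost that redirects to https. Suggest `# $ssl="false" - "true": :80 and :443 vhosts; "only": :443 only; "redirected": :443 plus a :80 permanent redirect to https`. The new `$certkey` line also carries over an unbalanced opening quote before the path; `# $certkey=undef - defaults to /etc/ssl/private/${title}.key` reads cleanly. The parameter list continues outside the hunk.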
@@ -320,13 +320,12 @@
 if "$ssl" in ["true", "only", "redirected"] {
 webserver::apache::module { ssl: }
- # If no cert files are defined, assume a wildcart certificate for the domain
- $wildcard_domain = regsubst($title, '^[^\.]+', "*")
+ # If no cert files are defined, assume a named certificate for the domain
 if ! $certfile {
- $certfile = "/etc/ssl/certs/${wildcard_domain}.pem"
+ $certfile = "/etc/ssl/certs/${title}.pem"
 }
 if ! $certkey {
- $certkey = "/etc/ssl/private/${wildcard_domain}.key"
+ $certkey = "/etc/ssl/private/${title}.key"
 }
 }
diff --git a/templates/apache/generic_vhost.erb b/templates/apache/generic_vhost.erb
index a8ea804..86c183b 100644
--- a/templates/apache/generic_vhost.erb
+++ b/templates/apache/generic_vhost.erb
@@ -1,6 +1,6 @@
 # This file is managed by Puppet!
-<% if ssl != "only" -%>
+<% if ["true", "false"].include?(ssl) -%>
 <VirtualHost *:80>
 ServerName <%= title %>
 <% if aliases.length > 0 -%>
@@ -34,13 +34,25 @@
 </VirtualHost>
 <% end -%>
+<% if ssl == "redirected" -%>
+<VirtualHost *:80>
+ ServerName <%= title %>
+<% if aliases.length > 0 -%>
+ ServerAlias <%= aliases.join(" ") %>
+<% end -%>
+ ServerAdmin <%= server_admin %>
+
+ Redirect permanent / https://<%= title %>/
+</VirtualHost>
+<% else %>
+
 <% if ["true", "only", "redirected"].include?(ssl) -%>
 <VirtualHost *:443>
 ServerName <%= title %>
 <% if aliases.length > 0 -%>
 ServerAlias <%= aliases.join(" ") %>
 <% end -%>
- ServerAdmin r...@wikimedia.org
+ ServerAdmin <%= server_admin %>
 SSLEngine on
 SSLProtocol -ALL +SSLv3 +TLSv1
@@ -48,6 +60,7 @@
 SSLHonorCipherOrder on
 SSLCertificateFile <%= certfile %>
 SSLCertificateKeyFile <%= certkey %>
+ SSLCACertificatePath /etc/ssl/certs
 DocumentRoot <%= docroot %>
 <Directory <%= docroot %>>
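Review bot: `["true", "false"].include?(ssl)` on the new side of the first template hunk compares strictly, so any value other than those two exact strings now produces no :80 vhost at all, whereas the old `ssl != "only"` emitted one for everything else; a caller that passes a boolean or leaves `$ssl` unset would silently lose its HTTP vhost. The manifest hunk above guards the same parameter with `if "$ssl" in [...]`, i.e. after stringification, so the template should match: `<% if ["true", "false"].include?(ssl.to_s) -%>`. Whether any caller actually passes a non-string value is not visible from this diff.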
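Review bot: The `<% else %>` that follows the new `</VirtualHost>` in the second template hunk has no matching `<% end %>` anywhere in this change — the later hunks add only `SSLCACertificatePath` and the vim line, and the hunk offsets (+12, then +1) leave no room for another hunk — so the template leaves an `if` open and Ruby should reject the generated code. Even with an `end` appended at the bottom, `else` would skip the :443 block for exactly the `"redirected"` case, leaving the new `Redirect permanent / https://<%= title %>/` pointing at a port with no vhost. The intended line is almost certainly `<% end -%>`, closing the `if ssl == "redirected"` block so that the following `<% if ["true", "only", "redirected"].include?(ssl) -%>` block still runs. The :443 vhost continues past the end of the hunk.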
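Review bot: `SSLCACertificatePath /etc/ssl/certs` in the third template hunk enrolls the whole system trust store as the set of CAs trusted for client-certificate verification, which is the directive's documented role; if the intent (per the commit message) is only to let OpenSSL complete the server's intermediate chain from that directory, that is a side effect of the verify store rather than the documented mechanism, which is `SSLCertificateChainFile`. No `SSLVerifyClient` is visible in the hunk, so the line does nothing today, but any vhost or directory that later enables client auth would accept a certificate from every public CA installed on the host. Suggest a parameterised `SSLCertificateChainFile <%= certchain %>` alongside `certfile`/`certkey`, or, if client auth is genuinely wanted, a directory holding only the issuing CA. The vhost body continues outside the hunk.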
@@ -76,4 +89,4 @@
 <% end -%>
-# vim: filetype=apache
\ No newline at end of file
+# vim: filetype=apache
--
To view, visit https://gerrit.wikimedia.org/r/106700
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I0c545ad3a7dab2d569ac52b75b63740c9dcb37cd
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis <fai...@wikimedia.org>
_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits