Faidon Liambotis has submitted this change and it was merged.

Change subject: webserver::apache: misc SSL fixes
......................................................................


webserver::apache: misc SSL fixes

- Set ServerAdmin correctly on the 443 virtualhost
- Support "redirected"; it was previously a stub
- Add SSLCACertificatePath
- Remove the defaulting to wildcard certificate support

Change-Id: I0c545ad3a7dab2d569ac52b75b63740c9dcb37cd
---
M manifests/webserver.pp
M templates/apache/generic_vhost.erb
2 files changed, 22 insertions(+), 10 deletions(-)

Approvals:
  Faidon Liambotis: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/manifests/webserver.pp b/manifests/webserver.pp
index 392a520..426db44 100644
--- a/manifests/webserver.pp
+++ b/manifests/webserver.pp
@@ -284,10 +284,10 @@
        # Parameters:
        #       $aliases=[]       - array of ServerAliases
        #       $ssl="false"      - if true, sets up an ssl certificate for 
$title
-       #       $certfile=undef   - defaults to 
/etc/ssl/certs/${wildcard_domain}.pem, based on $title
-       #       $certkey=undef    - defaults to 
"/etc/ssl/private/${wildcard_domain}.key based on $title
+       #       $certfile=undef   - defaults to /etc/ssl/certs/${title}.pem
+       #       $certkey=undef    - defaults to "/etc/ssl/private/${title}.key
        #       $docroot=undef    - defaults to: $title == 
'stats.wikimedia.org', then /srv/stats.wikimedia.org
-       #       $custom=[]        - custom Apachce config strings to put into 
virtual host site file
+       #       $custom=[]        - custom Apache config strings to put into 
virtual host site file
        #       $includes=[]
        #       $server_admin="r...@wikimedia.org",
        #       $access_log       - path to access log, default: 
/var/log/apache2/access.log
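Review bot: The parameter documentation for `$ssl` still reads "if true, sets up an ssl certificate", while the code in the next hunk accepts "true", "only" and "redirected", and this commit makes "redirected" a real mode; the new comment lines update the cert defaults but leave the mode list undocumented. I would extend that line to `#       $ssl="false"      - "true": SSL vhost next to the port-80 one; "only": SSL vhost only; "redirected": port 80 redirects to https`. The new `$certkey` line also carries over an unbalanced opening quote before `/etc/ssl/private/${title}.key`. The define whose header comment this is starts outside the hunk.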
@@ -320,13 +320,12 @@
                if "$ssl" in ["true", "only", "redirected"] {
                        webserver::apache::module { ssl: }
                        
-                       # If no cert files are defined, assume a wildcart 
certificate for the domain
-                       $wildcard_domain = regsubst($title, '^[^\.]+', "*")
+                       # If no cert files are defined, assume a named 
certificate for the domain
                        if ! $certfile {
-                               $certfile = 
"/etc/ssl/certs/${wildcard_domain}.pem"
+                               $certfile = "/etc/ssl/certs/${title}.pem"
                        }
                        if ! $certkey {
-                               $certkey = 
"/etc/ssl/private/${wildcard_domain}.key"
+                               $certkey = "/etc/ssl/private/${title}.key"
                        }
                }
                
diff --git a/templates/apache/generic_vhost.erb 
b/templates/apache/generic_vhost.erb
index a8ea804..2c66ff6 100644
--- a/templates/apache/generic_vhost.erb
+++ b/templates/apache/generic_vhost.erb
@@ -1,6 +1,6 @@
 # This file is managed by Puppet!
 
-<% if ssl != "only" -%>
+<% if ["true", "false"].include?(ssl) -%>
 <VirtualHost *:80>
        ServerName <%= title %>
 <% if aliases.length > 0 -%>
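Review bot: The new condition `["true", "false"].include?(ssl)` only matches the exact strings, so a value that is not one of the four documented strings (a bare Puppet boolean, nil, or a typo) now produces a site file with no VirtualHost at all, silently; the old `ssl != "only"` at least emitted the port-80 vhost for any unexpected value. If callers may pass booleans, `<% if ["true", "false"].include?(ssl.to_s) -%>` keeps them working, and a guard at the top of the template such as `<% raise "unsupported ssl value: #{ssl.inspect}" unless ["true", "false", "only", "redirected"].include?(ssl.to_s) -%>` would turn a misconfiguration into a compile failure instead of an empty config. Whether booleans reach the template depends on the Puppet side, which I cannot see here.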
@@ -34,13 +34,25 @@
 </VirtualHost>
 <% end -%>
 
+<% if ssl == "redirected" -%>
+<VirtualHost *:80>
+       ServerName <%= title %>
+<% if aliases.length > 0 -%>
+       ServerAlias <%= aliases.join(" ") %>
+<% end -%>
+       ServerAdmin <%= server_admin %>
+
+       Redirect permanent / https://<%= title %>/
+</VirtualHost>
+<% end -%>
+
 <% if ["true", "only", "redirected"].include?(ssl) -%>
 <VirtualHost *:443>
        ServerName <%= title %>
 <% if aliases.length > 0 -%>
        ServerAlias <%= aliases.join(" ") %>
 <% end -%>
-       ServerAdmin r...@wikimedia.org
+       ServerAdmin <%= server_admin %>
 
        SSLEngine on
        SSLProtocol -ALL +SSLv3 +TLSv1
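Review bot: The new "redirected" vhost sends a 301 to `https://<%= title %>/`, but nothing in the 443 vhost keeps a client on HTTPS afterwards, so every later visit still starts with a cleartext request to port 80. A `Header always set Strict-Transport-Security "max-age=<SECONDS>"` line inside the `<VirtualHost *:443>` block (which starts at the end of this hunk and continues beyond it) would complement the redirect; it needs mod_headers, which this template does not show being enabled. Redirecting aliases to the canonical `title` rather than the requested Host looks intentional and is fine.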
@@ -48,6 +60,7 @@
        SSLHonorCipherOrder on
        SSLCertificateFile <%= certfile %>
        SSLCertificateKeyFile <%= certkey %>
+       SSLCACertificatePath /etc/ssl/certs
 
        DocumentRoot <%= docroot %>
        <Directory <%= docroot %>>
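Review bot: `SSLCACertificatePath /etc/ssl/certs` sets the CA store mod_ssl uses to verify client certificates, not the chain sent to clients; if the goal is to serve intermediate certificates for the server cert, `SSLCertificateChainFile` is the directive for that. Pointing the client-auth store at the whole system bundle also means that, should `SSLVerifyClient` ever be enabled in this vhost or an include, any certificate issued by any system-trusted CA would be accepted as a client certificate, so a dedicated path or file for that purpose would be safer. The commit message only says "Add SSLCACertificatePath", so the intended use is unclear from the diff. The `<VirtualHost *:443>` block continues past the end of this hunk.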
@@ -76,4 +89,4 @@
 <% end -%>
 
 
-# vim: filetype=apache
\ No newline at end of file
+# vim: filetype=apache

-- 
To view, visit https://gerrit.wikimedia.org/r/106700
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I0c545ad3a7dab2d569ac52b75b63740c9dcb37cd
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: Faidon Liambotis <fai...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot
