[MediaWiki-commits] [Gerrit] webserver::apache: misc SSL fixes - change (operations/puppet)
Faidon Liambotis has uploaded a new change for review. https://gerrit.wikimedia.org/r/106700 Change subject: webserver::apache: misc SSL fixes .. webserver::apache: misc SSL fixes - Set ServerAdmin correct on the 443 virtualhost - Support redirected; it was previously a stub - Add SSLCACertificatePath - Remove the defaulting to wildcard certificate support Change-Id: I0c545ad3a7dab2d569ac52b75b63740c9dcb37cd --- M manifests/webserver.pp M templates/apache/generic_vhost.erb 2 files changed, 22 insertions(+), 10 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/00/106700/1 diff --git a/manifests/webserver.pp b/manifests/webserver.pp index 392a520..426db44 100644 --- a/manifests/webserver.pp +++ b/manifests/webserver.pp @@ -284,10 +284,10 @@ # Parameters: # $aliases=[] - array of ServerAliases # $ssl=false - if true, sets up an ssl certificate for $title - # $certfile=undef - defaults to /etc/ssl/certs/${wildcard_domain}.pem, based on $title - # $certkey=undef- defaults to /etc/ssl/private/${wildcard_domain}.key based on $title + # $certfile=undef - defaults to /etc/ssl/certs/${title}.pem + # $certkey=undef- defaults to /etc/ssl/private/${title}.key # $docroot=undef- defaults to: $title == 'stats.wikimedia.org', then /srv/stats.wikimedia.org - # $custom=[]- custom Apachce config strings to put into virtual host site file + # $custom=[]- custom Apache config strings to put into virtual host site file # $includes=[] # $server_admin=r...@wikimedia.org, # $access_log - path to access log, default: /var/log/apache2/access.log 
@@ -320,13 +320,12 @@ if $ssl in [true, only, redirected] { webserver::apache::module { ssl: } - # If no cert files are defined, assume a wildcart certificate for the domain - $wildcard_domain = regsubst($title, '^[^\.]+', *) + # If no cert files are defined, assume a named certificate for the domain if ! $certfile { - $certfile = /etc/ssl/certs/${wildcard_domain}.pem + $certfile = /etc/ssl/certs/${title}.pem } if ! $certkey { - $certkey = /etc/ssl/private/${wildcard_domain}.key + $certkey = /etc/ssl/private/${title}.key } } diff --git a/templates/apache/generic_vhost.erb b/templates/apache/generic_vhost.erb index a8ea804..86c183b 100644 --- a/templates/apache/generic_vhost.erb +++ b/templates/apache/generic_vhost.erb @@ -1,6 +1,6 @@ # This file is managed by Puppet! -% if ssl != only -% +% if [true, false].include?(ssl) -% VirtualHost *:80 ServerName %= title % % if aliases.length 0 -% @@ -34,13 +34,25 @@ /VirtualHost % end -% +% if ssl == redirected -% +VirtualHost *:80 + ServerName %= title % +% if aliases.length 0 -% + ServerAlias %= aliases.join( ) % +% end -% + ServerAdmin %= server_admin % + + Redirect permanent / https://%= title %/ +/VirtualHost +% else % + % if [true, only, redirected].include?(ssl) -% VirtualHost *:443 ServerName %= title % % if aliases.length 0 -% ServerAlias %= aliases.join( ) % % end -% - ServerAdmin r...@wikimedia.org + ServerAdmin %= server_admin % SSLEngine on SSLProtocol -ALL +SSLv3 +TLSv1 @@ -48,6 +60,7 @@ SSLHonorCipherOrder on SSLCertificateFile %= certfile % SSLCertificateKeyFile %= certkey % + SSLCACertificatePath /etc/ssl/certs DocumentRoot %= docroot % Directory %= docroot % 
@@ -76,4 +89,4 @@ % end -% -# vim: filetype=apache \ No newline at end of file +# vim: filetype=apache -- To view, visit https://gerrit.wikimedia.org/r/106700 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I0c545ad3a7dab2d569ac52b75b63740c9dcb37cd Gerrit-PatchSet: 1 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Faidon Liambotis fai...@wikimedia.org ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
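Review bot: in the webserver.pp hunk, the new default of `/etc/ssl/certs/${title}.pem` and `/etc/ssl/private/${title}.key` inside `if ! $certfile` / `if ! $certkey` silently changes the paths for every existing caller that sets `ssl` without an explicit `certfile`/`certkey`, and this change touches only the two listed files, so no caller is updated here. A vhost that was previously served by the wildcard certificate will now reference a per-name file that may not exist on the host, and mod_ssl fails to initialise when SSLCertificateFile or SSLCertificateKeyFile points at a missing file. Please either pass the wildcard paths explicitly from the callers that still need them (in this same change, so the tree never references a missing file) or say in the commit message that every caller has been checked. The rewritten comment "assume a named certificate for the domain" would also read more clearly as "assume a certificate named after the vhost ($title)".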
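Review bot: the `+% else %` that closes the new `ssl == redirected` block in generic_vhost.erb inverts the intent of the feature. With `else`, the following `% if [true, only, redirected].include?(ssl) -%` and its `VirtualHost *:443` only render when `ssl` is not `redirected`, so a host configured as `redirected` gets a port-80 vhost that sends `Redirect permanent / https://<title>/` and no port-443 vhost to land on. The `if`/`else`/`if` nesting is also left with a single trailing `% end -%` (see the last hunk), so the template no longer balances and will not render at all. This should be `% end -%` after the redirect vhost, leaving the `include?(ssl)` check as its own block.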
[MediaWiki-commits] [Gerrit] webserver::apache: misc SSL fixes - change (operations/puppet)
Faidon Liambotis has submitted this change and it was merged. Change subject: webserver::apache: misc SSL fixes .. webserver::apache: misc SSL fixes - Set ServerAdmin correct on the 443 virtualhost - Support redirected; it was previously a stub - Add SSLCACertificatePath - Remove the defaulting to wildcard certificate support Change-Id: I0c545ad3a7dab2d569ac52b75b63740c9dcb37cd --- M manifests/webserver.pp M templates/apache/generic_vhost.erb 2 files changed, 22 insertions(+), 10 deletions(-) Approvals: Faidon Liambotis: Looks good to me, approved jenkins-bot: Verified diff --git a/manifests/webserver.pp b/manifests/webserver.pp index 392a520..426db44 100644 --- a/manifests/webserver.pp +++ b/manifests/webserver.pp @@ -284,10 +284,10 @@ # Parameters: # $aliases=[] - array of ServerAliases # $ssl=false - if true, sets up an ssl certificate for $title - # $certfile=undef - defaults to /etc/ssl/certs/${wildcard_domain}.pem, based on $title - # $certkey=undef- defaults to /etc/ssl/private/${wildcard_domain}.key based on $title + # $certfile=undef - defaults to /etc/ssl/certs/${title}.pem + # $certkey=undef- defaults to /etc/ssl/private/${title}.key # $docroot=undef- defaults to: $title == 'stats.wikimedia.org', then /srv/stats.wikimedia.org - # $custom=[]- custom Apachce config strings to put into virtual host site file + # $custom=[]- custom Apache config strings to put into virtual host site file # $includes=[] # $server_admin=r...@wikimedia.org, # $access_log - path to access log, default: /var/log/apache2/access.log 
@@ -320,13 +320,12 @@ if $ssl in [true, only, redirected] { webserver::apache::module { ssl: } - # If no cert files are defined, assume a wildcart certificate for the domain - $wildcard_domain = regsubst($title, '^[^\.]+', *) + # If no cert files are defined, assume a named certificate for the domain if ! $certfile { - $certfile = /etc/ssl/certs/${wildcard_domain}.pem + $certfile = /etc/ssl/certs/${title}.pem } if ! $certkey { - $certkey = /etc/ssl/private/${wildcard_domain}.key + $certkey = /etc/ssl/private/${title}.key } } diff --git a/templates/apache/generic_vhost.erb b/templates/apache/generic_vhost.erb index a8ea804..2c66ff6 100644 --- a/templates/apache/generic_vhost.erb +++ b/templates/apache/generic_vhost.erb @@ -1,6 +1,6 @@ # This file is managed by Puppet! -% if ssl != only -% +% if [true, false].include?(ssl) -% VirtualHost *:80 ServerName %= title % % if aliases.length 0 -% @@ -34,13 +34,25 @@ /VirtualHost % end -% +% if ssl == redirected -% +VirtualHost *:80 + ServerName %= title % +% if aliases.length 0 -% + ServerAlias %= aliases.join( ) % +% end -% + ServerAdmin %= server_admin % + + Redirect permanent / https://%= title %/ +/VirtualHost +% end -% + % if [true, only, redirected].include?(ssl) -% VirtualHost *:443 ServerName %= title % % if aliases.length 0 -% ServerAlias %= aliases.join( ) % % end -% - ServerAdmin r...@wikimedia.org + ServerAdmin %= server_admin % SSLEngine on SSLProtocol -ALL +SSLv3 +TLSv1 @@ -48,6 +60,7 @@ SSLHonorCipherOrder on SSLCertificateFile %= certfile % SSLCertificateKeyFile %= certkey % + SSLCACertificatePath /etc/ssl/certs DocumentRoot %= docroot % Directory %= docroot % 
@@ -76,4 +89,4 @@ % end -% -# vim: filetype=apache \ No newline at end of file +# vim: filetype=apache -- To view, visit https://gerrit.wikimedia.org/r/106700 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I0c545ad3a7dab2d569ac52b75b63740c9dcb37cd Gerrit-PatchSet: 2 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Faidon Liambotis fai...@wikimedia.org Gerrit-Reviewer: Faidon Liambotis fai...@wikimedia.org Gerrit-Reviewer: jenkins-bot ___ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
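Review bot: the parameter documentation in the first webserver.pp hunk still says `$ssl=false - if true, sets up an ssl certificate for $title`, but the code a few lines down accepts three non-false values (`true`, `only`, `redirected`) with different behaviour, and this change makes `redirected` functional for the first time. Since this hunk already rewrites the neighbouring `$certfile`/`$certkey` lines, please extend the `$ssl` line to list the three values: `true` serves both :80 and :443, `only` serves :443 alone, `redirected` serves :443 and a :80 vhost that permanently redirects to https://$title/.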
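Review bot: the added `SSLCACertificatePath /etc/ssl/certs` in the generic_vhost.erb hunk has no rationale in the commit message beyond "Add SSLCACertificatePath", and its documented purpose in mod_ssl is the CA set for client-certificate verification (SSLVerifyClient), not serving the server's own intermediate chain. If the intent is to make OpenSSL complete the chain from the system trust store, that is implicit behaviour; SSLCertificateChainFile (or, from Apache 2.4.8, appending the intermediates to SSLCertificateFile) states it explicitly and does not depend on the contents of /etc/ssl/certs. Pointing the directive at the whole system store also means that if any vhost later enables SSLVerifyClient, client certificates from every public CA will be accepted and all of those CA names will be advertised in the CertificateRequest. Two follow-ups visible in the same hunk's unchanged context: `SSLProtocol -ALL +SSLv3 +TLSv1` still enables SSLv3 and does not enable TLSv1.1/TLSv1.2, and now that `redirected` works, the :443 vhost is the natural place for a Strict-Transport-Security header.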