[MediaWiki-commits] [Gerrit] webserver::apache: misc SSL fixes - change (operations/puppet)

2014-01-10 Thread Faidon Liambotis (Code Review)
Faidon Liambotis has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/106700


Change subject: webserver::apache: misc SSL fixes
..

webserver::apache: misc SSL fixes

- Set ServerAdmin correctly on the 443 virtualhost
- Support redirected; it was previously a stub
- Add SSLCACertificatePath
- Remove the defaulting to wildcard certificate support

Change-Id: I0c545ad3a7dab2d569ac52b75b63740c9dcb37cd
---
M manifests/webserver.pp
M templates/apache/generic_vhost.erb
2 files changed, 22 insertions(+), 10 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/00/106700/1

diff --git a/manifests/webserver.pp b/manifests/webserver.pp
index 392a520..426db44 100644
--- a/manifests/webserver.pp
+++ b/manifests/webserver.pp
@@ -284,10 +284,10 @@
# Parameters:
#   $aliases=[]   - array of ServerAliases
#   $ssl=false  - if true, sets up an ssl certificate for 
$title
-   #   $certfile=undef   - defaults to 
/etc/ssl/certs/${wildcard_domain}.pem, based on $title
-   #   $certkey=undef- defaults to 
/etc/ssl/private/${wildcard_domain}.key based on $title
+   #   $certfile=undef   - defaults to /etc/ssl/certs/${title}.pem
+   #   $certkey=undef- defaults to /etc/ssl/private/${title}.key
#   $docroot=undef- defaults to: $title == 
'stats.wikimedia.org', then /srv/stats.wikimedia.org
-   #   $custom=[]- custom Apachce config strings to put into 
virtual host site file
+   #   $custom=[]- custom Apache config strings to put into 
virtual host site file
#   $includes=[]
#   $server_admin=r...@wikimedia.org,
#   $access_log   - path to access log, default: 
/var/log/apache2/access.log
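
Review bot: The `$ssl` parameter comment in this block still reads "if true, sets up an ssl certificate for $title", while the manifest tests `$ssl in [true, only, redirected]` and this change makes `redirected` functional. Document the accepted values (false, true, only, redirected) and what each one renders on ports 80 and 443, alongside the updated `$certfile`/`$certkey` lines.
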
@@ -320,13 +320,12 @@
if $ssl in [true, only, redirected] {
webserver::apache::module { ssl: }

-   # If no cert files are defined, assume a wildcart 
certificate for the domain
-   $wildcard_domain = regsubst($title, '^[^\.]+', *)
+   # If no cert files are defined, assume a named 
certificate for the domain
if ! $certfile {
-   $certfile = 
/etc/ssl/certs/${wildcard_domain}.pem
+   $certfile = /etc/ssl/certs/${title}.pem
}
if ! $certkey {
-   $certkey = 
/etc/ssl/private/${wildcard_domain}.key
+   $certkey = /etc/ssl/private/${title}.key
}
}

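Review bot: Dropping `$wildcard_domain` changes the default for every existing caller that sets `$ssl` without `$certfile`/`$certkey`: they now resolve to `/etc/ssl/certs/${title}.pem` and `/etc/ssl/private/${title}.key`, and nothing in this hunk checks that those files are deployed. Audit the current callers and have the ones that relied on the wildcard pass its paths explicitly, because a vhost pointing at a missing certificate file stops Apache from loading its configuration.
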
diff --git a/templates/apache/generic_vhost.erb 
b/templates/apache/generic_vhost.erb
index a8ea804..86c183b 100644
--- a/templates/apache/generic_vhost.erb
+++ b/templates/apache/generic_vhost.erb
@@ -1,6 +1,6 @@
 # This file is managed by Puppet!
 
-% if ssl != only -%
+% if [true, false].include?(ssl) -%
 VirtualHost *:80
ServerName %= title %
 % if aliases.length  0 -%
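
Review bot: Replacing `ssl != only` with `[true, false].include?(ssl)` turns the port-80 block from a default into an allow-list, so a value outside the four the template tests for (a typo such as `redirect`) now renders no VirtualHost at all and the site silently disappears. Validate `$ssl` in the define and fail the catalog on an unknown value.
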
@@ -34,13 +34,25 @@
 /VirtualHost
 % end -%
 
+% if ssl == redirected -%
+VirtualHost *:80
+   ServerName %= title %
+% if aliases.length  0 -%
+   ServerAlias %= aliases.join( ) %
+% end -%
+   ServerAdmin %= server_admin %
+
+   Redirect permanent / https://%= title %/
+/VirtualHost
+% else %
+
 % if [true, only, redirected].include?(ssl) -%
 VirtualHost *:443
ServerName %= title %
 % if aliases.length  0 -%
ServerAlias %= aliases.join( ) %
 % end -%
-   ServerAdmin r...@wikimedia.org
+   ServerAdmin %= server_admin %
 
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
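
Review bot: The added `% else %` after the redirect block's `/VirtualHost` looks like it should be `% end -%`. As written, the `% if [true, only, redirected].include?(ssl) -%` block for port 443 lands in the else branch of `ssl == redirected`, so `redirected` sends clients to https:// with no 443 VirtualHost to receive them, and the added `if` has no `end` of its own in this hunk.
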
@@ -48,6 +60,7 @@
SSLHonorCipherOrder on
SSLCertificateFile %= certfile %
SSLCertificateKeyFile %= certkey %
+   SSLCACertificatePath /etc/ssl/certs
 
DocumentRoot %= docroot %
Directory %= docroot %
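
Review bot: `SSLCACertificatePath /etc/ssl/certs` is added without a comment saying what it is for. mod_ssl documents this directive as the CA store used to verify client certificates, and the lines shown here enable no client authentication; if the goal is to have intermediates picked up for the server chain, say so in the template (or use SSLCertificateChainFile), and note that the directory must contain hash-named links for the lookup to work.
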
@@ -76,4 +89,4 @@
 % end -%
 
 
-# vim: filetype=apache
\ No newline at end of file
+# vim: filetype=apache

-- 
To view, visit https://gerrit.wikimedia.org/r/106700
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I0c545ad3a7dab2d569ac52b75b63740c9dcb37cd
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis fai...@wikimedia.org

___
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits


[MediaWiki-commits] [Gerrit] webserver::apache: misc SSL fixes - change (operations/puppet)

2014-01-10 Thread Faidon Liambotis (Code Review)
Faidon Liambotis has submitted this change and it was merged.

Change subject: webserver::apache: misc SSL fixes
..


webserver::apache: misc SSL fixes

- Set ServerAdmin correctly on the 443 virtualhost
- Support redirected; it was previously a stub
- Add SSLCACertificatePath
- Remove the defaulting to wildcard certificate support

Change-Id: I0c545ad3a7dab2d569ac52b75b63740c9dcb37cd
---
M manifests/webserver.pp
M templates/apache/generic_vhost.erb
2 files changed, 22 insertions(+), 10 deletions(-)

Approvals:
  Faidon Liambotis: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/manifests/webserver.pp b/manifests/webserver.pp
index 392a520..426db44 100644
--- a/manifests/webserver.pp
+++ b/manifests/webserver.pp
@@ -284,10 +284,10 @@
# Parameters:
#   $aliases=[]   - array of ServerAliases
#   $ssl=false  - if true, sets up an ssl certificate for 
$title
-   #   $certfile=undef   - defaults to 
/etc/ssl/certs/${wildcard_domain}.pem, based on $title
-   #   $certkey=undef- defaults to 
/etc/ssl/private/${wildcard_domain}.key based on $title
+   #   $certfile=undef   - defaults to /etc/ssl/certs/${title}.pem
+   #   $certkey=undef- defaults to /etc/ssl/private/${title}.key
#   $docroot=undef- defaults to: $title == 
'stats.wikimedia.org', then /srv/stats.wikimedia.org
-   #   $custom=[]- custom Apachce config strings to put into 
virtual host site file
+   #   $custom=[]- custom Apache config strings to put into 
virtual host site file
#   $includes=[]
#   $server_admin=r...@wikimedia.org,
#   $access_log   - path to access log, default: 
/var/log/apache2/access.log
@@ -320,13 +320,12 @@
if $ssl in [true, only, redirected] {
webserver::apache::module { ssl: }

-   # If no cert files are defined, assume a wildcart 
certificate for the domain
-   $wildcard_domain = regsubst($title, '^[^\.]+', *)
+   # If no cert files are defined, assume a named 
certificate for the domain
if ! $certfile {
-   $certfile = 
/etc/ssl/certs/${wildcard_domain}.pem
+   $certfile = /etc/ssl/certs/${title}.pem
}
if ! $certkey {
-   $certkey = 
/etc/ssl/private/${wildcard_domain}.key
+   $certkey = /etc/ssl/private/${title}.key
}
}

diff --git a/templates/apache/generic_vhost.erb 
b/templates/apache/generic_vhost.erb
index a8ea804..2c66ff6 100644
--- a/templates/apache/generic_vhost.erb
+++ b/templates/apache/generic_vhost.erb
@@ -1,6 +1,6 @@
 # This file is managed by Puppet!
 
-% if ssl != only -%
+% if [true, false].include?(ssl) -%
 VirtualHost *:80
ServerName %= title %
 % if aliases.length  0 -%
@@ -34,13 +34,25 @@
 /VirtualHost
 % end -%
 
+% if ssl == redirected -%
+VirtualHost *:80
+   ServerName %= title %
+% if aliases.length  0 -%
+   ServerAlias %= aliases.join( ) %
+% end -%
+   ServerAdmin %= server_admin %
+
+   Redirect permanent / https://%= title %/
+/VirtualHost
+% end -%
+
 % if [true, only, redirected].include?(ssl) -%
 VirtualHost *:443
ServerName %= title %
 % if aliases.length  0 -%
ServerAlias %= aliases.join( ) %
 % end -%
-   ServerAdmin r...@wikimedia.org
+   ServerAdmin %= server_admin %
 
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
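
Review bot: The unchanged context line `SSLProtocol -ALL +SSLv3 +TLSv1` is now where every `redirected` site lands, and it limits the vhost to SSLv3 and TLS 1.0. While this change is touching the 443 block, consider dropping `+SSLv3` and enabling the newer TLS versions the installed mod_ssl supports, ideally through a parameter rather than a hard-coded line.
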
@@ -48,6 +60,7 @@
SSLHonorCipherOrder on
SSLCertificateFile %= certfile %
SSLCertificateKeyFile %= certkey %
+   SSLCACertificatePath /etc/ssl/certs
 
DocumentRoot %= docroot %
Directory %= docroot %
@@ -76,4 +89,4 @@
 % end -%
 
 
-# vim: filetype=apache
\ No newline at end of file
+# vim: filetype=apache

-- 
To view, visit https://gerrit.wikimedia.org/r/106700
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I0c545ad3a7dab2d569ac52b75b63740c9dcb37cd
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis fai...@wikimedia.org
Gerrit-Reviewer: Faidon Liambotis fai...@wikimedia.org
Gerrit-Reviewer: jenkins-bot
