Enable SSL in groups-dev.openstack.org
Extend the Drupal vhost template with ssl capability, and groups-dev.openstack.org now accepts the following hiera variables for ssl setup: - groups_dev_site_ssl_cert_file_contents: x509 certificate of vhost in pem format - groups_dev_site_ssl_key_file_contents: rsa key of x509 certificate in pem format - groups_dev_site_ssl_chain_file_contents: trusted chain of parent certificates (optional) This patch is required for proper openstackid/oauth2 backref communication. Change-Id: Ia148d1db743fc80bcb675c9ca2906333ef62eff8 Implements: blueprint groups-oauth2-authentication
parent
e3f6a0534e
commit
a576be4197
|
@ -33,6 +33,15 @@
|
|||
# - site_alias: drush site alias name
|
||||
# - site_profile: installation profile to deploy
|
||||
#
|
||||
# SSL configuration:
|
||||
# - site_ssl_enabled: true if ssl is enabled (default: false)
|
||||
# - site_ssl_cert_file_contents: x509 certificate of vhost in pem format
|
||||
# - site_ssl_key_file_contents: rsa key of x509 certificate in pem format
|
||||
# - site_ssl_chain_file_contents: root ca's of site ssl cert
|
||||
# - site_ssl_cert_file: file path of x509 certificate
|
||||
# - site_ssl_key_file: file path of certificate rsa key
|
||||
# - site_ssl_chain_file: file path of certificate chain
|
||||
#
|
||||
# Mysql connection:
|
||||
# - mysql_user: mysql user of drupal site
|
||||
# - mysql_password: password of site user
|
||||
|
@ -66,6 +75,12 @@ class drupal (
|
|||
$site_create_database = false,
|
||||
$site_base_url = false,
|
||||
$site_file_owner = 'root',
|
||||
$site_ssl_enabled = false,
|
||||
$site_ssl_cert_file_contents = undef,
|
||||
$site_ssl_key_file_contents = undef,
|
||||
$site_ssl_cert_file = '',
|
||||
$site_ssl_key_file = '',
|
||||
$site_ssl_chain_file = '',
|
||||
$package_repository = undef,
|
||||
$package_branch = undef,
|
||||
$conf_cron_key = undef,
|
||||
|
@ -76,6 +91,45 @@ class drupal (
|
|||
include apache
|
||||
include pear
|
||||
|
||||
# ssl certificates
|
||||
if $site_ssl_enabled == true {
|
||||
|
||||
include apache::ssl
|
||||
|
||||
# site x509 certificate
|
||||
if $site_ssl_cert_file_contents != '' {
|
||||
file { $site_ssl_cert_file:
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0640',
|
||||
content => $site_ssl_cert_file_contents,
|
||||
before => Apache::Vhost[$site_name],
|
||||
}
|
||||
}
|
||||
|
||||
# site ssl key
|
||||
if $site_ssl_key_file_contents != '' {
|
||||
file { $site_ssl_key_file:
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0640',
|
||||
content => $site_ssl_key_file_contents,
|
||||
before => Apache::Vhost[$site_name],
|
||||
}
|
||||
}
|
||||
|
||||
# site ca certificates file
|
||||
if $site_ssl_chain_file_contents != '' {
|
||||
file { $site_ssl_chain_file:
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0640',
|
||||
content => $site_ssl_chain_file_contents,
|
||||
before => Apache::Vhost[$site_name],
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# setup apache and virtualhosts, enable mod rewrite
|
||||
file { $site_vhost_root:
|
||||
ensure => directory,
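Review bot: The three `!= ''` guards in the ssl block do not match the declared defaults: `$site_ssl_cert_file_contents` and `$site_ssl_key_file_contents` default to `undef`, and `$site_ssl_chain_file_contents` is tested here but is not among the parameters the earlier hunk adds to `class drupal`. How `undef` compares with `''` differs between Puppet versions, so a missing hiera value may either skip the file silently or try to manage a `file { '': }` resource with the empty default path. I would declare `$site_ssl_chain_file_contents = '',`, give the cert and key contents the same `''` default, and fail early when `$site_ssl_enabled` is true and the cert or key path is empty. For the private key resource, consider `mode => '0600'` and `show_diff => false` so the key material is not group-readable and is not echoed into agent logs or reports. The class body continues outside the hunk.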
|
||||
|
|
|
@ -3,8 +3,23 @@
|
|||
# Managed by Puppet
|
||||
# ************************************
|
||||
|
||||
NameVirtualHost <%= @vhost_name %>:<%= @port %>
|
||||
<VirtualHost <%= @vhost_name %>:<%= @port %>>
|
||||
NameVirtualHost <%= @vhost_name %>:80
|
||||
<VirtualHost <%= @vhost_name %>:80>
|
||||
<% if @site_ssl_enabled %>
|
||||
ServerName <%= @srvname %>
|
||||
Redirect / https://<%= @srvname %>/
|
||||
</VirtualHost>
|
||||
|
||||
NameVirtualHost <%= @vhost_name %>:443
|
||||
<VirtualHost <%= @vhost_name %>:443>
|
||||
SSLEngine on
|
||||
SSLProtocol All -SSLv2 -SSLv3
|
||||
SSLCertificateFile <%= @site_ssl_cert_file %>
|
||||
SSLCertificateKeyFile <%= @site_ssl_key_file %>
|
||||
<% if @site_ssl_chain_file_contents != '' %>
|
||||
SSLCertificateChainFile <%= @site_ssl_chain_file %>
|
||||
<% end %>
|
||||
<% end %>
|
||||
ServerName <%= @srvname %>
|
||||
<% if @serveraliases.is_a? Array -%>
|
||||
<% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>
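Review bot: The chain-file guard `<% if @site_ssl_chain_file_contents != '' %>` tests the certificate contents while the directive it protects prints the path. If the contents variable is unset it is nil in ERB, the test passes, and `SSLCertificateChainFile` may be written with an empty path, which Apache would likely reject at startup; guarding on the path, `<% if @site_ssl_chain_file and @site_ssl_chain_file != '' %>`, avoids that. Separately, `SSLProtocol All -SSLv2 -SSLv3` still leaves the early TLS versions enabled and no `SSLCipherSuite` or `SSLHonorCipherOrder` is set, so the vhost relies on the server-wide cipher defaults; worth pinning these if client compatibility allows. The plain-HTTP vhost also appears to hard-code port 80 where the replaced lines used `<%= @port %>`. The vhost block continues outside the hunk.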
|
||||
|
|