From a576be4197b63b0a9e4c577c2f3abb6cbaad602c Mon Sep 17 00:00:00 2001
From: Marton Kiss
Date: Wed, 19 Nov 2014 21:07:37 +0100
Subject: [PATCH] Enable SSL in groups-dev.openstack.org

Extend the Drupal vhost template with ssl capability, and groups-dev.openstack.org now accepts the following hiera variables for ssl setup:
- groups_dev_site_ssl_cert_file_contents: x509 certificate of vhost in pem format
- groups_dev_site_ssl_key_file_contents: rsa key of x509 certificate in pem format
- groups_dev_site_ssl_chain_file_contents: trusted chain of parent certificates (optional)

This patch is required for proper openstackid/oauth2 backref communication.

Change-Id: Ia148d1db743fc80bcb675c9ca2906333ef62eff8
Implements: blueprint groups-oauth2-authentication
---
 manifests/init.pp | 54 ++++++++++++++++++++++++++++++++++++++
 templates/drupal.vhost.erb | 19 ++++++++++++--
 2 files changed, 71 insertions(+), 2 deletions(-)

diff --git a/manifests/init.pp b/manifests/init.pp
index a081445..3ab1116 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -33,6 +33,15 @@
 # - site_alias: drush site alias name
 # - site_profile: installation profile to deploy
 #
+# SSL configuration:
+# - site_ssl_enabled: true if ssl is enabled (default: false)
+# - site_ssl_cert_file_contents: x509 certificate of vhost in pem format
+# - site_ssl_key_file_contents: rsa key of x509 certificate in pem format
+# - site_ssl_chain_file_contents: root ca's of site ssl cert
+# - site_ssl_cert_file: file path of x509 certificate
+# - site_ssl_key_file: file path of certificate rsa key
+# - site_ssl_chain_file: file path of certificate chain
+#
 # Mysql connection:
 # - mysql_user: mysql user of drupal site
 # - mysql_password: password of site user
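Review bot: The new header documents `site_ssl_chain_file_contents`, but the parameter-list hunk below (`@@ -66,6 +75,12 @@`) adds only `$site_ssl_cert_file_contents` and `$site_ssl_key_file_contents`, while the class-body hunk tests `$site_ssl_chain_file_contents != ''` and the template hunk tests `@site_ssl_chain_file_contents != ''`. With no such parameter the body reference is an undeclared variable (undef, or an error under strict variable checking) and the ERB instance variable is nil, so `nil != ''` holds and `SSLCertificateChainFile <%= @site_ssl_chain_file %>` is emitted with the `''` default path, which Apache is unlikely to be able to open at startup. Add `$site_ssl_chain_file_contents = undef,` next to the other two `*_contents` parameters. The header could also state that `site_ssl_cert_file`, `site_ssl_key_file` and `site_ssl_chain_file` have no usable default and must be supplied whenever `site_ssl_enabled` is true.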
@@ -66,6 +75,12 @@ class drupal (
 $site_create_database = false,
 $site_base_url = false,
 $site_file_owner = 'root',
+ $site_ssl_enabled = false,
+ $site_ssl_cert_file_contents = undef,
+ $site_ssl_key_file_contents = undef,
+ $site_ssl_cert_file = '',
+ $site_ssl_key_file = '',
+ $site_ssl_chain_file = '',
 $package_repository = undef,
 $package_branch = undef,
 $conf_cron_key = undef,
@@ -76,6 +91,45 @@ class drupal (
 include apache
 include pear
+ # ssl certificates
+ if $site_ssl_enabled == true {
+
+ include apache::ssl
+
+ # site x509 certificate
+ if $site_ssl_cert_file_contents != '' {
+ file { $site_ssl_cert_file:
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ content => $site_ssl_cert_file_contents,
+ before => Apache::Vhost[$site_name],
+ }
+ }
+
+ # site ssl key
+ if $site_ssl_key_file_contents != '' {
+ file { $site_ssl_key_file:
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ content => $site_ssl_key_file_contents,
+ before => Apache::Vhost[$site_name],
+ }
+ }
+
+ # site ca certificates file
+ if $site_ssl_chain_file_contents != '' {
+ file { $site_ssl_chain_file:
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ content => $site_ssl_chain_file_contents,
+ before => Apache::Vhost[$site_name],
+ }
+ }
+ }
+
 # setup apache and virtualhosts, enable mod rewrite
 file { $site_vhost_root:
 ensure => directory,
diff --git a/templates/drupal.vhost.erb b/templates/drupal.vhost.erb
index 9f12193..754491a 100644
--- a/templates/drupal.vhost.erb
+++ b/templates/drupal.vhost.erb
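Review bot: The `*_file_contents` parameters default to `undef`, yet hunk `@@ -76,6 +91,45 @@` guards each `file` resource with `!= ''`, so whether an unset certificate is skipped depends on how the Puppet release in use compares `undef` with `''` (Puppet 3 treats them as equal, I believe; Puppet 4 and later do not), and on the not-equal path the resource is declared with the `''` default of `$site_ssl_cert_file` as its title and `undef` as content. A truthiness test sidesteps both issues: `if $site_ssl_cert_file_contents {` (likewise for the key and chain blocks). It would also be worth calling `fail()` when `$site_ssl_enabled` is true but a required path or content is empty, so a half-configured SSL vhost is caught at compile time rather than when Apache refuses to start.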
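Review bot: The three `file` resources are ordered with `before => Apache::Vhost[$site_name]` but nothing notifies the Apache service, so a renewed certificate or key written on a later run lands on disk without httpd re-reading it, and the old certificate keeps being served until something else restarts Apache. Adding a `notify` on the service resource that the included `apache` module declares (its exact name depends on the module version in use) to each of the three resources would close that gap. `mode => '0640'` with `owner => 'root'`/`group => 'root'` is the right choice for the key file, since the parent httpd process loads the key while still running as root; the certificate and chain files are not secret and could be `0644`, but nothing breaks as written. The enclosing `class drupal` starts and ends outside the hunk.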
@@ -3,8 +3,23 @@
 # Managed by Puppet
 # ************************************
-NameVirtualHost <%= @vhost_name %>:<%= @port %>
-:<%= @port %>>
+NameVirtualHost <%= @vhost_name %>:80
+:80>
+<% if @site_ssl_enabled %>
+ ServerName <%= @srvname %>
+ Redirect / https://<%= @srvname %>/
+
+
+NameVirtualHost <%= @vhost_name %>:443
+:443>
+ SSLEngine on
+ SSLProtocol All -SSLv2 -SSLv3
+ SSLCertificateFile <%= @site_ssl_cert_file %>
+ SSLCertificateKeyFile <%= @site_ssl_key_file %>
+<% if @site_ssl_chain_file_contents != '' %>
+ SSLCertificateChainFile <%= @site_ssl_chain_file %>
+<% end %>
+<% end %>
 ServerName <%= @srvname %>
 <% if @serveraliases.is_a? Array -%>
 <% @serveraliases.each do |name| -%><%= " ServerAlias #{name}\n" %><% end -%>