(MODULES-10847) Add feature to reload apache service when content of ssl files has changed
timdeluxe committed Jul 2, 2021
1 parent ed0a126 commit 7d7bae1
Showing 10 changed files with 185 additions and 2 deletions.
39 changes: 39 additions & 0 deletions REFERENCE.md
@@ -109,6 +109,7 @@
* `apache::confd::no_accf`: Manages the `no-accf.conf` file.
* `apache::default_confd_files`: Helper for setting up default conf.d files.
* `apache::default_mods`: Installs and congfigures default mods for Apache
* `apache::mod::ssl::reload`: Manages the puppet_ssl folder for ssl file copies, which is needed to track changes for reloading service on changes
* `apache::package`: Installs an Apache MPM.
* `apache::params`: This class manages Apache parameters
* `apache::php`: This class installs PHP for Apache.
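Review bot: the new description for `apache::mod::ssl::reload` is hard to parse ("for ssl file copies, which is needed to track changes for reloading service on changes"). It is generated from the `@summary` in `manifests/mod/ssl/reload.pp`, so reword it there, e.g. "Manages the puppet_ssl directory of SSL file copies used to detect content changes and reload the service", and regenerate REFERENCE.md.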
@@ -206,6 +207,7 @@ The following parameters are available in the `apache` class:
* [`default_ssl_crl_path`](#default_ssl_crl_path)
* [`default_ssl_crl_check`](#default_ssl_crl_check)
* [`default_ssl_key`](#default_ssl_key)
* [`default_ssl_reload_on_change`](#default_ssl_reload_on_change)
* [`default_ssl_vhost`](#default_ssl_vhost)
* [`default_type`](#default_type)
* [`default_vhost`](#default_vhost)
@@ -433,6 +435,14 @@ environment.

Default value: `$apache::params::default_ssl_key`

##### <a name="default_ssl_reload_on_change"></a>`default_ssl_reload_on_change`

Data type: `Boolean`

Enable reloading of apache if the content of ssl files have changed.

Default value: ``false``

##### <a name="default_ssl_vhost"></a>`default_ssl_vhost`

Data type: `Boolean`
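Review bot: grammar in the added description: "if the content of ssl files have changed" should be "has changed" (the subject is "content"). The same sentence is reused for `ssl_reload_on_change` in `apache::mod::ssl` and `apache::vhost` and in the `@param` tags in `init.pp`, `mod/ssl.pp` and `vhost.pp`, so fix the source comments and regenerate. It would also help operators to state what the feature does mechanically: a copy of each referenced SSL file is kept under `puppet_ssl` and a content change in that copy notifies the Apache service.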
@@ -2117,6 +2127,7 @@ The following parameters are available in the `apache::mod::disk_cache` class:

* [`cache_root`](#cache_root)
* [`cache_ignore_headers`](#cache_ignore_headers)
* [`default_cache_enable`](#default_cache_enable)

##### <a name="cache_root"></a>`cache_root`

@@ -2139,6 +2150,16 @@ Specifies HTTP header(s) that should not be stored in the cache.

Default value: ``undef``

##### <a name="default_cache_enable"></a>`default_cache_enable`

Data type: `Boolean`

Default value is true, which enables "CacheEnable disk /" in disk_cache.conf for the webserver. This would cache
every request to apache by default for every vhost. If set to false the default cache all behaviour is supressed.
You can then control this behaviour in individual vhosts by explicitly defining CacheEnable.

Default value: ``true``

### <a name="apachemoddumpio"></a>`apache::mod::dumpio`

Installs and configures `mod_dumpio`.
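Review bot: typo in the added description: "supressed" should be "suppressed", and "the default cache all behaviour" reads better as "the default cache-everything behaviour". As with the previous hunk, this text is generated from the `@param` comment in `manifests/mod/disk_cache.pp`, so the fix belongs there.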
@@ -6357,6 +6378,7 @@ The following parameters are available in the `apache::mod::ssl` class:
* [`ssl_stapling`](#ssl_stapling)
* [`ssl_stapling_return_errors`](#ssl_stapling_return_errors)
* [`ssl_mutex`](#ssl_mutex)
* [`ssl_reload_on_change`](#ssl_reload_on_change)
* [`apache_version`](#apache_version)
* [`package_name`](#package_name)
* [`ssl_sessiontickets`](#ssl_sessiontickets)
@@ -6513,6 +6535,14 @@ Default based on the OS and/or Apache version:

Default value: ``undef``

##### <a name="ssl_reload_on_change"></a>`ssl_reload_on_change`

Data type: `Boolean`

Enable reloading of apache if the content of ssl files have changed.

Default value: ``false``

##### <a name="apache_version"></a>`apache_version`

Data type: `Any`
@@ -7523,6 +7553,7 @@ The following parameters are available in the `apache::vhost` defined type:
* [`ssl_crl`](#ssl_crl)
* [`ssl_crl_check`](#ssl_crl_check)
* [`ssl_certs_dir`](#ssl_certs_dir)
* [`ssl_reload_on_change`](#ssl_reload_on_change)
* [`ssl_protocol`](#ssl_protocol)
* [`ssl_cipher`](#ssl_cipher)
* [`ssl_honorcipherorder`](#ssl_honorcipherorder)
@@ -7918,6 +7949,14 @@ Data type: `Any`

Default value: `$apache::params::ssl_certs_dir`

##### <a name="ssl_reload_on_change"></a>`ssl_reload_on_change`

Data type: `Boolean`



Default value: `$apache::default_ssl_reload_on_change`

##### <a name="ssl_protocol"></a>`ssl_protocol`

Data type: `Any`
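Review bot: the description under `ssl_reload_on_change` for `apache::vhost` is empty (two blank lines between "Data type: `Boolean`" and the default value), although `manifests/vhost.pp` in this commit carries a `@param ssl_reload_on_change` comment. REFERENCE.md was evidently generated before that comment was added; regenerate it so the description appears. Note also that the anchor `ssl_reload_on_change` now occurs twice in the file, so the link from the `apache::vhost` parameter list lands on the `apache::mod::ssl` entry.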
4 changes: 4 additions & 0 deletions manifests/init.pp
@@ -91,6 +91,9 @@
# this parameter with your SSL key's location before deploying this server in a production
# environment.
#
# @param default_ssl_reload_on_change
# Enable reloading of apache if the content of ssl files have changed.
#
# @param default_ssl_vhost
# Configures a default SSL virtual host.
# If `true`, Puppet automatically configures the following virtual host using the
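Review bot: besides the "have changed" grammar, this `@param` text should tell operators the consequence of enabling it: Puppet will keep a copy of every SSL file referenced by `apache::mod::ssl` and by each vhost under `$apache::params::puppet_ssl_dir`, private keys included, so that a content change there notifies `Class['apache::service']`. That is worth stating here in particular, because `default_ssl_reload_on_change` turns the behaviour on for all vhosts at once.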
@@ -472,6 +475,7 @@
$default_ssl_crl_path = undef,
$default_ssl_crl = undef,
$default_ssl_crl_check = undef,
Boolean $default_ssl_reload_on_change = false,
$default_type = 'none',
$dev_packages = $apache::params::dev_packages,
$ip = undef,
40 changes: 40 additions & 0 deletions manifests/mod/ssl.pp
@@ -62,6 +62,9 @@
# - Debian/Ubuntu + Apache >= 2.4: 'default'.
# - Debian/Ubuntu + Apache < 2.4: 'file:${APACHE_RUN_DIR}/ssl_mutex'.
#
# @param ssl_reload_on_change
# Enable reloading of apache if the content of ssl files have changed.
#
# @param apache_version
# Used to verify that the Apache version you have requested is compatible with the module.
#
@@ -97,6 +100,7 @@
Optional[String] $stapling_cache = undef,
Optional[Boolean] $ssl_stapling_return_errors = undef,
$ssl_mutex = undef,
Boolean $ssl_reload_on_change = false,
$apache_version = undef,
$package_name = undef,
) inherits ::apache::params {
@@ -174,6 +178,42 @@
include apache::mod::socache_shmcb
}

if $ssl_reload_on_change {
if $ssl_cert {
include apache::mod::ssl::reload
$_ssl_cert_copy = regsubst($ssl_cert, '/', '_', 'G')
file { $_ssl_cert_copy:
path => "${apache::params::puppet_ssl_dir}/${_ssl_cert_copy}",
source => "file://${ssl_cert}",
mode => '0640',
seltype => 'cert_t',
notify => Class['apache::service'],
}
}
if $ssl_key {
include apache::mod::ssl::reload
$_ssl_key_copy = regsubst($ssl_key, '/', '_', 'G')
file { $_ssl_key_copy:
path => "${apache::params::puppet_ssl_dir}/${_ssl_key_copy}",
source => "file://${ssl_key}",
mode => '0640',
seltype => 'cert_t',
notify => Class['apache::service'],
}
}
if $ssl_ca {
include apache::mod::ssl::reload
$_ssl_ca_copy = regsubst($ssl_ca, '/', '_', 'G')
file { $_ssl_ca_copy:
path => "${apache::params::puppet_ssl_dir}/${_ssl_ca_copy}",
source => "file://${ssl_ca}",
mode => '0640',
seltype => 'cert_t',
notify => Class['apache::service'],
}
}
}

# Template uses
#
# $ssl_compression
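Review bot: the three `if $ssl_cert` / `if $ssl_key` / `if $ssl_ca` blocks are copies of each other; `manifests/vhost.pp` in this same commit already does the job with `[$ssl_cert, $ssl_key, $ssl_ca].each |$ssl_file| { ... }`, so use that form here too to keep the two implementations in sync. Two further points: the copy of the private key under `puppet_ssl_dir` is a second location holding key material, and the resource sets only `mode => '0640'` with no `owner`/`group`, so who can read the copy depends on the defaults; set them explicitly and make sure the parent directory declared in `reload.pp` is not world-readable. Also, the `file` titles here are the bare mangled path (e.g. `_etc_pki_some_path_localhost.crt`, as the unit spec expects) whereas `vhost.pp` prefixes its titles with the vhost name; the bare title is the only thing preventing a duplicate declaration if the same mangled name is declared elsewhere in the catalog, so a comment explaining the naming would help.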
17 changes: 17 additions & 0 deletions manifests/mod/ssl/reload.pp
@@ -0,0 +1,17 @@
# @summary
# Manages the puppet_ssl folder for ssl file copies, which is needed to track changes for reloading service on changes
#
# @api private
class apache::mod::ssl::reload () inherits ::apache::params {
file { $apache::params::puppet_ssl_dir:
ensure => directory,
purge => true,
recurse => true,
require => Package['httpd'],
}
file { 'README.txt':
path => "${apache::params::puppet_ssl_dir}/README.txt",
content => 'This directory contains puppet managed copies of ssl files, so it can track changes and reload apache on changes.',
seltype => 'etc_t',
}
}
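Review bot: the `puppet_ssl_dir` directory will hold copies of private keys, but the `file` resource sets no `owner`, `group` or `mode`, so it gets whatever the defaults and the umask give; set `mode => '0750'` (or stricter) and `owner => 'root'` explicitly. The `README.txt` resource uses the bare title `'README.txt'`, which collides with any other resource of that title in the catalog; use the full path `"${apache::params::puppet_ssl_dir}/README.txt"` as the title and let `path` default. The README text should read "so that Puppet can track changes and reload Apache". Finally, `purge => true, recurse => true` is the right choice so stale copies disappear when a vhost drops a certificate, but it also deletes anything placed in that directory by hand; the README should say so.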
6 changes: 6 additions & 0 deletions manifests/params.pp
@@ -63,6 +63,7 @@
$server_root = "${httpd_root}/etc/httpd"
$conf_dir = "${httpd_dir}/conf"
$confd_dir = "${httpd_dir}/conf.d"
$puppet_ssl_dir = "${httpd_dir}/puppet_ssl"
$mod_dir = $facts['operatingsystemmajrelease'] ? {
'7' => "${httpd_dir}/conf.modules.d",
default => "${httpd_dir}/conf.d",
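Review bot: `$puppet_ssl_dir` is referenced unconditionally by `manifests/mod/ssl.pp` and `manifests/vhost.pp`, so every OS branch in `params.pp` must define it. The hunks below add it to six branches; please confirm no remaining branch (including any `default` case) is missed, otherwise the variable is undef and the path interpolates to `/README.txt`, putting the copies in `/`. Defining it once after the OS-specific blocks as `"${httpd_dir}/puppet_ssl"` would avoid the repetition entirely.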
@@ -169,6 +170,7 @@
$server_root = '/etc/httpd'
$conf_dir = "${httpd_dir}/conf"
$confd_dir = "${httpd_dir}/conf.d"
$puppet_ssl_dir = "${httpd_dir}/puppet_ssl"
$conf_enabled = undef
if $::operatingsystem =~ /^[Aa]mazon$/ and $::operatingsystemmajrelease == '2' {
# Amazon Linux 2 uses the /conf.modules.d/ dir
@@ -343,6 +345,7 @@
$confd_dir = "${httpd_dir}/conf.d"
# Overwrite conf_enabled causes errors with Shibboleth when enabled on Ubuntu 18.04
$conf_enabled = undef #"${httpd_dir}/conf-enabled.d"
$puppet_ssl_dir = "${httpd_dir}/puppet_ssl"
$mod_dir = "${httpd_dir}/mods-available"
$mod_enable_dir = "${httpd_dir}/mods-enabled"
$vhost_dir = "${httpd_dir}/sites-available"
@@ -546,6 +549,7 @@
$conf_dir = $httpd_dir
$confd_dir = "${httpd_dir}/Includes"
$conf_enabled = undef
$puppet_ssl_dir = "${httpd_dir}/puppet_ssl"
$mod_dir = "${httpd_dir}/Modules"
$mod_enable_dir = undef
$vhost_dir = "${httpd_dir}/Vhosts"
@@ -619,6 +623,7 @@
$conf_dir = $httpd_dir
$confd_dir = "${httpd_dir}/conf.d"
$conf_enabled = undef
$puppet_ssl_dir = "${httpd_dir}/puppet_ssl"
$mod_dir = "${httpd_dir}/modules.d"
$mod_enable_dir = undef
$vhost_dir = "${httpd_dir}/vhosts.d"
@@ -689,6 +694,7 @@
$conf_dir = $httpd_dir
$confd_dir = "${httpd_dir}/conf.d"
$conf_enabled = undef
$puppet_ssl_dir = "${httpd_dir}/puppet_ssl"
$mod_dir = "${httpd_dir}/mods-available"
$mod_enable_dir = "${httpd_dir}/mods-enabled"
$vhost_dir = "${httpd_dir}/sites-available"
21 changes: 20 additions & 1 deletion manifests/vhost.pp
@@ -1679,6 +1679,9 @@
# @param ssl_user_name
# Sets the [SSLUserName](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslusername) directive.
#
# @param ssl_reload_on_change
# Enable reloading of apache if the content of ssl files have changed.
#
# @param use_canonical_name
# Specifies whether to use the [`UseCanonicalName directive`](https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname),
# which allows you to configure how the server determines it's own name and port.
@@ -1763,6 +1766,7 @@
$ssl_crl = $apache::default_ssl_crl,
$ssl_crl_check = $apache::default_ssl_crl_check,
$ssl_certs_dir = $apache::params::ssl_certs_dir,
Boolean $ssl_reload_on_change = $apache::default_ssl_reload_on_change,
$ssl_protocol = undef,
$ssl_cipher = undef,
Variant[Boolean, Enum['on', 'On', 'off', 'Off'], Undef] $ssl_honorcipherorder = undef,
@@ -2707,12 +2711,27 @@
# - $ssl_openssl_conf_cmd
# - $ssl_stapling
# - $apache_version
if $ssl {
if $ssl and $ensure == 'present' {
concat::fragment { "${name}-ssl":
target => "${priority_real}$(unknown).conf",
order => 230,
content => template('apache/vhost/_ssl.erb'),
}
if $ssl_reload_on_change {
[$ssl_cert, $ssl_key, $ssl_ca, $ssl_chain, $ssl_crl].each |$ssl_file| {
if $ssl_file {
include apache::mod::ssl::reload
$_ssl_file_copy = regsubst($ssl_file, '/', '_', 'G')
file { "$(unknown)${_ssl_file_copy}":
path => "${apache::params::puppet_ssl_dir}/$(unknown)${_ssl_file_copy}",
source => "file://${ssl_file}",
mode => '0640',
seltype => 'cert_t',
notify => Class['apache::service'],
}
}
}
}
}

# Template uses:
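Review bot: the condition change from `if $ssl` to `if $ssl and $ensure == 'present'` alters behaviour for `ensure => absent` vhosts (no `concat::fragment` is declared for them any more) and is not mentioned in the commit message; it is needed here so that no SSL file copies are managed for an absent vhost, but say so. In the `.each` loop, `$ssl_chain` and `$ssl_crl` are copied too, while `manifests/mod/ssl.pp` only copies cert, key and CA; if that asymmetry is deliberate, document it. As in `ssl.pp`, the private-key copy gets `mode => '0640'` and no explicit `owner`/`group`. The interpolated prefix in the `file` title and `path` is not legible in this rendering, but the title and the path must use the same prefix so that two vhosts sharing one certificate path get distinct resources and distinct copies.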
32 changes: 32 additions & 0 deletions spec/acceptance/apache_ssl_spec.rb
@@ -48,6 +48,17 @@ class { 'apache':

describe 'vhost ssl parameters' do
pp = <<-MANIFEST
file { [
'/tmp/ssl_cert',
'/tmp/ssl_key',
'/tmp/ssl_chain',
'/tmp/ssl_ca',
'/tmp/ssl_crl',
]:
ensure => file,
before => Class['apache']
}
class { 'apache':
service_ensure => stopped,
}
@@ -63,6 +74,7 @@ class { 'apache':
ssl_crl => '/tmp/ssl_crl',
ssl_crl_check => 'chain flag',
ssl_certs_dir => '/tmp',
ssl_reload_on_change => true,
ssl_protocol => 'test',
ssl_cipher => 'test',
ssl_honorcipherorder => true,
@@ -99,6 +111,26 @@ class { 'apache':
it { is_expected.not_to contain 'SSLCARevocationCheck' }
end
end

describe file("#{apache_hash['httpd_dir']}/puppet_ssl/test_ssl_tmp_ssl_cert") do
it { is_expected.to be_file }
end

describe file("#{apache_hash['httpd_dir']}/puppet_ssl/test_ssl_tmp_ssl_key") do
it { is_expected.to be_file }
end

describe file("#{apache_hash['httpd_dir']}/puppet_ssl/test_ssl_tmp_ssl_chain") do
it { is_expected.to be_file }
end

describe file("#{apache_hash['httpd_dir']}/puppet_ssl/test_ssl_tmp_ssl_ca") do
it { is_expected.to be_file }
end

describe file("#{apache_hash['httpd_dir']}/puppet_ssl/test_ssl_tmp_ssl_crl") do
it { is_expected.to be_file }
end
end

describe 'vhost ssl ssl_ca only' do
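Review bot: the new `describe file(...)` blocks only assert that the five copies exist; they neither exercise the feature (that rewriting `/tmp/ssl_cert` on a second apply refreshes the Apache service) nor check the `0640` mode. Add `it { is_expected.to be_mode 640 }` to at least one block and, ideally, a second apply that changes the content of `/tmp/ssl_cert` and asserts on the resulting change. The copy names `test_ssl_tmp_ssl_cert` also pin both the vhost name `test_ssl` and the prefix format, which is fine but deserves a comment in the spec.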
12 changes: 12 additions & 0 deletions spec/classes/mod/ssl_spec.rb
@@ -127,6 +127,18 @@
it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLCACertificateFile}) }
end

context 'setting ssl_cert with reload' do
let :params do
{
ssl_cert: '/etc/pki/some/path/localhost.crt',
ssl_reload_on_change: true,
}
end

it { is_expected.to contain_file('ssl.conf').with_content(%r{^ SSLCertificateFile}) }
it { is_expected.to contain_file('_etc_pki_some_path_localhost.crt') }
end

context 'with Apache version < 2.4 - ssl_compression with default value' do
let :params do
{
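Review bot: the `contain_file('_etc_pki_some_path_localhost.crt')` assertion should also check the attributes that make the feature work, e.g. `.with(source: 'file:///etc/pki/some/path/localhost.crt', mode: '0640').that_notifies('Class[apache::service]')`, and a companion context with `ssl_reload_on_change` left at its default should assert `is_expected.not_to contain_class('apache::mod::ssl::reload')`, so the opt-in default is covered as well.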

0 comments on commit 7d7bae1