diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 000000000..5bb969e45 --- /dev/null +++ b/.gitattributes @@ -0,0 +1 @@ +*.pp linguist-language=Puppet diff --git a/.gitignore b/.gitignore index fa054403f..ba372e093 100644 --- a/.gitignore +++ b/.gitignore @@ -1,9 +1,10 @@ files/server_test.crt files/server_test.pem pkg/ -pkg/ +log/ Gemfile.lock spec/fixtures/modules spec/fixtures/manifests vendor .ruby-version +.vagrant/ diff --git a/.nodeset.yml b/.nodeset.yml deleted file mode 100644 index 767f9cd2f..000000000 --- a/.nodeset.yml +++ /dev/null @@ -1,31 +0,0 @@ ---- -default_set: 'centos-64-x64' -sets: - 'centos-59-x64': - nodes: - "main.foo.vm": - prefab: 'centos-59-x64' - 'centos-64-x64': - nodes: - "main.foo.vm": - prefab: 'centos-64-x64' - 'fedora-18-x64': - nodes: - "main.foo.vm": - prefab: 'fedora-18-x64' - 'debian-607-x64': - nodes: - "main.foo.vm": - prefab: 'debian-607-x64' - 'debian-70rc1-x64': - nodes: - "main.foo.vm": - prefab: 'debian-70rc1-x64' - 'ubuntu-server-10044-x64': - nodes: - "main.foo.vm": - prefab: 'ubuntu-server-10044-x64' - 'ubuntu-server-12042-x64': - nodes: - "main.foo.vm": - prefab: 'ubuntu-server-12042-x64' diff --git a/.travis.yml b/.travis.yml index 520e4893f..b9a55ab5e 100644 --- a/.travis.yml +++ b/.travis.yml @@ -10,10 +10,6 @@ bundler_args: --without rake matrix: fast_finish: true include: - - rvm: 1.8.7 - env: PUPPET_GEM_VERSION="~> 2.7.0" - - rvm: 1.8.7 - env: PUPPET_GEM_VERSION="~> 3.0" - rvm: 1.9.3 env: PUPPET_GEM_VERSION="~> 3.0" - rvm: 2.0.0 @@ -21,13 +17,6 @@ matrix: - rvm: 2.1.0 env: PUPPET_GEM_VERSION="~> 3.0" - rvm: 2.1.0 - env: PUPPET_GEM_VERSION="~> 3.5.0" FUTURE_PARSER="yes" - allow_failures: - - rvm: 1.8.7 - env: PUPPET_GEM_VERSION="~> 2.7.0" - - rvm: 1.8.7 - env: PUPPET_GEM_VERSION="~> 3.0" - - rvm: 2.1.0 - env: PUPPET_GEM_VERSION="~> 3.5.0" FUTURE_PARSER="yes" + env: PUPPET_GEM_VERSION="~> 4.0" notifications: - email: false + email: false 
diff --git a/Gemfile b/Gemfile index 2c081b88a..42468eb1c 100644 --- a/Gemfile +++ b/Gemfile @@ -7,14 +7,14 @@ end group :rake, :test do gem 'puppetlabs_spec_helper', '>=0.8.2', :require => false gem 'puppet-blacksmith', :require => false - gem 'rspec-system-puppet', :require => false + gem 'beaker', :require => false + gem 'beaker-rspec', :require => false end group :rake do - gem 'rspec-puppet', '~>1.0' + gem 'rspec-puppet', '>=2.1.0', :require => false gem 'rake', '>=0.9.2.2' gem 'puppet-lint', '>=1.0.1' - gem 'rspec-system-serverspec', :require => false end if puppetversion = ENV['PUPPET_GEM_VERSION'] diff --git a/README.markdown b/README.markdown index 32ef21cd7..d7ead8bca 100644 --- a/README.markdown +++ b/README.markdown @@ -5,6 +5,8 @@ maintenance. Please take a look at [https://github.com/jfryman/puppet-nginx/blob/master/docs/hiera.md](https://github.com/jfryman/puppet-nginx/blob/master/docs/hiera.md) before upgrading or installing Version 0.1.0 or greater. +[![Puppet +Forge](http://img.shields.io/puppetforge/v/jfryman/nginx.svg)](https://forge.puppetlabs.com/jfryman/nginx) [![Build Status](https://travis-ci.org/jfryman/puppet-nginx.png)](https://travis-ci.org/jfryman/puppet-nginx) @@ -115,6 +117,7 @@ nginx::nginx_locations: 'static': location: '~ "^/static/[0-9a-fA-F]{8}\/(.*)$"' vhost: www.puppetlabs.com + www_root: /var/www/html 'userContent': location: /userContent vhost: www.puppetlabs.com @@ -130,8 +133,9 @@ nginx::nginx_mailhosts: ## Nginx with precompiled Passenger -Currently this works only for Debian family. +Currently this works only for Debian family and OpenBSD. +On Debian it might look like: ```puppet class { 'nginx': package_source => 'passenger', 
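Review bot: The two added gems, `gem 'beaker'` and `gem 'beaker-rspec'`, carry no version constraint, and `rspec-puppet` moves from `~>1.0` to the open-ended `>=2.1.0`. Because `Gemfile.lock` is listed in `.gitignore`, every CI run and checkout resolves whatever release is newest at that moment, so a breaking or tampered release of a test dependency is picked up without any change in this repository. I would bound each one with a pessimistic constraint for the series that was actually tested, for example `gem 'beaker', '~> <TESTED_VERSION>', :require => false`.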
@@ -141,6 +145,20 @@ class { 'nginx': } ``` +Here the example for OpenBSD: + +```puppet +class { 'nginx': + package_flavor => 'passenger', + service_flags => '-u' + http_cfg_append => { + passenger_root => '/usr/local/lib/ruby/gems/2.1/gems/passenger-4.0.44', + passenger_ruby => '/usr/local/bin/ruby21', + passenger_max_pool_size => '15', + } +} +``` + Package source `passenger` will add [Phusion Passenger repository](https://oss-binaries.phusionpassenger.com/apt/passenger) to APT sources. For each virtual host you should specify which ruby should be used. diff --git a/Rakefile b/Rakefile index 1878335b3..fb137be36 100644 --- a/Rakefile +++ b/Rakefile @@ -7,11 +7,10 @@ CLOBBER.include('.tmp', '.librarian') require 'puppetlabs_spec_helper/rake_tasks' require 'puppet_blacksmith/rake_tasks' -require 'rspec-system/rake_task' task :default => [:clean, :spec] -PuppetLint.configuration.fail_on_warnings +PuppetLint.configuration.fail_on_warnings = true PuppetLint.configuration.send('relative') PuppetLint.configuration.send('disable_80chars') PuppetLint.configuration.send('disable_class_inherits_from_params_class') diff --git a/manifests/config.pp b/manifests/config.pp index 45c1f86d1..af05844f4 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -62,6 +62,7 @@ $multi_accept = 'off', $names_hash_bucket_size = '64', $names_hash_max_size = '512', + $nginx_cfg_prepend = false, $proxy_buffers = '32 4k', $proxy_buffer_size = '8k', $proxy_cache_inactive = '20m', @@ -93,7 +94,7 @@ ) inherits ::nginx::params { ### Validations ### - if (!is_string($worker_processes)) and (!is_integer($worker_processes)) { + if ($worker_processes != 'auto') and (!is_integer($worker_processes)) { fail('$worker_processes must be an integer or have value "auto".') } if (!is_integer($worker_connections)) { 
@@ -151,6 +152,12 @@ } } + if ($nginx_cfg_prepend != false) { + if !(is_hash($nginx_cfg_prepend) or is_array($nginx_cfg_prepend)) { + fail('$nginx_cfg_prepend must be either a hash or array') + } + } + validate_string($nginx_error_log) validate_string($http_access_log) validate_string($proxy_headers_hash_bucket_size) diff --git a/manifests/init.pp b/manifests/init.pp index 66e42e90d..311583ab8 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -102,12 +102,14 @@ $package_ensure = present, $package_name = $::nginx::params::package_name, $package_source = 'nginx', + $package_flavor = undef, $manage_repo = $::nginx::params::manage_repo, ### END Package Configuration ### ### START Service Configuation ### $configtest_enable = false, $service_ensure = running, + $service_flags = undef, $service_restart = '/etc/init.d/nginx configtest && /etc/init.d/nginx restart', $service_name = undef, ### END Service Configuration ### @@ -210,6 +212,7 @@ package_name => $package_name, package_source => $package_source, package_ensure => $package_ensure, + package_flavor => $package_flavor, notify => Class['::nginx::service'], manage_repo => $manage_repo, } 
@@ -281,24 +284,24 @@ sites_available_owner => $sites_available_owner, sites_available_group => $sites_available_group, sites_available_mode => $sites_available_mode, - require => Class['::nginx::package'], - notify => Class['::nginx::service'], } } + Class['::nginx::package'] -> Class['::nginx::config'] ~> Class['::nginx::service'] class { '::nginx::service': configtest_enable => $configtest_enable, service_ensure => $service_ensure, service_restart => $service_restart, service_name => $service_name, + service_flags => $service_flags, } - create_resources('::nginx::resource::upstream', $nginx_upstreams) - create_resources('::nginx::resource::vhost', $nginx_vhosts, $nginx_vhosts_defaults) - create_resources('::nginx::resource::location', $nginx_locations) - create_resources('::nginx::resource::mailhost', $nginx_mailhosts) - create_resources('::nginx::resource::map', $string_mappings) - create_resources('::nginx::resource::geo', $geo_mappings) + create_resources('nginx::resource::upstream', $nginx_upstreams) + create_resources('nginx::resource::vhost', $nginx_vhosts, $nginx_vhosts_defaults) + create_resources('nginx::resource::location', $nginx_locations) + create_resources('nginx::resource::mailhost', $nginx_mailhosts) + create_resources('nginx::resource::map', $string_mappings) + create_resources('nginx::resource::geo', $geo_mappings) # Allow the end user to establish relationships to the "main" class # and preserve the relationship to the implementation classes through diff --git a/manifests/package.pp b/manifests/package.pp index 6c76032ca..fd44d7eac 100644 --- a/manifests/package.pp +++ b/manifests/package.pp @@ -17,6 +17,7 @@ $package_name = $::nginx::params::package_name, $package_source = 'nginx', $package_ensure = 'present', + $package_flavor = undef, $manage_repo = $::nginx::params::manage_repo, ) inherits ::nginx::params { 
@@ -57,8 +58,14 @@ source => $package_source, } } + 'OpenBSD': { + package { $package_name: + ensure => $package_ensure, + flavor => $package_flavor, + } + } default: { - package { 'nginx': + package { $package_name: ensure => $package_ensure, } } diff --git a/manifests/package/debian.pp b/manifests/package/debian.pp index 5f06921dc..d6beb3e39 100644 --- a/manifests/package/debian.pp +++ b/manifests/package/debian.pp @@ -34,34 +34,35 @@ case $package_source { 'nginx', 'nginx-stable': { apt::source { 'nginx': - location => "http://nginx.org/packages/${distro}", - repos => 'nginx', - key => '7BD9BF62', - key_source => 'http://nginx.org/keys/nginx_signing.key', + location => "http://nginx.org/packages/${distro}", + repos => 'nginx', + key => '573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62', } } 'nginx-mainline': { apt::source { 'nginx': - location => "http://nginx.org/packages/mainline/${distro}", - repos => 'nginx', - key => '7BD9BF62', - key_source => 'http://nginx.org/keys/nginx_signing.key', + location => "http://nginx.org/packages/mainline/${distro}", + repos => 'nginx', + key => '573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62', } } 'passenger': { apt::source { 'nginx': - location => 'https://oss-binaries.phusionpassenger.com/apt/passenger', - repos => 'main', - key => '561F9B9CAC40B2F7', - key_source => 'https://oss-binaries.phusionpassenger.com/auto-software-signing-gpg-key.txt', - required_packages => 'apt-transport-https ca-certificates', + location => 'https://oss-binaries.phusionpassenger.com/apt/passenger', + repos => 'main', + key => '16378A33A6EF16762922526E561F9B9CAC40B2F7', + } + + package { ['apt-transport-https', 'ca-certificates']: + ensure => 'present', + before => Apt::Source['nginx'], } package { 'passenger': ensure => 'present', require => Exec['apt_update'], } - + if $package_name != 'nginx-extras' { warning('You must set $package_name to "nginx-extras" to enable Passenger') } 
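Review bot: In the `'passenger'` branch of manifests/package/debian.pp, `package { ['apt-transport-https', 'ca-certificates']: ... }` declares two very common packages as plain resources, so a catalog that already manages either of them elsewhere fails to compile with a duplicate declaration. stdlib is already a dependency, so `ensure_packages(['apt-transport-https', 'ca-certificates'])` followed by `Package['apt-transport-https'] -> Apt::Source['nginx']` keeps the ordering without claiming sole ownership. Pinning `key` to the full 40-character fingerprint is the right change. With `key_source` dropped, the key is presumably fetched from the apt module's default keyserver, which deserves a README line for hosts without outbound keyserver access.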
diff --git a/manifests/package/redhat.pp b/manifests/package/redhat.pp index 5c95a3684..2b11716e7 100644 --- a/manifests/package/redhat.pp +++ b/manifests/package/redhat.pp @@ -39,7 +39,7 @@ gpgcheck => '1', priority => '1', gpgkey => 'http://nginx.org/keys/nginx_signing.key', - before => Package[$package_name], + before => Package['nginx'], } } 'nginx-mainline': { @@ -50,7 +50,7 @@ gpgcheck => '1', priority => '1', gpgkey => 'http://nginx.org/keys/nginx_signing.key', - before => Package[$package_name], + before => Package['nginx'], } } default: { diff --git a/manifests/params.pp b/manifests/params.pp index a9673be5d..3eb85d950 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -20,7 +20,7 @@ } 'Debian': { if ($::operatingsystem == 'ubuntu' and $::lsbdistcodename in ['lucid', 'precise', 'trusty']) - or ($::operatingsystem == 'debian' and $::operatingsystemmajrelease in ['6', '7']) { + or ($::operatingsystem == 'debian' and $::operatingsystemmajrelease in ['6', '7', '8']) { $_module_os_overrides = { 'manage_repo' => true, 'daemon_user' => 'www-data', diff --git a/manifests/resource/geo.pp b/manifests/resource/geo.pp index bd5af49ac..0fd9de39d 100644 --- a/manifests/resource/geo.pp +++ b/manifests/resource/geo.pp @@ -38,7 +38,7 @@ # # Sample Hiera usage: # -# nginx::geos: +# nginx::geo_mappings: # client_network: # ensure: present # ranges: false diff --git a/manifests/resource/location.pp b/manifests/resource/location.pp index 1ecbd21c3..3b5313a72 100644 --- a/manifests/resource/location.pp +++ b/manifests/resource/location.pp 
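Review bot: Both hunks in manifests/package/redhat.pp replace `before => Package[$package_name]` with the literal `before => Package['nginx']`, while the same commit changes the default branch of manifests/package.pp the other way, to `package { $package_name:`. The package resource in redhat.pp sits outside these hunks, but if it is titled by `$package_name`, any caller that overrides the package name gets an unresolvable relationship and the catalog fails; the reference should use whatever title the package declaration uses. Separately, the unchanged `gpgkey => 'http://nginx.org/keys/nginx_signing.key'` lines fetch the key that `gpgcheck` then trusts over cleartext HTTP. The Debian side of this commit moved to pinned fingerprints, and the yum repos deserve at least `gpgkey => 'https://nginx.org/keys/nginx_signing.key'`.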
@@ -36,6 +36,8 @@ # [*fastcgi_script*] - optional SCRIPT_FILE parameter # [*fastcgi_split_path*] - Allows settings of fastcgi_split_path_info so # that you can split the script_name and path_info via regex +# [*uwsgi*] - location of uwsgi (host:port) +# [*uwsgi_params*] - optional alternative uwsgi_params file to use # [*ssl*] - Indicates whether to setup SSL bindings for # this location. # [*ssl_only*] - Required if the SSL and normal vHost have the @@ -145,6 +147,8 @@ $fastcgi_params = "${::nginx::config::conf_dir}/fastcgi_params", $fastcgi_script = undef, $fastcgi_split_path = undef, + $uwsgi = undef, + $uwsgi_params = "${nginx::config::conf_dir}/uwsgi_params", $ssl = false, $ssl_only = false, $location_alias = undef, @@ -217,6 +221,10 @@ if ($fastcgi_split_path != undef) { validate_string($fastcgi_split_path) } + if ($uwsgi != undef) { + validate_string($uwsgi) + } + validate_string($uwsgi_params) validate_bool($internal) 
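Review bot: The new default `$uwsgi_params = "${nginx::config::conf_dir}/uwsgi_params"` in hunk `@@ -145,6 +147,8 @@` drops the leading `::` that the neighbouring `$fastcgi_params = "${::nginx::config::conf_dir}/fastcgi_params"` uses. Write it as `"${::nginx::config::conf_dir}/uwsgi_params"` so the variable is resolved from top scope like the fastcgi default two lines above it. The same default is added to manifests/resource/vhost.pp in hunk `@@ -188,6 +200,8 @@` and should be changed the same way.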
@@ -298,28 +306,29 @@ default => file, } - $vhost_sanitized = regsubst($vhost, ' ', '_', 'G') - $config_file = "${::nginx::config::conf_dir}/sites-available/${vhost_sanitized}.conf" - - $location_sanitized_tmp = regsubst($location, '\/', '_', 'G') - $location_sanitized = regsubst($location_sanitized_tmp, '\\\\', '_', 'G') - ## Check for various error conditions if ($vhost == undef) { fail('Cannot create a location reference without attaching to a virtual host') } - if (($www_root == undef) and ($proxy == undef) and ($location_alias == undef) and ($stub_status == undef) and ($fastcgi == undef) and ($location_custom_cfg == undef) and ($internal == false)) { - fail('Cannot create a location reference without a www_root, proxy, location_alias, fastcgi, stub_status, internal, or location_custom_cfg defined') + if (($www_root == undef) and ($proxy == undef) and ($location_alias == undef) and ($stub_status == undef) and ($fastcgi == undef) and ($uwsgi == undef) and ($location_custom_cfg == undef) and ($internal == false)) { + fail('Cannot create a location reference without a www_root, proxy, location_alias, fastcgi, uwsgi, stub_status, internal, or location_custom_cfg defined') } if (($www_root != undef) and ($proxy != undef)) { fail('Cannot define both directory and proxy in a virtual host') } + # Use proxy, fastcgi or uwsgi template if $proxy is defined, otherwise use directory template. # fastcgi_script is deprecated if ($fastcgi_script != undef) { warning('The $fastcgi_script parameter is deprecated; please use $fastcgi_param instead to define custom fastcgi_params!') } + $vhost_sanitized = regsubst($vhost, ' ', '_', 'G') + $config_file = "${::nginx::config::conf_dir}/sites-available/${vhost_sanitized}.conf" + + $location_sanitized_tmp = regsubst($location, '\/', '_', 'G') + $location_sanitized = regsubst($location_sanitized_tmp, '\\\\', '_', 'G') + # Use proxy or fastcgi template if $proxy is defined, otherwise use directory template. 
if ($proxy != undef) { $content_real = template('nginx/vhost/locations/proxy.erb') @@ -329,6 +338,8 @@ $content_real = template('nginx/vhost/locations/stub_status.erb') } elsif ($fastcgi != undef) { $content_real = template('nginx/vhost/locations/fastcgi.erb') + } elsif ($uwsgi != undef) { + $content_real = template('nginx/vhost/locations/uwsgi.erb') } elsif ($www_root != undef) { $content_real = template('nginx/vhost/locations/directory.erb') } else { @@ -343,12 +354,20 @@ } } + if $ensure == present and $uwsgi != undef and !defined(File[$uwsgi_params]) { + file { $uwsgi_params: + ensure => present, + mode => '0770', + content => template('nginx/vhost/uwsgi_params.erb'), + } + } + + ## Create stubs for vHost File Fragment Pattern if ($ssl_only != true) { $tmpFile=md5("${vhost_sanitized}-${priority}-${location_sanitized}") concat::fragment { $tmpFile: - ensure => $ensure, target => $config_file, content => join([ template('nginx/vhost/location_header.erb'), @@ -365,7 +384,6 @@ $sslTmpFile=md5("${vhost_sanitized}-${ssl_priority}-${location_sanitized}-ssl") concat::fragment { $sslTmpFile: - ensure => $ensure, target => $config_file, content => join([ template('nginx/vhost/location_header.erb'), @@ -375,13 +393,4 @@ order => $ssl_priority, } } - - if ($auth_basic_user_file != undef) { - #Generate htpasswd with provided file-locations - file { "${::nginx::config::conf_dir}/${location_sanitized}_htpasswd": - ensure => $ensure_real, - mode => '0644', - source => $auth_basic_user_file, - } - } } diff --git a/manifests/resource/mailhost.pp b/manifests/resource/mailhost.pp index 51e8d3986..2fb44a83f 100644 --- a/manifests/resource/mailhost.pp +++ b/manifests/resource/mailhost.pp 
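Review bot: The added comment `# Use proxy, fastcgi or uwsgi template if $proxy is defined, otherwise use directory template.` lands above the `$fastcgi_script` deprecation warning rather than above the template selection it describes, and the old `# Use proxy or fastcgi template ...` comment is left untouched directly before the `if ($proxy != undef)` chain. I would drop the added line and update the existing comment in place, e.g. `# Select the location template; the first branch that matches wins (proxy first, fastcgi before uwsgi before www_root).` The `if`/`elsif` chain itself continues in the next hunk.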
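Review bot: The new `file { $uwsgi_params: ... }` in hunk `@@ -343,12 +354,20 @@` sets `mode => '0770'` and no `owner` or `group`. A parameters file that nginx only reads needs neither execute nor group-write bits, and as written anyone in the file's group can change what is passed to the uWSGI backend; `mode => '0644',` with an explicit `owner` and `group` is enough. The same resource is added in manifests/resource/vhost.pp, hunk `@@ -542,9 +582,16 @@`, and should get the same fix. Both places guard with `!defined(File[$uwsgi_params])`, which depends on evaluation order, so consider `ensure_resource('file', $uwsgi_params, { ... })` in both so the two declarations cannot diverge.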
@@ -74,12 +74,16 @@ } validate_re($ensure, '^(present|absent)$', "${ensure} is not supported for ensure. Allowed values are 'present' and 'absent'.") - validate_string($listen_ip) + if !(is_array($listen_ip) or is_string($listen_ip)) { + fail('$listen_ip must be a string or array.') + } if ($listen_options != undef) { validate_string($listen_options) } validate_bool($ipv6_enable) - validate_string($ipv6_listen_ip) + if !(is_array($ipv6_listen_ip) or is_string($ipv6_listen_ip)) { + fail('$ipv6_listen_ip must be a string or array.') + } if !is_integer($ipv6_listen_port) { fail('$ipv6_listen_port must be an integer.') } @@ -129,7 +133,6 @@ if ($listen_port != $ssl_port) { concat::fragment { "${name}-header": - ensure => present, target => $config_file, content => template('nginx/mailhost/mailhost.erb'), order => '001', @@ -139,7 +142,6 @@ # Create SSL File Stubs if SSL is enabled if ($ssl) { concat::fragment { "${name}-ssl": - ensure => present, target => $config_file, content => template('nginx/mailhost/mailhost_ssl.erb'), order => '700', diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp index 3f65d4848..d80de407e 100644 --- a/manifests/resource/vhost.pp +++ b/manifests/resource/vhost.pp @@ -44,6 +44,9 @@ # vhost. # [*ssl_cert*] - Pre-generated SSL Certificate file to reference # for SSL Support. This is not generated by this module. +# [*ssl_client_cert*] - Pre-generated SSL Certificate file to reference +# for client verify SSL Support. This is not generated by this module. +# [*ssl_crl*] - String: Specifies CRL path in file system # [*ssl_dhparam*] - This directive specifies a file containing # Diffie-Hellman key agreement protocol cryptographic parameters, in PEM # format, utilized for exchanging session keys between server and client. 
@@ -125,6 +128,10 @@ # options like error level to the end. # [*passenger_cgi_param*] - Allows one to define additional CGI environment # variables to pass to the backend application +# [*passenger_set_header*] - Allows one to set headers to pass to the +# backend application (Passenger 5.0+) +# [*passenger_env_var*] - Allows one to set environemnt variables to pass +# to the backend application (Passenger 5.0+) # [*log_by_lua*] - Run the Lua source code inlined as the # at the log request processing phase. # This does not replace the current access logs, but runs after. @@ -135,6 +142,9 @@ # [*owner*] - Defines owner of the .conf file # [*group*] - Defines group of the .conf file # [*mode*] - Defines mode of the .conf file +# [*maintenance*] - A boolean value to set a vhost in maintenance +# [*maintenance_value*] - Value to return when maintenance is on. +# Default to return 503 # Actions: # # Requires: @@ -162,12 +172,14 @@ $ssl = false, $ssl_listen_option = true, $ssl_cert = undef, + $ssl_client_cert = undef, $ssl_dhparam = undef, $ssl_key = undef, $ssl_port = '443', $ssl_protocols = 'TLSv1 TLSv1.1 TLSv1.2', $ssl_ciphers = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA', $ssl_cache = 'shared:SSL:10m', + $ssl_crl = undef, $ssl_stapling = false, $ssl_stapling_file = undef, $ssl_stapling_responder = undef, 
@@ -188,6 +200,8 @@ $fastcgi = undef, $fastcgi_params = "${::nginx::config::conf_dir}/fastcgi_params", $fastcgi_script = undef, + $uwsgi = undef, + $uwsgi_params = "${nginx::config::conf_dir}/uwsgi_params", $index_files = [ 'index.html', 'index.htm', @@ -221,6 +235,8 @@ $error_log = undef, $format_log = 'combined', $passenger_cgi_param = undef, + $passenger_set_header = undef, + $passenger_env_var = undef, $log_by_lua = undef, $log_by_lua_file = undef, $use_default_location = true, @@ -231,11 +247,15 @@ $owner = $::nginx::config::global_owner, $group = $::nginx::config::global_group, $mode = $::nginx::config::global_mode, + $maintenance = false, + $maintenance_value = 'return 503' ) { validate_re($ensure, '^(present|absent)$', "${ensure} is not supported for ensure. Allowed values are 'present' and 'absent'.") - validate_string($listen_ip) + if !(is_array($listen_ip) or is_string($listen_ip)) { + fail('$listen_ip must be a string or array.') + } if !is_integer($listen_port) { fail('$listen_port must be an integer.') } @@ -245,7 +265,9 @@ validate_array($location_allow) validate_array($location_deny) validate_bool($ipv6_enable) - validate_string($ipv6_listen_ip) + if !(is_array($ipv6_listen_ip) or is_string($ipv6_listen_ip)) { + fail('$ipv6_listen_ip must be a string or array.') + } if !is_integer($ipv6_listen_port) { fail('$ipv6_listen_port must be an integer.') } @@ -257,6 +279,12 @@ if ($ssl_cert != undef) { validate_string($ssl_cert) } + if ($ssl_client_cert != undef) { + validate_string($ssl_client_cert) + } + if ($ssl_crl != undef) { + validate_string($ssl_crl) + } validate_bool($ssl_listen_option) if ($ssl_dhparam != undef) { validate_string($ssl_dhparam) @@ -311,6 +339,10 @@ if ($fastcgi_script != undef) { validate_string($fastcgi_script) } + if ($uwsgi != undef) { + validate_string($uwsgi) + } + validate_string($uwsgi_params) validate_array($index_files) if ($autoindex != undef) { validate_string($autoindex) 
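Review bot: `$maintenance` and `$maintenance_value` are added to the signature in hunk `@@ -231,11 +247,15 @@`, but none of the validation hunks in this file checks them, unlike the other new parameters (`$ssl_client_cert`, `$ssl_crl`, `$uwsgi`, `$passenger_set_header`, `$passenger_env_var`). `$maintenance_value` is presumably written into the vhost template as a raw directive, so a non-string value, or the string `'true'` passed for the flag, would yield a broken or silently ignored setting. Add `validate_bool($maintenance)` and `validate_string($maintenance_value)` next to the `$listen_ip` check. The final parameter `$maintenance_value = 'return 503'` also lacks the trailing comma that the preceding `$mode` line has.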
@@ -393,6 +425,12 @@ if ($passenger_cgi_param != undef) { validate_hash($passenger_cgi_param) } + if ($passenger_set_header != undef) { + validate_hash($passenger_set_header) + } + if ($passenger_env_var != undef) { + validate_hash($passenger_env_var) + } if ($log_by_lua != undef) { validate_string($log_by_lua) } @@ -498,10 +536,12 @@ fastcgi => $fastcgi, fastcgi_params => $fastcgi_params, fastcgi_script => $fastcgi_script, + uwsgi => $uwsgi, + uwsgi_params => $uwsgi_params, try_files => $try_files, www_root => $www_root, autoindex => $autoindex, - index_files => [], + index_files => $index_files, location_custom_cfg => $location_custom_cfg, notify => Class['::nginx::service'], rewrite_rules => $rewrite_rules, @@ -542,9 +582,16 @@ } } + if $uwsgi != undef and !defined(File[$uwsgi_params]) { + file { $uwsgi_params: + ensure => present, + mode => '0770', + content => template('nginx/vhost/uwsgi_params.erb'), + } + } + if ($listen_port != $ssl_port) { concat::fragment { "${name_sanitized}-header": - ensure => present, target => $config_file, content => template('nginx/vhost/vhost_header.erb'), order => '001', @@ -554,7 +601,6 @@ # Create a proper file close stub. if ($listen_port != $ssl_port) { concat::fragment { "${name_sanitized}-footer": - ensure => present, target => $config_file, content => template('nginx/vhost/vhost_footer.erb'), order => '699', 
@@ -589,43 +635,6 @@ content => template('nginx/vhost/vhost_ssl_footer.erb'), order => '999', } - - #Generate ssl key/cert with provided file-locations - $cert = regsubst($name,' ','_', 'G') - - # Check if the file has been defined before creating the file to - # avoid the error when using wildcard cert on the multiple vhosts - ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.crt", { - owner => $::nginx::config::daemon_user, - mode => '0444', - source => $ssl_cert, - }) - ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.key", { - owner => $::nginx::config::daemon_user, - mode => '0440', - source => $ssl_key, - }) - if ($ssl_dhparam != undef) { - ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.dh.pem", { - owner => $::nginx::config::daemon_user, - mode => '0440', - source => $ssl_dhparam, - }) - } - if ($ssl_stapling_file != undef) { - ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.ocsp.resp", { - owner => $::nginx::config::daemon_user, - mode => '0440', - source => $ssl_stapling_file, - }) - } - if ($ssl_trusted_cert != undef) { - ensure_resource('file', "${::nginx::config::conf_dir}/${cert}.trusted.crt", { - owner => $::nginx::config::daemon_user, - mode => '0440', - source => $ssl_trusted_cert, - }) - } } file{ "${name_sanitized}.conf symlink": @@ -633,7 +642,7 @@ path => "${vhost_enable_dir}/${name_sanitized}.conf", target => $config_file, require => Concat[$config_file], - notify => Service['nginx'], + notify => Class['::nginx::service'], } create_resources('::nginx::resource::map', $string_mappings) diff --git a/manifests/service.pp b/manifests/service.pp index fa7fedc12..c081e123c 100644 --- a/manifests/service.pp +++ b/manifests/service.pp @@ -18,6 +18,7 @@ $service_restart = $::nginx::service_restart, $service_ensure = $::nginx::service_ensure, $service_name = 'nginx', + $service_flags = undef, ) { $service_enable = $service_ensure ? { 
@@ -34,13 +35,28 @@ $service_ensure_real = $service_ensure } - service { 'nginx': - ensure => $service_ensure_real, - name => $service_name, - enable => $service_enable, - hasstatus => true, - hasrestart => true, + case $::osfamily { + 'OpenBSD': { + service { 'nginx': + ensure => $service_ensure_real, + name => $service_name, + enable => $service_enable, + flags => $service_flags, + hasstatus => true, + hasrestart => true, + } + } + default: { + service { 'nginx': + ensure => $service_ensure_real, + name => $service_name, + enable => $service_enable, + hasstatus => true, + hasrestart => true, + } + } } + if $configtest_enable == true { Service['nginx'] { restart => $service_restart, diff --git a/metadata.json b/metadata.json index 94a01bb78..8a062fc06 100644 --- a/metadata.json +++ b/metadata.json @@ -1,32 +1,45 @@ { "name": "jfryman-nginx", - "version": "0.2.1", + "version": "0.2.6", "author": "James Fryman", "summary": "Puppet NGINX management module", "license": "MIT", "source": "https://github.com/jfryman/puppet-nginx.git", "project_page": "http://github.com/jfryman/puppet-nginx", "issues_url": "https://github.com/jfryman/puppet-nginx/issues", - "description": "This module can be used for basic NGINX Management", "dependencies": [ {"name":"puppetlabs/stdlib","version_requirement":">= 4.2.0 <5.0.0"}, - {"name":"puppetlabs/apt","version_requirement":">= 1.0.0 <2.0.0"}, + {"name":"puppetlabs/apt","version_requirement":">= 1.8.0 <3.0.0"}, {"name":"puppetlabs/concat","version_requirement":">= 1.1.1 <2.0.0"} ], + "requirements": [ + { + "name": "pe", + "version_requirement": "3.x" + }, + { + "name": "puppet", + "version_requirement": "3.x" + } + ], "operatingsystem_support": [ { "operatingsystem": "Debian", "operatingsystemrelease":[ - "5.0", - "6.0" + "5", + "6", + "7" ] }, + { + "operatingsystem": "OpenBSD" + }, { "operatingsystem": "RedHat", "operatingsystemrelease":[ - "5.0", - "6.0", - "7.0" + "5", + "6", + "7" ] }, { 
diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb new file mode 100644 index 000000000..f35d5c81d --- /dev/null +++ b/spec/acceptance/class_spec.rb @@ -0,0 +1,24 @@ +require 'spec_helper_acceptance' + +describe "nginx class:" do + + context 'default parameters' do + it 'should run successfully' do + pp = "class { 'nginx': }" + + # Run it twice and test for idempotency + apply_manifest(pp, :catch_failures => true) + expect(apply_manifest(pp, :catch_failures => true).exit_code).to be_zero + end + end + + describe package('nginx') do + it { is_expected.to be_installed } + end + + describe service('nginx') do + it { is_expected.to be_running } + it { is_expected.to be_enabled } + end + +end diff --git a/spec/acceptance/nginx_mail_spec.rb b/spec/acceptance/nginx_mail_spec.rb new file mode 100644 index 000000000..df4c34246 --- /dev/null +++ b/spec/acceptance/nginx_mail_spec.rb @@ -0,0 +1,39 @@ +require 'spec_helper_acceptance' + +describe "nginx::resource::mailhost define:" do + it 'should run successfully' do + + pp = " + class { 'nginx': + mail => true, + } + nginx::resource::mailhost { 'domain1.example': + ensure => present, + auth_http => 'localhost/cgi-bin/auth', + protocol => 'smtp', + listen_port => 587, + ssl => true, + ssl_port => 465, + ssl_cert => '/tmp/blah.cert', + ssl_key => '/tmp/blah.key', + xclient => 'off', + } + " + + apply_manifest(pp, :catch_failures => true) + end + + describe file('/etc/nginx/conf.mail.d/domain1.example.conf') do + it { is_expected.to be_file } + it { is_expected.to contain "auth_http localhost/cgi-bin/auth;" } + end + + describe port(587) do + it { is_expected.to be_listening } + end + + describe port(465) do + it { is_expected.to be_listening } + end + +end diff --git a/spec/system/nginx_proxy_spec.rb b/spec/acceptance/nginx_proxy_spec.rb similarity index 53% rename from spec/system/nginx_proxy_spec.rb rename to spec/acceptance/nginx_proxy_spec.rb index 09b188565..27cd9065d 100644 
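Review bot: The manifest in spec/acceptance/nginx_mail_spec.rb points `ssl_cert` and `ssl_key` at `/tmp/blah.cert` and `/tmp/blah.key`, but nothing in the spec creates those files. If the mailhost template emits them as certificate directives, which seems likely with `ssl => true`, nginx will refuse to load the configuration and the `port(587)` and `port(465)` checks fail for a reason unrelated to the module. Create a throwaway key pair on the test host before `apply_manifest` (or ship fixture files), with a comment marking them as test-only material. Unlike class_spec.rb, this spec also applies the manifest only once, so idempotency of the mailhost define is not covered.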
--- a/spec/system/nginx_proxy_spec.rb +++ b/spec/acceptance/nginx_proxy_spec.rb @@ -1,4 +1,4 @@ -require 'spec_helper_system' +require 'spec_helper_acceptance' describe "nginx::resource::upstream define:" do it 'should run successfully' do @@ -19,25 +19,20 @@ class { 'nginx': } } " - puppet_apply(pp) do |r| - [0,2].should include r.exit_code - r.refresh - r.stderr.should be_empty - r.exit_code.should be_zero - end + apply_manifest(pp, :catch_failures => true) end describe file('/etc/nginx/conf.d/puppet_rack_app-upstream.conf') do - it { should be_file } - it { should contain "server localhost:3000" } - it { should contain "server localhost:3001" } - it { should contain "server localhost:3002" } - it { should_not contain "server localhost:3003" } + it { is_expected.to be_file } + it { is_expected.to contain "server localhost:3000" } + it { is_expected.to contain "server localhost:3001" } + it { is_expected.to contain "server localhost:3002" } + it { is_expected.not_to contain "server localhost:3003" } end describe file('/etc/nginx/sites-available/rack.puppetlabs.com.conf') do - it { should be_file } - it { should contain "proxy_pass http://puppet_rack_app;" } + it { is_expected.to be_file } + it { is_expected.to contain "proxy_pass http://puppet_rack_app;" } end end diff --git a/spec/system/nginx_vhost_spec.rb b/spec/acceptance/nginx_vhost_spec.rb similarity index 67% rename from spec/system/nginx_vhost_spec.rb rename to spec/acceptance/nginx_vhost_spec.rb index d4f344676..287621d6a 100644 --- a/spec/system/nginx_vhost_spec.rb +++ b/spec/acceptance/nginx_vhost_spec.rb @@ -1,4 +1,4 @@ -require 'spec_helper_system' +require 'spec_helper_acceptance' describe "nginx::resource::vhost define:" do context 'new vhost on port 80' do 
@@ -15,31 +15,30 @@ class { 'nginx': } file { '/var/www/www.puppetlabs.com/index.html': ensure => file, content => 'Hello from www\n', } " - puppet_apply(pp) do |r| - [0,2].should include r.exit_code - r.refresh - r.stderr.should be_empty - r.exit_code.should be_zero - end + apply_manifest(pp, :catch_failures => true) end describe file('/etc/nginx/sites-available/www.puppetlabs.com.conf') do - it { should be_file } - it { should contain "www.puppetlabs.com" } + it { is_expected.to be_file } + it { is_expected.to contain "www.puppetlabs.com" } end describe file('/etc/nginx/sites-enabled/www.puppetlabs.com.conf') do - it { should be_linked_to '/etc/nginx/sites-available/www.puppetlabs.com.conf' } + it { is_expected.to be_linked_to '/etc/nginx/sites-available/www.puppetlabs.com.conf' } end describe service('nginx') do - it { should be_running } + it { is_expected.to be_running } + end + + describe port(80) do + it { is_expected.to be_listening } end it 'should answer to www.puppetlabs.com' do shell("/usr/bin/curl http://www.puppetlabs.com:80") do |r| - r.stdout.should == "Hello from www\n" - r.exit_code.should be_zero + expect(r.stdout).to eq("Hello from www\n") + expect(r.exit_code).to be_zero end end end 
@@ -61,39 +60,38 @@ class { 'nginx': } file { '/var/www/www.puppetlabs.com/index.html': ensure => file, content => 'Hello from www\n', } " - puppet_apply(pp) do |r| - [0,2].should include r.exit_code - r.refresh - r.stderr.should be_empty - r.exit_code.should be_zero - end + apply_manifest(pp, :catch_failures => true) end describe file('/etc/nginx/sites-available/www.puppetlabs.com.conf') do - it { should be_file } - it { should contain "ssl on;" } + it { is_expected.to be_file } + it { is_expected.to contain "ssl on;" } end describe file('/etc/nginx/sites-enabled/www.puppetlabs.com.conf') do - it { should be_linked_to '/etc/nginx/sites-available/www.puppetlabs.com.conf' } + it { is_expected.to be_linked_to '/etc/nginx/sites-available/www.puppetlabs.com.conf' } end describe service('nginx') do - it { should be_running } + it { is_expected.to be_running } + end + + describe port(443) do + it { is_expected.to be_listening } end it 'should answer to http://www.puppetlabs.com' do shell("/usr/bin/curl http://www.puppetlabs.com:80") do |r| - r.stdout.should == "Hello from www\n" - r.exit_code.should == 0 + expect(r.stdout).to eq("Hello from www\n") + expect(r.exit_code).to eq(0) end end it 'should answer to https://www.puppetlabs.com' do # use --insecure because it's a self-signed cert shell("/usr/bin/curl --insecure https://www.puppetlabs.com:443") do |r| - r.stdout.should == "Hello from www\n" - r.exit_code.should == 0 + expect(r.stdout).to eq("Hello from www\n") + expect(r.exit_code).to eq(0) end end end diff --git a/spec/acceptance/nodesets/centos-5-x64.yml b/spec/acceptance/nodesets/centos-5-x64.yml new file mode 100644 index 000000000..3b48f360b --- /dev/null +++ b/spec/acceptance/nodesets/centos-5-x64.yml @@ -0,0 +1,11 @@ +HOSTS: + centos-5-x64: + roles: + - master + platform: el-5-x86_64 + box : puppetlabs/centos-5.11-64-nocm + box_url : https://vagrantcloud.com/puppetlabs/boxes/centos-5.11-64-nocm + hypervisor : vagrant +CONFIG: + log_level: verbose + type: foss 
diff --git a/spec/acceptance/nodesets/centos-6-x64.yml b/spec/acceptance/nodesets/centos-6-x64.yml
new file mode 100644
index 000000000..ad1d123a6
--- /dev/null
+++ b/spec/acceptance/nodesets/centos-6-x64.yml
@@ -0,0 +1,11 @@
+HOSTS:
+ centos-6-x64:
+ roles:
+ - master
+ platform: el-6-x86_64
+ box : puppetlabs/centos-6.6-64-nocm
+ box_url : https://vagrantcloud.com/puppetlabs/boxes/centos-6.6-64-nocm
+ hypervisor : vagrant
+CONFIG:
+ log_level: verbose
+ type: foss
diff --git a/spec/acceptance/nodesets/centos-7-x64.yml b/spec/acceptance/nodesets/centos-7-x64.yml
new file mode 100644
index 000000000..8a5ff9228
--- /dev/null
+++ b/spec/acceptance/nodesets/centos-7-x64.yml
@@ -0,0 +1,11 @@
+HOSTS:
+ centos-7-x64:
+ roles:
+ - master
+ platform: el-7-x86_64
+ box : puppetlabs/centos-7.0-64-nocm
+ box_url : https://vagrantcloud.com/puppetlabs/boxes/centos-7.0-64-nocm
+ hypervisor : vagrant
+CONFIG:
+ log_level: verbose
+ type: foss
diff --git a/spec/acceptance/nodesets/debian-6-x64.yml b/spec/acceptance/nodesets/debian-6-x64.yml
new file mode 100644
index 000000000..00de3cbdf
--- /dev/null
+++ b/spec/acceptance/nodesets/debian-6-x64.yml
@@ -0,0 +1,11 @@
+HOSTS:
+ debian-6-x64:
+ roles:
+ - master
+ platform: debian-6-amd64
+ box : puppetlabs/debian-6.0.10-64-nocm
+ box_url : http://vagrantcloud.com/puppetlabs/debian-6.0.10-64-nocm
+ hypervisor : vagrant
+CONFIG:
+ log_level: debug
+ type: git
diff --git a/spec/acceptance/nodesets/debian-7-x64.yml b/spec/acceptance/nodesets/debian-7-x64.yml
new file mode 100644
index 000000000..e06c45052
--- /dev/null
+++ b/spec/acceptance/nodesets/debian-7-x64.yml
@@ -0,0 +1,11 @@
+HOSTS:
+ debian-7-x64:
+ roles:
+ - master
+ platform: debian-7-amd64
+ box : puppetlabs/debian-7.8-64-nocm
+ box_url : http://vagrantcloud.com/puppetlabs/debian-7.8-64-nocm
+ hypervisor : vagrant
+CONFIG:
+ log_level: debug
+ type: git
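Review bot: The `box_url` values in debian-6-x64.yml and debian-7-x64.yml use plain `http://`, while the CentOS and Ubuntu nodesets added by this commit use `https://`. A base box fetched over cleartext can be altered in transit before the acceptance suite runs on it, so the two lines should read `box_url : https://vagrantcloud.com/puppetlabs/debian-6.0.10-64-nocm` and `box_url : https://vagrantcloud.com/puppetlabs/debian-7.8-64-nocm`. The CentOS URLs also carry a `/boxes/` path segment that the Debian and Ubuntu ones lack; it is worth confirming which form resolves.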
diff --git a/spec/acceptance/nodesets/default.yml b/spec/acceptance/nodesets/default.yml
new file mode 100644
index 000000000..3bb3e6264
--- /dev/null
+++ b/spec/acceptance/nodesets/default.yml
@@ -0,0 +1,11 @@
+HOSTS:
+ ubuntu-server-1404-x64:
+ roles:
+ - master
+ platform: ubuntu-14.04-amd64
+ box: puppetlabs/ubuntu-14.04-64-nocm
+ box_url: https://vagrantcloud.com/puppetlabs/ubuntu-14.04-64-nocm
+ hypervisor: vagrant
+CONFIG:
+ log_level: debug
+ type: git
diff --git a/spec/acceptance/nodesets/ubuntu-server-1204-x64.yml b/spec/acceptance/nodesets/ubuntu-server-1204-x64.yml
new file mode 100644
index 000000000..d6b4b287f
--- /dev/null
+++ b/spec/acceptance/nodesets/ubuntu-server-1204-x64.yml
@@ -0,0 +1,11 @@
+HOSTS:
+ ubuntu-server-1204-x64:
+ roles:
+ - master
+ platform: ubuntu-12.04-amd64
+ box: puppetlabs/ubuntu-12.04-64-nocm
+ box_url: https://vagrantcloud.com/puppetlabs/ubuntu-12.04-64-nocm
+ hypervisor: vagrant
+CONFIG:
+ log_level: debug
+ type: git
diff --git a/spec/acceptance/nodesets/ubuntu-server-1404-x64.yml b/spec/acceptance/nodesets/ubuntu-server-1404-x64.yml
new file mode 100644
index 000000000..3bb3e6264
--- /dev/null
+++ b/spec/acceptance/nodesets/ubuntu-server-1404-x64.yml
@@ -0,0 +1,11 @@
+HOSTS:
+ ubuntu-server-1404-x64:
+ roles:
+ - master
+ platform: ubuntu-14.04-amd64
+ box: puppetlabs/ubuntu-14.04-64-nocm
+ box_url: https://vagrantcloud.com/puppetlabs/ubuntu-14.04-64-nocm
+ hypervisor: vagrant
+CONFIG:
+ log_level: debug
+ type: git
diff --git a/spec/classes/config_spec.rb b/spec/classes/config_spec.rb
index ba50afa98..ece8734d7 100644
--- a/spec/classes/config_spec.rb
+++ b/spec/classes/config_spec.rb
@@ -70,12 +70,30 @@ describe "nginx.conf template content" do [ + { + :title => 'should not set user', + :attr => 'super_user', + :value => false, + :notmatch => /user/, + }, + { + :title => 'should set user', + :attr => 'daemon_user', + :value => 'test-user', + :match => 'user test-user;', + }, { :title => 'should set worker_processes', :attr => 'worker_processes', :value => '4', :match => 'worker_processes 4;', }, + { + :title => 'should set worker_processes', + :attr => 'worker_processes', + :value => 'auto', + :match => 'worker_processes auto;', + }, { :title => 'should set worker_rlimit_nofile', :attr => 'worker_rlimit_nofile', @@ -88,6 +106,18 @@ :value => '/path/to/error.log', :match => 'error_log /path/to/error.log;', }, + { + :title => 'should set pid', + :attr => 'pid', + :value => '/path/to/pid', + :match => 'pid /path/to/pid;', + }, + { + :title => 'should not set pid', + :attr => 'pid', + :value => false, + :notmatch => /pid/, + }, { :title => 'should set worker_connections', :attr => 'worker_connections', 
@@ -112,18 +142,108 @@ :value => {}, :notmatch => /log_format/, }, + { + :title => 'should set multi_accept', + :attr => 'multi_accept', + :value => 'on', + :match => /\s*multi_accept\s+on;/, + }, + { + :title => 'should not set multi_accept', + :attr => 'multi_accept', + :value => 'off', + :notmatch => /multi_accept/, + }, + { + :title => 'should set events_use', + :attr => 'events_use', + :value => 'eventport', + :match => /\s*use\s+eventport;/, + }, + { + :title => 'should not set events_use', + :attr => 'events_use', + :value => false, + :notmatch => /use /, + }, { :title => 'should set access_log', :attr => 'http_access_log', :value => '/path/to/access.log', :match => ' access_log /path/to/access.log;', }, + { + :title => 'should set sendfile', + :attr => 'sendfile', + :value => 'on', + :match => ' sendfile on;', + }, + { + :title => 'should not set sendfile', + :attr => 'sendfile', + :value => false, + :notmatch => /sendfile/, + }, { :title => 'should set server_tokens', :attr => 'server_tokens', :value => 'on', :match => ' server_tokens on;', }, + { + :title => 'should set types_hash_max_size', + :attr => 'types_hash_max_size', + :value => 10, + :match => ' types_hash_max_size 10;', + }, + { + :title => 'should set types_hash_bucket_size', + :attr => 'types_hash_bucket_size', + :value => 10, + :match => ' types_hash_bucket_size 10;', + }, + { + :title => 'should set server_names_hash_bucket_size', + :attr => 'names_hash_bucket_size', + :value => 10, + :match => ' server_names_hash_bucket_size 10;', + }, + { + :title => 'should set server_names_hash_max_size', + :attr => 'names_hash_max_size', + :value => 10, + :match => ' server_names_hash_max_size 10;', + }, + { + :title => 'should set keepalive_timeout', + :attr => 'keepalive_timeout', + :value => '123', + :match => ' keepalive_timeout 123;', + }, + { + :title => 'should set tcp_nodelay', + :attr => 'http_tcp_nodelay', + :value => 'on', + :match => ' tcp_nodelay on;', + }, + { + :title => 'should set 
tcp_nopush', + :attr => 'http_tcp_nopush', + :value => 'on', + :match => ' tcp_nopush on;', + }, + { + :title => 'should set gzip', + :attr => 'gzip', + :value => 'on', + :match => ' gzip on;', + }, + { + :title => 'should not set gzip', + :attr => 'gzip', + :value => 'off', + :notmatch => /gzip/, + }, { :title => 'should set proxy_cache_path', :attr => 'proxy_cache_path', @@ -134,7 +254,31 @@ :title => 'should not set proxy_cache_path', :attr => 'proxy_cache_path', :value => false, - :notmatch => %r'\s+proxy_cache_path\s+/path/to/proxy\.cache levels=1 keys_zone=d2:100m max_size=500m inactive=20m;', + :notmatch => /proxy_cache_path/, + }, + { + :title => 'should set fastcgi_cache_path', + :attr => 'fastcgi_cache_path', + :value => '/path/to/proxy.cache', + :match => %r'\s*fastcgi_cache_path\s+/path/to/proxy.cache levels=1 keys_zone=d3:100m max_size=500m inactive=20m;', + }, + { + :title => 'should not set fastcgi_cache_path', + :attr => 'fastcgi_cache_path', + :value => false, + :notmatch => /fastcgi_cache_path/, + }, + { + :title => 'should set fastcgi_cache_use_stale', + :attr => 'fastcgi_cache_use_stale', + :value => 'invalid_header', + :match => ' fastcgi_cache_use_stale invalid_header;', + }, + { + :title => 'should not set fastcgi_cache_use_stale', + :attr => 'fastcgi_cache_use_stale', + :value => false, + :notmatch => /fastcgi_cache_use_stale/, }, { :title => 'should contain ordered appended directives from hash', 
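Review bot: The `keepalive_timeout` entry added in `@@ -112,18 +142,108 @@` (`:value => '123'`, `:match => ' keepalive_timeout 123;'`) repeats an entry that already exists further down this spec file; it is visible as context in `@@ -188,6 +361,18 @@`. The `'should set pid'` entry added in `@@ -88,6 +106,18 @@` likewise repeats the title and attribute of one shown as context at the end of `@@ -164,6 +308,35 @@`. If both copies sit in the same list, each pair produces two contexts with identical descriptions, so one copy of each can be dropped. The array literal starts and ends outside these hunks.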
@@ -164,6 +308,35 @@ ' test1 test value 2;', ], }, + { + :title => 'should contain ordered appended directives from hash', + :attr => 'nginx_cfg_prepend', + :value => { 'test1' => 'test value 1', 'test2' => 'test value 2', 'allow' => 'test value 3' }, + :match => [ + 'allow test value 3;', + 'test1 test value 1;', + 'test2 test value 2;', + ], + }, + { + :title => 'should contain duplicate appended directives from list of hashes', + :attr => 'nginx_cfg_prepend', + :value => [[ 'allow', 'test value 1'], ['allow', 'test value 2' ]], + :match => [ + 'allow test value 1;', + 'allow test value 2;', + ], + }, + { + :title => 'should contain duplicate appended directives from array values', + :attr => 'nginx_cfg_prepend', + :value => { 'test1' => ['test value 1', 'test value 2', 'test value 3'] }, + :match => [ + 'test1 test value 1;', + 'test1 test value 2;', + 'test1 test value 3;', + ], + }, { :title => 'should set pid', :attr => 'pid', @@ -188,6 +361,18 @@ :value => '123', :match => ' keepalive_timeout 123;', }, + { + :title => 'should set mail', + :attr => 'mail', + :value => true, + :match => 'mail {', + }, + { + :title => 'should not set mail', + :attr => 'mail', + :value => false, + :notmatch => /mail/, + }, ].each do |param| context "when #{param[:attr]} is #{param[:value]}" do let :params do { param[:attr].to_sym => param[:value] } end @@ -199,7 +384,7 @@ if matches.all? { |m| m.is_a? Regexp } matches.each { |item| is_expected.to contain_file('/etc/nginx/nginx.conf').with_content(item) } else - lines = subject.resource('file', '/etc/nginx/nginx.conf').send(:parameters)[:content].split("\n") + lines = catalogue.resource('file', '/etc/nginx/nginx.conf').send(:parameters)[:content].split("\n") expect(lines & Array(param[:match])).to eq(Array(param[:match])) end 
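Review bot: The three entries added in `@@ -164,6 +308,35 @@` set `:attr => 'nginx_cfg_prepend'` but their titles still say "appended directives", so a failure report would point at the wrong parameter. A title such as `'should contain ordered prepended directives from hash'` would match the attribute under test. The second title also says "list of hashes" where `:value` is an array of two-element arrays.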
@@ -269,7 +454,7 @@ if matches.all? { |m| m.is_a? Regexp } matches.each { |item| is_expected.to contain_file('/etc/nginx/conf.d/proxy.conf').with_content(item) } else - lines = subject.resource('file', '/etc/nginx/conf.d/proxy.conf').send(:parameters)[:content].split("\n") + lines = catalogue.resource('file', '/etc/nginx/conf.d/proxy.conf').send(:parameters)[:content].split("\n") expect(lines & Array(param[:match])).to eq(Array(param[:match])) end @@ -281,6 +466,13 @@ end end + context "when conf_dir is /path/to/nginx" do + let(:params) {{:conf_dir => '/path/to/nginx'}} + it { is_expected.to contain_file('/path/to/nginx/nginx.conf').with_content(%r{include /path/to/nginx/mime\.types;}) } + it { is_expected.to contain_file('/path/to/nginx/nginx.conf').with_content(%r{include /path/to/nginx/conf\.d/\*\.conf;}) } + it { is_expected.to contain_file('/path/to/nginx/nginx.conf').with_content(%r{include /path/to/nginx/sites-enabled/\*;}) } + end + context "when confd_purge true" do let(:params) {{:confd_purge => true}} it { is_expected.to contain_file('/etc/nginx/conf.d').with( diff --git a/spec/classes/package_spec.rb b/spec/classes/package_spec.rb index 77c83443c..03106a658 100644 --- a/spec/classes/package_spec.rb +++ b/spec/classes/package_spec.rb @@ -67,8 +67,7 @@ it { is_expected.to contain_apt__source('nginx').with( 'location' => "http://nginx.org/packages/#{operatingsystem.downcase}", 'repos' => 'nginx', - 'key' => '7BD9BF62', - 'key_source' => 'http://nginx.org/keys/nginx_signing.key' + 'key' => '573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62', )} it { is_expected.to contain_anchor('nginx::package::begin').that_comes_before('Class[nginx::package::debian]') } it { is_expected.to contain_anchor('nginx::package::end').that_requires('Class[nginx::package::debian]') } 
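Review bot: Nothing in package_spec.rb records why `'key'` must be the full 40-hex fingerprint, so a later edit could shorten it back to an 8-hex ID like the removed `7BD9BF62`. A comment above the `contain_apt__source('nginx')` expectation in `@@ -67,8 +67,7 @@`, such as `# full fingerprint on purpose: 8-hex short key IDs can collide`, would record the intent; the same applies to the Passenger key in `@@ -88,8 +87,7 @@`. With `key_source` no longer asserted, the spec does not show where the key is fetched from; presumably that is left to the apt module, which is worth confirming in the manifest.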
@@ -88,8 +87,7 @@ it { is_expected.to contain_apt__source('nginx').with( 'location' => 'https://oss-binaries.phusionpassenger.com/apt/passenger', 'repos' => "main", - 'key' => '561F9B9CAC40B2F7', - 'key_source' => 'https://oss-binaries.phusionpassenger.com/auto-software-signing-gpg-key.txt' + 'key' => '16378A33A6EF16762922526E561F9B9CAC40B2F7', )} end diff --git a/spec/defines/resource_geo_spec.rb b/spec/defines/resource_geo_spec.rb index 537be255d..f3c3914ed 100644 --- a/spec/defines/resource_geo_spec.rb +++ b/spec/defines/resource_geo_spec.rb @@ -99,7 +99,7 @@ it { is_expected.to contain_file("/etc/nginx/conf.d/#{title}-geo.conf").with_mode('0644') } it param[:title] do - verify_contents(subject, "/etc/nginx/conf.d/#{title}-geo.conf", Array(param[:match])) + verify_contents(catalogue, "/etc/nginx/conf.d/#{title}-geo.conf", Array(param[:match])) Array(param[:notmatch]).each do |item| is_expected.to contain_file("/etc/nginx/conf.d/#{title}-geo.conf").without_content(item) end diff --git a/spec/defines/resource_location_spec.rb b/spec/defines/resource_location_spec.rb index 4aa88a45d..20a246dc0 100644 --- a/spec/defines/resource_location_spec.rb +++ b/spec/defines/resource_location_spec.rb @@ -148,6 +148,18 @@ :value => [], :notmatch => /rewrite/ }, + { + :title => 'should set auth_basic', + :attr => 'auth_basic', + :value => 'value', + :match => ' auth_basic "value";', + }, + { + :title => 'should set auth_basic_user_file', + :attr => 'auth_basic_user_file', + :value => 'value', + :match => ' auth_basic_user_file value;', + }, ].each do |param| context "when #{param[:attr]} is #{param[:value]}" do let :default_params do { :location => 'location', :proxy => 'proxy_value', :vhost => 'vhost1' } end 
@@ -162,7 +174,7 @@ if matches.all? { |m| m.is_a? Regexp } matches.each { |item| is_expected.to contain_concat__fragment(fragment).with_content(item) } else - lines = subject.resource('concat::fragment', fragment).send(:parameters)[:content].split("\n") + lines = catalogue.resource('concat::fragment', fragment).send(:parameters)[:content].split("\n") expect(lines & matches).to eq(matches) end @@ -239,7 +251,7 @@ if matches.all? { |m| m.is_a? Regexp } matches.each { |item| is_expected.to contain_concat__fragment(fragment).with_content(item) } else - lines = subject.resource('concat::fragment', fragment).send(:parameters)[:content].split("\n") + lines = catalogue.resource('concat::fragment', fragment).send(:parameters)[:content].split("\n") expect(lines & matches).to eq(matches) end @@ -250,7 +262,7 @@ it "should end with a closing brace" do fragment = Digest::MD5.hexdigest("vhost1-500-#{params[:location]}") - content = subject.resource('concat::fragment', fragment).send(:parameters)[:content] + content = catalogue.resource('concat::fragment', fragment).send(:parameters)[:content] expect((content.split("\n").reject {|l| l =~ /^(\s*#|$)/ }.last).strip).to eq('}') end end @@ -318,18 +330,6 @@ :value => ['name1','name2'], :match => ' index name1 name2;', }, - { - :title => 'should set auth_basic', - :attr => 'auth_basic', - :value => 'value', - :match => ' auth_basic "value";', - }, - { - :title => 'should set auth_basic_user_file', - :attr => 'auth_basic_user_file', - :value => 'value', - :match => ' auth_basic_user_file value;', - }, ].each do |param| context "when #{param[:attr]} is #{param[:value]}" do let :params do default_params.merge({ param[:attr].to_sym => param[:value] }) end 
@@ -342,7 +342,7 @@ if matches.all? { |m| m.is_a? Regexp } matches.each { |item| is_expected.to contain_concat__fragment(fragment).with_content(item) } else - lines = subject.resource('concat::fragment', fragment).send(:parameters)[:content].split("\n") + lines = catalogue.resource('concat::fragment', fragment).send(:parameters)[:content].split("\n") expect(lines & matches).to eq(matches) end @@ -403,7 +403,7 @@ if matches.all? { |m| m.is_a? Regexp } matches.each { |item| is_expected.to contain_concat__fragment(fragment).with_content(item) } else - lines = subject.resource('concat::fragment', fragment).send(:parameters)[:content].split("\n") + lines = catalogue.resource('concat::fragment', fragment).send(:parameters)[:content].split("\n") expect(lines & matches).to eq(matches) end @@ -467,7 +467,7 @@ if matches.all? { |m| m.is_a? Regexp } matches.each { |item| is_expected.to contain_concat__fragment(fragment).with_content(item) } else - lines = subject.resource('concat::fragment', fragment).send(:parameters)[:content].split("\n") + lines = catalogue.resource('concat::fragment', fragment).send(:parameters)[:content].split("\n") expect(lines & matches).to eq(matches) end 
@@ -519,6 +519,65 @@ end end + describe "vhost_location_uwsgi template content" do + let :default_params do + { + :location => 'location', + :uwsgi => 'unix:/home/project/uwsgi.socket', + :vhost => 'vhost1' + } + end + + [ + { + :title => 'should set www_root', + :attr => 'www_root', + :value => '/', + :match => %r'\s+root\s+/;' + }, + { + :title => 'should set try_file(s)', + :attr => 'try_files', + :value => ['name1','name2'], + :match => %r'\s+try_files\s+name1 name2;', + }, + { + :title => 'should set uwsgi_params', + :attr => 'uwsgi_params', + :value => 'value', + :match => %r'\s+include\s+value;' + }, + { + :title => 'should set uwsgi_pass', + :attr => 'uwsgi', + :value => 'value', + :match => %r'\s+uwsgi_pass\s+value;' + }, + ].each do |param| + context "when #{param[:attr]} is #{param[:value]}" do + let :params do default_params.merge({ param[:attr].to_sym => param[:value] }) end + + it { is_expected.to contain_concat__fragment(Digest::MD5.hexdigest("vhost1-500-#{params[:location]}")) } + it param[:title] do + fragment = Digest::MD5.hexdigest("vhost1-500-#{params[:location]}") + matches = Array(param[:match]) + + if matches.all? { |m| m.is_a? Regexp } + matches.each { |item| is_expected.to contain_concat__fragment(fragment).with_content(item) } + else + lines = catalogue.resource('concat::fragment', fragment).send(:parameters)[:content].split("\n") + expect(lines & matches).to eq(matches) + end + + Array(param[:notmatch]).each do |item| + is_expected.to contain_concat__fragment(Digest::MD5.hexdigest("vhost1-500-#{params[:location]}")).without_content(item) + end + end + end + end + end + + describe "vhost_location_proxy template content" do [ { 
@@ -603,7 +662,7 @@ if matches.all? { |m| m.is_a? Regexp } matches.each { |item| is_expected.to contain_concat__fragment(fragment).with_content(item) } else - lines = subject.resource('concat::fragment', fragment).send(:parameters)[:content].split("\n") + lines = catalogue.resource('concat::fragment', fragment).send(:parameters)[:content].split("\n") expect(lines & matches).to eq(matches) end @@ -642,6 +701,13 @@ it { is_expected.to contain_file('/etc/nginx/fastcgi_params').with_mode('0770') } end + context 'when uwsgi => "unix:/home/project/uwsgi.socket"' do + let :params do { :uwsgi => 'uwsgi_upstream', :vhost => 'vhost1' } end + + it { should contain_file('/etc/nginx/uwsgi_params') } + end + + context 'when ssl_only => true' do let :params do { :ssl_only => true, :vhost => 'vhost1', :www_root => '/', } end it { is_expected.not_to contain_concat__fragment(Digest::MD5.hexdigest("vhost1-500-rspec-test")) } @@ -665,24 +731,6 @@ it { is_expected.not_to contain_concat__fragment(Digest::MD5.hexdigest("vhost1-800-rspec-test-ssl")) } end - context 'when auth_basic_user_file => true' do - let :params do { :auth_basic_user_file => '/path/to/file', :vhost => 'vhost1', :www_root => '/', } end - - it { is_expected.to contain_file("/etc/nginx/rspec-test_htpasswd") } - end - - context 'when ensure => absent' do - let :params do { - :www_root => '/', - :vhost => 'vhost1', - :ensure => 'absent', - :ssl => true, - :auth_basic_user_file => '/path/to/file', - } end - - it { is_expected.to contain_file("/etc/nginx/rspec-test_htpasswd").with_ensure('absent') } - end - context "vhost missing" do let :params do { :www_root => '/', 
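Review bot: The uwsgi example added in `@@ -642,6 +701,13 @@` is written as `it { should contain_file('/etc/nginx/uwsgi_params') }`, while the rest of this file uses `is_expected.to`; `it { is_expected.to contain_file('/etc/nginx/uwsgi_params') }` keeps the file on one syntax. The context title names `unix:/home/project/uwsgi.socket` but `params` passes `'uwsgi_upstream'`, so one of the two should change. Unlike the neighbouring `fastcgi_params` example, no file mode is asserted. The `should` form also appears in resource_vhost_spec.rb at `@@ -769,6 +793,15 @@`.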
@@ -696,7 +744,7 @@ :vhost => 'vhost1', } end - it { expect { is_expected.to contain_class('nginx::resource::location') }.to raise_error(Puppet::Error, /Cannot create a location reference without a www_root, proxy, location_alias, fastcgi, stub_status, internal, or location_custom_cfg defined/) } + it { expect { is_expected.to contain_class('nginx::resource::location') }.to raise_error(Puppet::Error, /Cannot create a location reference without a www_root, proxy, location_alias, fastcgi, uwsgi, stub_status, internal, or location_custom_cfg defined/) } end context "www_root and proxy are set" do diff --git a/spec/defines/resource_mailhost_spec.rb b/spec/defines/resource_mailhost_spec.rb index 5e6a6f53a..7a7040924 100644 --- a/spec/defines/resource_mailhost_spec.rb +++ b/spec/defines/resource_mailhost_spec.rb @@ -139,7 +139,7 @@ it { is_expected.to contain_concat__fragment("#{title}-header") } it param[:title] do - lines = subject.resource('concat::fragment', "#{title}-header").send(:parameters)[:content].split("\n") + lines = catalogue.resource('concat::fragment', "#{title}-header").send(:parameters)[:content].split("\n") expect(lines & Array(param[:match])).to eq(Array(param[:match])) Array(param[:notmatch]).each do |item| is_expected.to contain_concat__fragment("#{title}-header").without_content(item) @@ -193,7 +193,7 @@ it { is_expected.to contain_concat__fragment("#{title}-header") } it param[:title] do - lines = subject.resource('concat::fragment', "#{title}-header").send(:parameters)[:content].split("\n") + lines = catalogue.resource('concat::fragment', "#{title}-header").send(:parameters)[:content].split("\n") expect(lines & Array(param[:match])).to eq(Array(param[:match])) Array(param[:notmatch]).each do |item| is_expected.to contain_concat__fragment("#{title}-header").without_content(item) 
@@ -209,29 +209,29 @@ :title => 'should set the IPv4 SSL listen port', :attr => 'ssl_port', :value => '45', - :match => ' listen 45;', + :match => ' listen *:45;', }, { :title => 'should enable IPv6', :attr => 'ipv6_enable', :value => true, - :match => ' listen [::]:80 default ipv6only=on;', + :match => ' listen [::]:587 default ipv6only=on;', }, { :title => 'should not enable IPv6', :attr => 'ipv6_enable', :value => false, - :notmatch => / listen \[::\]:80 default ipv6only=on;/, + :notmatch => / listen \[::\]:587 default ipv6only=on;/, }, { :title => 'should set the IPv6 listen IP', :attr => 'ipv6_listen_ip', :value => '2001:0db8:85a3:0000:0000:8a2e:0370:7334', - :match => ' listen [2001:0db8:85a3:0000:0000:8a2e:0370:7334]:80 default ipv6only=on;', + :match => ' listen [2001:0db8:85a3:0000:0000:8a2e:0370:7334]:587 default ipv6only=on;', }, { - :title => 'should set the IPv6 listen port', - :attr => 'ipv6_listen_port', + :title => 'should set the IPv6 ssl port', + :attr => 'ssl_port', :value => 45, :match => ' listen [::]:45 default ipv6only=on;', }, @@ -239,7 +239,7 @@ :title => 'should set the IPv6 listen options', :attr => 'ipv6_listen_options', :value => 'spdy', - :match => ' listen [::]:80 spdy;', + :match => ' listen [::]:587 spdy;', }, { :title => 'should set servername(s)', @@ -281,6 +281,7 @@ context "when #{param[:attr]} is #{param[:value]}" do let :default_params do { :listen_port => 25, + :ssl_port => 587, :ipv6_enable => true, :ssl => true, :ssl_cert => 'dummy.crt', @@ -290,7 +291,7 @@ it { is_expected.to contain_concat__fragment("#{title}-ssl") } it param[:title] do - lines = subject.resource('concat::fragment', "#{title}-ssl").send(:parameters)[:content].split("\n") + lines = catalogue.resource('concat::fragment', "#{title}-ssl").send(:parameters)[:content].split("\n") expect(lines & Array(param[:match])).to eq(Array(param[:match])) Array(param[:notmatch]).each do |item| is_expected.to contain_concat__fragment("#{title}-ssl").without_content(item) 
diff --git a/spec/defines/resource_map_spec.rb b/spec/defines/resource_map_spec.rb index b10665f19..5172c3176 100644 --- a/spec/defines/resource_map_spec.rb +++ b/spec/defines/resource_map_spec.rb @@ -72,7 +72,7 @@ it { is_expected.to contain_file("/etc/nginx/conf.d/#{title}-map.conf").with_mode('0644') } it param[:title] do - verify_contents(subject, "/etc/nginx/conf.d/#{title}-map.conf", Array(param[:match])) + verify_contents(catalogue, "/etc/nginx/conf.d/#{title}-map.conf", Array(param[:match])) Array(param[:notmatch]).each do |item| is_expected.to contain_file("/etc/nginx/conf.d/#{title}-map.conf").without_content(item) end diff --git a/spec/defines/resource_upstream_spec.rb b/spec/defines/resource_upstream_spec.rb index ce7d0d6c6..f50d8235f 100644 --- a/spec/defines/resource_upstream_spec.rb +++ b/spec/defines/resource_upstream_spec.rb @@ -99,7 +99,7 @@ it { is_expected.to contain_file("/etc/nginx/conf.d/#{title}-upstream.conf").with_mode('0644') } it { is_expected.to contain_concat__fragment("#{title}_upstream_#{param[:fragment]}") } it param[:title] do - lines = subject.resource('concat::fragment', "#{title}_upstream_#{param[:fragment]}").send(:parameters)[:content].split("\n") + lines = catalogue.resource('concat::fragment', "#{title}_upstream_#{param[:fragment]}").send(:parameters)[:content].split("\n") expect(lines & Array(param[:match])).to eq(Array(param[:match])) Array(param[:notmatch]).each do |item| is_expected.to contain_concat__fragment("#{title}_upstream_#{param[:fragment]}").without_content(item) diff --git a/spec/defines/resource_vhost_spec.rb b/spec/defines/resource_vhost_spec.rb index f8c6616f9..1d4353750 100644 --- a/spec/defines/resource_vhost_spec.rb +++ b/spec/defines/resource_vhost_spec.rb @@ -51,9 +51,8 @@ :value => false, :notmatch => %r| ^ - \s+listen\s+\*:80;\n \s+server_name\s+www\.rspec\.example\.com;\n - \s+return\s+301\s+http://rspec\.example\.com\$uri; + \s+return\s+301\s+http://rspec\.example\.com\$request_uri; |x, }, { 
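Review bot: Nothing near the expectation in `@@ -51,9 +51,8 @@` of resource_vhost_spec.rb explains why the redirect target must end in `$request_uri`, so a later template change back to `$uri` could be waved through by just editing the regex. nginx's `$uri` is the decoded, normalised path, and echoing it into a `Location` header lets encoded CR/LF from the request reach the response headers, whereas `$request_uri` stays as the client sent it. A comment above the entry, e.g. `# $request_uri, not $uri: the decoded $uri must not be echoed into Location`, would record that. The same expectation recurs in `@@ -62,9 +61,8 @@`, `@@ -274,9 +272,8 @@`, `@@ -339,9 +336,8 @@`, `@@ -350,9 +346,8 @@` and `@@ -595,9 +620,8 @@`; the hash entry itself starts above the hunk.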
@@ -62,9 +61,8 @@ :value => true, :match => %r| ^ - \s+listen\s+\*:80;\n \s+server_name\s+www\.rspec\.example\.com;\n - \s+return\s+301\s+http://rspec\.example\.com\$uri; + \s+return\s+301\s+http://rspec\.example\.com\$request_uri; |x, }, { @@ -255,7 +253,7 @@ if matches.all? { |m| m.is_a? Regexp } matches.each { |item| is_expected.to contain_concat__fragment("#{title}-header").with_content(item) } else - lines = subject.resource('concat::fragment', "#{title}-header").send(:parameters)[:content].split("\n") + lines = catalogue.resource('concat::fragment', "#{title}-header").send(:parameters)[:content].split("\n") expect(lines & Array(param[:match])).to eq(Array(param[:match])) end Array(param[:notmatch]).each do |item| @@ -274,9 +272,8 @@ :value => false, :notmatch => %r| ^ - \s+listen\s+\*:443\s+ssl;\n \s+server_name\s+www\.rspec\.example\.com;\n - \s+return\s+301\s+https://rspec\.example\.com\$uri; + \s+return\s+301\s+https://rspec\.example\.com\$request_uri; |x, }, { @@ -320,7 +317,7 @@ if matches.all? { |m| m.is_a? Regexp } matches.each { |item| is_expected.to contain_concat__fragment("#{title}-footer").with_content(item) } else - lines = subject.resource('concat::fragment', "#{title}-footer").send(:parameters)[:content].split("\n") + lines = catalogue.resource('concat::fragment', "#{title}-footer").send(:parameters)[:content].split("\n") expect(lines & Array(param[:match])).to eq(Array(param[:match])) end Array(param[:notmatch]).each do |item| @@ -339,9 +336,8 @@ :value => false, :notmatch => %r| ^ - \s+listen\s+\*:443\s+ssl;\n \s+server_name\s+www\.rspec\.example\.com;\n - \s+return\s+301\s+https://rspec\.example\.com\$uri; + \s+return\s+301\s+https://rspec\.example\.com\$request_uri; |x, }, { @@ -350,9 +346,8 @@ :value => true, :match => %r| ^ - \s+listen\s+\*:443\s+ssl;\n \s+server_name\s+www\.rspec\.example\.com;\n - \s+return\s+301\s+https://rspec\.example\.com\$uri; + \s+return\s+301\s+https://rspec\.example\.com\$request_uri; |x, }, { 
@@ -433,6 +428,36 @@ :value => false, :match => %r'\s+server_name\s+www.rspec.example.com;', }, + { + :title => 'should set the SSL client certificate file', + :attr => 'ssl_client_cert', + :value => '/tmp/client_certificate', + :match => %r'\s+ssl_client_certificate\s+/tmp/client_certificate;', + }, + { + :title => 'should set the SSL CRL file', + :attr => 'ssl_crl', + :value => '/tmp/crl', + :match => %r'\s+ssl_crl\s+/tmp/crl;', + }, + { + :title => 'should set the SSL DH parameters file', + :attr => 'ssl_dhparam', + :value => '/tmp/dhparam', + :match => %r'\s+ssl_dhparam\s+/tmp/dhparam;', + }, + { + :title => 'should set the SSL stapling file', + :attr => 'ssl_stapling_file', + :value => '/tmp/stapling_file', + :match => %r'\s+ssl_stapling_file\s+/tmp/stapling_file;', + }, + { + :title => 'should set the SSL trusted certificate file', + :attr => 'ssl_trusted_cert', + :value => '/tmp/trusted_certificate', + :match => %r'\s+ssl_trusted_certificate\s+/tmp/trusted_certificate;', + }, { :title => 'should set the SSL cache', :attr => 'ssl_cache', @@ -576,7 +601,7 @@ if matches.all? { |m| m.is_a? Regexp } matches.each { |item| is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(item) } else - lines = subject.resource('concat::fragment', "#{title}-ssl-header").send(:parameters)[:content].split("\n") + lines = catalogue.resource('concat::fragment', "#{title}-ssl-header").send(:parameters)[:content].split("\n") expect(lines & Array(param[:match])).to eq(Array(param[:match])) end Array(param[:notmatch]).each do |item| @@ -595,9 +620,8 @@ :value => false, :notmatch => %r| ^ - \s+listen\s+\*:443\s+ssl;\n \s+server_name\s+www\.rspec\.example\.com;\n - \s+return\s+301\s+https://rspec\.example\.com\$uri; + \s+return\s+301\s+https://rspec\.example\.com\$request_uri; |x, }, { 
@@ -656,7 +680,7 @@ if matches.all? { |m| m.is_a? Regexp } matches.each { |item| is_expected.to contain_concat__fragment("#{title}-ssl-footer").with_content(item) } else - lines = subject.resource('concat::fragment', "#{title}-ssl-footer").send(:parameters)[:content].split("\n") + lines = catalogue.resource('concat::fragment', "#{title}-ssl-footer").send(:parameters)[:content].split("\n") expect(lines & Array(param[:match])).to eq(Array(param[:match])) end Array(param[:notmatch]).each do |item| @@ -769,6 +793,15 @@ it { is_expected.to contain_file('/etc/nginx/fastcgi_params').with_mode('0770') } end + context 'when uwsgi => "uwsgi_upstream"' do + let :params do default_params.merge({ + :uwsgi => 'uwsgi_upstream', + }) end + + it { should contain_file('/etc/nginx/uwsgi_params').with_mode('0770') } + end + + context 'when listen_port == ssl_port' do let :params do default_params.merge({ :listen_port => 80, 
@@ -813,11 +846,26 @@ it { is_expected.to contain_nginx__resource__location("#{title}-default").with_ssl_only(true) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{access_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.access\.log combined;}) } it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{error_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.error\.log}) } + it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_certificate\s+dummy.cert;}) } + it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_certificate_key\s+dummy.key;}) } it { is_expected.to contain_concat__fragment("#{title}-ssl-footer") } - it { is_expected.to contain_file("/etc/nginx/#{title}.crt") } - it { is_expected.to contain_file("/etc/nginx/#{title}.key") } end + context 'when ssl_client_cert is set' do + let :params do default_params.merge({ + :ssl => true, + :listen_port => 80, + :ssl_port => 80, + :ssl_key => 'dummy.key', + :ssl_cert => 'dummy.cert', + :ssl_client_cert => 'client.cert', + }) end + + it { is_expected.to contain_nginx__resource__location("#{title}-default").with_ssl_only(true) } + it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{access_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.access\.log combined;}) } + it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{error_log\s+/var/log/nginx/ssl-www\.rspec\.example\.com\.error\.log}) } + it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_verify_client on;}) } + end context 'when passenger_cgi_param is set' do let :params do default_params.merge({ :passenger_cgi_param => { 'test1' => 'test value 1', 'test2' => 'test value 2', 'test3' => 'test value 3' } 
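Review bot: The `when ssl_client_cert is set` context asserts `ssl_verify_client on;`, but no example checks that the directive is absent when `ssl_client_cert` is not passed. A template guard that fires too eagerly would then change client-certificate handling on every SSL vhost without a failing test. I would add `it { is_expected.to contain_concat__fragment("#{title}-ssl-header").without_content(%r{ssl_verify_client}) }` to the preceding SSL context. The new context should also assert the path itself with `%r{ssl_client_certificate\s+client\.cert;}`. The dots in the added `dummy.cert` and `dummy.key` patterns are unescaped and match any character; `dummy\.cert` and `dummy\.key` are stricter.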
@@ -841,12 +889,73 @@ it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content( /passenger_set_cgi_param test3 test value 3;/ ) } end + context 'when passenger_set_header is set' do + let :params do default_params.merge({ + :passenger_set_header => { 'test1' => 'test value 1', 'test2' => 'test value 2', 'test3' => 'test value 3' } + }) end + + it { is_expected.to contain_concat__fragment("#{title}-header").with_content( /passenger_set_header test1 test value 1;/ ) } + it { is_expected.to contain_concat__fragment("#{title}-header").with_content( /passenger_set_header test2 test value 2;/ ) } + it { is_expected.to contain_concat__fragment("#{title}-header").with_content( /passenger_set_header test3 test value 3;/ ) } + end + + context 'when passenger_set_header is set and ssl => true' do + let :params do default_params.merge({ + :passenger_set_header => { 'test1' => 'test value 1', 'test2' => 'test value 2', 'test3' => 'test value 3' }, + :ssl => true, + :ssl_key => 'dummy.key', + :ssl_cert => 'dummy.cert', + }) end + + it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content( /passenger_set_header test1 test value 1;/ ) } + it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content( /passenger_set_header test2 test value 2;/ ) } + it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content( /passenger_set_header test3 test value 3;/ ) } + end + + context 'when passenger_env_var is set' do + let :params do default_params.merge({ + :passenger_env_var => { 'test1' => 'test value 1', 'test2' => 'test value 2', 'test3' => 'test value 3' } + }) end + + it { is_expected.to contain_concat__fragment("#{title}-header").with_content( /passenger_env_var test1 test value 1;/ ) } + it { is_expected.to contain_concat__fragment("#{title}-header").with_content( /passenger_env_var test2 test value 2;/ ) } + it { is_expected.to contain_concat__fragment("#{title}-header").with_content( 
/passenger_env_var test3 test value 3;/ ) } + end + + context 'when passenger_env_var is set and ssl => true' do + let :params do default_params.merge({ + :passenger_env_var => { 'test1' => 'test value 1', 'test2' => 'test value 2', 'test3' => 'test value 3' }, + :ssl => true, + :ssl_key => 'dummy.key', + :ssl_cert => 'dummy.cert', + }) end + + it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content( /passenger_env_var test1 test value 1;/ ) } + it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content( /passenger_env_var test2 test value 2;/ ) } + it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content( /passenger_env_var test3 test value 3;/ ) } + end + context 'when vhost name is sanitized' do let :title do 'www rspec-vhost com' end let :params do default_params end it { is_expected.to contain_concat('/etc/nginx/sites-available/www_rspec-vhost_com.conf') } end + + context 'when add_header is set' do + let :params do default_params.merge({ + :add_header => { 'header3' => 'test value 3', 'header2' => 'test value 2', 'header1' => 'test value 1' } + }) end + + it 'should have correctly ordered entries in the config' do + is_expected.to contain_concat__fragment("#{title}-header").with_content(/ + %r| + \s+add_header\s+header1 test value 1;\n + \s+add_header\s+header2 test value 2;\n + \s+add_header\s+header3 test value 3;\n + |/) + end + end end end end diff --git a/spec/spec_helper_system.rb b/spec/spec_helper_acceptance.rb similarity index 73% rename from spec/spec_helper_system.rb rename to spec/spec_helper_acceptance.rb index bfb7271d0..24e707590 100644 --- a/spec/spec_helper_system.rb +++ b/spec/spec_helper_acceptance.rb 
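Review bot: The `when add_header is set` example wraps a `%r| ... |` literal inside `/ ... /`, so the two `|` characters become regex alternation and the `%r` becomes literal text. As far as the collapsed hunk shows, one of the resulting alternatives is only whitespace, which matches almost any fragment, so the ordering check can pass even when the headers are emitted in the wrong order. A single literal is enough: `with_content(/\s+add_header\s+header1 test value 1;\n\s+add_header\s+header2 test value 2;\n\s+add_header\s+header3 test value 3;\n/)`. The enclosing describe block continues outside the hunk.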
@@ -1,30 +1,31 @@ -require 'rspec-system/spec_helper' -require 'rspec-system-puppet/helpers' -require 'rspec-system-serverspec/helpers' -include RSpecSystemPuppet::Helpers +require 'beaker-rspec' + +hosts.each do |host| + # Install Puppet + on host, install_puppet +end RSpec.configure do |c| # Project root proj_root = File.expand_path(File.join(File.dirname(__FILE__), '..')) - # Enable colour - c.tty = true + c.formatter = :documentation # This is where we 'setup' the nodes before running our tests c.before :suite do - # Install puppet - puppet_install - - # Install modules and dependencies - puppet_module_install(:source => proj_root, :module_name => 'nginx') - shell('puppet module install puppetlabs-apt') - shell('puppet module install puppetlabs-stdlib') - shell('puppet module install puppetlabs-concat') + hosts.each do |host| + # Install module + copy_module_to(host, :source => proj_root, :module_name => 'nginx') + if fact('osfamily') == 'Debian' + on host, puppet('module','install','puppetlabs-apt'), { :acceptable_exit_codes => [0,1] } + end + on host, puppet('module','install','puppetlabs-stdlib'), { :acceptable_exit_codes => [0,1] } + on host, puppet('module','install','puppetlabs-concat'), { :acceptable_exit_codes => [0,1] } - # Fake keys. - # Valid self-signed SSL key with 10 year expiry. - # Required for nginx to start when SSL enabled - shell('echo "-----BEGIN PRIVATE KEY----- + # Fake keys. + # Valid self-signed SSL key with 10 year expiry. + # Required for nginx to start when SSL enabled + on host, shell('echo "-----BEGIN PRIVATE KEY----- MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAOPchwRZRF4KmU6E g7C6Pq9zhdLiQt9owdcLZNiZS+UVRQjeDHSy3titzh5YwSoQonlnSqd0g/PJ6kNA O3CNOMVuzAddnAaHzW1J4Rt6sZwOuidtJC4t/hFCgz5NqOMgYOOfratQx00A7ZXK 
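Review bot: The key and certificate fixtures are written with `on host, shell('echo ...')`, which nests two beaker helpers. As far as I know `shell` is shorthand for running on the default host, so the command runs there and its result object, not a command string, is handed to `on host`. Passing the string directly, `on host, 'echo "..." > /tmp/blah.key'`, keeps the write on the host being iterated; the same applies to the `/tmp/blah.cert` write in the next hunk. Likewise `fact('osfamily')` inside `hosts.each` reads the default host, and `fact_on(host, 'osfamily')` would be per host. `:acceptable_exit_codes => [0,1]` on the `puppet module install` calls also hides a failed dependency install, which then surfaces later as an unrelated catalogue error.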
@@ -40,7 +41,7 @@ b0fTREZFZRGZBJcSu959YyMzhpSFA+lXkLNTWX8j1/D88H731oMSImoQNWcYx2dH sCwOCDqu1nZ2LJ8= -----END PRIVATE KEY-----" > /tmp/blah.key') - shell('echo "-----BEGIN CERTIFICATE----- + on host, shell('echo "-----BEGIN CERTIFICATE----- MIIDRjCCAq+gAwIBAgIJAL9m0V4sHW2tMA0GCSqGSIb3DQEBBQUAMIG7MQswCQYD VQQGEwItLTESMBAGA1UECAwJU29tZVN0YXRlMREwDwYDVQQHDAhTb21lQ2l0eTEZ MBcGA1UECgwQU29tZU9yZ2FuaXphdGlvbjEfMB0GA1UECwwWU29tZU9yZ2FuaXph @@ -60,5 +61,6 @@ aIZ8kxsBjLvpi9KQTHi7Wl6Sw3ecoYdKy+2P8S5xOIpWjs8XVmOWf7Tq1+9KPv3z HLw/FDCzntkdq3G4em15CdFlO9BTY4HXiHU= -----END CERTIFICATE-----" > /tmp/blah.cert') + end end end diff --git a/spec/system/basic_spec.rb b/spec/system/basic_spec.rb deleted file mode 100644 index 775c8b654..000000000 --- a/spec/system/basic_spec.rb +++ /dev/null @@ -1,33 +0,0 @@ -require 'spec_helper_system' - -# Here we put the more basic fundamental tests, ultra obvious stuff. -describe "basic tests:" do - context 'make sure we have copied the module across' do - # No point diagnosing any more if the module wasn't copied properly - context shell 'ls /etc/puppet/modules/nginx' do - its(:stdout) { should =~ /Modulefile/ } - its(:stderr) { should be_empty } - its(:exit_code) { should be_zero } - end - end - - #puppet smoke test - context puppet_apply 'notice("foo")' do - its(:stdout) { should =~ /foo/ } - its(:stderr) { should be_empty } - its(:exit_code) { should be_zero } - end - - it 'nginx class should work with no errors' do - pp = <<-EOS - class { 'nginx': } - EOS - - # Run it twice and test for idempotency - puppet_apply(pp) do |r| - [0,2].should include(r.exit_code) - r.refresh - r.exit_code.should be_zero - end - end -end diff --git a/spec/system/class_spec.rb b/spec/system/class_spec.rb deleted file mode 100644 index d8eff7c41..000000000 --- a/spec/system/class_spec.rb +++ /dev/null 
@@ -1,35 +0,0 @@ -require 'spec_helper_system' - -describe "nginx class:" do - case node.facts['osfamily'] - when 'RedHat' - package_name = 'nginx' - when 'Debian' - package_name = 'nginx' - when 'Suse' - package_name = 'nginx-0.8' - end - - context 'should run successfully' do - it 'should run successfully' do - pp = "class { 'nginx': }" - - puppet_apply(pp) do |r| - #r.stderr.should be_empty - [0,2].should include r.exit_code - r.refresh - #r.stderr.should be_empty - r.exit_code.should be_zero - end - end - end - - describe package(package_name) do - it { should be_installed } - end - - describe service('nginx') do - it { should be_running } - end - -end diff --git a/spec/system/nginx_mail_spec.rb b/spec/system/nginx_mail_spec.rb deleted file mode 100644 index e8cce6cf1..000000000 --- a/spec/system/nginx_mail_spec.rb +++ /dev/null @@ -1,42 +0,0 @@ -require 'spec_helper_system' - -describe "nginx::resource::mailhost define:" do - it 'should run successfully' do - - pp = " - class { 'nginx': - mail => true, - } - nginx::resource::vhost { 'www.puppetlabs.com': - ensure => present, - www_root => '/var/www/www.puppetlabs.com', - } - nginx::resource::mailhost { 'domain1.example': - ensure => present, - auth_http => 'localhost/cgi-bin/auth', - protocol => 'smtp', - listen_port => 587, - ssl_port => 465, - xclient => 'off', - } - " - - puppet_apply(pp) do |r| - [0,2].should include r.exit_code - r.refresh - # Not until deprecated variables fixed. - #r.stderr.should be_empty - r.exit_code.should be_zero - end - end - - describe file('/etc/nginx/conf.mail.d/domain1.example.conf') do - it { should be_file } - it { should contain "auth_http localhost/cgi-bin/auth;" } - end - - describe file('/etc/nginx/sites-available/www.puppetlabs.com.conf') do - it { should be_file } - end - -end diff --git a/templates/conf.d/nginx.conf.erb b/templates/conf.d/nginx.conf.erb index f3d97f024..4838a90f3 100644 --- a/templates/conf.d/nginx.conf.erb +++ b/templates/conf.d/nginx.conf.erb 
@@ -11,6 +11,15 @@ pid <%= @pid %>; <% end -%> error_log <%= @nginx_error_log %>; +<% if @nginx_cfg_prepend -%> +<%- field_width = @nginx_cfg_prepend.inject(0) { |l,(k,v)| k.size > l ? k.size : l } -%> +<%- @nginx_cfg_prepend.sort_by{|k,v| k}.each do |key,value| -%> +<%- Array(value).each do |asubvalue| -%> +<%= sprintf("%-*s", field_width, key) %> <%= asubvalue %>; +<%- end -%> +<%- end -%> +<% end -%> + events { worker_connections <%= @worker_connections -%>; <%- if @multi_accept == 'on' -%> diff --git a/templates/mailhost/mailhost.erb b/templates/mailhost/mailhost.erb index 399d09b45..ef47a20d7 100644 --- a/templates/mailhost/mailhost.erb +++ b/templates/mailhost/mailhost.erb @@ -1,10 +1,22 @@ server { +<%- if @listen_ip.is_a?(Array) then -%> + <%- @listen_ip.each do |ip| -%> + listen <%= ip %>:<%= @listen_port %><% if @listen_options %> <%= @listen_options %><% end %>; + <%- end -%> +<%- else -%> listen <%= @listen_ip %>:<%= @listen_port %><% if @listen_options %> <%= @listen_options %><% end %>; - <% # check to see if ipv6 support exists in the kernel before applying %> - <% if @ipv6_enable && (defined? @ipaddress6) %> - listen [<%= @ipv6_listen_ip %>]:<%= @ipv6_listen_port %><% if @ipv6_listen_options %> <%= @ipv6_listen_options %><% end %>; - <% end %> +<%- end -%> +<%# check to see if ipv6 support exists in the kernel before applying -%> +<%- if @ipv6_enable && (defined? @ipaddress6) -%> + <%- if @ipv6_listen_ip.is_a?(Array) then -%> + <%- @ipv6_listen_ip.each do |ipv6| -%> + listen [<%= ipv6 %>]:<%= @ipv6_listen_port %> <% if @ipv6_listen_options %><%= @ipv6_listen_options %><% end %>; + <%- end -%> + <%- else -%> + listen [<%= @ipv6_listen_ip %>]:<%= @ipv6_listen_port %> <% if @ipv6_listen_options %><%= @ipv6_listen_options %><% end %>; + <%- end -%> +<%- end -%> server_name <%= @server_name.join(" ") %>; protocol <%= @protocol %>; xclient <%= @xclient %>; 
diff --git a/templates/mailhost/mailhost_ssl.erb b/templates/mailhost/mailhost_ssl.erb index e568566f8..cc4e6201c 100644 --- a/templates/mailhost/mailhost_ssl.erb +++ b/templates/mailhost/mailhost_ssl.erb @@ -1,10 +1,22 @@ server { - listen <%= @ssl_port %>; - <% # check to see if ipv6 support exists in the kernel before applying %> - <% if @ipv6_enable && (defined? @ipaddress6) %> - listen [<%= @ipv6_listen_ip %>]:<%= @ipv6_listen_port %> <% if @ipv6_listen_options %><%= @ipv6_listen_options %><% end %>; - <% end %> +<%- if @listen_ip.is_a?(Array) then -%> + <%- @listen_ip.each do |ip| -%> + listen <%= ip %>:<%= @ssl_port %>; + <%- end -%> +<%- else -%> + listen <%= @listen_ip %>:<%= @ssl_port %>; +<%- end -%> +<%# check to see if ipv6 support exists in the kernel before applying -%> +<%- if @ipv6_enable && (defined? @ipaddress6) -%> + <%- if @ipv6_listen_ip.is_a?(Array) then -%> + <%- @ipv6_listen_ip.each do |ipv6| -%> + listen [<%= ipv6 %>]:<%= @ssl_port %><% if @ipv6_listen_options %> <%= @ipv6_listen_options %><% end %>; + <%- end -%> + <%- else -%> + listen [<%= @ipv6_listen_ip %>]:<%= @ssl_port %><% if @ipv6_listen_options %> <%= @ipv6_listen_options %><% end %>; + <%- end -%> +<%- end -%> server_name <%= @server_name.join(" ") %>; protocol <%= @protocol %>; xclient <%= @xclient %>; diff --git a/templates/vhost/fastcgi_params.erb b/templates/vhost/fastcgi_params.erb index dc6049c14..a786da26c 100644 --- a/templates/vhost/fastcgi_params.erb +++ b/templates/vhost/fastcgi_params.erb 
@@ -1,27 +1,27 @@ # This file managed by puppet on host <%= @fqdn %> -fastcgi_param QUERY_STRING $query_string; -fastcgi_param REQUEST_METHOD $request_method; -fastcgi_param CONTENT_TYPE $content_type; -fastcgi_param CONTENT_LENGTH $content_length; +fastcgi_param QUERY_STRING $query_string; +fastcgi_param REQUEST_METHOD $request_method; +fastcgi_param CONTENT_TYPE $content_type; +fastcgi_param CONTENT_LENGTH $content_length; -fastcgi_param SCRIPT_FILENAME $request_filename; -fastcgi_param SCRIPT_NAME $fastcgi_script_name; -fastcgi_param REQUEST_URI $request_uri; -fastcgi_param DOCUMENT_URI $document_uri; -fastcgi_param DOCUMENT_ROOT $document_root; -fastcgi_param SERVER_PROTOCOL $server_protocol; +fastcgi_param SCRIPT_FILENAME $request_filename; +fastcgi_param SCRIPT_NAME $fastcgi_script_name; +fastcgi_param REQUEST_URI $request_uri; +fastcgi_param DOCUMENT_URI $document_uri; +fastcgi_param DOCUMENT_ROOT $document_root; +fastcgi_param SERVER_PROTOCOL $server_protocol; -fastcgi_param GATEWAY_INTERFACE CGI/1.1; -fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; +fastcgi_param GATEWAY_INTERFACE CGI/1.1; +fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; -fastcgi_param REMOTE_ADDR $remote_addr; -fastcgi_param REMOTE_PORT $remote_port; -fastcgi_param SERVER_ADDR $server_addr; -fastcgi_param SERVER_PORT $server_port; -fastcgi_param SERVER_NAME $server_name; +fastcgi_param REMOTE_ADDR $remote_addr; +fastcgi_param REMOTE_PORT $remote_port; +fastcgi_param SERVER_ADDR $server_addr; +fastcgi_param SERVER_PORT $server_port; +fastcgi_param SERVER_NAME $server_name; -fastcgi_param HTTPS $https; +fastcgi_param HTTPS $https; # PHP only, required if PHP was built with --enable-force-cgi-redirect -fastcgi_param REDIRECT_STATUS 200; +fastcgi_param REDIRECT_STATUS 200; diff --git a/templates/vhost/location_header.erb b/templates/vhost/location_header.erb index 023cd2388..64c5b93b7 100644 --- a/templates/vhost/location_header.erb +++ b/templates/vhost/location_header.erb 
@@ -19,6 +19,12 @@ deny <%= deny_rule %>; <%- end -%> <% end -%> +<% if @auth_basic -%> + auth_basic "<%= @auth_basic %>"; +<%- end %> +<%- if @auth_basic_user_file -%> + auth_basic_user_file <%= @auth_basic_user_file %>; +<% end -%> <% if @location_custom_cfg_prepend -%> <%- @location_custom_cfg_prepend.each do |key,value| -%> <%- if value.is_a?(Hash) -%> diff --git a/templates/vhost/locations/directory.erb b/templates/vhost/locations/directory.erb index 95c973763..60850a0c1 100644 --- a/templates/vhost/locations/directory.erb +++ b/templates/vhost/locations/directory.erb @@ -11,12 +11,3 @@ <% if @try_files -%> try_files<% @try_files.each do |try| -%> <%= try %><% end -%>; <% end -%> -<% if instance_variables.any? { |iv| iv.to_s.include? 'auth_basic' } -%> - - <%- if @auth_basic -%> - auth_basic "<%= @auth_basic %>"; - <%- end -%> - <%- if defined? @auth_basic_user_file -%> - auth_basic_user_file <%= @auth_basic_user_file %>; - <%- end -%> -<% end -%> \ No newline at end of file diff --git a/templates/vhost/locations/fastcgi.erb b/templates/vhost/locations/fastcgi.erb index 2dacdf0cf..cb3937c41 100644 --- a/templates/vhost/locations/fastcgi.erb +++ b/templates/vhost/locations/fastcgi.erb @@ -16,7 +16,7 @@ <% end -%> <% if defined? @fastcgi_param -%> <%- field_width = @fastcgi_param.inject(0) { |l,(k,v)| k.size > l ? k.size : l } -%> - <%- @fastcgi_param.each do |key, val| -%> + <%- @fastcgi_param.sort_by {|k,v| k}.each do |key, val| -%> fastcgi_param <%= sprintf("%-*s", field_width, key) %> <%= val %>; <%- end -%> <% end -%> diff --git a/templates/vhost/locations/proxy.erb b/templates/vhost/locations/proxy.erb index 971a0abd4..1687417bf 100644 --- a/templates/vhost/locations/proxy.erb +++ b/templates/vhost/locations/proxy.erb 
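Review bot: In location_header.erb `auth_basic` and `auth_basic_user_file` are now guarded by two independent conditions, so a location can be rendered with a realm but no user file. As far as I know nginx does not enforce basic authentication unless both directives are set, so such a location would be served unauthenticated without any error at catalogue or reload time. Rendering both under one guard, `<% if @auth_basic && @auth_basic_user_file -%>`, or failing in the define when only one is given, makes the misconfiguration visible. The realm is also interpolated into a double-quoted string unescaped, so a value containing `"` would break the directive. The trim markers are mismatched as well (`<% if ... -%>` closed by `<%- end %>`), which leaves a stray blank line in the output.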
@@ -21,12 +21,3 @@ <% if @proxy_cache_valid -%> proxy_cache_valid <%= @proxy_cache_valid %>; <% end -%> -<% if instance_variables.any? { |iv| iv.to_s.include? 'auth_basic' } -%> - - <%- if @auth_basic -%> - auth_basic "<%= @auth_basic %>"; - <%- end -%> - <%- if defined? @auth_basic_user_file -%> - auth_basic_user_file <%= @auth_basic_user_file %>; - <%- end -%> -<% end -%> diff --git a/templates/vhost/locations/uwsgi.erb b/templates/vhost/locations/uwsgi.erb new file mode 100644 index 000000000..a20cc4685 --- /dev/null +++ b/templates/vhost/locations/uwsgi.erb @@ -0,0 +1,8 @@ +<% if defined? @www_root -%> + root <%= @www_root %>; +<% end -%> +<% if @try_files -%> + try_files<% @try_files.each do |try| -%> <%= try %><% end -%>; +<% end -%> + include <%= @uwsgi_params %>; + uwsgi_pass <%= @uwsgi %>; diff --git a/templates/vhost/uwsgi_params.erb b/templates/vhost/uwsgi_params.erb new file mode 100644 index 000000000..86b9a2de7 --- /dev/null +++ b/templates/vhost/uwsgi_params.erb @@ -0,0 +1,15 @@ +# This file managed by puppet on host <%= @fqdn %> + +uwsgi_param QUERY_STRING $query_string; +uwsgi_param REQUEST_METHOD $request_method; +uwsgi_param CONTENT_TYPE $content_type; +uwsgi_param CONTENT_LENGTH $content_length; +uwsgi_param REQUEST_URI $request_uri; +uwsgi_param PATH_INFO $document_uri; +uwsgi_param DOCUMENT_ROOT $document_root; +uwsgi_param SERVER_PROTOCOL $server_protocol; +uwsgi_param REMOTE_ADDR $remote_addr; +uwsgi_param REMOTE_PORT $remote_port; +uwsgi_param SERVER_ADDR $server_addr; +uwsgi_param SERVER_PORT $server_port; +uwsgi_param SERVER_NAME $server_name; diff --git a/templates/vhost/vhost_header.erb b/templates/vhost/vhost_header.erb index ce343a2b2..4289d1606 100644 --- a/templates/vhost/vhost_header.erb +++ b/templates/vhost/vhost_header.erb 
@@ -1,20 +1,48 @@ <% if @rewrite_www_to_non_www -%> server { - listen <%= @listen_ip %>:<%= @listen_port %>; + <%- if @listen_ip.is_a?(Array) then -%> + <%- @listen_ip.each do |ip| -%> + listen <%= ip %>:<%= @listen_port %><% if @listen_options %> <%= @listen_options %><% end %>; + <%- end -%> + <%- else -%> + listen <%= @listen_ip %>:<%= @listen_port %><% if @listen_options %> <%= @listen_options %><% end %>; + <%- end -%> +<%# check to see if ipv6 support exists in the kernel before applying -%> + <%- if @ipv6_enable && (defined? @ipaddress6) -%> + <%- if @ipv6_listen_ip.is_a?(Array) then -%> + <%- @ipv6_listen_ip.each do |ipv6| -%> + listen [<%= ipv6 %>]:<%= @ipv6_listen_port %> <% if @ipv6_listen_options %><%= @ipv6_listen_options %><% end %>; + <%- end -%> + <%- else -%> + listen [<%= @ipv6_listen_ip %>]:<%= @ipv6_listen_port %> <% if @ipv6_listen_options %><%= @ipv6_listen_options %><% end %>; + <%- end -%> + <%- end -%> server_name www.<%= @server_name[0].gsub(/^www\./, '') %>; - return 301 http://<%= @server_name[0].gsub(/^www\./, '') %>$uri; + return 301 http://<%= @server_name[0].gsub(/^www\./, '') %>$request_uri; } <% end -%> server { - listen <%= @listen_ip %>:<%= @listen_port %><% if @listen_options %> <%= @listen_options %><% end %>; +<%- if @listen_ip.is_a?(Array) then -%> + <%- @listen_ip.each do |ip| -%> + listen <%= ip %>:<%= @listen_port %><% if @listen_options %> <%= @listen_options %><% end %>; + <%- end -%> +<%- else -%> + listen <%= @listen_ip %>:<%= @listen_port %><% if @listen_options %> <%= @listen_options %><% end %>; +<%- end -%> <%# check to see if ipv6 support exists in the kernel before applying -%> -<% if @ipv6_enable && (defined? @ipaddress6) -%> +<%- if @ipv6_enable && (defined? 
@ipaddress6) -%> + <%- if @ipv6_listen_ip.is_a?(Array) then -%> + <%- @ipv6_listen_ip.each do |ipv6| -%> + listen [<%= ipv6 %>]:<%= @ipv6_listen_port %> <% if @ipv6_listen_options %><%= @ipv6_listen_options %><% end %>; + <%- end -%> + <%- else -%> listen [<%= @ipv6_listen_ip %>]:<%= @ipv6_listen_port %> <% if @ipv6_listen_options %><%= @ipv6_listen_options %><% end %>; -<% end -%> + <%- end -%> +<%- end -%> server_name <%= @rewrite_www_to_non_www ? @server_name[0].gsub(/^www\./, '') : @server_name.join(" ") %>; <%- if instance_variables.any? { |iv| iv.to_s.include? 'auth_basic' } -%> - <% if defined? @auth_basic -%> + <%- if defined? @auth_basic -%> auth_basic "<%= @auth_basic %>"; <%- end -%> <%- if defined? @auth_basic_user_file -%> @@ -66,14 +94,27 @@ server { passenger_set_cgi_param <%= key %> <%= @passenger_cgi_param[key] %>; <%- end -%> <% end -%> +<% if @passenger_set_header -%> + <%- @passenger_set_header.keys.sort.each do |key| -%> + passenger_set_header <%= key %> <%= @passenger_set_header[key] %>; + <%- end -%> +<% end -%> +<% if @passenger_env_var -%> + <%- @passenger_env_var.keys.sort.each do |key| -%> + passenger_env_var <%= key %> <%= @passenger_env_var[key] %>; + <%- end -%> +<% end -%> <% if Array(@resolver).count > 0 -%> resolver <% Array(@resolver).each do |r| %> <%= r %><% end %>; <% end -%> <% if @add_header -%> - <%- @add_header.each do |key,value| -%> - add_header <%= key %> <%= value %>; + <%- @add_header.keys.sort.each do |key| -%> + add_header <%= key %> <%= @add_header[key] %>; <%- end -%> <% end -%> +<% if @maintenance -%> + <%= @maintenance_value %>; +<% end -%> <% if @rewrite_to_https -%> if ($ssl_protocol = "") { return 301 https://$host<% if @ssl_port.to_i != 443 %>:<%= @ssl_port %><% end %>$request_uri; diff --git a/templates/vhost/vhost_ssl_header.erb b/templates/vhost/vhost_ssl_header.erb index 35de38d62..c1de6ad30 100644 --- a/templates/vhost/vhost_ssl_header.erb +++ b/templates/vhost/vhost_ssl_header.erb 
@@ -1,48 +1,57 @@ <% if @rewrite_www_to_non_www -%> server { - listen <%= @listen_ip %>:<%= @ssl_port %> ssl; + <%- if @listen_ip.is_a?(Array) then -%> + <%- @listen_ip.each do |ip| -%> + listen <%= ip %>:<%= @ssl_port %> <% if @ssl_listen_option %>ssl<% end %><% if @spdy == 'on' %> spdy<% end %><% if @listen_options %> <%= @listen_options %><% end %>; + <%- end -%> + <%- else -%> + listen <%= @listen_ip %>:<%= @ssl_port %> <% if @ssl_listen_option %>ssl<% end %><% if @spdy == 'on' %> spdy<% end %><% if @listen_options %> <%= @listen_options %><% end %>; + <%- end -%> +<%# check to see if ipv6 support exists in the kernel before applying -%> + <%- if @ipv6_enable && (defined? @ipaddress6) -%> + <%- if @ipv6_listen_ip.is_a?(Array) then -%> + <%- @ipv6_listen_ip.each do |ipv6| -%> + listen [<%= ipv6 %>]:<%= @ssl_port %> ssl<% if @spdy == 'on' %> spdy<% end %><% if @ipv6_listen_options %> <%= @ipv6_listen_options %><% end %>; + <%- end -%> + <%- else -%> + listen [<%= @ipv6_listen_ip %>]:<%= @ssl_port %> ssl<% if @spdy == 'on' %> spdy<% end %><% if @ipv6_listen_options %> <%= @ipv6_listen_options %><% end %>; + <%- end -%> + <%- end -%> server_name www.<%= @server_name[0].gsub(/^www\./, '') %>; - return 301 https://<%= @server_name[0].gsub(/^www\./, '') %>$uri; + return 301 https://<%= @server_name[0].gsub(/^www\./, '') %>$request_uri; + +<%= scope.function_template(["nginx/vhost/vhost_ssl_settings.erb"]) %> + } <% end -%> server { + <%- if @listen_ip.is_a?(Array) then -%> + <%- @listen_ip.each do |ip| -%> + listen <%= ip %>:<%= @ssl_port %> <% if @ssl_listen_option %>ssl<% end %><% if @spdy == 'on' %> spdy<% end %><% if @listen_options %> <%= @listen_options %><% end %>; + <%- end -%> + <%- else -%> listen <%= @listen_ip %>:<%= @ssl_port %> <% if @ssl_listen_option %>ssl<% end %><% if @spdy == 'on' %> spdy<% end %><% if @listen_options %> <%= @listen_options %><% end %>; + <%- end -%> +<%# check to see if ipv6 support exists in the kernel before applying -%> <%- if 
@ipv6_enable && (defined? @ipaddress6) -%> - listen [<%= @ipv6_listen_ip %>]:<%= @ssl_port %> ssl<% if @spdy == 'on' %> spdy<% end %><% if @ipv6_listen_options %> <%= @ipv6_listen_options %><% end %>; + <%- if @ipv6_listen_ip.is_a?(Array) then -%> + <%- @ipv6_listen_ip.each do |ipv6| -%> + listen [<%= ipv6 %>]:<%= @ssl_port %> ssl<% if @spdy == 'on' %> spdy<% end %><% if @ipv6_listen_options %> <%= @ipv6_listen_options %><% end %>; + <%- end -%> + <%- else -%> + listen [<%= @ipv6_listen_ip %>]:<%= @ssl_port %> ssl<% if @spdy == 'on' %> spdy<% end %><% if @ipv6_listen_options %> <%= @ipv6_listen_options %><% end %>; + <%- end -%> <%- end -%> server_name <%= @rewrite_www_to_non_www ? @server_name[0].gsub(/^www\./, '') : @server_name.join(" ") %>; - ssl on; +<%= scope.function_template(["nginx/vhost/vhost_ssl_settings.erb"]) %> - ssl_certificate <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.crt; - ssl_certificate_key <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.key; -<% if defined? @ssl_dhparam -%> - ssl_dhparam <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.dh.pem; +<% if @maintenance -%> + <%= @maintenance_value %>; <% end -%> - ssl_session_cache <%= @ssl_cache %>; - ssl_session_timeout <%= @ssl_session_timeout %>; - ssl_protocols <%= @ssl_protocols %>; - ssl_ciphers <%= @ssl_ciphers %>; - ssl_prefer_server_ciphers on; -<%- if instance_variables.any? { |iv| iv.to_s.include? 'ssl_' } -%> - <%- if @ssl_stapling -%> - ssl_stapling on; - <%- end -%> - <%- if defined? @ssl_stapling_file -%> - ssl_stapling_file <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.ocsp.resp; - <%- end -%> - <%- if defined? @ssl_stapling_responder -%> - ssl_stapling_responder <%= @ssl_stapling_responder %>; - <%- end -%> - <%- if @ssl_stapling_verify -%> - ssl_stapling_verify on; - <%- end -%> - <%- if defined? 
@ssl_trusted_cert -%> - ssl_trusted_certificate <%= scope.lookupvar('nginx::config::conf_dir') %>/<%= @name.gsub(' ', '_') %>.trusted.crt; - <%- end -%> -<% end -%> + <% if Array(@resolver).count > 0 -%> resolver <% Array(@resolver).each do |r| %> <%= r %><% end %>; <% end -%> @@ -116,6 +125,12 @@ server { <% Array(@passenger_cgi_param).each do |key,value| -%> passenger_set_cgi_param <%= key %> <%= value %>; <% end -%> +<% Array(@passenger_set_header).each do |key,value| -%> + passenger_set_header <%= key %> <%= value %>; +<% end -%> +<% Array(@passenger_env_var).each do |key,value| -%> + passenger_env_var <%= key %> <%= value %>; +<% end -%> <% Array(@add_header).each do |key,value| -%> add_header <%= key %> <%= value %>; <% end -%> diff --git a/templates/vhost/vhost_ssl_settings.erb b/templates/vhost/vhost_ssl_settings.erb new file mode 100644 index 000000000..2d12c391e --- /dev/null +++ b/templates/vhost/vhost_ssl_settings.erb 
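Review bot: The SSL header iterates `Array(@passenger_set_header)` and `Array(@passenger_env_var)` in hash order, while the same commit makes vhost_header.erb emit them through `keys.sort`. The plain and SSL server blocks of one vhost can therefore list the same directives in different orders, and only the non-SSL side has the stable ordering this change set introduces elsewhere. Sorting here too keeps both templates consistent: `<% Array(@passenger_set_header).sort.each do |key,value| -%>` and the same for `@passenger_env_var`. The neighbouring `add_header` loop in the context lines has the same shape.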
@@ -0,0 +1,37 @@ + ssl on; + + ssl_certificate <%= @ssl_cert %>; + ssl_certificate_key <%= @ssl_key %>; +<% if defined? @ssl_client_cert -%> + ssl_client_certificate <%= @ssl_client_cert %>; + ssl_verify_client on; +<% end -%> +<% if defined? @ssl_dhparam -%> + ssl_dhparam <%= @ssl_dhparam %>; +<% end -%> + ssl_session_cache <%= @ssl_cache %>; + ssl_session_timeout <%= @ssl_session_timeout %>; + ssl_protocols <%= @ssl_protocols %>; + ssl_ciphers <%= @ssl_ciphers %>; + ssl_prefer_server_ciphers on; +<% if @ssl_crl -%> + ssl_crl <%= @ssl_crl %>; +<% end -%> +<%- if instance_variables.any? { |iv| iv.to_s.include? 'ssl_' } -%> + <%- if @ssl_stapling -%> + ssl_stapling on; + <%- end -%> + <%- if defined? @ssl_stapling_file -%> + ssl_stapling_file <%= @ssl_stapling_file %>; + <%- end -%> + <%- if defined? @ssl_stapling_responder -%> + ssl_stapling_responder <%= @ssl_stapling_responder %>; + <%- end -%> + <%- if @ssl_stapling_verify -%> + ssl_stapling_verify on; + <%- end -%> + <%- if defined? @ssl_trusted_cert -%> + ssl_trusted_certificate <%= @ssl_trusted_cert %>; + <%- end -%> + +<% end -%> diff --git a/tests/vhost_ssl.pp b/tests/vhost_ssl.pp index 0eff758d2..2973273d8 100644 --- a/tests/vhost_ssl.pp +++ b/tests/vhost_ssl.pp @@ -1,5 +1,14 @@ include nginx +nginx::resource::vhost { 'test3.local test3': + ensure => present, + www_root => '/var/www/nginx-default', + ssl => true, + ssl_cert => 'puppet:///modules/sslkey/whildcard_mydomain.crt', + ssl_client_cert => 'puppet:///modules/sslkey/whildcard_mydomain.crt', + ssl_key => 'puppet:///modules/sslkey/whildcard_mydomain.key' +} + nginx::resource::vhost { 'test2.local test2': ensure => present, www_root => '/var/www/nginx-default', @@ -15,3 +24,11 @@ vhost => 'test2.local test2', } +nginx::resource::location { 'test3.local-bob': + ensure => present, + www_root => '/var/www/bob', + location => '/bob', + vhost => 'test3.local test3', +} + +
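Review bot: In vhost_ssl_settings.erb the client-certificate block is guarded by `defined? @ssl_client_cert`, which tests whether the instance variable exists, not whether it has a value. Depending on how the Puppet version in use exposes undef parameters to templates (this commit adds Puppet 4 to the CI matrix), the guard can be true for an unset parameter and render `ssl_client_certificate ;` together with `ssl_verify_client on;`. That yields either an invalid config or client verification nobody asked for. The CRL block a few lines below already uses a truthiness test, so `<% if @ssl_client_cert -%>` would be consistent with it. The same applies to the `defined?` guards on `@ssl_dhparam`, `@ssl_stapling_file`, `@ssl_stapling_responder` and `@ssl_trusted_cert` in this file. A short comment above `ssl_verify_client on;` should say that supplying `ssl_client_cert` makes client certificates mandatory for the whole vhost.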
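Review bot: The added `test3.local test3` vhost passes `puppet:///modules/sslkey/...` URLs for `ssl_cert`, `ssl_key` and `ssl_client_cert`. The new vhost_ssl_settings.erb in this commit writes those values straight into `ssl_certificate`, `ssl_certificate_key` and `ssl_client_certificate`, where nginx expects a file path on the node. Unless the define still copies the files into place (not visible in this hunk), the example should use absolute paths, for instance `ssl_cert => '/etc/nginx/ssl/test3.crt'` (constructed path). The example also reuses the server certificate as the client CA; a comment that `ssl_client_cert` should point at the CA bundle that issued the client certificates would stop that from being copied as is.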