ops / cfe-nginx-php-fpm · Commits

Commit 1794df1896eff59620e669ec5ddeba236a6ecc88

Authored by nollieheel
Committed by Earth Ugat
1 parent 0975ffb2

Bump to v0.4.2. Add new site type 'webserver_basic', add mitigations for HTTPOXY attacks.

Inline Side-by-side
Showing 9 changed files with 101 additions and 17 deletions
  1 +## 0.4.2 - 2016-09-09
  2 +### Security
  3 +- Add proxy and fastcgi directives to prevent HTTPOXY attacks as described [here](https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/ "Mitigate HTTPOXY with Nginx")
  4 +
  5 +### Added
  6 +- Add more appropriate keywords for virtual site types
  7 +- Add a new site type `webserver_basic` with a customizable template
  8 +
1 9 # 0.4.1
2 10
3 11 Add attribute to customize listen options for virtual host
... ...
... ... @@ -2,7 +2,7 @@
2 2
3 3 Installs PHP5-FPM, Nginx, Postfix, and MariaDB client on a server. Also sets up webserver configs for all virtual servers, including TLS and basic auth.
4 4
5   -Can also auto-generate config files for certain site types, such as Wordpress, etc. (right now it's: `wordpress`, `basic`, and `webserver`).
  5 +Can also auto-generate config files for certain site types, such as Wordpress, etc. (right now it's: `wordpress`, `basic_php`, `webserver_basic`, and `webserver_ws`).
6 6
7 7 ## Supported Platforms
8 8
... ...
... ... @@ -150,12 +150,14 @@ default['cfe-nginx-php-fpm']['nginx']['sites'] = [
150 150 # Each type element of this array is a hash containing different attributes.
151 151 #
152 152 # Mandatory attributes are:
153   - # :type => One of: 'basic' (basic PHP site)
  153 + # :type => One of: 'basic_php' (basic PHP site)
154 154 # 'wordpress' (standard Wordpress site)
155   - # 'webserver' (proxy webserver)
  155 + # 'webserver_ws' (proxy webserver with websocket)
  156 + # 'webserver_basic' (proxy generic webserver)
156 157 # :upstream_servers => An array containing upstream server endpoints.
157 158 # Unix socket example: ['/var/run/php-fpm.sock']
158 159 # Tcp port example: ['127.0.0.1:9000']
  160 + # (This is optional for type 'webserver_basic')
159 161 #
160 162 # Optional attributes are:
161 163 # :subpath => A string of the form: 'news/blog'.
... ... @@ -179,15 +181,28 @@ default['cfe-nginx-php-fpm']['nginx']['sites'] = [
179 181 # or not. Default: false
180 182 #
181 183 # Unique attributes for each type are indicated below:
182   - # Basic PHP Site (:type => 'basic'):
  184 + # Basic PHP Site (:type => 'basic_php'):
183 185 # :fastcgi_intercept_errors => Optional. Default: false
184 186 # Standard Wordpress Site (:type => 'wordpress'):
185 187 # :fastcgi_intercept_errors => Optional. Default: false
186 188 # :loginpage_statements => An array of strings to be put on the
187 189 # config for the /wp-login.php
188 190 # and /wp-admin pages. Default: []
189   - # Proxy Webserver (:type => 'webserver'):
  191 + # Proxy Websocket Webserver (:type => 'webserver_ws'):
190 192 # (none)
  193 + # Proxy Generic Webserver (:type => 'webserver_basic'):
  194 + # :source => The name of the config template.
  195 + # Default is 'inc_type_webserver_basic.erb'.
  196 + # :cookbook => The name of the cookbook where the template
  197 + # will be taken from. Default is this cookbook.
  198 + # In combination with the :source attribute above,
  199 + # any custom template in a wrapper cookbook can be
  200 + # used. A template file 'inc_type_webserver_basic.erb'
  201 + # exists as an example.
  202 + # :custom_params => A hash that will be passed into the template
  203 + # (along with the optional attributes mentioned
  204 + # above) as the variable called cparams.
  205 + # Default: {}
191 206 #
192 207 #:types => []
193 208 #}
... ...
... ... @@ -4,7 +4,7 @@ maintainer_email 'sysadmin@chromedia.com'
4 4 license 'Apache License'
5 5 description 'Simplifies setup of Nginx+PHP-FPM in Chromedia.'
6 6 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
7   -version '0.4.1'
  7 +version '0.4.2'
8 8
9 9 {
10 10 'openssl' => '4.4.0',
... ...
... ... @@ -179,25 +179,27 @@ node[cb]['nginx']['sites'].each do |site|
179 179 :log_static => stype_logstatic
180 180 }
181 181
182   - site_upstreams.push( {
183   - :name => stype_ups,
184   - :servers => stype[:upstream_servers] || []
185   - } )
  182 + if stype[:upstream_servers] && stype[:upstream_servers].length > 0
  183 + site_upstreams.push( {
  184 + :name => stype_ups,
  185 + :servers => stype[:upstream_servers] || []
  186 + } )
  187 + end
186 188
187 189 case stype[:type]
188 190 # BASIC PHP SITE
189   - when 'basic'
  191 + when 'basic', 'basic_php'
190 192 vars[:index] = site_index
191 193 vars[:fastcgi_intercept_errors] =
192 194 stype.has_key?(:fastcgi_intercept_errors) ?
193 195 stype[:fastcgi_intercept_errors] : false
194 196
195   - template "#{inc_dir}/inc_type_basic_#{site_sname}" do
  197 + template "#{inc_dir}/type_basic_php_#{site_sname}" do
196 198 source 'inc_type_basic.erb'
197 199 mode 0644
198 200 variables vars
199 201 end
200   - site_includes.push("#{inc_dir}/inc_type_basic_#{site_sname}")
  202 + site_includes.push("#{inc_dir}/type_basic_php_#{site_sname}")
201 203
202 204 # STANDARD WORDPRESS SITE
203 205 when 'wordpress'
... ... @@ -214,9 +216,9 @@ node[cb]['nginx']['sites'].each do |site|
214 216 end
215 217 site_includes.push("#{inc_dir}/inc_type_wordpress_#{site_sname}")
216 218
217   - # REVERSE PROXY WEBSERVER
218   - when 'webserver'
219   - template "#{inc_dir}/inc_type_webserver_#{site_sname}" do
  219 + # REVERSE PROXY WEBSERVER WITH WEBSOCKET
  220 + when 'webserver', 'webserver_ws'
  221 + template "#{inc_dir}/inc_type_webserver_ws_#{site_sname}" do
220 222 source 'inc_type_webserver.erb'
221 223 mode 0644
222 224 variables vars
... ... @@ -225,7 +227,19 @@ node[cb]['nginx']['sites'].each do |site|
225 227 " default upgrade;\n"\
226 228 " '' close;\n"\
227 229 "}")
228   - site_includes.push("#{inc_dir}/inc_type_webserver_#{site_sname}")
  230 + site_includes.push("#{inc_dir}/inc_type_webserver_ws_#{site_sname}")
  231 +
  232 + # GENERIC REVERSE PROXY WEBSERVER
  233 + when 'webserver_basic'
  234 + vars[:cparams] = stype[:custom_params] || {}
  235 +
  236 + template "#{inc_dir}/inc_type_webserver_basic_#{site_sname}" do
  237 + source stype[:source] || 'inc_type_webserver_basic.erb'
  238 + cookbook stype[:cookbook] || cookbook_name
  239 + mode 0644
  240 + variables vars
  241 + end
  242 + site_includes.push("#{inc_dir}/inc_type_webserver_basic_#{site_sname}")
229 243
230 244 else
231 245 Chef::Log.error("Unknown site type: #{stype[:type]}")
... ...
... ... @@ -36,6 +36,9 @@ location ~ ^/<%= @subpath %>.+\.php(/|$) {
36 36 include fastcgi_params;
37 37 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
38 38
  39 + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
  40 + fastcgi_param HTTP_PROXY "";
  41 +
39 42 fastcgi_pass <%= @upstream_name %>;
40 43 }
41 44
... ...
... ... @@ -22,8 +22,13 @@ location ~* ^/<%= @subpath %>.+\.(<%= @static_types.join('|') %>)$ {
22 22
23 23 <% end -%>
24 24 location ~ ^/<%= @subpath %> {
  25 + proxy_redirect off;
25 26 proxy_pass http://<%= @upstream_name %>;
26 27 proxy_http_version 1.1;
  28 +
  29 + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
  30 + proxy_set_header Proxy "";
  31 +
27 32 proxy_set_header Upgrade $http_upgrade;
28 33 proxy_set_header Connection $connection_upgrade;
29 34 proxy_set_header X-Real-IP $remote_addr;
... ...
  1 +# Generated by Chef
  2 +<% -%>
  3 +<% # This is an example template. Use this as a guide for your wrapper.-%>
  4 +<% # It expects a :cparams hash with the following keys:-%>
  5 +<% # :proxy_host-%>
  6 +<% # :proxy_port-%>
  7 +
  8 +<% if @static_types -%>
  9 +# Send expires headers and (probably?) turn off 404 error logging.
  10 +location ~* ^/<%= @subpath %>.+\.(<%= @static_types.join('|') %>)$ {
  11 + expires max;
  12 +<% unless @log_static -%>
  13 + log_not_found off;
  14 + access_log off;
  15 +<% end -%>
  16 +}
  17 +
  18 +<% end -%>
  19 +location ~ ^/<%= @subpath %> {
  20 + proxy_redirect off;
  21 + proxy_pass http://<%= @cparams[:proxy_host] %>:<%= @cparams[:proxy_port] %>;
  22 + proxy_set_header Connection "";
  23 +
  24 + proxy_http_version 1.1;
  25 + proxy_pass_request_headers on;
  26 +
  27 + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
  28 + proxy_set_header Proxy "";
  29 +
  30 + proxy_set_header X-Real-IP $remote_addr;
  31 + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  32 + proxy_set_header Host $http_host;
  33 +}
... ...
... ... @@ -46,6 +46,9 @@ location ~ ^/<%= @subpath %>(wp-admin|wp-login\.php) {
46 46 include fastcgi_params;
47 47 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
48 48
  49 + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
  50 + fastcgi_param HTTP_PROXY "";
  51 +
49 52 fastcgi_pass <%= @upstream_name %>;
50 53 }
51 54 }
... ... @@ -65,6 +68,9 @@ location ~ ^/<%= @subpath %>.+\.php(/|$) {
65 68 include fastcgi_params;
66 69 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
67 70
  71 + # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
  72 + fastcgi_param HTTP_PROXY "";
  73 +
68 74 fastcgi_pass <%= @upstream_name %>;
69 75 }
70 76
... ...