Commit 1d737d6374832869c13342080f49c826d68356eb
Committed by
Earth Ugat
1 parent
32e1d36b
Bump to v0.3.5
Showing
5 changed files
with
37 additions
and
19 deletions
| ... | ... | @@ -24,6 +24,12 @@ Ubuntu 14.04 |
| 24 | 24 | <td><tt>''</tt></td> |
| 25 | 25 | </tr> |
| 26 | 26 | <tr> |
| 27 | + <td><tt>['cfe-nginx-php-fpm']['openssl']['dh_modulus']</tt></td> | |
| 28 | + <td>Integer</td> | |
| 29 | + <td>Used if at least one virtual site uses TLS.</td> | |
| 30 | + <td><tt>4096</tt></td> | |
| 31 | + </tr> | |
| 32 | + <tr> | |
| 27 | 33 | <td><tt>['cfe-nginx-php-fpm']['nginx']['sites']</tt></td> |
| 28 | 34 | <td>Array/Hash</td> |
| 29 | 35 | <td>Values that define the virtual servers to be hosted by Nginx.</td> | ... | ... |
| ... | ... | @@ -27,6 +27,8 @@ default['cfe-nginx-php-fpm']['postfix']['email_domain'] = 'example.com' |
| 27 | 27 | # the default one ('www'), which is automatically installed by php-fpm |
| 28 | 28 | default['cfe-nginx-php-fpm']['php-fpm']['delete_pool_www'] = true |
| 29 | 29 | |
| 30 | +default['cfe-nginx-php-fpm']['openssl']['dh_modulus'] = 4096 | |
| 31 | + | |
| 30 | 32 | # Uncomment to set custom locations |
| 31 | 33 | #default['cfe-nginx-php-fpm']['nginx']['inc_dir'] = |
| 32 | 34 | # "#{node['nginx']['dir']}/sites-available/include" |
| ... | ... | @@ -92,7 +94,6 @@ default['cfe-nginx-php-fpm']['nginx']['sites'] = [ |
| 92 | 94 | # |
| 93 | 95 | # :self_signed => false, |
| 94 | 96 | # :cipher_suite => 'medium', # or 'modern' |
| 95 | - # :dh_modulus => 4096, | |
| 96 | 97 | # :hsts_max_age => '15758000', |
| 97 | 98 | # :hsts_subdomains => true |
| 98 | 99 | #}, | ... | ... |
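Review bot: The new `default['cfe-nginx-php-fpm']['openssl']['dh_modulus'] = 4096` line in the first hunk (`@@ -27,6 +27,8 @@`) has no comment, unlike the neighbouring defaults, while the second hunk drops the only mention of `:dh_modulus` from the per-site example without saying where the setting went. A one-line comment above the new default would close that gap: `# Bit length of the DH parameters generated once and shared by every TLS-enabled site (replaces the former per-site :dh_modulus option)`.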
| ... | ... | @@ -4,9 +4,10 @@ maintainer_email 'sysadmin@chromedia.com' |
| 4 | 4 | license 'Apache License' |
| 5 | 5 | description 'Simplifies setup of Nginx+PHP-FPM in Chromedia.' |
| 6 | 6 | long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) |
| 7 | -version '0.3.4' | |
| 7 | +version '0.3.5' | |
| 8 | 8 | |
| 9 | 9 | { |
| 10 | + 'openssl' => '4.4.0', | |
| 10 | 11 | 'php-fpm' => '0.7.5', |
| 11 | 12 | 'mariadb' => '0.3.1', |
| 12 | 13 | 'postfix' => '3.6.2', | ... | ... |
| ... | ... | @@ -18,9 +18,13 @@ |
| 18 | 18 | # limitations under the License. |
| 19 | 19 | # |
| 20 | 20 | |
| 21 | +include_recipe 'openssl::upgrade' | |
| 22 | + | |
| 23 | +cb = 'cfe-nginx-php-fpm' | |
| 24 | + | |
| 21 | 25 | # Create necessary directories |
| 22 | -inc_dir = node['cfe-nginx-php-fpm']['nginx']['inc_dir'] | |
| 23 | -priv_dir = node['cfe-nginx-php-fpm']['nginx']['priv_dir'] | |
| 26 | +inc_dir = node[cb]['nginx']['inc_dir'] | |
| 27 | +priv_dir = node[cb]['nginx']['priv_dir'] | |
| 24 | 28 | |
| 25 | 29 | [ inc_dir, priv_dir ].each do |ndir| |
| 26 | 30 | directory ndir do |
| ... | ... | @@ -29,9 +33,18 @@ priv_dir = node['cfe-nginx-php-fpm']['nginx']['priv_dir'] |
| 29 | 33 | end |
| 30 | 34 | |
| 31 | 35 | # Generate config files for each virtual server. |
| 32 | -catch_all_def_false = node['cfe-nginx-php-fpm']['nginx']['sites'].length > 1 | |
| 36 | +catch_all_def_false = node[cb]['nginx']['sites'].length > 1 | |
| 37 | + | |
| 38 | +# If at least one site is using TLS, configure a high modulus DH param | |
| 39 | +path_dhparam = "#{priv_dir}/dhparam.pem" | |
| 40 | +if node[cb]['nginx']['sites'].any? { |site| site[:ssl] } | |
| 41 | + openssl_dhparam path_dhparam do | |
| 42 | + key_length node[cb]['openssl']['dh_modulus'] | |
| 43 | + generator 2 | |
| 44 | + end | |
| 45 | +end | |
| 33 | 46 | |
| 34 | -node['cfe-nginx-php-fpm']['nginx']['sites'].each do |site| | |
| 47 | +node[cb]['nginx']['sites'].each do |site| | |
| 35 | 48 | |
| 36 | 49 | if site.is_a?(Array) |
| 37 | 50 | site_sname = site[0] |
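Review bot: The `any? { |site| site[:ssl] }` test on new line 40 indexes each raw `sites` element with a Symbol, but the loop directly below (`if site.is_a?(Array)` / `site_sname = site[0]`) shows an element may be an Array, and `Array#[]` with a Symbol raises `TypeError`, so a run with any Array-form site aborts before the DH parameters are generated. Unpack the element the same way the loop does before testing it, e.g. `.any? { |site| (site.is_a?(Array) ? site[1] : site)[:ssl] }` — this assumes the Array form carries its settings hash in `site[1]`; the rest of that branch is outside the hunk, so confirm. Separately, the per-site `site_ssl[:dh_modulus]` override removed in the last hunk (`@@ -105,13 +117,6 @@`) is now ignored without any signal; a `Chef::Log.warn` inside the TLS branch when `site_ssl[:dh_modulus]` is present would tell operators that the global attribute now wins.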
| ... | ... | @@ -41,12 +54,12 @@ node['cfe-nginx-php-fpm']['nginx']['sites'].each do |site| |
| 41 | 54 | end |
| 42 | 55 | |
| 43 | 56 | # Assign default values to attributes |
| 44 | - site_index = site[:index] || nil | |
| 57 | + site_index = site[:index] | |
| 45 | 58 | site_aliases = site[:aliases] || [] |
| 46 | - site_doc_root = site[:doc_root] || nil | |
| 47 | - site_alo = site[:access_log_options] || nil | |
| 48 | - site_ssl = site[:ssl] || nil | |
| 49 | - site_auth = site[:auth] || nil | |
| 59 | + site_doc_root = site[:doc_root] | |
| 60 | + site_alo = site[:access_log_options] | |
| 61 | + site_ssl = site[:ssl] | |
| 62 | + site_auth = site[:auth] | |
| 50 | 63 | site_ins = site[:init_statements] || [] |
| 51 | 64 | site_ss1 = site[:server_statements_1] || [] |
| 52 | 65 | site_ss2 = site[:server_statements_2] || [] |
| ... | ... | @@ -66,7 +79,6 @@ node['cfe-nginx-php-fpm']['nginx']['sites'].each do |site| |
| 66 | 79 | |
| 67 | 80 | path_crt = '' |
| 68 | 81 | path_key = '' |
| 69 | - path_dhparam = '' | |
| 70 | 82 | path_pass = '' |
| 71 | 83 | |
| 72 | 84 | # If TLS/SSL is enabled, configure it: |
| ... | ... | @@ -105,13 +117,6 @@ node['cfe-nginx-php-fpm']['nginx']['sites'].each do |site| |
| 105 | 117 | action :create_if_missing |
| 106 | 118 | end |
| 107 | 119 | end |
| 108 | - | |
| 109 | - # Configure a high modulus DH param | |
| 110 | - path_dhparam = "#{priv_dir}/#{site_sname}.dhparam" | |
| 111 | - dh_modulus = site_ssl[:dh_modulus] || 4096 | |
| 112 | - execute "openssl dhparam -out #{path_dhparam} #{dh_modulus}" do | |
| 113 | - not_if { ::File.exist?(path_dhparam) } | |
| 114 | - end | |
| 115 | 120 | end |
| 116 | 121 | |
| 117 | 122 | # If basic auth is enabled, create htpasswd file | ... | ... |