diff --git a/ChangeLog b/ChangeLog index c569e1a8c..433ce868b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +2011-12-23 Sam Bashton + * manifests/resource/location.pp,manifests/resource/vhost.pp, + templates/vhost/vhost_location_fastcgi.erb: Add support for fastcgi + 2011-06-06 James Fryman * Modulefile, README, files/README.markdown, lib/facter/README.markdown, diff --git a/manifests/config.pp b/manifests/config.pp index 7d0881a1e..cb1d65692 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -14,13 +14,18 @@ # # This class file is not called directly class nginx::config( - $worker_processes = $nginx::params::nx_worker_processes, - $worker_connections = $nginx::params::nx_worker_connections, - $proxy_set_header = $nginx::params::nx_proxy_set_header, - $proxy_http_version = $nginx::params::nx_proxy_http_version, - $confd_purge = $nginx::params::nx_confd_purge, - $server_tokens = $nginx::params::nx_server_tokens, - $types_hash_max_size = $nginx::params::nx_types_hash_max_size, + $worker_processes = $nginx::params::nx_worker_processes, + $worker_connections = $nginx::params::nx_worker_connections, + $confd_purge = $nginx::params::nx_confd_purge, + $server_tokens = $nginx::params::nx_server_tokens, + $proxy_set_header = $nginx::params::nx_proxy_set_header, + $proxy_cache_path = $nginx::params::nx_proxy_cache_path, + $proxy_cache_levels = $nginx::params::nx_proxy_cache_levels, + $proxy_cache_keys_zone = $nginx::params::nx_proxy_cache_keys_zone, + $proxy_cache_max_size = $nginx::params::nx_proxy_cache_max_size, + $proxy_cache_inactive = $nginx::params::nx_proxy_cache_inactive, + $proxy_http_version = $nginx::params::nx_proxy_http_version, + $types_hash_max_size = $nginx::params::nx_types_hash_max_size, $types_hash_bucket_size = $nginx::params::nx_types_hash_bucket_size ) inherits nginx::params { File { @@ -29,7 +34,7 @@ mode => '0644', } - file { "${nginx::params::nx_conf_dir}": + file { $nginx::params::nx_conf_dir: ensure => directory, } 
@@ -55,17 +60,16 @@ } } - - file { "${nginx::config::nx_run_dir}": + file {$nginx::config::nx_run_dir: ensure => directory, } - file { "${nginx::config::nx_client_body_temp_path}": + file {$nginx::config::nx_client_body_temp_path: ensure => directory, owner => $nginx::params::nx_daemon_user, } - file {"${nginx::config::nx_proxy_temp_path}": + file {$nginx::config::nx_proxy_temp_path: ensure => directory, owner => $nginx::params::nx_daemon_user, } diff --git a/manifests/init.pp b/manifests/init.pp index e56b803e1..6ff318862 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -4,8 +4,8 @@ # # Parameters: # -# There are no default parameters for this class. All module parameters are -# managed via the nginx::params class +# There are no default parameters for this class. All module parameters are managed +# via the nginx::params class # # Actions: # 
@@ -29,15 +29,20 @@ # include nginx # } class nginx ( - $worker_processes = $nginx::params::nx_worker_processes, - $worker_connections = $nginx::params::nx_worker_connections, - $proxy_set_header = $nginx::params::nx_proxy_set_header, - $proxy_http_version = $nginx::params::nx_proxy_http_version, - $confd_purge = $nginx::params::nx_confd_purge, - $configtest_enable = $nginx::params::nx_configtest_enable, - $service_restart = $nginx::params::nx_service_restart, - $mail = $nginx::params::nx_mail, - $server_tokens = $nginx::params::nx_server_tokens + $worker_processes = $nginx::params::nx_worker_processes, + $worker_connections = $nginx::params::nx_worker_connections, + $proxy_set_header = $nginx::params::nx_proxy_set_header, + $proxy_http_version = $nginx::params::nx_proxy_http_version, + $confd_purge = $nginx::params::nx_confd_purge, + $proxy_cache_path = $nginx::params::nx_proxy_cache_path, + $proxy_cache_levels = $nginx::params::nx_proxy_cache_levels, + $proxy_cache_keys_zone = $nginx::params::nx_proxy_cache_keys_zone, + $proxy_cache_max_size = $nginx::params::nx_proxy_cache_max_size, + $proxy_cache_inactive = $nginx::params::nx_proxy_cache_inactive, + $configtest_enable = $nginx::params::nx_configtest_enable, + $service_restart = $nginx::params::nx_service_restrart, + $mail = $nginx::params::nx_mail, + $server_tokens = $nginx::params::nx_server_tokens ) inherits nginx::params { include stdlib 
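Review bot: The new default for `$service_restart` reads `$nginx::params::nx_service_restrart`, a misspelling of the `nx_service_restart` name used by the removed line. The parameter will most likely resolve to undef unless a caller sets it explicitly. The line should stay `$service_restart = $nginx::params::nx_service_restart,`. `nginx::params` is only partly visible in this commit, so confirm the spelling against the full file.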
@@ -47,14 +52,18 @@ } class { 'nginx::config': - worker_processes => $worker_processes, - worker_connections => $worker_connections, - proxy_set_header => $proxy_set_header, - proxy_http_version => $proxy_http_version, - confd_purge => $confd_purge, - server_tokens => $server_tokens, - require => Class['nginx::package'], - notify => Class['nginx::service'], + worker_processes => $worker_processes, + worker_connections => $worker_connections, + proxy_set_header => $proxy_set_header, + proxy_http_version => $proxy_http_version, + proxy_cache_path => $proxy_cache_path, + proxy_cache_levels => $proxy_cache_levels, + proxy_cache_keys_zone => $proxy_cache_keys_zone, + proxy_cache_max_size => $proxy_cache_max_size, + proxy_cache_inactive => $proxy_cache_inactive, + confd_purge => $confd_purge, + require => Class['nginx::package'], + notify => Class['nginx::service'], } class { 'nginx::service': diff --git a/manifests/params.pp b/manifests/params.pp index 54a5e5e86..0bd33c795 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
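Review bot: The rewritten `class { 'nginx::config': ... }` declaration no longer passes `server_tokens => $server_tokens`, although `class nginx` still accepts the parameter and `nginx::config` still declares it. A node that sets `server_tokens => off` to hide the nginx version would silently fall back to the `nx_server_tokens` default, which this commit leaves at `on`. Re-add `server_tokens => $server_tokens,` next to `confd_purge`.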
@@ -14,24 +14,25 @@ # # This class file is not called directly class nginx::params { - $nx_temp_dir = '/tmp' - $nx_run_dir = '/var/nginx' + $nx_temp_dir = '/tmp' + $nx_run_dir = '/var/nginx' - $nx_conf_dir = '/etc/nginx' - $nx_confd_purge = false - $nx_worker_processes = 1 - $nx_worker_connections = 1024 - $nx_types_hash_max_size = 1024 - $nx_types_hash_bucket_size = 512 - $nx_multi_accept = off + $nx_conf_dir = '/etc/nginx' + $nx_confd_purge = false + $nx_worker_processes = 1 + $nx_worker_connections = 1024 + $nx_types_hash_max_size = 1024 + $nx_types_hash_bucket_size = 512 + $nx_multi_accept = off $nx_events_use = false # One of [kqueue|rtsig|epoll|/dev/poll|select|poll|eventport] or false to use OS default - $nx_sendfile = on - $nx_keepalive_timeout = 65 - $nx_tcp_nodelay = on - $nx_gzip = on - $nx_server_tokens = on - $nx_spdy = off - $nx_ssl_stapling = off + $nx_sendfile = on + $nx_keepalive_timeout = 65 + $nx_tcp_nodelay = on + $nx_gzip = on + $nx_server_tokens = on + $nx_spdy = off + $nx_ssl_stapling = off + $nx_proxy_redirect = off $nx_proxy_set_header = [ @@ -39,6 +40,11 @@ 'X-Real-IP $remote_addr', 'X-Forwarded-For $proxy_add_x_forwarded_for', ] + $nx_proxy_cache_path = false + $nx_proxy_cache_levels = 1 + $nx_proxy_cache_keys_zone = 'd2:100m' + $nx_proxy_cache_max_size = '500m' + $nx_proxy_cache_inactive = '20m' $nx_client_body_temp_path = "${nx_run_dir}/client_body_temp" $nx_client_body_buffer_size = '128k' diff --git a/manifests/resource/location.pp b/manifests/resource/location.pp index 4453ea0d9..55ca8f9aa 100644 --- a/manifests/resource/location.pp +++ b/manifests/resource/location.pp 
@@ -11,6 +11,9 @@ # [*proxy*] - Proxy server(s) for a location to connect to. Accepts a single value, can be used in conjunction # with nginx::resource::upstream # [*proxy_read_timeout*] - Override the default the proxy read timeout value of 90 seconds +# [*fastcgi*] - location of fastcgi (host:port) +# [*fastcgi_params*] - optional alternative fastcgi_params file to use +# [*fastcgi_script*] - optional SCRIPT_FILE parameter # [*ssl*] - Indicates whether to setup SSL bindings for this location. # [*ssl_only*] - Required if the SSL and normal vHost have the same port. # [*location_alias*] - Path to be used as basis for serving requests for this location @@ -19,6 +22,14 @@ # [*location_cfg_append*] - It expects a hash with custom directives to put after everything else inside location # [*try_files*] - An array of file locations to try # [*option*] - Reserved for future use +# [*proxy_cache*] - This directive sets name of zone for caching. +# The same zone can be used in multiple places. +# [*proxy_cache_valid*] - This directive sets the time for caching +# different replies. +# [*auth_basic*] - This directive includes testing name and password +# with HTTP Basic Authentication. +# [*auth_basic_user_file*] - This directive sets the htpasswd filename for +# the authentication realm. # # Actions: # @@ -58,6 +69,9 @@ 'index.php'], $proxy = undef, $proxy_read_timeout = $nginx::params::nx_proxy_read_timeout, + $fastcgi = undef, + $fastcgi_params = '/etc/nginx/fastcgi_params', + $fastcgi_script = undef, $ssl = false, $ssl_only = false, $location_alias = undef, @@ -65,7 +79,11 @@ $stub_status = undef, $location_cfg_prepend = undef, $location_cfg_append = undef, - $try_files = undef + $try_files = undef, + $proxy_cache = false, + $proxy_cache_valid = false, + $auth_basic = undef, + $auth_basic_user_file = undef ) { File { owner => 'root', 
@@ -80,43 +98,53 @@ default => file, } - # Use proxy template if $proxy is defined, otherwise use directory template. + # Use proxy or fastcgi template if $proxy is defined, otherwise use directory template. if ($proxy != undef) { $content_real = template('nginx/vhost/vhost_location_proxy.erb') } elsif ($location_alias != undef) { $content_real = template('nginx/vhost/vhost_location_alias.erb') } elsif ($stub_status != undef) { $content_real = template('nginx/vhost/vhost_location_stub_status.erb') + } elsif ($fastcgi != undef) { + $content_real = template('nginx/vhost/vhost_location_fastcgi.erb') } else { $content_real = template('nginx/vhost/vhost_location_directory.erb') } - # # Check for various error condtiions + ## Check for various error conditions if ($vhost == undef) { fail('Cannot create a location reference without attaching to a virtual host') } - - if (($www_root == undef) and ($proxy == undef) and ($location_alias == undef) and ($stub_status == undef)) { - fail('Cannot create a location reference without a www_root, proxy, location_alias or stub_status defined') + if (($www_root == undef) and ($proxy == undef) and ($location_alias == undef) and ($stub_status == undef) and ($fastcgi == undef)) { + fail('Cannot create a location reference without a www_root, proxy, location_alias, fastcgi or stub_status defined') } if (($www_root != undef) and ($proxy != undef)) { fail('Cannot define both directory and proxy in a virtual host') } - # # Create stubs for vHost File Fragment Pattern - if (!$ssl_only) { - file { "${nginx::config::nx_temp_dir}/nginx.d/${vhost}-500-${name}": + ## Create stubs for vHost File Fragment Pattern + if ($ssl_only != 'true') { + file {"${nginx::config::nx_temp_dir}/nginx.d/${vhost}-500-${name}": ensure => $ensure_real, content => $content_real, } } - # # Only create SSL Specific locations if $ssl is true. 
- if ($ssl) { - file { "${nginx::config::nx_temp_dir}/nginx.d/${vhost}-800-${name}-ssl": + ## Only create SSL Specific locations if $ssl is true. + if ($ssl == 'true') { + file {"${nginx::config::nx_temp_dir}/nginx.d/${vhost}-800-${name}-ssl": ensure => $ensure_real, content => $content_real, } } + + if ($auth_basic_user_file != undef) { + #Generate htpasswd with provided file-locations + file { "${nginx::params::nx_conf_dir}/${name}_htpasswd": + ensure => $ensure, + mode => '0644', + source => $auth_basic_user_file, + } + } } diff --git a/manifests/resource/vhost.pp b/manifests/resource/vhost.pp index 1eade8ce7..cb0435e8b 100644 --- a/manifests/resource/vhost.pp +++ b/manifests/resource/vhost.pp 
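Review bot: The guards `if ($ssl_only != 'true')` and `if ($ssl == 'true')` compare against the string 'true', while both parameters default to the boolean `false` in this define's signature. A caller passing boolean `true` would likely get no `-800-…-ssl` fragment and would still get the plain `-500-` fragment with `ssl_only` set, so a location meant to be TLS-only could be served over plain HTTP. Keep the truthiness tests (`if (!$ssl_only)`, `if ($ssl)`) or normalise the inputs first, and do the same for the matching `$ssl == 'true'` tests in the vhost.pp hunks at -96,25 and -134,9. Separately, the new `${name}_htpasswd` file gets `mode => '0644'`, which leaves the password hashes world-readable; `mode => '0640'` with `group` set to the group the nginx workers run as would be tighter. It also uses `ensure => $ensure` where the neighbouring fragments use `$ensure_real`.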
@@ -17,17 +17,32 @@ # [*proxy*] - Proxy server(s) for the root location to connect to. Accepts a single value, can be used in # conjunction with nginx::resource::upstream # [*proxy_read_timeout*] - Override the default the proxy read timeout value of 90 seconds +# [*fastcgi*] - location of fastcgi (host:port) +# [*fastcgi_params*] - optional alternative fastcgi_params file to use +# [*fastcgi_script*] - optional SCRIPT_FILE parameter # [*ssl*] - Indicates whether to setup SSL bindings for this vhost. # [*ssl_cert*] - Pre-generated SSL Certificate file to reference for SSL Support. This is not generated by this module. # [*ssl_key*] - Pre-generated SSL Key file to reference for SSL Support. This is not generated by this module. # [*ssl_port*] - Default IP Port for NGINX to listen with this SSL vHost on. Defaults to TCP 443 # [*server_name*] - List of vhostnames for which this vhost will respond. Default [$name]. # [*www_root*] - Specifies the location on disk for files to be read from. Cannot be set in conjunction with $proxy -# [*rewrite_www_to_non_www*] - Adds a server directive and rewrite rule to rewrite www.domain.com to domain.com in order to avoid -# duplicate content (SEO); -# [*try_files*] - Specifies the locations for files to be checked as an array. Cannot be used in conjuction with $proxy. -# [*rewrite_to_https*] - Adds a server directive and rewrite rule to rewrite to ssl -# [*include_files*] - Adds include files to vhost +# [*rewrite_www_to_non_www*] - Adds a server directive and rewrite rule to +# rewrite www.domain.com to domain.com in order to avoid duplicate content (SEO); +# [*try_files*] - Specifies the locations for files to be +# checked as an array. Cannot be used in conjuction with $proxy. +# [*proxy_cache*] - This directive sets name of zone for caching. +# The same zone can be used in multiple places. +# [*proxy_cache_valid*] - This directive sets the time for caching +# different replies. 
+# [*auth_basic*] - This directive includes testing name and +# password with HTTP Basic Authentication. +# [*auth_basic_user_file*] - This directive sets the htpasswd filename for +# the authentication realm. +# [*vhost_cfg_append*] - It expects a hash with custom directives to +# put after everything else inside vhost +# [*rewrite_to_https*] - Adds a server directive and rewrite rule to +# rewrite to ssl +# [*include_files*] - Adds include files to vhost # # Actions: # @@ -57,6 +72,11 @@ $proxy = undef, $proxy_read_timeout = $nginx::params::nx_proxy_read_timeout, $proxy_set_header = [], + $proxy_cache = false, + $proxy_cache_valid = false, + $fastcgi = undef, + $fastcgi_params = '/etc/nginx/fastcgi_params', + $fastcgi_script = undef, $index_files = [ 'index.html', 'index.htm', @@ -67,8 +87,13 @@ $rewrite_to_https = undef, $location_cfg_prepend = undef, $location_cfg_append = undef, - $include_files = undef, - $try_files = undef) { + $try_files = undef, + $auth_basic = undef, + $auth_basic_user_file = undef, + $vhost_cfg_append = undef, + $include_files = undef +) { + File { ensure => $ensure ? { 'absent' => absent, 
@@ -96,25 +121,37 @@ # Use the File Fragment Pattern to construct the configuration files. # Create the base configuration file reference. if ($listen_port != $ssl_port) { - file { "${nginx::config::nx_temp_dir}/nginx.d/${name}-001": content => template('nginx/vhost/vhost_header.erb'), } + file { "${nginx::config::nx_temp_dir}/nginx.d/${name}-001": + ensure => $ensure ? { + 'absent' => absent, + default => 'file', + }, + content => template('nginx/vhost/vhost_header.erb'), + notify => Class['nginx::service'], + } } - if ($ssl == true) and ($ssl_port == $listen_port) { - $ssl_only = true + if ($ssl == 'true') and ($ssl_port == $listen_port) { + $ssl_only = 'true' } # Create the default location reference for the vHost - nginx::resource::location { "${name}-default": - ensure => $ensure, - vhost => $name, - ssl => $ssl, - ssl_only => $ssl_only, - location => '/', - proxy => $proxy, - proxy_read_timeout => $proxy_read_timeout, - try_files => $try_files, - www_root => $www_root, - notify => Class['nginx::service'], + nginx::resource::location {"${name}-default": + ensure => $ensure, + vhost => $name, + ssl => $ssl, + ssl_only => $ssl_only, + location => '/', + proxy => $proxy, + proxy_read_timeout => $proxy_read_timeout, + proxy_cache => $proxy_cache, + proxy_cache_valid => $proxy_cache_valid, + fastcgi => $fastcgi, + fastcgi_params => $fastcgi_params, + fastcgi_script => $fastcgi_script, + try_files => $try_files, + www_root => $www_root, + notify => Class['nginx::service'], } # Support location_cfg_prepend and location_cfg_append on default location created by vhost 
@@ -134,9 +171,37 @@ } # Create SSL File Stubs if SSL is enabled - if ($ssl) { - file { "${nginx::config::nx_temp_dir}/nginx.d/${name}-700-ssl": content => template('nginx/vhost/vhost_ssl_header.erb'), } + if ($ssl == 'true') { + file { "${nginx::config::nx_temp_dir}/nginx.d/${name}-700-ssl": + ensure => $ensure ? { + 'absent' => absent, + default => 'file', + }, + content => template('nginx/vhost/vhost_ssl_header.erb'), + notify => Class['nginx::service'], + } + file { "${nginx::config::nx_temp_dir}/nginx.d/${name}-999-ssl": + ensure => $ensure ? { + 'absent' => absent, + default => 'file', + }, + content => template('nginx/vhost/vhost_footer.erb'), + notify => Class['nginx::service'], + } - file { "${nginx::config::nx_temp_dir}/nginx.d/${name}-999-ssl": content => template('nginx/vhost/vhost_footer.erb'), } + #Generate ssl key/cert with provided file-locations + + $cert = regsubst($name,' ','_') + + file { "${nginx::params::nx_conf_dir}/${cert}.crt": + ensure => $ensure, + mode => '0644', + source => $ssl_cert, + } + file { "${nginx::params::nx_conf_dir}/${cert}.key": + ensure => $ensure, + mode => '0644', + source => $ssl_key, + } } } diff --git a/templates/conf.d/nginx.conf.erb b/templates/conf.d/nginx.conf.erb index 99479cc22..98b3a8b26 100644 --- a/templates/conf.d/nginx.conf.erb +++ b/templates/conf.d/nginx.conf.erb 
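Review bot: The private key copied to `${nginx::params::nx_conf_dir}/${cert}.key` is created with `mode => '0644'`, so every local account on the host can read the TLS private key. If nginx is started as root, as is usual (confirm for this module's service setup), the master process reads the key before workers drop privileges, so `mode => '0600'` should be enough. `$ssl_cert` and `$ssl_key` are also used as `source` with no check that they are set when `$ssl` is enabled; a `fail()` for that case, like the checks in location.pp, would give a clearer error. The enclosing define starts outside this hunk.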
@@ -5,9 +5,9 @@ error_log <%= scope.lookupvar('nginx::params::nx_logdir')%>/error.log; pid <%= scope.lookupvar('nginx::params::nx_pid')%>; events { - worker_connections <%= worker_connections %>; - <% if scope.lookupvar('nginx::params::nx_multi_accept') == 'on' %>multi_accept on;<% end %> - <% if scope.lookupvar('nginx::params::nx_events_use') %>use <%= scope.lookupvar('nginx::params::nx_events_use')%>;<% end %> + worker_connections <%= worker_connections -%>; +<% if scope.lookupvar('nginx::params::nx_multi_accept') == 'on' %>multi_accept on;<% end -%> +<% if scope.lookupvar('nginx::params::nx_events_use') %>use <%= scope.lookupvar('nginx::params::nx_events_use')%>;<% end -%> } http { @@ -30,7 +30,11 @@ http { <% if scope.lookupvar('nginx::params::nx_gzip') == 'on' %> gzip on; gzip_disable "MSIE [1-6]\.(?!.*SV1)"; - <% end %> + <% end -%> + +<% if proxy_cache_path -%> + proxy_cache_path <%= proxy_cache_path %> levels=<%= proxy_cache_levels %> keys_zone=<%= proxy_cache_keys_zone %> max_size=<%= proxy_cache_max_size %> inactive=<%= proxy_cache_inactive %>; +<% end -%> include /etc/nginx/conf.d/*.conf; } diff --git a/templates/vhost/vhost_footer.erb b/templates/vhost/vhost_footer.erb index 479646121..5286a9c4f 100644 --- a/templates/vhost/vhost_footer.erb +++ b/templates/vhost/vhost_footer.erb @@ -1,6 +1,11 @@ <% if @include_files %><% @include_files.each do |file| -%> include <%= file %>; <% end -%><% end -%> + +<% if @vhost_cfg_append -%><% vhost_cfg_append.each do |key,value| -%> + <%= key %> <%= value %>; +<% end -%><% end -%> + } <% if rewrite_www_to_non_www %> diff --git a/templates/vhost/vhost_header.erb b/templates/vhost/vhost_header.erb index 0803218fa..242cbb3cf 100644 --- a/templates/vhost/vhost_header.erb +++ b/templates/vhost/vhost_header.erb 
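Review bot: In the vhost_footer.erb hunk, `vhost_cfg_append.each do |key,value|` iterates the hash unsorted, whereas the location templates in this commit use `sort_by {|k,v| k}` for `location_cfg_prepend` and `location_cfg_append`. On a Ruby with unordered hashes the rendered directive order can change between runs, which would rewrite the fragment and trigger the `notify => Class['nginx::service']` restart for no real change. Use `vhost_cfg_append.sort_by {|k,v| k}.each do |key,value|` for consistency. The guard tests `@vhost_cfg_append` but the loop reads `vhost_cfg_append`; using one form for both would be clearer.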
@@ -6,6 +6,12 @@ server { <% end %> server_name <%= rewrite_www_to_non_www ? name.gsub(/^www\./, '') : server_name.join(" ") %>; access_log <%= scope.lookupvar('nginx::params::nx_logdir')%>/<%= name %>.access.log; + <% if defined? auth_basic -%> +auth_basic "<%= auth_basic %>"; + <% end -%> + <% if defined? auth_basic_user_file -%> +auth_basic_user_file <%= auth_basic_user_file %>; + <% end -%> <% proxy_set_header.each do |header| %> proxy_set_header <%= header %>;<% end %> diff --git a/templates/vhost/vhost_location_directory.erb b/templates/vhost/vhost_location_directory.erb index 376cab4ca..2a7e76dd2 100644 --- a/templates/vhost/vhost_location_directory.erb +++ b/templates/vhost/vhost_location_directory.erb @@ -3,10 +3,18 @@ <%= key %> <%= value %>; <% end -%><% end -%> root <%= www_root %>; - <% if @try_files -%> +<% if @try_files -%> try_files <% try_files.each do |try| -%> <%= try %> <% end -%>; - <% end -%> - index <% index_files.each do |i| %> <%= i %> <% end %>; +<% end -%> +<% if index_files -%> + index <% index_files.each do |i| %> <%= i %><% end %>; +<% end -%> +<% if defined? auth_basic -%> + auth_basic "<%= auth_basic %>"; +<% end -%> +<% if defined? auth_basic_user_file -%> + auth_basic_user_file <%= auth_basic_user_file %>; +<% end -%> <% if @location_cfg_append -%><% location_cfg_append.sort_by {|k,v| k}.each do |key,value| -%> <%= key %> <%= value %>; <% end -%><% end -%> diff --git a/templates/vhost/vhost_location_fastcgi.erb b/templates/vhost/vhost_location_fastcgi.erb new file mode 100644 index 000000000..2fa28181b --- /dev/null +++ b/templates/vhost/vhost_location_fastcgi.erb @@ -0,0 +1,9 @@ + location <%= location %> { + root <%= www_root %>; + include <%= fastcgi_params %>; + fastcgi_pass <%= fastcgi %>; +<% unless fastcgi_script == :undef %> + fastcgi_param SCRIPT_FILENAME <%= fastcgi_script %>; +<% end -%> + } + 
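Review bot: `auth_basic_user_file <%= auth_basic_user_file %>;` writes the raw parameter value into the nginx config, but location.pp in this commit treats that same value as a Puppet `source` and deploys the file to `${nginx::params::nx_conf_dir}/${name}_htpasswd`. If the value is a `puppet:///` URL, nginx is handed a path it cannot open; otherwise the deployed copy is never referenced. The directive should point at the deployed path. The guard `<% if defined? auth_basic -%>` also differs from the `auth_basic != :undef` test used in vhost_ssl_header.erb in this commit, and as far as I can tell `defined?` checks whether the name resolves rather than whether a value was supplied. Pick one guard and use it in all three templates; the vhost_location_directory.erb hunk has the same two guards.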
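Review bot: The new vhost_location_fastcgi.erb emits no `auth_basic` or `auth_basic_user_file` directives, although location.pp accepts both parameters for every location type and the directory template renders them. A fastcgi location declared with `auth_basic` would therefore be generated without authentication and with no error. The template also writes `root <%= www_root %>;` unconditionally, while the updated check in location.pp accepts a location that sets only `fastcgi`, so that line should be guarded the way `fastcgi_script` is. Unlike the proxy and directory templates, it also ignores `location_cfg_prepend` and `location_cfg_append`. The fence below sketches the auth lines, using the guard form from vhost_ssl_header.erb and the deployed htpasswd path from location.pp.

```erb
  location <%= location %> {
<%# … unchanged: root, include, fastcgi_pass, SCRIPT_FILENAME … -%>
<% if auth_basic != :undef -%>
    auth_basic "<%= auth_basic %>";
<% end -%>
<% if auth_basic_user_file != :undef -%>
    auth_basic_user_file <%= scope.lookupvar('nginx::params::nx_conf_dir') %>/<%= name %>_htpasswd;
<% end -%>
```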
diff --git a/templates/vhost/vhost_location_proxy.erb b/templates/vhost/vhost_location_proxy.erb index a9770eefa..c0bfac869 100644 --- a/templates/vhost/vhost_location_proxy.erb +++ b/templates/vhost/vhost_location_proxy.erb @@ -2,9 +2,13 @@ <% if @location_cfg_prepend -%><% location_cfg_prepend.sort_by {|k,v| k}.each do |key,value| -%> <%= key %> <%= value %>; <% end -%><% end -%> - proxy_pass <%= proxy %>; - proxy_read_timeout <%= proxy_read_timeout %>; +<% if proxy_cache -%> + proxy_cache <%= proxy_cache %>; + proxy_cache_valid <%= proxy_cache_valid %>; +<% end -%> + proxy_pass <%= proxy %>; + proxy_read_timeout <%= proxy_read_timeout %>; <% if @location_cfg_append -%><% location_cfg_append.sort_by {|k,v| k}.each do |key,value| -%> - <%= key %> <%= value %>; + <%= key %> <%= value %>; <% end -%><% end -%> } diff --git a/templates/vhost/vhost_ssl_header.erb b/templates/vhost/vhost_ssl_header.erb index e651ba9c4..63237a933 100644 --- a/templates/vhost/vhost_ssl_header.erb +++ b/templates/vhost/vhost_ssl_header.erb 
@@ -1,19 +1,23 @@ server { - listen <%= ssl_port %><% if scope.lookupvar('nginx::params::nx_spdy') == 'on' %> ssl spdy<% end %>; + listen <%= listen_ip %>:<%= ssl_port %><% if scope.lookupvar('nginx::params::nx_spdy') == 'on' %> ssl spdy<% end %><% if @listen_options %><%= listen_options %><% end %>; <% if ipv6_enable == 'true' && (defined? ipaddress6) %> listen [<%= ipv6_listen_ip %>]:<%= ipv6_listen_port %> <% if @ipv6_listen_options %><%= ipv6_listen_options %><% end %> ipv6only=on; <% end %> server_name <%= rewrite_www_to_non_www ? name.gsub(/^www\./, '') : server_name.join(" ") %>; - ssl on; - ssl_certificate <%= ssl_cert %>; - ssl_certificate_key <%= ssl_key %>; + ssl on; + + ssl_certificate <%= scope.lookupvar('nginx::params::nx_conf_dir') %>/<%= name.gsub(' ', '_') %>.crt; + ssl_certificate_key <%= scope.lookupvar('nginx::params::nx_conf_dir') %>/<%= name.gsub(' ', '_') %>.key; ssl_session_cache shared:SSL:10m; - ssl_session_timeout 10m; - ssl_ciphers RC4:HIGH:!aNULL:!MD5; + ssl_session_timeout 5m; + ssl_ciphers RC4:HIGH:!aNULL:!MD5; + ssl_protocols SSLv3 TLSv1; ssl_prefer_server_ciphers on; - <% if scope.lookupvar('nginx::params::nx_ssl_stapling') == 'on' %>ssl_stapling on;<% end %> - <% if scope.lookupvar('nginx::params::nx_spdy') == 'on' %>spdy_headers_comp 1;<% end %> - <% proxy_set_header.each do |header| %> - proxy_set_header <%= header %>;<% end %> +<% if auth_basic != :undef -%> + auth_basic "<%= auth_basic %>"; +<% end -%> +<% if auth_basic_user_file != :undef -%> + auth_basic_user_file <%= auth_basic_user_file %>; +<% end -%>
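Review bot: The added `ssl_protocols SSLv3 TLSv1;` enables SSLv3 and leaves out TLS 1.1 and 1.2, and the `ssl_ciphers` line still leads with RC4; both are regarded as broken, so clients negotiating either get weak transport protection. Prefer `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` (as far as the deployed nginx/OpenSSL supports them) and `ssl_ciphers HIGH:!aNULL:!MD5;`, ideally driven from `nginx::params` so sites can tighten them. The hunk also removes the `ssl_stapling`, `spdy_headers_comp` and `proxy_set_header` lines. That appears to leave `nx_ssl_stapling` without effect here, and proxied HTTPS requests would lose the `X-Real-IP` and `X-Forwarded-For` headers that vhost_header.erb still sets for plain HTTP; restore those lines unless the removal is deliberate.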