configure unix socket on ssl vhost
ymartin-ovh committed Aug 13, 2024
1 parent 12d6b62 commit 55270b1
Showing 2 changed files with 126 additions and 0 deletions.
108 changes: 108 additions & 0 deletions spec/acceptance/nginx_server_spec.rb
Expand Up @@ -264,4 +264,112 @@ class { 'nginx': }
end
end
end

context 'should run with unix socket' do
it 'configures a nginx server' do
pp = "
class { 'nginx': }
nginx::resource::server { 'www.puppetlabs.com':
ensure => present,
www_root => '/var/www/www.puppetlabs.com',
listen_unix_socket_enable => true,
listen_unix_socket => '/var/run/nginx.sock'
}
host { 'www.puppetlabs.com': ip => '127.0.0.1', }
file { ['/var/www','/var/www/www.puppetlabs.com']: ensure => directory }
file { '/var/www/www.puppetlabs.com/index.html': ensure => file, content => 'Hello from www\n', }
"

apply_manifest(pp, catch_failures: true)
apply_manifest(pp, catch_changes: true)
end

describe file('/etc/nginx/sites-available/www.puppetlabs.com.conf') do
it { is_expected.to be_file }
it { is_expected.to contain 'www.puppetlabs.com' }
end

describe file('/etc/nginx/sites-enabled/www.puppetlabs.com.conf') do
it { is_expected.to be_linked_to '/etc/nginx/sites-available/www.puppetlabs.com.conf' }
end

describe service('nginx') do
it { is_expected.to be_running }
end

describe port(80) do
it { is_expected.to be_listening }
end

describe file('/var/run/nginx.sock') do
it { is_expected.to be_socket }
end

it 'answers to www.puppetlabs.com and responds with "Hello from www"' do
shell('/usr/bin/curl --unix-socket /var/run/nginx.sock http://www.puppetlabs.com') do |r|
expect(r.stdout).to eq("Hello from www\n")
end
end

it 'answers to www.puppetlabs.com without error' do
shell('/usr/bin/curl --unix-socket /var/run/nginx.sock --fail http://www.puppetlabs.com') do |r|
expect(r.exit_code).to be_zero
end
end
end

context 'should run with unix socket with SSL' do
it 'configures a nginx SSL server' do
pp = "
class { 'nginx': }
nginx::resource::server { 'www.puppetlabs.com':
ensure => present,
ssl => true,
ssl_cert => '/etc/pki/tls/certs/blah.cert',
ssl_key => '/etc/pki/tls/private/blah.key',
www_root => '/var/www/www.puppetlabs.com',
listen_port => 443,
ssl_port => 443,
listen_unix_socket_enable => true,
listen_unix_socket => '/var/run/nginx.sock'
}
host { 'www.puppetlabs.com': ip => '127.0.0.1', }
file { ['/var/www','/var/www/www.puppetlabs.com']: ensure => directory }
file { '/var/www/www.puppetlabs.com/index.html': ensure => file, content => 'Hello from www\n', }
"

apply_manifest(pp, catch_failures: true)
end

describe service('nginx') do
it { is_expected.to be_running }
end

describe port(443) do
it { is_expected.to be_listening }
end

describe file('/var/run/nginx.sock') do
it { is_expected.to be_socket }
end

# curl on centos7 does not support curl --unix-socket with https:// addresses :(
describe file('/var/run/nginx.sock') do
it { is_expected.to be_socket }
end

it 'answers to https://www.puppetlabs.com with "Hello from www"' do
# use --insecure because it's a self-signed cert
shell('/usr/bin/curl --insecure https://www.puppetlabs.com:443') do |r|
expect(r.stdout).to eq("Hello from www\n")
end
end

it 'answers to https://www.puppetlabs.com without error' do
# use --insecure because it's a self-signed cert
shell('/usr/bin/curl --fail --insecure https://www.puppetlabs.com:443') do |r|
expect(r.exit_code).to eq(0)
end
end
end
end
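Review bot: The second `describe file('/var/run/nginx.sock')` block in the SSL context (the one under the centos7 comment) repeats the one directly above it verbatim, so the SSL context checks that the socket exists twice but never sends a request through it, and rubocop-rspec's RepeatedExampleGroupDescription check fails on both. Either drop the duplicate or replace it with an example that actually speaks TLS over the socket where curl cannot, for instance a `shell` example using `openssl s_client -unix /var/run/nginx.sock` (OpenSSL 1.1+), so that a regression to a plaintext listener on the socket is caught. The SSL context also applies the manifest only once, whereas the non-SSL context above follows up with `apply_manifest(pp, catch_changes: true)` to prove idempotency; the SSL context should do the same. The `/etc/pki/tls/...` cert and key are presumably provisioned by the existing SSL context earlier in this file, and the enclosing outer `describe` starts before this hunk.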
18 changes: 18 additions & 0 deletions templates/server/server_ssl_header.erb
Expand Up @@ -9,6 +9,15 @@ server {
<%- else -%>
listen <%= @listen_ip %>:<%= @ssl_port %> <% if @ssl_listen_option %>ssl<% end %><% if scope.call_function('versioncmp', [scope['nginx::nginx_version'], '1.25.1']) < 0 && @http2 == 'on' %> http2<% end %><% if @spdy == 'on' %> spdy<% end %><% if @listen_options %> <%= @listen_options %><% end %>;
<%- end -%>
<%- if @listen_unix_socket_enable -%>
<%- if @listen_unix_socket.is_a?(Array) then -%>
<%- @listen_unix_socket.each do |unix_socket| -%>
listen unix:<%= unix_socket %> <% if @ssl_listen_option %>ssl<% end %><% if scope.call_function('versioncmp', [scope['nginx::nginx_version'], '1.25.1']) < 0 && @http2 == 'on' %> http2<% end %><% if @spdy == 'on' %> spdy<% end %><% if @listen_unix_socket_options %> <%= @listen_unix_socket_options %><% end %>;
<%- end -%>
<%- else -%>
listen unix:<%= @listen_unix_socket %> <% if @ssl_listen_option %>ssl<% end %><% if scope.call_function('versioncmp', [scope['nginx::nginx_version'], '1.25.1']) < 0 && @http2 == 'on' %> http2<% end %><% if @spdy == 'on' %> spdy<% end %><% if @listen_unix_socket_options %> <%= @listen_unix_socket_options %><% end %>;
<%- end -%>
<%- end -%>
<%= scope.function_template(["nginx/server/server_ssl_ipv6_listen.erb"]) %>
<%- if @rewrite_www_to_non_www -%>
server_name www.<%= s.gsub(/^www\./, '') %>;
Expand Down Expand Up @@ -53,6 +62,15 @@ server {
<%- else -%>
listen <%= @listen_ip %>:<%= @ssl_port %> <% if @ssl_listen_option %>ssl<% end %><% if scope.call_function('versioncmp', [scope['nginx::nginx_version'], '1.25.1']) < 0 && @http2 == 'on' %> http2<% end %><% if @spdy == 'on' %> spdy<% end %><% if @listen_options %> <%= @listen_options %><% end %>;
<%- end -%>
<%- if @listen_unix_socket_enable -%>
<%- if @listen_unix_socket.is_a?(Array) then -%>
<%- @listen_unix_socket.each do |unix_socket| -%>
listen unix:<%= unix_socket %> <% if @ssl_listen_option %>ssl<% end %><% if @http2 == 'on' %> http2<% end %><% if @spdy == 'on' %> spdy<% end %><% if @listen_unix_socket_options %> <%= @listen_unix_socket_options %><% end %>;
<%- end -%>
<%- else -%>
listen unix:<%= @listen_unix_socket %> <% if @ssl_listen_option %>ssl<% end %><% if @http2 == 'on' %> http2<% end %><% if @spdy == 'on' %> spdy<% end %><% if @listen_unix_socket_options %> <%= @listen_unix_socket_options %><% end %>;
<%- end -%>
<%- end -%>
<%= scope.function_template(["nginx/server/server_ssl_ipv6_listen.erb"]) %>
<%- if @rewrite_www_to_non_www -%>
server_name <%= @server_name.join(" ").gsub(/(^| )(www\.)?(?=[a-z0-9])/, '') %>;
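Review bot: In both new blocks (`@@ -9,6 +9,15 @@` and `@@ -53,6 +62,15 @@`) the Array and scalar branches emit an identical long `listen unix:` directive, and the `then` on a multi-line `if` is non-idiomatic; `<%- Array(@listen_unix_socket).each do |unix_socket| -%>` accepts both a single path and an array and lets the directive appear once per block. The socket path and `@listen_unix_socket_options` are interpolated verbatim into the nginx config, so a value containing `;`, whitespace or a newline would end or extend the directive; if the manifest does not already constrain `listen_unix_socket` to an absolute path (its type is not visible in this commit), that constraint belongs on the parameter rather than in the template. Note also that the second block writes `http2` without the versioncmp guard the first block uses, which matches its surrounding context line but means the two SSL server blocks behave differently on nginx 1.25.1 and later.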
