Configure unix socket on ssl vhost #1463

Draft
wants to merge 1 commit into
base: master
104 changes: 104 additions & 0 deletions spec/acceptance/nginx_server_spec.rb
Expand Up @@ -264,4 +264,108 @@ class { 'nginx': }
end
end
end

context 'should run with unix socket' do
it 'configures a nginx server' do
pp = "
class { 'nginx': }
nginx::resource::server { 'www.puppetlabs.com':
ensure => present,
www_root => '/var/www/www.puppetlabs.com',
listen_unix_socket_enable => true,
listen_unix_socket => '/var/run/nginx.sock'
}
host { 'www.puppetlabs.com': ip => '127.0.0.1', }
file { ['/var/www','/var/www/www.puppetlabs.com']: ensure => directory }
file { '/var/www/www.puppetlabs.com/index.html': ensure => file, content => 'Hello from www\n', }
"

apply_manifest(pp, catch_failures: true)
apply_manifest(pp, catch_changes: true)
end

describe file('/etc/nginx/sites-available/www.puppetlabs.com.conf') do
it { is_expected.to be_file }
it { is_expected.to contain 'www.puppetlabs.com' }
end

describe file('/etc/nginx/sites-enabled/www.puppetlabs.com.conf') do
it { is_expected.to be_linked_to '/etc/nginx/sites-available/www.puppetlabs.com.conf' }
end

describe service('nginx') do
it { is_expected.to be_running }
end

describe port(80) do
it { is_expected.to be_listening }
end

describe file('/var/run/nginx.sock') do
it { is_expected.to be_socket }
end

it 'answers to www.puppetlabs.com and responds with "Hello from www"' do
shell('/usr/bin/curl --unix-socket /var/run/nginx.sock http://www.puppetlabs.com') do |r|
expect(r.stdout).to eq("Hello from www\n")
end
end

it 'answers to www.puppetlabs.com without error' do
shell('/usr/bin/curl --unix-socket /var/run/nginx.sock --fail http://www.puppetlabs.com') do |r|
expect(r.exit_code).to be_zero
end
end
end

context 'should run with unix socket with SSL' do
it 'configures a nginx SSL server' do
pp = "
class { 'nginx': }
nginx::resource::server { 'www.puppetlabs.com':
ensure => present,
ssl => true,
ssl_cert => '/etc/pki/tls/certs/blah.cert',
ssl_key => '/etc/pki/tls/private/blah.key',
www_root => '/var/www/www.puppetlabs.com',
listen_port => 443,
ssl_port => 443,
listen_unix_socket_enable => true,
listen_unix_socket => '/var/run/nginx.sock'
}
host { 'www.puppetlabs.com': ip => '127.0.0.1', }
file { ['/var/www','/var/www/www.puppetlabs.com']: ensure => directory }
file { '/var/www/www.puppetlabs.com/index.html': ensure => file, content => 'Hello from www\n', }
"

apply_manifest(pp, catch_failures: true)
end

describe service('nginx') do
it { is_expected.to be_running }
end

describe port(443) do
it { is_expected.to be_listening }
end

# curl on centos7 does not support curl --unix-socket with https:// addresses :(
describe file('/var/run/nginx.sock') do
it { is_expected.to be_socket }
end

it 'answers to https://www.puppetlabs.com with "Hello from www"' do
# use --insecure because it's a self-signed cert
shell('/usr/bin/curl --insecure https://www.puppetlabs.com:443') do |r|
expect(r.stdout).to eq("Hello from www\n")
end
end

it 'answers to https://www.puppetlabs.com without error' do
# use --insecure because it's a self-signed cert
shell('/usr/bin/curl --fail --insecure https://www.puppetlabs.com:443') do |r|
expect(r.exit_code).to eq(0)
end
end
end
end
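Review bot: The 'should run with unix socket with SSL' context never checks that the socket listener is actually TLS-enabled: the only socket assertion is `be_socket`, and both curl calls go to TCP port 443, so a template regression that drops `ssl` from the `listen unix:` line would still pass. Since the inline comment rules out curl over the socket on centos7, assert the rendered config instead, e.g. `it { is_expected.to contain 'listen unix:/var/run/nginx.sock ssl' }` inside a `describe file('/etc/nginx/sites-available/www.puppetlabs.com.conf')` block; this assumes the SSL vhost renders to the same path as in the first context and that `ssl_listen_option` is on. The context also omits the `apply_manifest(pp, catch_changes: true)` idempotency run that the non-SSL context performs.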
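--- a/templates/server/server_ssl_header.erb
+++ b/templates/server/server_ssl_header.erb
@@ -9,6 +9,15 @@ server {
 <%- else -%>
 listen <%= @listen_ip %>:<%= @ssl_port %> <% if @ssl_listen_option %>ssl<% end %><% if scope.call_function('versioncmp', [scope['nginx::nginx_version'], '1.25.1']) < 0 && @http2 == 'on' %> http2<% end %><% if @spdy == 'on' %> spdy<% end %><% if @listen_options %> <%= @listen_options %><% end %>;
 <%- end -%>
+<%- if @listen_unix_socket_enable -%>
+<%- if @listen_unix_socket.is_a?(Array) then -%>
+<%- @listen_unix_socket.each do |unix_socket| -%>
+listen unix:<%= unix_socket %> <% if @ssl_listen_option %>ssl<% end %><% if scope.call_function('versioncmp', [scope['nginx::nginx_version'], '1.25.1']) < 0 && @http2 == 'on' %> http2<% end %><% if @spdy == 'on' %> spdy<% end %><% if @listen_unix_socket_options %> <%= @listen_unix_socket_options %><% end %>;
+<%- end -%>
+<%- else -%>
+listen unix:<%= @listen_unix_socket %> <% if @ssl_listen_option %>ssl<% end %><% if scope.call_function('versioncmp', [scope['nginx::nginx_version'], '1.25.1']) < 0 && @http2 == 'on' %> http2<% end %><% if @spdy == 'on' %> spdy<% end %><% if @listen_unix_socket_options %> <%= @listen_unix_socket_options %><% end %>;
+<%- end -%>
+<%- end -%>
 <%= scope.function_template(["nginx/server/server_ssl_ipv6_listen.erb"]) %>
 <%- if @rewrite_www_to_non_www -%>
 server_name www.<%= s.gsub(/^www\./, '') %>;
@@ -53,6 +62,15 @@ server {
 <%- else -%>
 listen <%= @listen_ip %>:<%= @ssl_port %> <% if @ssl_listen_option %>ssl<% end %><% if scope.call_function('versioncmp', [scope['nginx::nginx_version'], '1.25.1']) < 0 && @http2 == 'on' %> http2<% end %><% if @spdy == 'on' %> spdy<% end %><% if @listen_options %> <%= @listen_options %><% end %>;
 <%- end -%>
+<%- if @listen_unix_socket_enable -%>
+<%- if @listen_unix_socket.is_a?(Array) then -%>
+<%- @listen_unix_socket.each do |unix_socket| -%>
+listen unix:<%= unix_socket %> <% if @ssl_listen_option %>ssl<% end %><% if @http2 == 'on' %> http2<% end %><% if @spdy == 'on' %> spdy<% end %><% if @listen_unix_socket_options %> <%= @listen_unix_socket_options %><% end %>;
+<%- end -%>
+<%- else -%>
+listen unix:<%= @listen_unix_socket %> <% if @ssl_listen_option %>ssl<% end %><% if @http2 == 'on' %> http2<% end %><% if @spdy == 'on' %> spdy<% end %><% if @listen_unix_socket_options %> <%= @listen_unix_socket_options %><% end %>;
+<%- end -%>
+<%- end -%>
 <%= scope.function_template(["nginx/server/server_ssl_ipv6_listen.erb"]) %>
 <%- if @rewrite_www_to_non_www -%>
 server_name <%= @server_name.join(" ").gsub(/(^| )(www\.)?(?=[a-z0-9])/, '') %>;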
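Review bot: The two `listen unix:` lines added in the second hunk (`@@ -53,6 +62,15 @@`) emit ` http2` whenever `@http2 == 'on'`, without the nginx-version guard that the first hunk's socket lines and the neighbouring TCP `listen` line both carry. On nginx 1.25.1 and later the second server block would therefore still render the `http2` listen parameter for the socket, which that guard appears intended to suppress. Use the same condition on both lines: `<% if scope.call_function('versioncmp', [scope['nginx::nginx_version'], '1.25.1']) < 0 && @http2 == 'on' %> http2<% end %>`. Both server blocks continue outside the hunks.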