From b40a76cd0429320d17df1d521585fe89b8d700b8 Mon Sep 17 00:00:00 2001 From: Tim Meusel Date: Sat, 7 Jul 2018 15:19:34 +0200 Subject: [PATCH] dont deploy "ssl on" on nginx 1.15 or newer fixes #1224. the option 'ssl on' within a server block is deprecated since nginx 1.15.0. --- manifests/init.pp | 1 + manifests/params.pp | 8 +++++ manifests/resource/server.pp | 4 ++- spec/defines/resource_server_spec.rb | 37 ++++++++++++++++++++++++ templates/server/server_ssl_settings.erb | 3 +- 5 files changed, 51 insertions(+), 2 deletions(-) diff --git a/manifests/init.pp b/manifests/init.pp index 66c5e1bb6..e0d2fb3b4 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -170,6 +170,7 @@ $nginx_servers = {}, $nginx_servers_defaults = {}, Boolean $purge_passenger_repo = true, + Boolean $add_listen_directive = $nginx::params::add_listen_directive, ### END Hiera Lookups ### ) inherits nginx::params { diff --git a/manifests/params.pp b/manifests/params.pp index 9c515fc3c..c8796ad1b 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -121,5 +121,13 @@ $sites_available_group = $_module_parameters['root_group'] $sites_available_mode = '0644' $super_user = true + if fact('nginx_version') { + $add_listen_directive = versioncmp(fact('nginx_version'), '1.15.0') ? { + -1 => true, + default => false, + } + } else { + $add_listen_directive = true + } ### END Referenced Variables } diff --git a/manifests/resource/server.pp b/manifests/resource/server.pp index d6853c684..c9e62df4e 100644 --- a/manifests/resource/server.pp +++ b/manifests/resource/server.pp @@ -127,6 +127,7 @@ # [*error_pages*] - Hash: setup errors pages, hash key is the http code and hash value the page # [*locations*] - Hash of servers resources used by this server # [*locations_defaults*] - Hash of location default settings +# [*add_listen_directive*] - Boolean to determine if we should add 'ssl on;' to th vhost or not. defaults to true for nginx 1.14 and older, otherwise false # Actions: # # Requires: 
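Review bot: The new `$add_listen_directive` parameter is named after `listen`, but the doc line added in manifests/resource/server.pp and the template change show that it toggles the `ssl on;` directive. The name will mislead anyone who expects it to control `listen` lines. Whatever name is kept, the parameter should also be documented on this class, for example `# [*add_listen_directive*] - Boolean: emit 'ssl on;' in SSL server blocks; defaults to true for nginx older than 1.15.0 or when the version is unknown`. The doc line in server.pp also has a typo, `th vhost`. The class body continues outside the hunk.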
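Review bot: In manifests/params.pp the default falls back to `true` whenever the `nginx_version` fact is missing. That is presumably the case on the first run on a node where nginx is not yet installed, so a fresh install of 1.15 or newer would still get the deprecated `ssl on;` until the next run. A comment above the `if`, such as `# nginx_version is unknown before the package is installed; keep 'ssl on;' until the fact is available`, would make that fallback deliberate. The selector can also be reduced to a plain comparison: `$add_listen_directive = versioncmp(fact('nginx_version'), '1.15.0') < 0`.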
@@ -260,7 +261,8 @@ String $maintenance_value = 'return 503', $error_pages = undef, Hash $locations = {}, - Hash $locations_defaults = {} + Hash $locations_defaults = {}, + Boolean $add_listen_directive = $nginx::add_listen_directive, ) { if ! defined(Class['nginx']) { diff --git a/spec/defines/resource_server_spec.rb b/spec/defines/resource_server_spec.rb index bf2784a08..8a98acf60 100644 --- a/spec/defines/resource_server_spec.rb +++ b/spec/defines/resource_server_spec.rb @@ -425,6 +425,43 @@ end describe 'server_ssl_header template content' do + context 'without a value for the nginx_version fact do' do + let :facts do + facts[:nginx_version] ? facts.delete(:nginx_version) : facts + end + let :params do + default_params.merge( + :ssl => true, + :ssl_key => 'dummy.key', + :ssl_cert => 'dummy.crt') + end + it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ ssl on;}) } + end + context 'with fact nginx_version=1.14.1' do + let :facts do + facts.merge(:nginx_version => '1.14.1') + end + let :params do + default_params.merge( + :ssl => true, + :ssl_key => 'dummy.key', + :ssl_cert => 'dummy.crt') + end + it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ ssl on;}) } + end + + context 'with fact nginx_version=1.15.1'do + let :facts do + facts.merge(:nginx_version => '1.15.1') + end + let :params do + default_params.merge( + :ssl => true, + :ssl_key => 'dummy.key', + :ssl_cert => 'dummy.crt') + end + it { is_expected.not_to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ ssl on;}) } + end [ { title: 'should not contain www to non-www rewrite', diff --git a/templates/server/server_ssl_settings.erb b/templates/server/server_ssl_settings.erb index 2cbc36a7f..0c8b041ec 100644 --- a/templates/server/server_ssl_settings.erb +++ b/templates/server/server_ssl_settings.erb 
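Review bot: In the first added context of spec/defines/resource_server_spec.rb, `facts[:nginx_version] ? facts.delete(:nginx_version) : facts` does not return a facts hash when the fact is present. `Hash#delete` returns the removed value (the version string) and also mutates the `facts` hash that the other contexts read. A non-mutating form returns a hash in both cases: `facts.reject { |k, _| k == :nginx_version }`. The context description also ends in a stray `do` (`'without a value for the nginx_version fact do'`), and `'with fact nginx_version=1.15.1'do` is missing a space before `do`.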
@@ -1,5 +1,6 @@
+<% if @add_listen_directive -%>
 ssl on;
-
+<% end -%>
 <% if @ssl_cert -%>
 ssl_certificate <%= @ssl_cert %>;
 <% end -%>
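Review bot: Once `ssl on;` is skipped, TLS for the server block depends entirely on the `ssl` parameter of the `listen` directive, which is rendered outside this hunk. The new 1.15.1 spec only asserts that `ssl on;` is absent. It would be worth also asserting that the rendered `listen` line carries `ssl`, so a template regression cannot leave the SSL port serving plaintext. A short template comment above the condition, `<%# 'ssl on;' is deprecated since nginx 1.15.0; TLS is enabled via 'listen ... ssl' -%>`, would record why the directive is conditional.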