added control for nagios_ssl vhost

2017-07-23 11:54:58 +01:00
parent 98711530f9
commit d337cae1e5
4 changed files with 75 additions and 6 deletions
--- a/README.md
+++ b/README.md
@@ -23,6 +23,7 @@ Nagios is a powerful open source software solution for monitoring your IT enviro
  * [Optional Parameters](#optional-parameters)
 * [PuppetDB]
 * [SELINUX](#selinux)
+* [Certbot](#certbot)
 * [Known Problems](#known-problems)
 * [Support](#support)
 * [Tests](#tests)
@@ -104,6 +105,13 @@ A working instance of PuppetDBconnected to the Puppet master is required for thi
 ### SELINUX
 All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.

+### Certbot
+This module can optionally setup [certbot](https://certbot.eff.org/) TLS certificate management for the frontend GUI. In order to do so, set `ng_enable_certbot` to true (default).  Effectively, this will manage the certs before even installing Nagios, so there will be no problems with the Nagios showing up with a self-signed certificate.
+Once enabled, the module will go and try to obtain a certificate automatically. For this to work, you need to have proper DNS resolution set up for your domain / nagios server.
+
+### httpd vHost files
+by Default, Nagios creates its own nagios.conf file, which is not a vhost file and relies on the main ssd.conf. However, as Nagios might be running on a regular web server with various other web instances (not recommended through), we will not want to manage ssl.conf directly, hence the module creates a vhost for the ssl host.
+
 ### Known Problems

 ### Support
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -381,6 +381,8 @@ $ng_unless_get_cert   = 'cd_nagios/certbot/unless_get_cert.erb'
 $ng_unless_renew_erb  = 'cd_nagios/certbot/unless_renew_cert.erb'
 $ng_index_html_file   = '/var/www/html/index.html'
 $ng_index_html_erb    = 'cd_nagios/httpd/index_html.erb'
+$ng_ssl_vhost_file    = '/etc/httpd/conf.d/nagios_ssl.conf'
+$ng_ssl_vhost_erb     = 'cd_nagios/httpd/nagios_ssl_vhost.erb'

 # certbot
 $ng_certbot_main_dir  = '/etc/letsencrypt'
--- a/manifests/server/files.pp
+++ b/manifests/server/files.pp
@@ -85,12 +85,11 @@ class cd_nagios::server::files (
      notify    =>  Service[$ae_service],
    }

+    if $ng_use_https == true {

-    if $ng_http_https_fw == true {
-
-      file { $ng_forward_conf:
+      file { $ng_ssl_vhost_file:
        ensure    =>  file,
-        path      =>  $ng_forward_conf,
+        path      =>  $ng_ssl_vhost_file,
        owner     =>  'root',
        group     =>  'root',
        mode      =>  '0644',
@@ -98,11 +97,27 @@ class cd_nagios::server::files (
        selrole   =>  object_r,
        seltype   =>  httpd_config_t,
        seluser   =>  system_u,
-        content   =>  template($ng_forward_conf_erb),
+        content   =>  template($ng_ssl_vhost_erb),
        notify    =>  Service[$ae_service],
      }
-    }

+      if $ng_http_https_fw == true {
+
+        file { $ng_forward_conf:
+          ensure    =>  file,
+          path      =>  $ng_forward_conf,
+          owner     =>  'root',
+          group     =>  'root',
+          mode      =>  '0644',
+          selrange  =>  s0,
+          selrole   =>  object_r,
+          seltype   =>  httpd_config_t,
+          seluser   =>  system_u,
+          content   =>  template($ng_forward_conf_erb),
+          notify    =>  Service[$ae_service],
+        }
+      }
+    }

    if $ng_enable_index == true {

--- a/templates/httpd/nagios_ssl_vhost.erb
+++ b/templates/httpd/nagios_ssl_vhost.erb
@@ -0,0 +1,44 @@
+###############################################################################
+#####  virtual_host file created by puppet, changes will be overwritten  ######
+###############################################################################
+
+<VirtualHost *:443>
+
+    ServerAdmin root@localhost
+    DocumentRoot /var/www/html
+    ServerName <%= @ng_webserver_name %>
+    DirectoryIndex index.html
+    ErrorLog /var/log/httpd/nagios_ssl_error_log
+#    ErrorLog syslog:local1
+    TransferLog /var/log/httpd/nagios_ssl_transfer_log
+    LogLevel warn
+
+    SSLEngine on
+    SSLProtocol all -SSLv2 -SSLv3
+    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
+
+<% if @js_use_certbot == true -%>
+    SSLCertificateFile <%= @js_certbot_live %>/<%= @ng_webserver_name %>/cert.pem
+    SSLCertificateKeyFile <%= @js_certbot_live %>/<%= @ng_webserver_name %>/privkey.pem
+    SSLCACertificateFile <%= @js_certbot_live %>/<%= @ng_webserver_name %>/fullchain.pem
+<% elsif @js_use_certbot != true -%>
+    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+    #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+<% end -%>
+    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
+    SSLOptions +StdEnvVars
+    </Files>
+    <Directory "/var/www/cgi-bin">
+    SSLOptions +StdEnvVars
+    </Directory>
+
+    SetEnvIf User-Agent ".*MSIE.*" \
+         nokeepalive ssl-unclean-shutdown \
+         downgrade-1.0 force-response-1.0
+
+
+     CustomLog logs/ssl_request_log \
+          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+</VirtualHost>