diff --git a/CHANGELOG.md b/CHANGELOG.md
index 10da361..a8f7f5e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,16 @@ Changelog of Git Changelog.

No issue

+b58dd8426596bdc Jenkins Server 2017-07-23 10:18:44 +

+

recommit for updates in build 54

+ +

+98711530f982aa2 Arne Teuke 2017-07-23 10:18:25 +

+

cert creation works

+ +

9547dbb7a7e32d0 Jenkins Server 2017-07-23 10:08:29

recommit for updates in build 53

diff --git a/README.md b/README.md
index 6bf0ba9..ee78d59 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,7 @@ Nagios is a powerful open source software solution for monitoring your IT enviro
 * [Optional Parameters](#optional-parameters)
 * [PuppetDB]
 * [SELINUX](#selinux)
+* [Certbot](#certbot)
 * [Known Problems](#known-problems)
 * [Support](#support)
 * [Tests](#tests)
@@ -104,6 +105,13 @@ A working instance of PuppetDBconnected to the Puppet master is required for thi
 ### SELINUX
 All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.
+### Certbot
+This module can optionally setup [certbot](https://certbot.eff.org/) TLS certificate management for the frontend GUI. In order to do so, set `ng_enable_certbot` to true (default). Effectively, this will manage the certs before even installing Nagios, so there will be no problems with the Nagios showing up with a self-signed certificate.
+Once enabled, the module will go and try to obtain a certificate automatically. For this to work, you need to have proper DNS resolution set up for your domain / nagios server.
+
+### httpd vHost files
+by Default, Nagios creates its own nagios.conf file, which is not a vhost file and relies on the main ssd.conf. However, as Nagios might be running on a regular web server with various other web instances (not recommended through), we will not want to manage ssl.conf directly, hence the module creates a vhost for the ssl host.
+
 ### Known Problems
 ### Support
diff --git a/REPOSTRUCTURE.md b/REPOSTRUCTURE.md
index c945adf..9dd9829 100644
--- a/REPOSTRUCTURE.md
+++ b/REPOSTRUCTURE.md
@@ -62,6 +62,7 @@
 | | |-- forward_conf.erb
 | | |-- index_html.erb
 | | |-- nagios_conf.erb
+| | |-- nagios_ssl_vhost.erb
 | | `-- welcome_conf.erb
 | |-- nagios
 | | |-- cgi_cfg.erb
@@ -79,4 +80,4 @@
 |-- README.md
 `-- REPOSTRUCTURE.md
-18 directories, 61 files
+18 directories, 62 files 
diff --git a/doc/_index.html b/doc/_index.html
index 97ed2bf..ead80f2 100644
--- a/doc/_index.html
+++ b/doc/_index.html
@@ -186,7 +186,7 @@
diff --git a/doc/file.README.html b/doc/file.README.html
index 86cc550..b74e9d0 100644
--- a/doc/file.README.html
+++ b/doc/file.README.html
@@ -110,6 +110,8 @@ Structure

  • SELINUX

  • +

    Certbot

    +
  • Known Problems

  • Support

    @@ -249,6 +251,26 @@ is available to automate this task for you as well within a few minutes.

    All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.

    +

    Certbot

    + +

    This module can optionally setup certbot TLS certificate management for +the frontend GUI. In order to do so, set ng_enable_certbot to +true (default). Effectively, this will manage the certs before even +installing Nagios, so there will be no problems with the Nagios showing up +with a self-signed certificate. +Once enabled, the module will go and try to +obtain a certificate automatically. For this to work, you need to have +proper DNS resolution set up for your domain / nagios server.

    + +

    httpd vHost files

    + +

    by Default, Nagios creates its own nagios.conf file, which is not a vhost +file and relies on the main ssd.conf. However, as Nagios might be running +on a regular web server with various other web instances (not recommended +through), we will not want to manage ssl.conf directly, hence the module +creates a vhost for the ssl host.

    +

    Known Problems

    Support

    @@ -304,7 +326,7 @@ environments.

    diff --git a/doc/index.html b/doc/index.html
index e522fbf..e4b3cfd 100644
--- a/doc/index.html
+++ b/doc/index.html
@@ -110,6 +110,8 @@ Structure

  • SELINUX

  • +

    Certbot

    +
  • Known Problems

  • Support

    @@ -249,6 +251,26 @@ is available to automate this task for you as well within a few minutes.

    All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.

    +

    Certbot

    + +

    This module can optionally setup certbot TLS certificate management for +the frontend GUI. In order to do so, set ng_enable_certbot to +true (default). Effectively, this will manage the certs before even +installing Nagios, so there will be no problems with the Nagios showing up +with a self-signed certificate. +Once enabled, the module will go and try to +obtain a certificate automatically. For this to work, you need to have +proper DNS resolution set up for your domain / nagios server.

    + +

    httpd vHost files

    + +

    by Default, Nagios creates its own nagios.conf file, which is not a vhost +file and relies on the main ssd.conf. However, as Nagios might be running +on a regular web server with various other web instances (not recommended +through), we will not want to manage ssl.conf directly, hence the module +creates a vhost for the ssl host.

    +

    Known Problems

    Support

    @@ -304,7 +326,7 @@ environments.

    diff --git a/doc/puppet_classes/cd_nagios.html b/doc/puppet_classes/cd_nagios.html
index 8a1bb57..f5b1bfc 100644
--- a/doc/puppet_classes/cd_nagios.html
+++ b/doc/puppet_classes/cd_nagios.html
@@ -139,7 +139,7 @@ class cd_nagios {
diff --git a/doc/puppet_classes/cd_nagios_3A_3Acertbot_3A_3Acerts.html b/doc/puppet_classes/cd_nagios_3A_3Acertbot_3A_3Acerts.html
index 09347d7..8f1c36d 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Acertbot_3A_3Acerts.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Acertbot_3A_3Acerts.html
@@ -230,7 +230,7 @@ class cd_nagios::certbot::certs (
diff --git a/doc/puppet_classes/cd_nagios_3A_3Aclient_3A_3Atarget.html b/doc/puppet_classes/cd_nagios_3A_3Aclient_3A_3Atarget.html
index e36bc26..d25f7b4 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Aclient_3A_3Atarget.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Aclient_3A_3Atarget.html
@@ -368,7 +368,7 @@ class cd_nagios::client::target (
diff --git a/doc/puppet_classes/cd_nagios_3A_3Afirewall_3A_3Aiptables.html b/doc/puppet_classes/cd_nagios_3A_3Afirewall_3A_3Aiptables.html
index a16184a..26b0fe5 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Afirewall_3A_3Aiptables.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Afirewall_3A_3Aiptables.html
@@ -207,7 +207,7 @@ class cd_nagios::firewall::iptables (
diff --git a/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Aconfig.html b/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Aconfig.html
index 2b01275..be35fa3 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Aconfig.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Aconfig.html 
@@ -168,15 +168,15 @@ class cd_nagios::main::config (
 # manage server configuration
 if $::fqdn == $ng_nagios_server {
-# include cd_nagios::server::service
+ include cd_nagios::server::service
 if $ng_include_fw == true {
 include cd_nagios::firewall::iptables
 }
-# if $ng_use_selinux_tools == true {
-# include cd_nagios::selinux::config
-# }
+ if $ng_use_selinux_tools == true {
+ include cd_nagios::selinux::config
+ }
 if $ng_enable_certbot == true {
 require cd_nagios::certbot::certs
@@ -195,7 +195,7 @@ class cd_nagios::main::config (
diff --git a/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Adirs.html b/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Adirs.html
index 7a454f9..08762f0 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Adirs.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Adirs.html
@@ -468,7 +468,7 @@ class cd_nagios::main::dirs (
diff --git a/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Ainstall.html b/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Ainstall.html
index bd432bc..a65ded6 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Ainstall.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Ainstall.html
@@ -235,7 +235,7 @@ class cd_nagios::main::install (
diff --git a/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Auser.html b/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Auser.html
index ba97395..2a0c1b1 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Auser.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Auser.html
@@ -200,7 +200,7 @@ class cd_nagios::main::user (
diff --git a/doc/puppet_classes/cd_nagios_3A_3Aparams.html b/doc/puppet_classes/cd_nagios_3A_3Aparams.html
index 6e128cd..80f5d10 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Aparams.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Aparams.html
@@ -2169,7 +2169,9 @@ required for certbot and used in the web templates.

    392 393 394 -395 +395 +396 +397
    # File 'manifests/params.pp', line 216
    @@ -2342,6 +2344,8 @@ $ng_unless_get_cert   = 'cd_nagios/certbot/unless_get_cert.erb'
     $ng_unless_renew_erb  = 'cd_nagios/certbot/unless_renew_cert.erb'
     $ng_index_html_file   = '/var/www/html/index.html'
     $ng_index_html_erb    = 'cd_nagios/httpd/index_html.erb'
    +$ng_ssl_vhost_file    = '/etc/httpd/conf.d/nagios_ssl.conf'
    +$ng_ssl_vhost_erb     = 'cd_nagios/httpd/nagios_ssl_vhost.erb'
     
     # certbot
     $ng_certbot_main_dir  = '/etc/letsencrypt'
    @@ -2361,7 +2365,7 @@ $ng_certbot_cert      = "${ng_certbot_archive}/${ng_webserver_name}/cert1.p
     
     
           
    diff --git a/doc/puppet_classes/cd_nagios_3A_3Aselinux_3A_3Aconfig.html b/doc/puppet_classes/cd_nagios_3A_3Aselinux_3A_3Aconfig.html
    index c0843da..275144b 100644
    --- a/doc/puppet_classes/cd_nagios_3A_3Aselinux_3A_3Aconfig.html
    +++ b/doc/puppet_classes/cd_nagios_3A_3Aselinux_3A_3Aconfig.html
    @@ -249,7 +249,7 @@ class cd_nagios::selinux::config (
     
     
           
    diff --git a/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Aaccess_rules.html b/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Aaccess_rules.html
    index 2f6981d..40639cc 100644
    --- a/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Aaccess_rules.html
    +++ b/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Aaccess_rules.html
    @@ -195,7 +195,7 @@ class cd_nagios::server::access_rules (
     
     
           
    diff --git a/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Afiles.html b/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Afiles.html
    index d062da9..2afb0f2 100644
    --- a/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Afiles.html
    +++ b/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Afiles.html
    @@ -230,7 +230,22 @@ href="http://www.gnu.org/licenses">www.gnu.org/licenses/.

    121 122 123 -124
    +124 +125 +126 +127 +128 +129 +130 +131 +132 +133 +134 +135 +136 +137 +138 +139
    # File 'manifests/server/files.pp', line 23
    @@ -300,12 +315,11 @@ class cd_nagios::server::files (
           notify    =>  Service[$ae_service],
         }
     
    +    if $ng_use_https == true {
     
    -    if $ng_http_https_fw == true {
    -
    -      file { $ng_forward_conf:
    +      file { $ng_ssl_vhost_file:
             ensure    =>  file,
    -        path      =>  $ng_forward_conf,
    +        path      =>  $ng_ssl_vhost_file,
             owner     =>  'root',
             group     =>  'root',
             mode      =>  '0644',
    @@ -313,11 +327,27 @@ class cd_nagios::server::files (
             selrole   =>  object_r,
             seltype   =>  httpd_config_t,
             seluser   =>  system_u,
    -        content   =>  template($ng_forward_conf_erb),
    +        content   =>  template($ng_ssl_vhost_erb),
             notify    =>  Service[$ae_service],
           }
    -    }
     
    +      if $ng_http_https_fw == true {
    +
    +        file { $ng_forward_conf:
    +          ensure    =>  file,
    +          path      =>  $ng_forward_conf,
    +          owner     =>  'root',
    +          group     =>  'root',
    +          mode      =>  '0644',
    +          selrange  =>  s0,
    +          selrole   =>  object_r,
    +          seltype   =>  httpd_config_t,
    +          seluser   =>  system_u,
    +          content   =>  template($ng_forward_conf_erb),
    +          notify    =>  Service[$ae_service],
    +        }
    +      }
    +    }
     
         if $ng_enable_index == true {
     
    @@ -344,7 +374,7 @@ class cd_nagios::server::files (
     
     
           
    diff --git a/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Aservice.html b/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Aservice.html
    index ed9e39c..c19f834 100644
    --- a/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Aservice.html
    +++ b/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Aservice.html
    @@ -174,7 +174,7 @@ class cd_nagios::server::service (
     
     
           
    diff --git a/doc/puppet_defined_types/cd_nagios_3A_3Aserver_3A_3Aaccess.html b/doc/puppet_defined_types/cd_nagios_3A_3Aserver_3A_3Aaccess.html
    index eedf5fd..a46c559 100644
    --- a/doc/puppet_defined_types/cd_nagios_3A_3Aserver_3A_3Aaccess.html
    +++ b/doc/puppet_defined_types/cd_nagios_3A_3Aserver_3A_3Aaccess.html
    @@ -220,7 +220,7 @@ $ng_service       = $::cd_nagios::params::ng_service
     
     
           
    diff --git a/doc/top-level-namespace.html b/doc/top-level-namespace.html
    index 72c7cc5..75810c9 100644
    --- a/doc/top-level-namespace.html
    +++ b/doc/top-level-namespace.html
    @@ -90,7 +90,7 @@
     
     
           
    diff --git a/manifests/main/config.pp b/manifests/main/config.pp
    index cfde7ec..a5ff466 100644
    --- a/manifests/main/config.pp
    +++ b/manifests/main/config.pp
    @@ -28,15 +28,15 @@ class cd_nagios::main::config (
       # manage server configuration
     
       if $::fqdn == $ng_nagios_server {
    -#    include cd_nagios::server::service
    +    include cd_nagios::server::service
     
         if $ng_include_fw == true {
           include cd_nagios::firewall::iptables
         }
     
    -#    if $ng_use_selinux_tools == true {
    -#      include cd_nagios::selinux::config
    -#    }
    +    if $ng_use_selinux_tools == true {
    +      include cd_nagios::selinux::config
    +    }
     
         if $ng_enable_certbot == true {
           require cd_nagios::certbot::certs
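Review bot: The includes this hunk re-enables (`include cd_nagios::server::service` and the `cd_nagios::selinux::config` branch) are gated by `if $::fqdn == $ng_nagios_server`, and `$::fqdn` is a fact the agent reports about itself, so any node whose facts carry the server's name is handed the server role; while the includes were commented out this gate was moot, now it decides something. For an identity decision the value to compare is the master-verified `$trusted['certname']`, e.g. `if $trusted['certname'] == $ng_nagios_server {`, assuming `$ng_nagios_server` holds the certname rather than a differently-formatted hostname. The README's Certbot section states that certificates are managed before Nagios is installed, but `include cd_nagios::server::service` creates no ordering against the `require cd_nagios::certbot::certs` below it (the `require` orders this class, not classes merely included from it), so if that sequence matters it needs a `contain` or an explicit chaining arrow. The class `cd_nagios::main::config` begins and ends outside the hunk.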
    diff --git a/manifests/params.pp b/manifests/params.pp
    index a9ec8f6..ba47b10 100644
    --- a/manifests/params.pp
    +++ b/manifests/params.pp
    @@ -381,6 +381,8 @@ $ng_unless_get_cert   = 'cd_nagios/certbot/unless_get_cert.erb'
     $ng_unless_renew_erb  = 'cd_nagios/certbot/unless_renew_cert.erb'
     $ng_index_html_file   = '/var/www/html/index.html'
     $ng_index_html_erb    = 'cd_nagios/httpd/index_html.erb'
    +$ng_ssl_vhost_file    = '/etc/httpd/conf.d/nagios_ssl.conf'
    +$ng_ssl_vhost_erb     = 'cd_nagios/httpd/nagios_ssl_vhost.erb'
     
     # certbot
     $ng_certbot_main_dir  = '/etc/letsencrypt'
    diff --git a/manifests/server/files.pp b/manifests/server/files.pp
    index 75cf691..d79bb71 100644
    --- a/manifests/server/files.pp
    +++ b/manifests/server/files.pp
    @@ -85,12 +85,11 @@ class cd_nagios::server::files (
           notify    =>  Service[$ae_service],
         }
     
    +    if $ng_use_https == true {
     
    -    if $ng_http_https_fw == true {
    -
    -      file { $ng_forward_conf:
    +      file { $ng_ssl_vhost_file:
             ensure    =>  file,
    -        path      =>  $ng_forward_conf,
    +        path      =>  $ng_ssl_vhost_file,
             owner     =>  'root',
             group     =>  'root',
             mode      =>  '0644',
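Review bot: Setting `$ng_use_https` (or `$ng_http_https_fw`) back to false leaves a previously written `/etc/httpd/conf.d/nagios_ssl.conf` or forward conf on disk, because the new `if $ng_use_https == true {` branch (closed by the added `}` lines in the next hunk) has no `else` that removes them, and a RHEL-style `IncludeOptional conf.d/*.conf` will keep loading a stale SSL vhost. Adding `else { file { [$ng_ssl_vhost_file, $ng_forward_conf]: ensure => absent, notify => Service[$ae_service] } }` after the branch makes the flag authoritative in both directions; the inner `$ng_http_https_fw` branch wants the same treatment if it can be toggled on its own. The two `file` resources now differ only in path and template, so a small defined type carrying the shared owner/mode/SELinux attributes would keep them from drifting apart. The class `cd_nagios::server::files` begins and ends outside these hunks.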
    @@ -98,11 +97,27 @@ class cd_nagios::server::files (
             selrole   =>  object_r,
             seltype   =>  httpd_config_t,
             seluser   =>  system_u,
    -        content   =>  template($ng_forward_conf_erb),
    +        content   =>  template($ng_ssl_vhost_erb),
             notify    =>  Service[$ae_service],
           }
    -    }
     
    +      if $ng_http_https_fw == true {
    +
    +        file { $ng_forward_conf:
    +          ensure    =>  file,
    +          path      =>  $ng_forward_conf,
    +          owner     =>  'root',
    +          group     =>  'root',
    +          mode      =>  '0644',
    +          selrange  =>  s0,
    +          selrole   =>  object_r,
    +          seltype   =>  httpd_config_t,
    +          seluser   =>  system_u,
    +          content   =>  template($ng_forward_conf_erb),
    +          notify    =>  Service[$ae_service],
    +        }
    +      }
    +    }
     
         if $ng_enable_index == true {
     
    diff --git a/templates/httpd/nagios_ssl_vhost.erb b/templates/httpd/nagios_ssl_vhost.erb
    new file mode 100644
    index 0000000..dd3e985
    --- /dev/null
    +++ b/templates/httpd/nagios_ssl_vhost.erb
    @@ -0,0 +1,44 @@
    +###############################################################################
    +#####  virtual_host file created by puppet, changes will be overwritten  ######
    +###############################################################################
    +
    +
    +
    +    ServerAdmin root@localhost
    +    DocumentRoot /var/www/html
    +    ServerName <%= @ng_webserver_name %>
    +    DirectoryIndex index.html
    +    ErrorLog /var/log/httpd/nagios_ssl_error_log
    +#    ErrorLog syslog:local1
    +    TransferLog /var/log/httpd/nagios_ssl_transfer_log
    +    LogLevel warn
    +
    +    SSLEngine on
    +    SSLProtocol all -SSLv2 -SSLv3
    +    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
    +
    +<% if @js_use_certbot == true -%>
    +    SSLCertificateFile <%= @js_certbot_live %>/<%= @ng_webserver_name %>/cert.pem
    +    SSLCertificateKeyFile <%= @js_certbot_live %>/<%= @ng_webserver_name %>/privkey.pem
    +    SSLCACertificateFile <%= @js_certbot_live %>/<%= @ng_webserver_name %>/fullchain.pem
    +<% elsif @js_use_certbot != true -%>
    +    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    +    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    +    #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
    +<% end -%>
    +    
    +    SSLOptions +StdEnvVars
    +    
    +    
    +    SSLOptions +StdEnvVars
    +    
    +
    +    SetEnvIf User-Agent ".*MSIE.*" \
    +         nokeepalive ssl-unclean-shutdown \
    +         downgrade-1.0 force-response-1.0
    +
    +
    +     CustomLog logs/ssl_request_log \
    +          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    +
    +
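Review bot: The certbot branch keys on `@js_use_certbot` and `@js_certbot_live`, while every variable this commit introduces or references elsewhere carries the `ng_` prefix (`$ng_enable_certbot`, `$ng_certbot_main_dir`, `@ng_webserver_name`); unless a `js_`-prefixed variable is in scope, `@js_use_certbot == true` is false for a nil value and the vhost silently falls back to the `localhost.crt` self-signed pair, which is the very outcome the README's Certbot section says the feature avoids. `SSLCACertificateFile` is the CA set for verifying client certificates and does not send the intermediate to browsers, so with `cert.pem` as `SSLCertificateFile` the Let's Encrypt chain is never served; point `SSLCertificateFile` at `fullchain.pem` (httpd 2.4.8+) or add `SSLCertificateChainFile` instead. `SSLProtocol all -SSLv2 -SSLv3` still accepts TLS 1.0 and 1.1, and the cipher list both adds `EECDH+aRSA+RC4`/`RC4` and ends with `!RC4`, so the RC4 entries are dead text. The `elsif @js_use_certbot != true` is just `else`; the fence below assumes `$ng_enable_certbot` is visible to `cd_nagios::server::files` as it is to `cd_nagios::main::config`, and keeps the live-directory variable as a placeholder to confirm. The `<VirtualHost>`, `<Files>` and `<Directory>` containers appear to have been stripped from this view (blank lines around the `SSLOptions` entries), so I assume they exist in the committed file.
```erb
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
<%# … unchanged: SSLCipherSuite, minus the EECDH+aRSA+RC4 and RC4 entries that the trailing !RC4 already excludes … %>

<% if @ng_enable_certbot == true -%>
<%# TODO(review): confirm the live-directory variable name; only ng_-prefixed parameters are visible in this diff %>
    SSLCertificateFile <%= @js_certbot_live %>/<%= @ng_webserver_name %>/fullchain.pem
    SSLCertificateKeyFile <%= @js_certbot_live %>/<%= @ng_webserver_name %>/privkey.pem
<% else -%>
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<% end -%>
```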