From d337cae1e588d61fd908fde2f93caf9538b4a7b2 Mon Sep 17 00:00:00 2001
From: Arne Teuke
Date: Sun, 23 Jul 2017 11:54:58 +0100
Subject: [PATCH 1/3] added control for nagios_ssl vhost
---
README.md | 8 +++++
manifests/params.pp | 2 ++
manifests/server/files.pp | 27 +++++++++++++----
templates/httpd/nagios_ssl_vhost.erb | 44 ++++++++++++++++++++++++++++
4 files changed, 75 insertions(+), 6 deletions(-)
create mode 100644 templates/httpd/nagios_ssl_vhost.erb
diff --git a/README.md b/README.md
index 6bf0ba9..ee78d59 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,7 @@ Nagios is a powerful open source software solution for monitoring your IT enviro
* [Optional Parameters](#optional-parameters)
* [PuppetDB]
* [SELINUX](#selinux)
+* [Certbot](#certbot)
* [Known Problems](#known-problems)
* [Support](#support)
* [Tests](#tests)
@@ -104,6 +105,13 @@ A working instance of PuppetDBconnected to the Puppet master is required for thi
### SELINUX
All files and directories are configured with correct selinux context. If selinux is disabled, these contexts are ignored.
+### Certbot
+This module can optionally setup [certbot](https://certbot.eff.org/) TLS certificate management for the frontend GUI. In order to do so, set `ng_enable_certbot` to true (default). Effectively, this will manage the certs before even installing Nagios, so there will be no problems with the Nagios showing up with a self-signed certificate.
+Once enabled, the module will go and try to obtain a certificate automatically. For this to work, you need to have proper DNS resolution set up for your domain / nagios server.
+
+### httpd vHost files
+by Default, Nagios creates its own nagios.conf file, which is not a vhost file and relies on the main ssd.conf. However, as Nagios might be running on a regular web server with various other web instances (not recommended through), we will not want to manage ssl.conf directly, hence the module creates a vhost for the ssl host.
+
### Known Problems
### Support
diff --git a/manifests/params.pp b/manifests/params.pp
index a9ec8f6..ba47b10 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -381,6 +381,8 @@ $ng_unless_get_cert = 'cd_nagios/certbot/unless_get_cert.erb'
$ng_unless_renew_erb = 'cd_nagios/certbot/unless_renew_cert.erb'
$ng_index_html_file = '/var/www/html/index.html'
$ng_index_html_erb = 'cd_nagios/httpd/index_html.erb'
+$ng_ssl_vhost_file = '/etc/httpd/conf.d/nagios_ssl.conf'
+$ng_ssl_vhost_erb = 'cd_nagios/httpd/nagios_ssl_vhost.erb'
# certbot
$ng_certbot_main_dir = '/etc/letsencrypt'
diff --git a/manifests/server/files.pp b/manifests/server/files.pp
index 75cf691..d79bb71 100644
--- a/manifests/server/files.pp
+++ b/manifests/server/files.pp
@@ -85,12 +85,11 @@ class cd_nagios::server::files (
notify => Service[$ae_service],
}
+ if $ng_use_https == true {
- if $ng_http_https_fw == true {
-
- file { $ng_forward_conf:
+ file { $ng_ssl_vhost_file:
ensure => file,
- path => $ng_forward_conf,
+ path => $ng_ssl_vhost_file,
owner => 'root',
group => 'root',
mode => '0644',
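Review bot: The new `if $ng_use_https == true {` guard has no `else`, so once the flag is turned off nothing removes `/etc/httpd/conf.d/nagios_ssl.conf` (or the forward config) and httpd keeps loading the stale vhost with its certificate paths, leaving the catalog out of step with the host's real state. An `else { file { $ng_ssl_vhost_file: ensure => absent, notify => Service[$ae_service] } }` branch (and the same for `$ng_forward_conf` under `$ng_http_https_fw`) closes the gap. Moving the `$ng_http_https_fw` block inside this guard (second hunk of this file) also means the HTTP-to-HTTPS forward is no longer managed at all when HTTPS is disabled; that is defensible, but it is a behaviour change worth a sentence in the README or the commit message. `$ng_use_https` is presumably a parameter of `cd_nagios::server::files`; its declaration is not in this patch. The block opened here closes in the next hunk.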
@@ -98,11 +97,27 @@ class cd_nagios::server::files (
selrole => object_r,
seltype => httpd_config_t,
seluser => system_u,
- content => template($ng_forward_conf_erb),
+ content => template($ng_ssl_vhost_erb),
notify => Service[$ae_service],
}
- }
+ if $ng_http_https_fw == true {
+
+ file { $ng_forward_conf:
+ ensure => file,
+ path => $ng_forward_conf,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => httpd_config_t,
+ seluser => system_u,
+ content => template($ng_forward_conf_erb),
+ notify => Service[$ae_service],
+ }
+ }
+ }
if $ng_enable_index == true {
diff --git a/templates/httpd/nagios_ssl_vhost.erb b/templates/httpd/nagios_ssl_vhost.erb
new file mode 100644
index 0000000..dd3e985
--- /dev/null
+++ b/templates/httpd/nagios_ssl_vhost.erb
@@ -0,0 +1,44 @@
+###############################################################################
+##### virtual_host file created by puppet, changes will be overwritten ######
+###############################################################################
+
+
+
+ ServerAdmin root@localhost
+ DocumentRoot /var/www/html
+ ServerName <%= @ng_webserver_name %>
+ DirectoryIndex index.html
+ ErrorLog /var/log/httpd/nagios_ssl_error_log
+# ErrorLog syslog:local1
+ TransferLog /var/log/httpd/nagios_ssl_transfer_log
+ LogLevel warn
+
+ SSLEngine on
+ SSLProtocol all -SSLv2 -SSLv3
+ SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
+
+<% if @js_use_certbot == true -%>
+ SSLCertificateFile <%= @js_certbot_live %>/<%= @ng_webserver_name %>/cert.pem
+ SSLCertificateKeyFile <%= @js_certbot_live %>/<%= @ng_webserver_name %>/privkey.pem
+ SSLCACertificateFile <%= @js_certbot_live %>/<%= @ng_webserver_name %>/fullchain.pem
+<% elsif @js_use_certbot != true -%>
+ SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+ #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+<% end -%>
+
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+
+ SetEnvIf User-Agent ".*MSIE.*" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+
+
+ CustomLog logs/ssl_request_log \
+ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+
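Review bot: `SSLCACertificateFile <%= @js_certbot_live %>/<%= @ng_webserver_name %>/fullchain.pem` uses the directive that defines the CAs trusted for client-certificate verification, not the server's own chain: whether browsers receive the Let's Encrypt intermediate then depends on OpenSSL's auto-chain behaviour rather than on the configuration, and the server's own cert plus chain becomes the trusted client-CA set should `SSLVerifyClient` ever be enabled; use `SSLCertificateChainFile <%= @js_certbot_live %>/<%= @ng_webserver_name %>/chain.pem` (or, on httpd 2.4.8+, point `SSLCertificateFile` at `fullchain.pem` and drop the extra line). The certbot branch is keyed on `@js_use_certbot` and `@js_certbot_live`, while the README and params.pp in this same series use `ng_`-prefixed names (`ng_enable_certbot`, `ng_certbot_main_dir`); unless `cd_nagios::server::files` declares those `js_` variables, which the patch does not show, they render as nil and every host silently falls through to the self-signed `localhost.crt`. `<% elsif @js_use_certbot != true -%>` is simply `<% else -%>`. The cipher preference list is only enforced if `SSLHonorCipherOrder on` sits next to it, `SSLProtocol all -SSLv2 -SSLv3` still allows TLS 1.0/1.1, and the `EECDH+aRSA+RC4` and `RC4` entries are dead because of the trailing `!RC4`. The VirtualHost/Directory container lines appear to have been stripped from this view, so the hunk may not show the complete file.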
From f4d17ac803a0324a99f1265b65c0667bd3b1a526 Mon Sep 17 00:00:00 2001
From: Arne Teuke
Date: Sun, 23 Jul 2017 11:58:27 +0100
Subject: [PATCH 2/3] added control for nagios_ssl vhost
---
manifests/main/config.pp | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/manifests/main/config.pp b/manifests/main/config.pp
index cfde7ec..a5ff466 100644
--- a/manifests/main/config.pp
+++ b/manifests/main/config.pp
@@ -28,15 +28,15 @@ class cd_nagios::main::config (
# manage server configuration
if $::fqdn == $ng_nagios_server {
-# include cd_nagios::server::service
+ include cd_nagios::server::service
if $ng_include_fw == true {
include cd_nagios::firewall::iptables
}
-# if $ng_use_selinux_tools == true {
-# include cd_nagios::selinux::config
-# }
+ if $ng_use_selinux_tools == true {
+ include cd_nagios::selinux::config
+ }
if $ng_enable_certbot == true {
require cd_nagios::certbot::certs
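Review bot: The re-enabled `include cd_nagios::server::service` and `include cd_nagios::selinux::config` sit under `if $::fqdn == $ng_nagios_server {`, and `$::fqdn` is a fact the agent reports about itself, so any node can opt itself into the server role (service, SELinux policy, certbot certificates) by presenting that hostname; `$trusted['certname']` is the value validated against the agent's certificate and is the safer key for a role decision like this. Re-enabling two previously commented-out includes is a separate change from the nagios_ssl vhost in the preceding patch, yet both carry the subject "added control for nagios_ssl vhost", so a reader of history will not find this change by its message. The enclosing `if` block closes outside the hunk.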
From f0067d9e351ad5f02de9c8a5ac7f77d2fe5af373 Mon Sep 17 00:00:00 2001
From: Jenkins Server
Date: Sun, 23 Jul 2017 12:58:37 +0200
Subject: [PATCH 3/3] recommit for updates in build 56
---
CHANGELOG.md | 10 ++++
REPOSTRUCTURE.md | 3 +-
doc/_index.html | 2 +-
doc/file.README.html | 24 +++++++++-
doc/index.html | 24 +++++++++-
doc/puppet_classes/cd_nagios.html | 2 +-
.../cd_nagios_3A_3Acertbot_3A_3Acerts.html | 2 +-
.../cd_nagios_3A_3Aclient_3A_3Atarget.html | 2 +-
...cd_nagios_3A_3Afirewall_3A_3Aiptables.html | 2 +-
.../cd_nagios_3A_3Amain_3A_3Aconfig.html | 10 ++--
.../cd_nagios_3A_3Amain_3A_3Adirs.html | 2 +-
.../cd_nagios_3A_3Amain_3A_3Ainstall.html | 2 +-
.../cd_nagios_3A_3Amain_3A_3Auser.html | 2 +-
doc/puppet_classes/cd_nagios_3A_3Aparams.html | 8 +++-
.../cd_nagios_3A_3Aselinux_3A_3Aconfig.html | 2 +-
..._nagios_3A_3Aserver_3A_3Aaccess_rules.html | 2 +-
.../cd_nagios_3A_3Aserver_3A_3Afiles.html | 46 +++++++++++++++----
.../cd_nagios_3A_3Aserver_3A_3Aservice.html | 2 +-
.../cd_nagios_3A_3Aserver_3A_3Aaccess.html | 2 +-
doc/top-level-namespace.html | 2 +-
20 files changed, 120 insertions(+), 31 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 10da361..a8f7f5e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,16 @@ Changelog of Git Changelog.
No issue
+b58dd8426596bdc Jenkins Server 2017-07-23 10:18:44
+
+
recommit for updates in build 54
+
+
+98711530f982aa2 Arne Teuke 2017-07-23 10:18:25
+
+
cert creation works
+
+
9547dbb7a7e32d0 Jenkins Server 2017-07-23 10:08:29
recommit for updates in build 53
diff --git a/REPOSTRUCTURE.md b/REPOSTRUCTURE.md
index c945adf..9dd9829 100644
--- a/REPOSTRUCTURE.md
+++ b/REPOSTRUCTURE.md
@@ -62,6 +62,7 @@
| | |-- forward_conf.erb
| | |-- index_html.erb
| | |-- nagios_conf.erb
+| | |-- nagios_ssl_vhost.erb
| | `-- welcome_conf.erb
| |-- nagios
| | |-- cgi_cfg.erb
@@ -79,4 +80,4 @@
|-- README.md
`-- REPOSTRUCTURE.md
-18 directories, 61 files
+18 directories, 62 files
diff --git a/doc/_index.html b/doc/_index.html
index 97ed2bf..ead80f2 100644
--- a/doc/_index.html
+++ b/doc/_index.html
@@ -186,7 +186,7 @@
diff --git a/doc/file.README.html b/doc/file.README.html
index 86cc550..b74e9d0 100644
--- a/doc/file.README.html
+++ b/doc/file.README.html
@@ -110,6 +110,8 @@ Structure
SELINUX
+Certbot
+
Known Problems
Support
@@ -249,6 +251,26 @@ is available to automate this task for you as well within a few minutes.
All files and directories are configured with correct selinux context. If
selinux is disabled, these contexts are ignored.
+Certbot
+
+This module can optionally setup certbot TLS certificate management for
+the frontend GUI. In order to do so, set ng_enable_certbot to
+true (default). Effectively, this will manage the certs before even
+installing Nagios, so there will be no problems with the Nagios showing up
+with a self-signed certificate.
+Once enabled, the module will go and try to
+obtain a certificate automatically. For this to work, you need to have
+proper DNS resolution set up for your domain / nagios server.
+
+httpd vHost files
+
+by Default, Nagios creates its own nagios.conf file, which is not a vhost
+file and relies on the main ssd.conf. However, as Nagios might be running
+on a regular web server with various other web instances (not recommended
+through), we will not want to manage ssl.conf directly, hence the module
+creates a vhost for the ssl host.
+
Known Problems
Support
@@ -304,7 +326,7 @@ environments.
diff --git a/doc/index.html b/doc/index.html
index e522fbf..e4b3cfd 100644
--- a/doc/index.html
+++ b/doc/index.html
@@ -110,6 +110,8 @@ Structure
SELINUX
+Certbot
+
Known Problems
Support
@@ -249,6 +251,26 @@ is available to automate this task for you as well within a few minutes.
All files and directories are configured with correct selinux context. If
selinux is disabled, these contexts are ignored.
+Certbot
+
+This module can optionally setup certbot TLS certificate management for
+the frontend GUI. In order to do so, set ng_enable_certbot to
+true (default). Effectively, this will manage the certs before even
+installing Nagios, so there will be no problems with the Nagios showing up
+with a self-signed certificate.
+Once enabled, the module will go and try to
+obtain a certificate automatically. For this to work, you need to have
+proper DNS resolution set up for your domain / nagios server.
+
+httpd vHost files
+
+by Default, Nagios creates its own nagios.conf file, which is not a vhost
+file and relies on the main ssd.conf. However, as Nagios might be running
+on a regular web server with various other web instances (not recommended
+through), we will not want to manage ssl.conf directly, hence the module
+creates a vhost for the ssl host.
+
Known Problems
Support
@@ -304,7 +326,7 @@ environments.
diff --git a/doc/puppet_classes/cd_nagios.html b/doc/puppet_classes/cd_nagios.html
index 8a1bb57..f5b1bfc 100644
--- a/doc/puppet_classes/cd_nagios.html
+++ b/doc/puppet_classes/cd_nagios.html
@@ -139,7 +139,7 @@ class cd_nagios {
diff --git a/doc/puppet_classes/cd_nagios_3A_3Acertbot_3A_3Acerts.html b/doc/puppet_classes/cd_nagios_3A_3Acertbot_3A_3Acerts.html
index 09347d7..8f1c36d 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Acertbot_3A_3Acerts.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Acertbot_3A_3Acerts.html
@@ -230,7 +230,7 @@ class cd_nagios::certbot::certs (
diff --git a/doc/puppet_classes/cd_nagios_3A_3Aclient_3A_3Atarget.html b/doc/puppet_classes/cd_nagios_3A_3Aclient_3A_3Atarget.html
index e36bc26..d25f7b4 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Aclient_3A_3Atarget.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Aclient_3A_3Atarget.html
@@ -368,7 +368,7 @@ class cd_nagios::client::target (
diff --git a/doc/puppet_classes/cd_nagios_3A_3Afirewall_3A_3Aiptables.html b/doc/puppet_classes/cd_nagios_3A_3Afirewall_3A_3Aiptables.html
index a16184a..26b0fe5 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Afirewall_3A_3Aiptables.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Afirewall_3A_3Aiptables.html
@@ -207,7 +207,7 @@ class cd_nagios::firewall::iptables (
diff --git a/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Aconfig.html b/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Aconfig.html
index 2b01275..be35fa3 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Aconfig.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Aconfig.html
@@ -168,15 +168,15 @@ class cd_nagios::main::config (
# manage server configuration
if $::fqdn == $ng_nagios_server {
-# include cd_nagios::server::service
+ include cd_nagios::server::service
if $ng_include_fw == true {
include cd_nagios::firewall::iptables
}
-# if $ng_use_selinux_tools == true {
-# include cd_nagios::selinux::config
-# }
+ if $ng_use_selinux_tools == true {
+ include cd_nagios::selinux::config
+ }
if $ng_enable_certbot == true {
require cd_nagios::certbot::certs
@@ -195,7 +195,7 @@ class cd_nagios::main::config (
diff --git a/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Adirs.html b/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Adirs.html
index 7a454f9..08762f0 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Adirs.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Adirs.html
@@ -468,7 +468,7 @@ class cd_nagios::main::dirs (
diff --git a/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Ainstall.html b/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Ainstall.html
index bd432bc..a65ded6 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Ainstall.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Ainstall.html
@@ -235,7 +235,7 @@ class cd_nagios::main::install (
diff --git a/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Auser.html b/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Auser.html
index ba97395..2a0c1b1 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Auser.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Amain_3A_3Auser.html
@@ -200,7 +200,7 @@ class cd_nagios::main::user (
diff --git a/doc/puppet_classes/cd_nagios_3A_3Aparams.html b/doc/puppet_classes/cd_nagios_3A_3Aparams.html
index 6e128cd..80f5d10 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Aparams.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Aparams.html
@@ -2169,7 +2169,9 @@ required for certbot and used in the web templates.
392
393
394
-395
+395
+396
+397
# File 'manifests/params.pp', line 216
@@ -2342,6 +2344,8 @@ $ng_unless_get_cert = 'cd_nagios/certbot/unless_get_cert.erb'
$ng_unless_renew_erb = 'cd_nagios/certbot/unless_renew_cert.erb'
$ng_index_html_file = '/var/www/html/index.html'
$ng_index_html_erb = 'cd_nagios/httpd/index_html.erb'
+$ng_ssl_vhost_file = '/etc/httpd/conf.d/nagios_ssl.conf'
+$ng_ssl_vhost_erb = 'cd_nagios/httpd/nagios_ssl_vhost.erb'
# certbot
$ng_certbot_main_dir = '/etc/letsencrypt'
@@ -2361,7 +2365,7 @@ $ng_certbot_cert = "${ng_certbot_archive}/${ng_webserver_name}/cert1.p
diff --git a/doc/puppet_classes/cd_nagios_3A_3Aselinux_3A_3Aconfig.html b/doc/puppet_classes/cd_nagios_3A_3Aselinux_3A_3Aconfig.html
index c0843da..275144b 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Aselinux_3A_3Aconfig.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Aselinux_3A_3Aconfig.html
@@ -249,7 +249,7 @@ class cd_nagios::selinux::config (
diff --git a/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Aaccess_rules.html b/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Aaccess_rules.html
index 2f6981d..40639cc 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Aaccess_rules.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Aaccess_rules.html
@@ -195,7 +195,7 @@ class cd_nagios::server::access_rules (
diff --git a/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Afiles.html b/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Afiles.html
index d062da9..2afb0f2 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Afiles.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Afiles.html
@@ -230,7 +230,22 @@ href="http://www.gnu.org/licenses">www.gnu.org/licenses/.
121
122
123
-124
+124
+125
+126
+127
+128
+129
+130
+131
+132
+133
+134
+135
+136
+137
+138
+139
|
# File 'manifests/server/files.pp', line 23
@@ -300,12 +315,11 @@ class cd_nagios::server::files (
notify => Service[$ae_service],
}
+ if $ng_use_https == true {
- if $ng_http_https_fw == true {
-
- file { $ng_forward_conf:
+ file { $ng_ssl_vhost_file:
ensure => file,
- path => $ng_forward_conf,
+ path => $ng_ssl_vhost_file,
owner => 'root',
group => 'root',
mode => '0644',
@@ -313,11 +327,27 @@ class cd_nagios::server::files (
selrole => object_r,
seltype => httpd_config_t,
seluser => system_u,
- content => template($ng_forward_conf_erb),
+ content => template($ng_ssl_vhost_erb),
notify => Service[$ae_service],
}
- }
+ if $ng_http_https_fw == true {
+
+ file { $ng_forward_conf:
+ ensure => file,
+ path => $ng_forward_conf,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => httpd_config_t,
+ seluser => system_u,
+ content => template($ng_forward_conf_erb),
+ notify => Service[$ae_service],
+ }
+ }
+ }
if $ng_enable_index == true {
@@ -344,7 +374,7 @@ class cd_nagios::server::files (
diff --git a/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Aservice.html b/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Aservice.html
index ed9e39c..c19f834 100644
--- a/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Aservice.html
+++ b/doc/puppet_classes/cd_nagios_3A_3Aserver_3A_3Aservice.html
@@ -174,7 +174,7 @@ class cd_nagios::server::service (
diff --git a/doc/puppet_defined_types/cd_nagios_3A_3Aserver_3A_3Aaccess.html b/doc/puppet_defined_types/cd_nagios_3A_3Aserver_3A_3Aaccess.html
index eedf5fd..a46c559 100644
--- a/doc/puppet_defined_types/cd_nagios_3A_3Aserver_3A_3Aaccess.html
+++ b/doc/puppet_defined_types/cd_nagios_3A_3Aserver_3A_3Aaccess.html
@@ -220,7 +220,7 @@ $ng_service = $::cd_nagios::params::ng_service
diff --git a/doc/top-level-namespace.html b/doc/top-level-namespace.html
index 72c7cc5..75810c9 100644
--- a/doc/top-level-namespace.html
+++ b/doc/top-level-namespace.html
@@ -90,7 +90,7 @@
|