Adds nginx::ssl
authorSilvio Rhatto <rhatto@riseup.net>
Mon, 26 Oct 2015 19:55:15 +0000 (17:55 -0200)
committerSilvio Rhatto <rhatto@riseup.net>
Mon, 26 Oct 2015 19:55:15 +0000 (17:55 -0200)
manifests/init.pp
manifests/ssl.pp [new file with mode: 0644]

index ec5e115f4558d9b64c43a2dbe4dd5746bd373a9b..c83bad3fcd8da932b5b8005ce2718aaec3186e0e 100644 (file)
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 class nginx inherits nginx::base {
-  include ssl
-
-  # See https://weakdh.org/
-  ssl::dhparams { 'nginx-2048':
-    notify  => Service['nginx'],
-  }
+  class { 'nginx::ssl': }
 
   # Default site
   nginx::site { "default":
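Review bot: `class { 'nginx::ssl': }` is a resource-like declaration, so another manifest that also declares `nginx::ssl` (for example to set `session_timeout`) can fail with a duplicate declaration error. Class `nginx` also gives callers no way to pass the new parameter through. If the intent is only to pull the class in, `include nginx::ssl` is the idempotent form and still lets data binding supply `session_timeout` where the Puppet version in use supports it. The body of class `nginx` continues past this hunk.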
diff --git a/manifests/ssl.pp b/manifests/ssl.pp
new file mode 100644 (file)
index 0000000..6e4af14
--- /dev/null
@@ -0,0 +1,19 @@
+class nginx::ssl(
+  $session_timeout = '5m'
+) {
+  include ssl
+
+  # See https://weakdh.org/
+  ssl::dhparams { 'nginx-2048':
+    notify  => Service['nginx'],
+  }
+
+  nginx::config {
+    # SSL
+    'ssl_session_timeout':       value => "ssl_session_timeout ${session_timeout};";
+    'ssl_protocols':             value => 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;';
+    'ssl_ciphers':               value => 'ssl_ciphers ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA;';
+    'ssl_prefer_server_ciphers': value => 'ssl_prefer_server_ciphers on;';
+    'ssl_dhparam':               value => 'ssl_dhparam /etc/ssl/dhparams/dhparams_2048.pem;';
+  }
+}
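Review bot: The `ssl_protocols` and `ssl_ciphers` values in the `nginx::config` block are hard-coded and weak: TLSv1 and TLSv1.1 are enabled (both deprecated by RFC 8996), and the cipher list holds only CBC-mode SHA-1 suites, so no client can negotiate an AEAD suite. Because only `$session_timeout` is a parameter, a node cannot tighten either setting without editing the module; I would make both class parameters with safer defaults, as in the excerpt below, accepting that dropping the old suites cuts off legacy clients (TLSv1.3 can be added to the default where the deployed nginx and OpenSSL support it). `ssl_dhparam` hard-codes `/etc/ssl/dhparams/dhparams_2048.pem` with no visible ordering against `ssl::dhparams { 'nginx-2048': }`; presumably that define writes this path, but it is declared outside this diff, so confirm nginx is never reloaded before the file exists. The parameters are interpolated into the directives verbatim, so rejecting values that contain `;` or a newline would keep a bad Hiera value from injecting extra directives.

```puppet
class nginx::ssl(
  $session_timeout = '5m',
  $protocols       = 'TLSv1.2',
  $ciphers         = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
) {
  # … unchanged: include ssl, ssl::dhparams { 'nginx-2048': } …

  nginx::config {
    'ssl_session_timeout':       value => "ssl_session_timeout ${session_timeout};";
    'ssl_protocols':             value => "ssl_protocols ${protocols};";
    'ssl_ciphers':               value => "ssl_ciphers ${ciphers};";
    # … unchanged: ssl_prefer_server_ciphers, ssl_dhparam …
  }
}
```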