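# profiles::nginx::simpleproxy
#
# Installs nginx and manages a single reverse-proxy vhost. Only one
# simpleproxy per host is supported; for anything more advanced, use the
# nginx class directly.
#
# Bootstrap behaviour: the class converges over two agent runs. While the
# `nginx_version` fact is absent only the package is installed; the vhost,
# cache directory, SELinux boolean and service are managed on the next run,
# once the fact is reported.
#
# @param nginx_vhost          Primary server name; also names the access and
#                             error log files. Stdlib::Fqdn restricts it to
#                             hostname characters, so it cannot inject path
#                             separators into those log paths.
# @param nginx_aliases        Extra server names for the vhost.
# @param nginx_port           Plain-HTTP listen port ('http' and 'both' modes).
# @param nginx_ssl_port       TLS listen port ('https' and 'both' modes).
# @param nginx_listen_mode    'http', 'https' or 'both'.
# @param nginx_cert_type      Where the certificate/key come from: 'puppet'
#                             (per-FQDN files under /etc/pki/tls/puppet) or
#                             'vault' (fixed paths under /etc/pki/tls/vault).
# @param proxy_scheme         Scheme of the upstream URL.
# @param proxy_port           Port of the upstream URL.
# @param proxy_host           Host of the upstream URL; defaults to this
#                             host's primary IP.
# @param proxy_path           Path appended to the upstream URL.
# @param use_default_location When false, the nginx::resource::location
#                             entries in $locations are created instead of
#                             the module's default location.
# @param locations            Hash of nginx::resource::location resources,
#                             used only when $use_default_location is false.
class profiles::nginx::simpleproxy (
  Stdlib::Fqdn                $nginx_vhost          = 'localhost',
  Array[Stdlib::Host]         $nginx_aliases        = [],
  Stdlib::Port                $nginx_port           = 80,
  Stdlib::Port                $nginx_ssl_port       = 443,
  Enum['http','https','both'] $nginx_listen_mode    = 'https',
  Enum['puppet', 'vault']     $nginx_cert_type      = 'vault',
  Enum['http','https']        $proxy_scheme         = 'http',
  Stdlib::Port                $proxy_port           = 80,
  Stdlib::Host                $proxy_host           = $facts['networking']['ip'],
  String                      $proxy_path           = '/',
  Boolean                     $use_default_location = true,
  Hash                        $locations            = {},
) {
  # First run on a fresh host: install the package only. Everything else
  # waits until the nginx_version fact exists (next agent run).
  if ! $facts['nginx_version'] {
    package { 'nginx':
      ensure => 'present',
    }
  } else {
    $fqdn = $facts['networking']['fqdn']

    # Upstream URL assembled from the proxy_* parameters.
    $proxyurl = "${proxy_scheme}://${proxy_host}:${proxy_port}${proxy_path}"

    # server_name list: this host's FQDN, the vhost name and any aliases,
    # with duplicates removed.
    $server_names = unique([$fqdn, $nginx_vhost] + $nginx_aliases)

    # Certificate and key paths for the chosen certificate source. The Enum
    # type makes the case exhaustive; the default branch only guards against
    # a future value being added without a matching branch.
    case $nginx_cert_type {
      'puppet': {
        $selected_ssl_cert = "/etc/pki/tls/puppet/${fqdn}.crt"
        $selected_ssl_key  = "/etc/pki/tls/puppet/${fqdn}.key"
      }
      'vault': {
        $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
        $selected_ssl_key  = '/etc/pki/tls/vault/private.key'
      }
      default: {
        fail("profiles::nginx::simpleproxy: unsupported nginx_cert_type '${nginx_cert_type}'")
      }
    }

    # Listen/TLS settings per listen mode. $cert_files holds the File
    # resources that the vhost and the service must be notified by when the
    # certificate material changes. It is empty in 'http' mode so that a
    # plain-HTTP proxy does not depend on certificate File resources being
    # present in the catalog (the original service subscription referenced
    # them unconditionally, which fails compilation when nothing declares
    # them).
    case $nginx_listen_mode {
      'http': {
        $enable_ssl      = false
        $ssl_cert        = undef
        $ssl_key         = undef
        $listen_port     = $nginx_port
        $listen_ssl_port = undef
        $cert_files      = []
      }
      'https': {
        $enable_ssl      = true
        $ssl_cert        = $selected_ssl_cert
        $ssl_key         = $selected_ssl_key
        # Both ports set to the TLS port: no plain-HTTP listener is wanted.
        $listen_port     = $nginx_ssl_port
        $listen_ssl_port = $nginx_ssl_port
        $cert_files      = [File[$ssl_cert], File[$ssl_key]]
      }
      'both': {
        $enable_ssl      = true
        $ssl_cert        = $selected_ssl_cert
        $ssl_key         = $selected_ssl_key
        $listen_port     = $nginx_port
        $listen_ssl_port = $nginx_ssl_port
        $cert_files      = [File[$ssl_cert], File[$ssl_key]]
      }
      default: {
        fail("profiles::nginx::simpleproxy: unsupported nginx_listen_mode '${nginx_listen_mode}'")
      }
    }

    # Cache directory must exist before the nginx class writes its config.
    # NOTE(review): mkdir::p is a project/module define, not a Puppet
    # built-in — confirm it is available where this profile is used.
    mkdir::p { '/var/cache/nginx':
      before => Class['nginx'],
    }

    # Base nginx configuration with an on-disk proxy cache. Service and
    # repo are handled by this profile / elsewhere, not by the module.
    class { 'nginx':
      proxy_cache_path      => {
        '/var/cache/nginx/cache' => 'cache:128m',
      },
      proxy_cache_levels    => '1:2',
      proxy_cache_keys_zone => 'cache:128m',
      proxy_cache_max_size  => '1024m',
      proxy_cache_inactive  => '10m',
      proxy_temp_path       => '/var/cache/nginx/cache_temp',
      service_manage        => false,
      manage_repo           => false,
    }

    # The reverse-proxy vhost. The File resources in $cert_files are not
    # declared in this class; they are expected from whichever profile
    # installs the vault or puppet certificates — confirm they are in the
    # catalog for 'https'/'both' modes.
    nginx::resource::server { $nginx_vhost:
      listen_port          => $listen_port,
      server_name          => $server_names,
      use_default_location => $use_default_location,
      access_log           => "/var/log/nginx/${nginx_vhost}_access.log",
      error_log            => "/var/log/nginx/${nginx_vhost}_error.log",
      # NOTE(review): autoindex 'on' enables directory listings for any
      # location that serves local files instead of proxying. Kept as-is for
      # compatibility; consider 'off' unless listings are intended.
      autoindex            => 'on',
      ssl                  => $enable_ssl,
      ssl_cert             => $ssl_cert,
      ssl_key              => $ssl_key,
      ssl_port             => $listen_ssl_port,
      proxy                => $proxyurl,
      subscribe            => $cert_files,
    }

    # Custom locations replace the module's default location when requested.
    unless $use_default_location {
      create_resources('nginx::resource::location', $locations)
    }

    # nginx needs httpd_can_network_connect to open the upstream connection
    # under an enforcing SELinux policy. dig() returns undef (no match) on
    # hosts whose facts carry no selinux config_mode at all, instead of
    # erroring on an undef subscript.
    if $facts.dig('os', 'selinux', 'config_mode') == 'enforcing' {
      selboolean { 'httpd_can_network_connect':
        persistent => true,
        value      => 'on',
      }
    }

    # Restart on vhost changes and, in TLS modes, on certificate rotation.
    service { 'nginx':
      ensure    => 'running',
      enable    => true,
      subscribe => [Nginx::Resource::Server[$nginx_vhost]] + $cert_files,
    }
  }
}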