BBlack has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/284518

Change subject: ssl_ciphersuite: autodetect apache, too
......................................................................

ssl_ciphersuite: autodetect apache, too

This already worked for nginx; do the same version autodetection for
apache and refactor things around that.  This way the server argument
passed to ssl_ciphersuite() no longer needs updating during jessie
upgrades and the like.

Change-Id: I851580f72a9d38b5fed92a5f706151d04912e745
---
M manifests/role/icinga.pp
M manifests/role/requesttracker.pp
M manifests/role/servermon.pp
M manifests/role/tendril.pp
M modules/ganglia/manifests/web.pp
M modules/gerrit/manifests/proxy.pp
M modules/librenms/manifests/web.pp
M modules/mailman/manifests/webui.pp
M modules/puppetmaster/manifests/passenger.pp
M modules/role/manifests/labs/openstack/nova.pp
M modules/statistics/manifests/web.pp
M modules/toolserver_legacy/manifests/init.pp
M modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
13 files changed, 33 insertions(+), 40 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/18/284518/1

diff --git a/manifests/role/icinga.pp b/manifests/role/icinga.pp
index 84cf8b1..8e9f88a 100644
--- a/manifests/role/icinga.pp
+++ b/manifests/role/icinga.pp
@@ -41,7 +41,7 @@
         include icinga::ircbot
     }
 
-    $ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '365')
+    $ssl_settings = ssl_ciphersuite('apache', 'compat', '365')
     sslcert::certificate { 'icinga.wikimedia.org': }
 
     monitoring::service { 'https':
diff --git a/manifests/role/requesttracker.pp b/manifests/role/requesttracker.pp
index b863f41..c096757 100644
--- a/manifests/role/requesttracker.pp
+++ b/manifests/role/requesttracker.pp
@@ -7,7 +7,7 @@
 
     sslcert::certificate { 'rt.wikimedia.org': }
 
-    $ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '365')
+    $ssl_settings = ssl_ciphersuite('apache', 'compat', '365')
 
     class { '::requesttracker':
         apache_site => 'rt.wikimedia.org',
diff --git a/manifests/role/servermon.pp b/manifests/role/servermon.pp
index fee7108..8ed5cb0 100644
--- a/manifests/role/servermon.pp
+++ b/manifests/role/servermon.pp
@@ -31,7 +31,7 @@
     include passwords::ldap::wmf_cluster
     $proxypass = $passwords::ldap::wmf_cluster::proxypass
 
-    $ssl_settings = ssl_ciphersuite('apache-2.2', 'compat')
+    $ssl_settings = ssl_ciphersuite('apache', 'compat')
 
     class { '::servermon':
         ensure      => 'present',
diff --git a/manifests/role/tendril.pp b/manifests/role/tendril.pp
index 6e7038c..e2b8861 100644
--- a/manifests/role/tendril.pp
+++ b/manifests/role/tendril.pp
@@ -6,7 +6,7 @@
     system::role { 'role::tendril': description => 'tendril server' }
 
     sslcert::certificate { 'tendril.wikimedia.org': }
-    $ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '365')
+    $ssl_settings = ssl_ciphersuite('apache', 'compat', '365')
 
     monitoring::service { 'https-tendril':
         description   => 'HTTPS-tendril',
diff --git a/modules/ganglia/manifests/web.pp b/modules/ganglia/manifests/web.pp
index e29a6d4..66d7bd8 100644
--- a/modules/ganglia/manifests/web.pp
+++ b/modules/ganglia/manifests/web.pp
@@ -15,7 +15,7 @@
     $ganglia_ssl_cert = '/etc/ssl/localcerts/ganglia.wikimedia.org.crt'
     $ganglia_ssl_chain = '/etc/ssl/localcerts/ganglia.wikimedia.org.chain.crt'
     $ganglia_ssl_key = '/etc/ssl/private/ganglia.wikimedia.org.key'
-    $ssl_settings = ssl_ciphersuite('apache-2.4', 'compat', '365')
+    $ssl_settings = ssl_ciphersuite('apache', 'compat', '365')
     # Apache's docroot. Used for populating robots.txt
     $doc_root = '/var/www'
 
diff --git a/modules/gerrit/manifests/proxy.pp 
b/modules/gerrit/manifests/proxy.pp
index 79930bd..65621b8 100644
--- a/modules/gerrit/manifests/proxy.pp
+++ b/modules/gerrit/manifests/proxy.pp
@@ -2,7 +2,7 @@
 $ssl_cert    = '',
 $ssl_cert_key= '') {
 
-    $ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '365')
+    $ssl_settings = ssl_ciphersuite('apache', 'compat', '365')
 
     apache::site { 'gerrit.wikimedia.org':
         content => template('gerrit/gerrit.wikimedia.org.erb'),
diff --git a/modules/librenms/manifests/web.pp 
b/modules/librenms/manifests/web.pp
index 3bc5197..4599d07 100644
--- a/modules/librenms/manifests/web.pp
+++ b/modules/librenms/manifests/web.pp
@@ -7,11 +7,7 @@
 
     include ::apache::mod::ssl
 
-    if os_version('debian >= jessie || ubuntu >= trusty') {
-        $ssl_settings = ssl_ciphersuite('apache-2.4', 'compat', '365')
-    } else {
-        $ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '365')
-    }
+    $ssl_settings = ssl_ciphersuite('apache', 'compat', '365')
 
     apache::site { $sitename:
         content => template('librenms/apache.conf.erb'),
diff --git a/modules/mailman/manifests/webui.pp 
b/modules/mailman/manifests/webui.pp
index 4a3ff3e..cabbe72 100644
--- a/modules/mailman/manifests/webui.pp
+++ b/modules/mailman/manifests/webui.pp
@@ -11,11 +11,7 @@
 
     $lists_servername = hiera('mailman::lists_servername')
 
-    if os_version ( 'debian >= jessie') {
-        $ssl_settings = ssl_ciphersuite('apache-2.4', 'mid', '365')
-    } else {
-        $ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '365')
-    }
+    $ssl_settings = ssl_ciphersuite('apache', 'mid', '365')
 
     apache::site { 'lists.wikimedia.org':
         content => template('mailman/lists.wikimedia.org.erb'),
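Review bot: The collapsed conditional changes behaviour for any host running this class that is not yet on jessie: the removed code selected `'compat'` there and `'mid'` only on jessie, while the new line selects `'mid'` everywhere, and the function's own docs describe 'mid' as PFS-only, so non-PFS-capable clients would lose access on such a host. If lists.wikimedia.org is already on jessie this is a no-op, but the commit message describes only a refactor, so a one-line comment above the call would help, e.g. `# 'mid' (PFS-only) is intentional; no pre-jessie lists host remains`. Alternatively keep the os_version() branch for the encryption_type argument only, since autodetection now covers just the server argument.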
diff --git a/modules/puppetmaster/manifests/passenger.pp 
b/modules/puppetmaster/manifests/passenger.pp
index d1ea396..c5a3869 100644
--- a/modules/puppetmaster/manifests/passenger.pp
+++ b/modules/puppetmaster/manifests/passenger.pp
@@ -25,7 +25,7 @@
         ensure => present,
     }
 
-    $ssl_settings = ssl_ciphersuite('apache-2.2', 'compat')
+    $ssl_settings = ssl_ciphersuite('apache', 'compat')
 
     apache::site { 'puppetmaster.wikimedia.org':
         content => template('puppetmaster/puppetmaster.erb'),
diff --git a/modules/role/manifests/labs/openstack/nova.pp 
b/modules/role/manifests/labs/openstack/nova.pp
index acc50d3..880b71c 100644
--- a/modules/role/manifests/labs/openstack/nova.pp
+++ b/modules/role/manifests/labs/openstack/nova.pp
@@ -66,7 +66,7 @@
         check_command => "check_ssl_http!${certificate}",
     }
 
-    $ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '365')
+    $ssl_settings = ssl_ciphersuite('apache', 'compat', '365')
 
     ferm::service { 'wikitech_http':
         proto => 'tcp',
diff --git a/modules/statistics/manifests/web.pp 
b/modules/statistics/manifests/web.pp
index 1633da5..60870aa 100644
--- a/modules/statistics/manifests/web.pp
+++ b/modules/statistics/manifests/web.pp
@@ -5,7 +5,7 @@
 class statistics::web {
     Class['::statistics'] -> Class['::statistics::web']
 
-    $ssl_settings = ssl_ciphersuite('apache-2.2', 'compat', '365')
+    $ssl_settings = ssl_ciphersuite('apache', 'compat', '365')
 
     # make sure /var/log/apache2 is readable by wikidevs for debugging.
     # This won't make the actual log files readable, only the directory.
diff --git a/modules/toolserver_legacy/manifests/init.pp 
b/modules/toolserver_legacy/manifests/init.pp
index 8f259e2..06e4b3f 100644
--- a/modules/toolserver_legacy/manifests/init.pp
+++ b/modules/toolserver_legacy/manifests/init.pp
@@ -9,7 +9,7 @@
     include ::apache
     include ::apache::mod::rewrite
 
-    $ssl_settings = ssl_ciphersuite('apache-2.2', 'compat')
+    $ssl_settings = ssl_ciphersuite('apache', 'compat')
 
     system::role { 'toolserver_legacy': description => 'Toolserver legacy 
server' }
 
diff --git a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb 
b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
index 2d8b603..1da16cc 100644
--- a/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
+++ b/modules/wmflib/lib/puppet/parser/functions/ssl_ciphersuite.rb
@@ -1,4 +1,4 @@
-# == Function: ssl_ciphersuite( string $servercode, string $encryption_type, 
int $hsts_days )
+# == Function: ssl_ciphersuite( string $server, string $encryption_type, int 
$hsts_days )
 #
 # Outputs the ssl configuration directives for use with either Nginx
 # or Apache using our selection of ciphers and SSL options.
@@ -7,9 +7,7 @@
 #
 # Takes three arguments:
 #
-# - The servercode, or which browser-version combination to
-#   support. At the moment only 'apache-2.2', 'apache-2.4' and 'nginx'
-#   are supported.
+# - The server to configure for: 'apache' or 'nginx'
 # - The compatibility mode, trades security vs compatibility.
 #   Note that due to POODLE, SSLv3 is universally disabled and none of these
 #   options are compatible with SSLv3-only clients such as IE6/XP.
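Review bot: The new parameter description does not say that the server version is now inferred from the node's OS release, which is the point of the change and something callers on unusual hosts need to know. Suggest extending the bullet to `# - The server to configure for: 'apache' or 'nginx'. The server version` / `#   is inferred from the OS release (os_version), so hosts running a backported` / `#   or hand-installed httpd may get directives for the wrong version.` The same caveat would fit the `:doc` string further down in the file.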
@@ -41,7 +39,7 @@
 #
 # == Examples
 #
-#     ssl_ciphersuite('apache-2.4', 'compat')
+#     ssl_ciphersuite('apache', 'compat')
 #     ssl_ciphersuite('nginx', 'strong')
 #
 # == License
@@ -135,15 +133,15 @@
               :doc  => <<-END
 Outputs the ssl configuration part of the webserver config.
 Function parameters are:
- servercode - either nginx, apache-2.2 or apache-2.4
+ server - either nginx or apache
  encryption_type - strong, mid, or compat
  hsts_days  - how many days should the STS header live. If not expressed, HSTS 
will
               be disabled
 
 Examples:
 
-   ssl_ciphersuite('apache-2.4', 'compat') # Compatible config for apache 2.4
-   ssl_ciphersuite('apache-2.4', 'mid') # PFS-only for apache2.4
+   ssl_ciphersuite('apache', 'compat') # Compatible config for apache
+   ssl_ciphersuite('apache', 'mid') # PFS-only for apache
    ssl_ciphersuite('nginx', 'strong', '365') # PFS-only, AEAD-only, 
TLSv1.2-only
 END
               ) do |args|
@@ -154,19 +152,22 @@
       fail(ArgumentError, 'ssl_ciphersuite() requires at least 2 arguments')
     end
 
-    servercode = args.shift
-    case servercode
-    when 'apache-2.4' then
-      server = 'apache'
-      server_version = 24
-    when 'apache-2.2' then
-      server = 'apache'
-      server_version = 22
+    server = args.shift
+    case server
+    when 'apache' then
+      if function_os_version(['debian >= jessie || ubuntu >= trusty'])
+        server_version = 24
+      else
+        server_version = 22
+      end
     when 'nginx' then
-      server = 'nginx'
-      server_version = nil
+      if function_os_version(['debian >= jessie'])
+        server_version = 19
+      else
+        server_version = 11
+      end
     else
-      fail(ArgumentError, "ssl_ciphersuite(): unknown server string 
'#{servercode}'")
+      fail(ArgumentError, "ssl_ciphersuite(): unknown server string 
'#{server}'")
     end
 
     ciphersuite = args.shift
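Review bot: The version codes `24`, `22`, `19` and `11` assigned here are undocumented, and the only consumer visible in this patch compares against a fifth bare constant (`server_version >= 18`) in the next hunk, so a reader cannot tell which feature the threshold gates without digging through nginx release notes. A short comment per branch would fix that, e.g. `# apache 2.4 ships with jessie/trusty, older releases have 2.2` and `# nginx: presumably encodes major.minor as two digits (1.9 / 1.1); the 'always' flag on add_header needs a 1.7.5+ build -- confirm versions`. The OS release is also only a proxy for the installed daemon: a host that takes nginx or apache from backports or a custom build will be handed directives for the wrong version, which is worth stating in a comment above the `case` so the assumption is visible when the next distro upgrade happens.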
@@ -230,7 +231,7 @@
       end
       unless hsts_days.nil?
         hsts_seconds = hsts_days * 86400
-        if function_os_version(['debian >= jessie'])
+        if server_version >= 18
             output.push("add_header Strict-Transport-Security 
\"max-age=#{hsts_seconds}\" always;")
         else
             output.push("add_header Strict-Transport-Security 
\"max-age=#{hsts_seconds}\";")


Gerrit-MessageType: newchange
Gerrit-Change-Id: I851580f72a9d38b5fed92a5f706151d04912e745
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <bbl...@wikimedia.org>
