Allow to configure advanced SSL options
This patch allows to configure advanced ssl options like:
ssl_crl
ssl_dhparam
ssl_stapling_responder
ssl_stapling_verify
ssl_verify_client
...and others
The whole list of options may be found in nginx/files/_ssl.conf
Theirs description:
http://nginx.org/en/docs/http/ngx_http_ssl_module.html
The 'mode' trigger is deprecated and will be removed in future together
with _ssl_normal.conf and _ssl_secure.conf. All options should be
set from reclass directly.
The following options changed their types (for backward compatibility the
new type is applied only when mode is set to a value other than secure):
ssl_ciphers, ssl_ecdh_curve - were strings, are now lists
Please read README for more details
Added kitchen tests
Related-PROD: PROD-19154
Change-Id: I03e735af6ff6794610e00d745d5a7054fb02186a
diff --git a/.kitchen.yml b/.kitchen.yml
index b657514..64dea14 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -79,4 +79,9 @@
provisioner:
pillars-from-files:
nginx.sls: tests/pillar/stats.sls
+
+ - name: proxy_with_ssl
+ provisioner:
+ pillars-from-files:
+ nginx.sls: tests/pillar/proxy_with_ssl.sls
# vim: ft=yaml sw=2 ts=2 sts=2 tw=125
diff --git a/.travis.yml b/.travis.yml
index 1bdd382..ff193ee 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -24,6 +24,7 @@
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2016.3 SUITE=redirect
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2016.3 SUITE=static
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2016.3 SUITE=stats
+ - PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2016.3 SUITE=proxy-with-ssl
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2017.7 SUITE=horizon-no-ssl
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2017.7 SUITE=horizon-with-ssl
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2017.7 SUITE=proxy
@@ -31,6 +32,7 @@
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2017.7 SUITE=redirect
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2017.7 SUITE=static
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2017.7 SUITE=stats
+ - PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2017.7 SUITE=proxy-with-ssl
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2018.3 SUITE=horizon-no-ssl
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2018.3 SUITE=horizon-with-ssl
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2018.3 SUITE=proxy
@@ -38,6 +40,7 @@
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2018.3 SUITE=redirect
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2018.3 SUITE=static
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2018.3 SUITE=stats
+ - PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2018.3 SUITE=proxy-with-ssl
# - PLATFORM=epcim/salt:saltstack-ubuntu-bionic-salt-2017.7 SUITE=horizon-no-ssl
# - PLATFORM=epcim/salt:saltstack-ubuntu-bionic-salt-2017.7 SUITE=horizon-with-ssl
# - PLATFORM=epcim/salt:saltstack-ubuntu-bionic-salt-2017.7 SUITE=proxy
diff --git a/README.rst b/README.rst
index 4eadf2b..6c50317 100644
--- a/README.rst
+++ b/README.rst
@@ -378,6 +378,81 @@
key_file: /etc/ssl/private/mykey.key
cert_file: /etc/ssl/cert/mycert.crt
+Advanced SSL configuration, more information about SSL option may be found
+at http://nginx.org/en/docs/http/ngx_http_ssl_module.html
+!Note that prior to nginx 1.11.0 only one type of ecdh curve can be applied in ssl_ecdh_curve directive
+!!Please note that if mode = 'secure' or mode = 'normal' and 'ciphers' or 'protocols' are set - they should have
+type "string", if mode = 'manual', their type should be "dict" (like shown below)
+
+.. code-block:: yaml
+
+ nginx:
+ server:
+ enabled: true
+ site:
+ mysite:
+ ssl:
+ enabled: true
+ mode: 'manual'
+ key_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}.key
+ cert_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}.crt
+ chain_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}-with-chain.crt
+ protocols:
+ TLS1:
+ name: 'TLSv1'
+ enabled: True
+ TLS1_1:
+ name: 'TLSv1.1'
+ enabled: True
+ TLS1_2:
+ name: 'TLSv1.2'
+ enabled: False
+ ciphers:
+ ECDHE_RSA_AES256_GCM_SHA384:
+ name: 'ECDHE-RSA-AES256-GCM-SHA384'
+ enabled: True
+ ECDHE_ECDSA_AES256_GCM_SHA384:
+ name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
+ enabled: True
+ buffer_size: '16k'
+ crl:
+ file: '/etc/ssl/crl.pem'
+ enabled: False
+ dhparam:
+ enabled: True
+ numbits: 2048
+ ecdh_curve:
+ secp384r1:
+ name: 'secp384r1'
+ enabled: False
+ secp521r1:
+ name: 'secp521r1'
+ enabled: True
+ password_file:
+ content: 'testcontent22'
+ enabled: True
+ file: '/etc/ssl/password.key'
+ prefer_server_ciphers: 'on'
+ ticket_key:
+ enabled: True
+ numbytes: 48
+ resolver:
+ address: '127.0.0.1'
+ valid_seconds: '500'
+ timeout_seconds: '60'
+ session_tickets: 'on'
+ stapling: 'off'
+ stapling_file: '/path/to/stapling/file'
+ stapling_responder: 'http://ocsp.example.com/'
+ stapling_verify: 'on'
+ verify_client: 'on'
+ client_certificate:
+ file: '/etc/ssl/client_cert.pem'
+ enabled: False
+ verify_depth: 1
+ session_cache: 'shared:SSL:15m'
+ session_timeout: '15m'
+
Nginx stats server (required by collectd nginx plugin)
.. code-block:: yaml
@@ -394,27 +469,6 @@
name: 127.0.0.1
port: 8888
-Change nginx server ssl protocol options in openstack/proxy.yml
-
-.. code-block:: yaml
- nginx:
- server:
- site:
- site01:
- enabled: true
- name: site01
- host:
- name: site01.domain.com
- ssl:
- enabled: true
- key_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}.key
- cert_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}.crt
- chain_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:proxy:common_name}-with-chain.crt
- protocols: TLSv1 TLSv1.1 TLSv1.2
- ciphers: "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
- prefer_server_ciphers: true
- ecdh_curve: secp521r1
-
More Information
================
diff --git a/nginx/files/_ssl.conf b/nginx/files/_ssl.conf
index f073653..ac188f1 100644
--- a/nginx/files/_ssl.conf
+++ b/nginx/files/_ssl.conf
@@ -8,33 +8,122 @@
ssi on;
ssl on;
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 10m;
-
- {%- if site.ssl.engine is not defined %}
+ ssl_session_cache {{ site.ssl.get('session_cache', 'shared:SSL:10m') }};
+ ssl_session_timeout {{ site.ssl.get('session_timeout', '10m') }};
+ {%- if site.ssl.engine is not defined %}
ssl_certificate_key {{ key_file }};
- {%- if site.ssl.chain is defined or site.ssl.authority is defined %}
+ {%- if site.ssl.chain is defined or site.ssl.authority is defined %}
ssl_certificate {{ chain_file }};
- {%- else %}
+ {%- else %}
ssl_certificate {{ cert_file }};
- {%- endif %}
+ {%- endif %}
- {%- elif site.ssl.engine == 'letsencrypt' %}
+ {%- elif site.ssl.engine == 'letsencrypt' %}
- {%- set cert = site.ssl.get("certificate", site.host.name) %}
+ {%- set cert = site.ssl.get("certificate", site.host.name) %}
ssl_certificate /etc/letsencrypt/live/{{ cert }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ cert }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ cert }}/fullchain.pem;
- {%- include "nginx/files/_letsencrypt.conf" %}
+ {%- include "nginx/files/_letsencrypt.conf" %}
- {%- elif site.ssl.engine == 'salt' %}
+ {%- elif site.ssl.engine == 'salt' %}
ssl_certificate_key {{ key_file }};
ssl_certificate {{ chain_file }};
- {%- endif %}
+ {%- endif %}
- {%- set ssl_mode = site.ssl.get('mode', 'secure') %}
- {%- include "nginx/files/_ssl_"+ssl_mode+".conf" %}
+ {%- if site.ssl.get('mode', 'secure') not in ["secure", "normal"] %}
+ {%- if site.ssl.protocols is defined %}
+ {%- set _protocols = [] %}
+ {%- for protocol_name, protocols in site.ssl.get('protocols', {}).iteritems() %}
+ {%- if protocols.get('enabled', False) %}
+ {%- do _protocols.append(protocols.name) %}
+ {%- endif %}
+ {%- endfor %}
+ ssl_protocols {{ ' '.join(_protocols) }};
+ {%- endif %}
+ {%- if site.ssl.ciphers is defined %}
+ {%- set _ciphers = [] %}
+ {%- for cipher_name, ciphers in site.ssl.get('ciphers', {}).iteritems() %}
+ {%- if ciphers.get('enabled', False) %}
+ {%- do _ciphers.append(ciphers.name) %}
+ {%- endif %}
+ {%- endfor %}
+ ssl_ciphers {{ ':'.join(_ciphers) }};
+ {%- endif %}
+ {%- if site.ssl.prefer_server_ciphers is defined %}
+ ssl_prefer_server_ciphers {{ site.ssl.prefer_server_ciphers }};
+ {%- endif %}
+ {%- if site.ssl.buffer_size is defined %}
+ ssl_buffer_size {{ site.ssl.buffer_size }};
+ {%- endif %}
+ {%- if site.ssl.get('crl', {'enabled': False}).enabled and site.ssl.crl.file is defined %}
+ ssl_crl {{ site.ssl.crl.file }};
+ {%- endif %}
+ {%- if site.ssl.get('dhparam', {'enabled': False}).enabled %}
+ ssl_dhparam /etc/ssl/dhparams_{{ site_name }}.pem;
+ {%- endif %}
+ {%- if site.ssl.ecdh_curve is defined %}
+ {%- set _ecdh_curve = [] %}
+ {%- for ecdh_curve_name, ecdh_curve in site.ssl.get('ecdh_curve', {}).iteritems() %}
+ {%- if ecdh_curve.get('enabled', False) %}
+ {%- do _ecdh_curve.append(ecdh_curve.name) %}
+ {%- endif %}
+ {%- endfor %}
+ ssl_ecdh_curve {{ ':'.join(_ecdh_curve) }};
+ {%- endif %}
+ {%- if site.ssl.password_file is defined and site.ssl.get('password_file', {'enabled': False}).enabled %}
+ {%- if site.ssl.password_file.content is defined and site.ssl.password_file.file is not defined %}
+ ssl_password_file /etc/ssl/password_{{ site_name }}.key;
+ {%- endif %}
+ {%- if site.ssl.password_file.file is defined %}
+ ssl_password_file {{ site.ssl.password_file.file }};
+ {%- endif %}
+ {%- endif %}
+ {%- if site.ssl.get('ticket_key', {'enabled': False}).enabled %}
+ ssl_session_ticket_key /etc/ssl/ticket_{{ site_name }}.key;
+ {%- endif %}
+ {%- if site.ssl.session_tickets is defined %}
+ ssl_session_tickets {{ site.ssl.session_tickets }};
+ {%- endif %}
+ {%- if site.ssl.stapling is defined %}
+ ssl_stapling {{ site.ssl.stapling }};
+ {%- endif %}
+ {%- if site.ssl.resolver is defined %}
+ {%- if site.ssl.resolver.valid_seconds is defined %}
+ resolver {{ site.ssl.resolver.address }} valid={{ site.ssl.resolver.valid_seconds }}s;
+ {%- else %}
+ resolver {{ site.ssl.resolver }};
+ {%- endif %}
+ {%- if site.ssl.resolver.timeout_seconds is defined %}
+ resolver_timeout {{ site.ssl.resolver.timeout_seconds }}s;
+ {%- endif %}
+ {%- endif %}
+ {%- if site.ssl.stapling_file is defined %}
+ ssl_stapling_file {{ site.ssl.stapling_file }};
+ {%- endif %}
+ {%- if site.ssl.stapling_responder is defined %}
+ ssl_stapling_responder {{ site.ssl.stapling_responder }};
+ {%- endif %}
+ {%- if site.ssl.stapling_verify is defined %}
+ ssl_stapling_verify {{ site.ssl.stapling_verify }};
+ {%- endif %}
+ {%- if site.ssl.verify_client is defined %}
+ ssl_verify_client {{ site.ssl.verify_client }};
+ {%- endif %}
+ {%- if site.ssl.get('client_certificate', {'enabled': False}).enabled and site.ssl.client_certificate.file is defined %}
+ ssl_client_certificate {{ site.ssl.client_certificate.file }};
+ {%- endif %}
+ {%- if site.ssl.verify_depth is defined %}
+ ssl_verify_depth {{ site.ssl.verify_depth }};
+ {%- endif %}
+ {%- else %}
+ {#- Using this file is deprecated, it may be silensly removed in future. All options are now set from _ssl.conf #}
+ {#- Please check README about new option types #}
+ {%- set ssl_mode = site.ssl.get('mode', 'secure') %}
+ {%- include "nginx/files/_ssl_"+ssl_mode+".conf" %}
+
+ {%- endif %}
{%- endif %}
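Review bot: The else branch of the resolver block renders `{{ site.ssl.resolver }}` whole, so a mapping that carries `address` but no `valid_seconds` (the form the README documents) is emitted as a Python dict repr that nginx will not parse; `resolver {{ site.ssl.resolver.address if site.ssl.resolver.address is defined else site.ssl.resolver }};` handles both the plain-string and the mapping form. `ssl_stapling_verify` is exposed without any way to set `ssl_trusted_certificate` for the salt and manual engines, and nginx needs that directive to verify OCSP responses, so verification presumably fails at startup for those engines — either feed the chain file into `ssl_trusted_certificate` when verification is on, or document the limitation. The `iteritems()` loops assume the new mapping schema; a `protocols` or `ciphers` value left as a string under a mode other than secure/normal fails at render time with no hint about the schema change, so a `{%- if site.ssl.protocols is mapping %}` guard (same for ciphers and ecdh_curve) would give a clearer failure. The deprecation comment in the else branch misspells `silensly`; the same text is added in the _ssl_secure.conf hunk. The `{%- endif %}` on the hunk's last line closes a block that opens outside the hunk.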
diff --git a/nginx/files/_ssl_secure.conf b/nginx/files/_ssl_secure.conf
index 5f14a05..319e37b 100644
--- a/nginx/files/_ssl_secure.conf
+++ b/nginx/files/_ssl_secure.conf
@@ -1,4 +1,5 @@
-
+ {#- Using this file is deprecated, it may be silensly removed in future. All options are now set from _ssl.conf #}
+ {#- Please check README about new option types #}
ssl_protocols {{ site.ssl.get('protocols','TLSv1 TLSv1.1 TLSv1.2') }};
#https://mozilla.github.io/server-side-tls/ssl-config-generator/
ssl_ciphers '{{ site.ssl.get('ciphers','ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS') }}';
diff --git a/nginx/map.jinja b/nginx/map.jinja
index 360cab5..ffff39e 100644
--- a/nginx/map.jinja
+++ b/nginx/map.jinja
@@ -1,14 +1,14 @@
{% set server = salt['grains.filter_by']({
'Debian': {
- 'pkgs': ['nginx', 'apache2-utils'],
+ 'pkgs': ['nginx', 'apache2-utils', 'openssl'],
'service': 'nginx',
'system_user': 'www-data',
'vhost_dir': '/etc/nginx/sites-available',
'log_dir': '/var/log/nginx',
},
'RedHat': {
- 'pkgs': ['nginx', 'httpd-tools'],
+ 'pkgs': ['nginx', 'httpd-tools', 'openssl'],
'service': 'nginx',
'system_user': 'nginx',
'vhost_dir': '/etc/nginx/conf.d',
diff --git a/nginx/server/sites.sls b/nginx/server/sites.sls
index 0da0fad..b8cb743 100644
--- a/nginx/server/sites.sls
+++ b/nginx/server/sites.sls
@@ -5,6 +5,42 @@
{%- for site_name, site in server.get('site', {}).iteritems() %}
{%- if site.get('enabled') %}
+{%- if site.get('ssl', {'enabled': False}).enabled %}
+{%- if site.ssl.get('dhparam', {'enabled': False}).enabled %}
+nginx_generate_{{ site_name }}_dhparams:
+ cmd.run:
+ - name: openssl dhparam -out /etc/ssl/dhparams_{{ site_name }}.pem {% if site.ssl.dhparam.numbits is defined %}{{ site.ssl.dhparam.numbits }}{% else %}2048{% endif %}
+ - unless: "test -f /etc/ssl/dhparams_{{ site_name }}.pem && [ $(openssl dhparam -inform PEM -in /etc/ssl/dhparams_{{ site_name }}.pem -check -text | grep -Po 'DH Parameters: \\(\\K[0-9]+') = {% if site.ssl.dhparam.numbits is defined %}{{ site.ssl.dhparam.numbits }}{% else %}2048{% endif %} ]"
+ - require:
+ - pkg: nginx_packages
+ - watch_in:
+ - service: nginx_service
+{% endif %}
+
+{%- if site.ssl.get('ticket_key', {'enabled': False}).enabled %}
+nginx_generate_{{ site_name }}_ticket_key:
+ cmd.run:
+ - name: openssl rand {% if site.ssl.ticket_key.numbytes is defined %}{{ site.ssl.ticket_key.numbytes }}{% else %}48{% endif %} > /etc/ssl/ticket_{{ site_name }}.key
+ - unless: "test -f /etc/ssl/ticket_{{ site_name }}.key && [ $(wc -c < /etc/ssl/ticket_{{ site_name }}.key) = {% if site.ssl.ticket_key.numbytes is defined %}{{ site.ssl.ticket_key.numbytes }}{% else %}48{% endif %} ]"
+ - require:
+ - pkg: nginx_packages
+ - watch_in:
+ - service: nginx_service
+{% endif %}
+
+{%- if site.ssl.get('password_file', {'enabled': False}).enabled and site.ssl.password_file.file is not defined and site.ssl.password_file.content is defined %}
+/etc/ssl/password_{{ site_name }}.key:
+ file.managed:
+ - contents_pillar: nginx:server:site:{{ site_name }}:ssl:password_file:content
+ - require:
+ - pkg: nginx_packages
+ - watch_in:
+ - service: nginx_service
+{% endif %}
+{% endif %}
+
+
+
{%- if site.get('ssl', {'enabled': False}).enabled and site.host.name not in ssl_certificates.keys() %}
{%- set _dummy = ssl_certificates.update({site.host.name: []}) %}
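Review bot: The ticket key written by `openssl rand ... > /etc/ssl/ticket_{{ site_name }}.key` inherits the shell's default umask, so on most hosts it lands world-readable, and the passphrase file managed just below it sets no `mode`, so the `file.managed` default applies; both files hold secrets that let any local user recover session keys or the private-key passphrase. Add `- umask: '077'` to the ticket-key `cmd.run` and `- mode: '0600'` together with `- user: root` / `- group: root` to the `/etc/ssl/password_{{ site_name }}.key` state. The `unless` guard on the ticket key only compares the byte count, so the key is generated once and never rotated; if a static key is intended, a comment saying so on that state would save the next reader the question. The `{%- for site_name, site ... %}` loop this sits in opens at the hunk's first line and closes outside it.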
@@ -85,8 +121,8 @@
- watch_in:
- service: nginx_service
-{% endif %}
+{% endif %}
sites-available-{{ site_name }}:
file.managed:
diff --git a/tests/pillar/proxy_with_ssl.sls b/tests/pillar/proxy_with_ssl.sls
new file mode 100644
index 0000000..a6e498b
--- /dev/null
+++ b/tests/pillar/proxy_with_ssl.sls
@@ -0,0 +1,278 @@
+salt:
+ minion:
+ enabled: true
+nginx:
+ server:
+ stream:
+ rabbitmq:
+ host:
+ port: 5672
+ backend:
+ server1:
+ address: 10.10.10.113
+ port: 5672
+ unbound:
+ host:
+ bind: 127.0.0.1
+ port: 53
+ protocol: udp
+ backend:
+ server1:
+ address: 10.10.10.114
+ port: 5353
+ enabled: true
+ extras: false
+ bind:
+ address: 127.0.0.1
+ protocol: tcp
+ upstream:
+ horizon-upstream:
+ backend1:
+ address: 10.10.10.113
+ port: 8078
+ opts: weight=3
+ backend2:
+ address: 10.10.10.114
+ site:
+ nginx_proxy_site01:
+ enabled: true
+ type: nginx_proxy
+ name: site01
+ proxy:
+ host: 172.10.10.100
+ port: 80
+ protocol: http
+ host:
+ name: cloudlab.domain.com
+ port: 80
+ ssl:
+ enabled: true
+ key: |
+ -----BEGIN RSA PRIVATE KEY-----
+ MIIG4wIBAAKCAYEAq5spAL9CIZbe687oudIttun6ciXynqHmVb0wqpvKF7SwwrOh
+ AMINZG7rqUYK+LAtbfk53yr8nKaIf8CfGfVPInSgKiA/cW67kXUJ9jQ9VgnE8Hlo
+ Itj3ExmYKoQpMR9zQLHVo6Qzzend1MD+LoS0Gusw2hJEM46bO3RRd6uYFt5oxiTY
+ VVll651kUURVbuTn22xZAeif7Swh4zKzn8jJ0Wha9P+oDJNo74U2k5oRnRBqUxhg
+ s7eZbpzSPZ2AobSB5d+PmlXr8oHBGHTIJ67oCJVpn8LbtE4Rfsk2/s/mhufhXRNf
+ dyj+XZ8TX2Y7mZ86F8iZdLhMEXEkagji0+lumFgtUhqYaLRU40lDr1ifwrOCmFx2
+ q4Jkjl9bbDZ+ckua3uPar7/0JS2ZGW17mU/T6nrf2UxNa7/r6jS5XKCMRLmTH7mh
+ 21PXpDuFursnAVpOiZRks840KvjdIwX8bHVFd+E45nLDhjWNhRjsvRymZfQ3dRoO
+ MFHP/eoOuzQnxG7xAgMBAAECggGAJX8RxogD+zLsIrpjP7cdJgqaHrcL/H2Dxtg/
+ +gdwcR2aQfDeDTxZkMhr1eDoJM7aHl2Gt6y85b29taxxF0ryr6SsGohRVIfNlEru
+ kk132YTo82KTzol580J0bVXTalhk5o31EHyglS20uvgwkhmNARTC5+N1444VfTg9
+ VNi5ssWGP0Vtv7h4/LK3aMp1oHWD8/4ItNIPn9M01GAPv6ov7wHOXho+rgDHvQ5u
+ jnHrx1X+5Yk+GAbWD8VUawIvSSYXoHhKxDYjT8KYEtVZFgP12NIoWp+THczK6JMh
+ dYuSSXXOTlPTfec9/OmJ5eMXCWYS0Ns7J9U0/oG6unfiEVzgcKmz6hBMKQMkVwsR
+ POUbtopQqs6sdekZGq5SuuDvtDENkhwbC0DTmrr2PMinZag+F62cg0TBxQQt+RkS
+ EKJwKalOLH3svsY9bsmXKKBMsl7hIHjslVp3h5Es314q8Vqp3QhwqpD72owuARVo
+ i81S7WeQTmxKWSZquNnSHDtJn1XBAoHBANRFpCF1j9MjqLZ3tXSiT/wP6wW65GK4
+ 8yXfRFW8pZjvMeT0IN9ClHZHB3G1kO/8H4Ksex+IJzieJnp+4UhhN97WBRf5FTXV
+ shftb7V2ZLFWbn2KwnbOSjLcT9UoEVOhwp+TCgV3QIqGHvSLj45pB0uERNoUts5I
+ 5+VnXNDzw2AFqnH3KLgKIRDTEj1okaJrkqyb2EKFDybo3lsCPcqO8qclvKvMv7y4
+ +vqBgV17RoR6vQIXaLgdOHJYo45Z0kV2lwKBwQDO9PawowOh+rOaGOQoqWoOGDVv
+ RTe5INVQFPWm1wvsZYZ+FzP6rP6RHQB/VcNTBUfwGnk8lSulN8vyo4Zipe3UgBK1
+ DM6LjXMhdyOjGiOw3M6BzZHMxiQD2lTvqURpTf8XYlBj/lpw6z/w2B9F1LZPzw7T
+ JTEvPFNMeH77bvy8M+lu5uucOgyU/6gUgEDxdfcVbQRSRJ+wGVrf2BVPIsMWxPcr
+ dY9ziG7WCxdCEGDVRgiAOo1YcSlvdJ6NlCauv7cCgcB70N9K0PsCijM3s525GZAU
+ E+jfn8LlvsG9Hn0KkY36JdNxm+CsuXZFg2rZLbIL+YEbxKXQn6dZBA6ntuiLQoHH
+ TgkMkbKIg0xtXoahTxyuwB6UxeJmUC/BePZr/AIXSSxvzeGzjHquEktuExW6WJLz
+ voQ2vIxgyO/SxLbD/tvAX62q6iLrLqVY3fUuspb4KU0Vt5WuP1S2OnCwnx8Rzs3F
+ J2Lkxvo0B6YFhpLBx007qygiVysy8YBiWkeUmdnnwKMCgcBoMzRFyT3Z/2UQUDoI
+ Mwxf3laBGKOuxVZBhNwOTbYGJzPpJnuYWiOuIqEOe7rlgQIwZNPn6d9Yx1gbabQO
+ 1SaC2J0SpUkVQHnYPqklxNJ1iSc8ealQJe8aNYKQTHRSZN/sASciwXz936SI+ff8
+ 69WDJ2h6bP5vnvr9xKmCpOYBSE3e9ctpFF0jY/lXoR+Rs2hdVE9ZsI2KV6nGjIBm
+ IMWDIFamfgFlFStg/6KNM7vdhe5fyZtDDW7kXB48gHxdfc8CgcEAgnqyIL940xfG
+ BndbV0yWBI6VsmeaQdB/xaJetAMENUZlT/3CP4XecHMBDXhGv1p8nAqfLhlLfpus
+ aJUpSXB+aXz8ftR1Y7efLMKAW2IKs4+U5Fx4S99Ui71vgWYl8sJOqS+1jijSqZ0K
+ JzLO4lnAYfwV5mve8JB5NmGffOaPrBvfiY9Q6/pZ4kHEZAJBr6Nn7tFp8LyRewxM
+ FLDC6kPWlj/qE92b4zsc6DvAW3M/kIsqATRPijLuqyKDfgQ+QAYn
+ -----END RSA PRIVATE KEY-----
+ cert: |
+ -----BEGIN CERTIFICATE-----
+ MIIE3jCCA0agAwIBAgIMWQmRtQWP7bWTfSYmMA0GCSqGSIb3DQEBCwUAMEgxFTAT
+ BgNVBAMTDGNsb3VkIGRldm9wczERMA8GA1UEChMIbWlyYW50aXMxDzANBgNVBAgT
+ BlByYWd1ZTELMAkGA1UEBhMCQ1owHhcNMTcwNTAzMDgxNTQ5WhcNMjcwNTAxMDgx
+ NTQ5WjBVMREwDwYDVQQDEwh3aWxkY2FyZDEPMA0GA1UECxMGZGV2b3BzMREwDwYD
+ VQQKEwhtaXJhbnRpczEPMA0GA1UECBMGUHJhZ3VlMQswCQYDVQQGEwJDWjCCAaIw
+ DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAKubKQC/QiGW3uvO6LnSLbbp+nIl
+ 8p6h5lW9MKqbyhe0sMKzoQDCDWRu66lGCviwLW35Od8q/JymiH/Anxn1TyJ0oCog
+ P3Fuu5F1CfY0PVYJxPB5aCLY9xMZmCqEKTEfc0Cx1aOkM83p3dTA/i6EtBrrMNoS
+ RDOOmzt0UXermBbeaMYk2FVZZeudZFFEVW7k59tsWQHon+0sIeMys5/IydFoWvT/
+ qAyTaO+FNpOaEZ0QalMYYLO3mW6c0j2dgKG0geXfj5pV6/KBwRh0yCeu6AiVaZ/C
+ 27ROEX7JNv7P5obn4V0TX3co/l2fE19mO5mfOhfImXS4TBFxJGoI4tPpbphYLVIa
+ mGi0VONJQ69Yn8KzgphcdquCZI5fW2w2fnJLmt7j2q+/9CUtmRlte5lP0+p639lM
+ TWu/6+o0uVygjES5kx+5odtT16Q7hbq7JwFaTomUZLPONCr43SMF/Gx1RXfhOOZy
+ w4Y1jYUY7L0cpmX0N3UaDjBRz/3qDrs0J8Ru8QIDAQABo4G6MIG3MAwGA1UdEwEB
+ /wQCMAAwQQYDVR0RBDowOIIHKi5sb2NhbIIKKi5jaS5sb2NhbIIIKi5jaS5kZXaC
+ CSouY2kudGVzdIIMKi5jaS5zdGFnaW5nMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8G
+ A1UdDwEB/wQFAwMHIAAwHQYDVR0OBBYEFGtBfuF1lejUs6Bh87nkCgrjv3UuMB8G
+ A1UdIwQYMBaAFIrt2HX5Q/vHJHZpGDTbhUoF09qfMA0GCSqGSIb3DQEBCwUAA4IB
+ gQAud7sUeG4nCAY9GaeswvRQL58GqJEkfYFXSzWcxwluyTsz/z/7CQiNG77/jHPs
+ IvJBt79uFQWL8YINrdzMIGRpHLpTT6g7hRDtx0T0tzj28bu4twayu9ePMPQIgh/3
+ ISJBIIeJIKQ/EWCm+3ePKKZWp3OscxPUdSLNf+3dmvSWmjdazhq5F/d5i4u5Fqur
+ iHaw6P/bGd2yqSiiYC1Csr1+Rfe+ulyk1NUBtpewX/96KjWNlU7q9F3RxiTNxh7x
+ CDJf5DBHIQP/KCquq8T3uZAOV2sN+HGvO4OzelisnzmRuRm8Lk4ZYNPXFTugdysY
+ HZk3aBIfowkAbNGsGOaiLkc80GxDwXXGCvTLHUXtPYH+Dkw1PRZkP+UhxT9b70El
+ qaZkfvfWEum90BH0km+1dPB/mBMqoTRXVmRyrc2QFsxRGenDbM5RhcT4HfgxCyzC
+ J2EGz8Wzf1bn2kRR4uomSzcoLe8lCM79M+DY21dxP0V8dq2sNvHOqP/0HT62BlEq
+ XtI=
+ -----END CERTIFICATE-----
+ chain: |
+ -----BEGIN CERTIFICATE-----
+ MIIE3jCCA0agAwIBAgIMWQmRtQWP7bWTfSYmMA0GCSqGSIb3DQEBCwUAMEgxFTAT
+ BgNVBAMTDGNsb3VkIGRldm9wczERMA8GA1UEChMIbWlyYW50aXMxDzANBgNVBAgT
+ BlByYWd1ZTELMAkGA1UEBhMCQ1owHhcNMTcwNTAzMDgxNTQ5WhcNMjcwNTAxMDgx
+ NTQ5WjBVMREwDwYDVQQDEwh3aWxkY2FyZDEPMA0GA1UECxMGZGV2b3BzMREwDwYD
+ VQQKEwhtaXJhbnRpczEPMA0GA1UECBMGUHJhZ3VlMQswCQYDVQQGEwJDWjCCAaIw
+ DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAKubKQC/QiGW3uvO6LnSLbbp+nIl
+ 8p6h5lW9MKqbyhe0sMKzoQDCDWRu66lGCviwLW35Od8q/JymiH/Anxn1TyJ0oCog
+ P3Fuu5F1CfY0PVYJxPB5aCLY9xMZmCqEKTEfc0Cx1aOkM83p3dTA/i6EtBrrMNoS
+ RDOOmzt0UXermBbeaMYk2FVZZeudZFFEVW7k59tsWQHon+0sIeMys5/IydFoWvT/
+ qAyTaO+FNpOaEZ0QalMYYLO3mW6c0j2dgKG0geXfj5pV6/KBwRh0yCeu6AiVaZ/C
+ 27ROEX7JNv7P5obn4V0TX3co/l2fE19mO5mfOhfImXS4TBFxJGoI4tPpbphYLVIa
+ mGi0VONJQ69Yn8KzgphcdquCZI5fW2w2fnJLmt7j2q+/9CUtmRlte5lP0+p639lM
+ TWu/6+o0uVygjES5kx+5odtT16Q7hbq7JwFaTomUZLPONCr43SMF/Gx1RXfhOOZy
+ w4Y1jYUY7L0cpmX0N3UaDjBRz/3qDrs0J8Ru8QIDAQABo4G6MIG3MAwGA1UdEwEB
+ /wQCMAAwQQYDVR0RBDowOIIHKi5sb2NhbIIKKi5jaS5sb2NhbIIIKi5jaS5kZXaC
+ CSouY2kudGVzdIIMKi5jaS5zdGFnaW5nMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8G
+ A1UdDwEB/wQFAwMHIAAwHQYDVR0OBBYEFGtBfuF1lejUs6Bh87nkCgrjv3UuMB8G
+ A1UdIwQYMBaAFIrt2HX5Q/vHJHZpGDTbhUoF09qfMA0GCSqGSIb3DQEBCwUAA4IB
+ gQAud7sUeG4nCAY9GaeswvRQL58GqJEkfYFXSzWcxwluyTsz/z/7CQiNG77/jHPs
+ IvJBt79uFQWL8YINrdzMIGRpHLpTT6g7hRDtx0T0tzj28bu4twayu9ePMPQIgh/3
+ ISJBIIeJIKQ/EWCm+3ePKKZWp3OscxPUdSLNf+3dmvSWmjdazhq5F/d5i4u5Fqur
+ iHaw6P/bGd2yqSiiYC1Csr1+Rfe+ulyk1NUBtpewX/96KjWNlU7q9F3RxiTNxh7x
+ CDJf5DBHIQP/KCquq8T3uZAOV2sN+HGvO4OzelisnzmRuRm8Lk4ZYNPXFTugdysY
+ HZk3aBIfowkAbNGsGOaiLkc80GxDwXXGCvTLHUXtPYH+Dkw1PRZkP+UhxT9b70El
+ qaZkfvfWEum90BH0km+1dPB/mBMqoTRXVmRyrc2QFsxRGenDbM5RhcT4HfgxCyzC
+ J2EGz8Wzf1bn2kRR4uomSzcoLe8lCM79M+DY21dxP0V8dq2sNvHOqP/0HT62BlEq
+ XtI=
+ -----END CERTIFICATE-----
+ -----BEGIN CERTIFICATE-----
+ MIIEWTCCAsGgAwIBAgIMWQmRjiv/O7NwT3AxMA0GCSqGSIb3DQEBCwUAMEgxFTAT
+ BgNVBAMTDGNsb3VkIGRldm9wczERMA8GA1UEChMIbWlyYW50aXMxDzANBgNVBAgT
+ BlByYWd1ZTELMAkGA1UEBhMCQ1owHhcNMTcwNTAzMDgxNTEwWhcNMjcwNTAxMDgx
+ NTEwWjBIMRUwEwYDVQQDEwxjbG91ZCBkZXZvcHMxETAPBgNVBAoTCG1pcmFudGlz
+ MQ8wDQYDVQQIEwZQcmFndWUxCzAJBgNVBAYTAkNaMIIBojANBgkqhkiG9w0BAQEF
+ AAOCAY8AMIIBigKCAYEAyIW/3H2CIvnkflCm4bc9im8TeoE+s/W/OI80d1cgfnVY
+ VRvQMuhfKMV9Ec83qaMoT/VD2TLGoaLTKxvn05jpYd7lFf+ekZXPC1tK+Wgj5w38
+ c/V+tux6uYMPDo9XoHkGqakqE0Y9PkiUcsiOhCXMzrr3SkkpHqLV32kEKz711ibi
+ h4ATeYou7Q0hsRqRfjRj/JAr+nVQiZM39jm1OvA7VYgIrppu2rSSJwsOhneG2dhP
+ EEhpTSWB/kMPmxMQygKGZc08noZsReC7U5F+n2+DDkhdvQtQUqN2UZ4iCWt1aMxd
+ FDYmXm0uB6utJCsxy3uf4Mkfb86RBI5owECel4ASTQcAIRQNsFcaQg408c+sXTuB
+ 44RZBgJY6re2UEGGUiZ0i7mAR07Ava3dve2Rm24t2Lg17WIuIQC+kqIbgvnj9KtS
+ w00JyXFCrbiYmxpx286X27ca7sLGZZnpSNfoGvfX1UFlmmK/89klR+kMktgGdka6
+ pnfbGDLfS5h7AkZnjzAnAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0P
+ AQH/BAUDAwcGADAdBgNVHQ4EFgQUiu3YdflD+8ckdmkYNNuFSgXT2p8wDQYJKoZI
+ hvcNAQELBQADggGBAGkWleGTCwl5v9DyL+ReQ7cIsZp2FZCPATWjrlY69QNpa7s/
+ h7gS0Lx1bmwSVyM/A7DrmHUz2ScUjJJeZuOAt2LaKl8rnMJMSRIj4WosIB886bOw
+ d6polbiVWRFUGEaD/X9L4AJFLE3X8ITuwd4ukwCB4IvEuPLhDVIFHFIk2ur7n0HF
+ XsE/SNmsRuULMXLEqguWmCXhHqsbFoBrmUdUIyVPav9j/XFc/3jG5kAn25Qz9LfV
+ cX1LJihPbtCrc1LtBqV0LrV6aFwcl8c9JFR3qha19za/Fk/JnKz1E6CbVWMLLSOo
+ +fTGf4nvof/jJS61vKwRE3lyxZNciiXQV4fGVRIrVkbULbNSgmQaFtNFBwQ07w61
+ 5ks8/gGnwHKnNc9kQdPm8nNjY7Jqp9XI8RaLoLvqaTAqcempwiyPYT8qu3JE79Dl
+ 6Jw10sI4/PqU5XVTqSCrvmICOOgZbFRWgCLwJzp5rq0cWvJH0N5PyATL6FfhDGm0
+ myUGszN7wRKeJqKa1w==
+ -----END CERTIFICATE-----
+ session_timeout: '15m'
+ session_cache: 'shared:SSL:15m'
+ mode: 'manual'
+ protocols:
+ TLS1:
+ name: 'TLSv1'
+ enabled: True
+ TLS1_1:
+ name: 'TLSv1.1'
+ enabled: True
+ TLS1_2:
+ name: 'TLSv1.2'
+ enabled: False
+ ciphers:
+ ECDHE_RSA_AES256_GCM_SHA384:
+ name: 'ECDHE-RSA-AES256-GCM-SHA384'
+ enabled: True
+ ECDHE_ECDSA_AES256_GCM_SHA384:
+ name: 'ECDHE-ECDSA-AES256-GCM-SHA384'
+ enabled: True
+ prefer_server_ciphers: "off"
+ buffer_size: '16k'
+ dhparam:
+ enabled: True
+ numbits: 1024
+ ecdh_curve:
+ secp384r1:
+ name: 'secp384r1'
+ enabled: False
+ secp521r1:
+ name: 'secp521r1'
+ enabled: True
+ ticket_key:
+ enabled: True
+ numbytes: 48
+ session_tickets: 'on'
+ stapling: 'off'
+ crl:
+ file: '/etc/ssl/crl.pem'
+ enabled: False
+ password_file:
+ content: 'testcontent22'
+ enabled: True
+ resolver:
+ address: '127.0.0.1'
+ valid_seconds: '500'
+ timeout_seconds: '60'
+ client_certificate:
+ file: '/etc/ssl/client_cert.pem'
+ enabled: False
+ verify_client: 'off'
+ nginx_proxy_site02:
+ enabled: true
+ type: nginx_proxy
+ name: site02
+ proxy:
+ upstream_proxy_pass: http://horizon-upstream
+ host:
+ name: cloudlab.domain.com
+ port: 31337
+ nginx_proxy_site03:
+ enabled: true
+ type: nginx_proxy
+ name: site03
+ proxy:
+ host: 172.120.10.100
+ port: 80
+ protocol: http
+ location:
+ /kek/:
+ host: 172.10.10.100
+ port: 80
+ protocol: http
+ size: 10000m
+ timeout: 43200
+ websocket: true
+ request_buffer: false
+ buffer:
+ number: 4
+ size: 256
+ /doc/:
+ host: 172.10.10.200
+ port: 80
+ protocol: http
+ host:
+ name: cloudlab.domain.com
+ port: 80
+ nginx_proxy_site04:
+ enabled: true
+ type: nginx_proxy
+ name: site04
+ location:
+ /:
+ host: 172.10.10.100
+ port: 80
+ protocol: http
+ /doc/:
+ host: 172.10.10.200
+ port: 80
+ protocol: http
+ host:
+ name: cloudlab.domain.com
+ port: 80
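Review bot: `numbits: 1024` on the dhparam stanza of nginx_proxy_site01 makes the state generate a 1024-bit DH group, below the 2048 default documented in the README and a weak size for a real deployment; if the smaller value is chosen only to keep the kitchen run short, say so with a comment such as `# 1024 keeps the test run fast; use the 2048 default in production pillars` so the fixture is not copied as a template. The fixture also disables TLSv1.2 while enabling TLSv1 and TLSv1.1, which exercises the branch but reads as a recommendation; a one-line comment that the protocol set is arbitrary test data would help.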