RubyGems - capistrano-unicorn-nginx - Versions diffs - 4.1.0 → 4.2.0 - Mend

capistrano-unicorn-nginx 4.1.0 → 4.2.0

Files changed (7) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9fe00dbabd4665ed0ccb5d10829f8e717cc5c2d7
-  data.tar.gz: 34dc0d1bc6cb2b731e536389382693981f09d83b
+  metadata.gz: 8f0337593e08e19cab15ce29f6ccb7455e37df5e
+  data.tar.gz: 8eba038b8b6e113d3e8be52f8838c14e3232fea4
 SHA512:
-  metadata.gz: c8dfbf17556637f0cbc88c29a7a8d52d4524b9bb87a83028216e12aaa7e0972d104cafb7cb89629527d3b49c28e13724ebae74a91c1fae8d2b752d9b2f7ed208
-  data.tar.gz: 776ac431b05d7db9f967f7294371a60228dbd9ea5dece3faac483a520d80b4ec5a17ee118e0a86aebb5c0eba3489ea838cac366f60259cad97fdbdbca92d4954
+  metadata.gz: 207b3ae7e01925fb55b881e18188b4c8c8b939cf874d2c1b6f2228c1957f975d97d95a926e637e10bcf2b563c804492b507f5dc9691c7ac5ebfd647b61c2d636
+  data.tar.gz: b801c70fc857c355b81444fbac9e5206719444107acf0aa0840a1bc68bd00f011c40e86885241e5b0660bc856c00f653cd84ce32d6ae87ef22063452e0c008d1

data/CHANGELOG.md CHANGED

@@ -2,6 +2,9 @@
 ### master
+### v4.2.0, 2018-02-08
+- Add support for client authentication using a root CA. Inspired by
+  http://www.pandurang-waghulde.com/2014/06/client-side-ssl-certificate.html
 ### v4.1.0, 2017-06-21
 - Auto-generate dhparams.pem if missing

@@ -1,13 +1,12 @@
 module Capistrano
   module DSL
     module NginxPaths
       def nginx_sites_available_file
         "#{fetch(:nginx_location)}/sites-available/#{fetch(:nginx_config_name)}"
       end
       def nginx_dh_params_file
-        "/etc/nginx/ssl/dhparam.pem"
+        '/etc/nginx/ssl/dhparam.pem'
       end
       def nginx_sites_enabled_file
@@ -15,7 +14,7 @@ module Capistrano
       end
       def nginx_service_path
-        "#{fetch(:nginx_service_path)}"
+        fetch(:nginx_service_path).to_s
       end
       def nginx_default_pid_file
@@ -32,11 +31,11 @@ module Capistrano
       end
       def nginx_default_ssl_cert_file_path
-        "/etc/ssl/certs/"
+        '/etc/ssl/certs/'
       end
       def nginx_default_ssl_cert_key_file_path
-        "/etc/ssl/private/"
+        '/etc/ssl/private/'
       end
       def nginx_ssl_cert_file
@@ -47,6 +46,10 @@ module Capistrano
         "#{fetch(:nginx_ssl_cert_key_path)}#{fetch(:nginx_ssl_cert_key)}"
       end
+      def nginx_ssl_client_ca
+        fetch(:nginx_ssl_client_ca)
+      end
       # log files
       def nginx_access_log_file
         "/var/log/nginx/#{fetch(:nginx_config_name)}.access.log"
@@ -55,7 +58,6 @@ module Capistrano
       def nginx_error_log_file
         "/var/log/nginx/#{fetch(:nginx_config_name)}.error.log"
       end
     end
   end
 end

@@ -1,5 +1,5 @@
 module Capistrano
   module UnicornNginx
-    VERSION = "4.1.0"
+    VERSION = '4.2.0'.freeze
   end
 end

@@ -17,6 +17,9 @@ server {
     ssl on;
     ssl_certificate <%= nginx_ssl_cert_file %>;
     ssl_certificate_key <%= nginx_ssl_cert_key_file %>;
+    <% if fetch(:nginx_use_client_ssl) -%>
+    ssl_trusted_certificate <%= nginx_ssl_client_ca %>;
+    <% end -%>
     ssl_session_cache shared:SSL:10m;
     ssl_session_timeout 10m;
@@ -35,7 +38,7 @@ server {
   add_header X-Content-Type-Options nosniff;
-<% if fetch(:nginx_use_ssl) && nginx_pass_ssl_client_cert -%>
+<% if fetch(:nginx_use_ssl) && (nginx_pass_ssl_client_cert || fetch(:nginx_use_client_ssl)) -%>
     ssl_verify_client optional_no_ca;
 <% end -%>
@@ -59,6 +62,12 @@ server {
         <% if fetch(:nginx_use_ssl) -%>
         proxy_set_header X-Forwarded-Proto https;
         <% end -%>
+        <% if fetch(:nginx_use_client_ssl) -%>
+        proxy_set_header X-Client-Dn $ssl_client_s_dn;
+        proxy_set_header X-Client-Serial $ssl_client_serial;
+        proxy_set_header X-Client-Verify $ssl_client_verify;
+        <% end -%>
         <% if fetch(:nginx_use_ssl) && nginx_pass_ssl_client_cert -%>
         # source: http://forum.nginx.org/read.php?2,236546,236596
         proxy_set_header X-Client-Cert $a$b$c$d$e$f$g$h$i$j$k$l$m$n$o$p$q$r$s$t$v$u$w$x$y$z;

@@ -16,10 +16,10 @@ server {
 }
 <% end -%>
-<% # render the default server directive. If SSL is enabled, port 443 is used %>
+<%# render the default server directive. If SSL is enabled, port 443 is used %>
 <%= template_to_s("_default_server_directive.erb", ssl_port: 443, nginx_pass_ssl_client_cert: false).to_s %>
 <% if fetch(:nginx_pass_ssl_client_cert) -%>
-<% # render the server directive with SSL client certificate authentication enabled on port 444 %>
+<%# render the server directive with SSL client certificate authentication enabled on port 444 %>
 <%= template_to_s("_default_server_directive.erb", ssl_port: 444, nginx_pass_ssl_client_cert: true).to_s %>
 <% end -%>

metadata CHANGED

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: capistrano-unicorn-nginx
 version: !ruby/object:Gem::Version
-  version: 4.1.0
+  version: 4.2.0
 platform: ruby
 authors:
 - Ruben Stranders
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2017-06-21 00:00:00.000000000 Z
+date: 2018-02-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: capistrano
@@ -107,9 +107,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.6.10
+rubygems_version: 2.6.14
 signing_key:
 specification_version: 4
 summary: Capistrano tasks for automatic and sensible unicorn + nginx configuraion.
 test_files: []
-has_rdoc: