1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
| | # -*- encoding: binary -*-
# :stopdoc:
# This module is included in Unicorn::Configurator
# :startdoc:
#
module Unicorn::SSLConfigurator
def ssl(&block)
ssl_require!
before = @set[:listeners].dup
opts = @set[:ssl_opts] = {}
yield
(@set[:listeners] - before).each do |address|
(@set[:listener_opts][address] ||= {})[:ssl_opts] = opts
end
ensure
@set.delete(:ssl_opts)
end
def ssl_certificate(file)
ssl_set(:ssl_certificate, file)
end
def ssl_certificate_key(file)
ssl_set(:ssl_certificate_key, file)
end
def ssl_client_certificate(file)
ssl_set(:ssl_client_certificate, file)
end
def ssl_dhparam(file)
ssl_set(:ssl_dhparam, file)
end
def ssl_ciphers(openssl_cipherlist_spec)
ssl_set(:ssl_ciphers, openssl_cipherlist_spec)
end
def ssl_crl(file)
ssl_set(:ssl_crl, file)
end
def ssl_prefer_server_ciphers(bool)
ssl_set(:ssl_prefer_server_ciphers, check_bool(bool))
end
def ssl_protocols(list)
ssl_set(:ssl_protocols, list)
end
def ssl_verify_client(on_off_optional)
ssl_set(:ssl_verify_client, on_off_optional)
end
def ssl_session_timeout(seconds)
ssl_set(:ssl_session_timeout, seconds)
end
def ssl_verify_depth(depth)
ssl_set(:ssl_verify_depth, depth)
end
# Allows specifying an engine for OpenSSL to use. We have not been
# able to successfully test this feature due to a lack of hardware,
# Reports of success or patches to mongrel-unicorn@rubyforge.org is
# greatly appreciated.
def ssl_engine(engine)
ssl_warn_global(:ssl_engine)
ssl_require!
OpenSSL::Engine.load
OpenSSL::Engine.by_id(engine)
@set[:ssl_engine] = engine
end
def ssl_compression(bool)
# OpenSSL uses the SSL_OP_NO_COMPRESSION flag, Flipper follows suit
# with :ssl_no_compression, but we negate it to avoid exposing double
# negatives to the user.
ssl_set(:ssl_no_compression, check_bool(:ssl_compression, ! bool))
end
private
def ssl_warn_global(func) # :nodoc:
Hash === @set[:ssl_opts] or return
warn("`#{func}' affects all SSL contexts in this process, " \
"not just this block")
end
def ssl_set(key, value) # :nodoc:
cur = @set[:ssl_opts]
Hash === cur or
raise ArgumentError, "#{key} must be called inside an `ssl' block"
cur[key] = value
end
def ssl_require! # :nodoc:
require "flipper"
require "unicorn/ssl_client"
rescue LoadError
warn "install 'kgio-monkey' for SSL support"
raise
end
end
|