
Remove deprecated `ssl` directive

Open kenyon opened this issue 2 years ago • 5 comments

We need to remove the deprecated `ssl` directive, which was deprecated in version 1.15.0, and has been removed in nginx 1.25.1: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl

kenyon avatar Oct 05 '23 00:10 kenyon

Actually, I see that the `ssl` directive gets removed on the second puppet run. So we just need to make sure it isn't added on the first puppet run. Not sure how that is happening (yet).

kenyon avatar Oct 05 '23 00:10 kenyon

This comes from:

https://github.com/voxpupuli/puppet-nginx/blob/e984c166cf75be62e206d2954f4991ec3b0502f4/templates/server/server_ssl_settings.erb#L1-L3

On first run, if nginx was not installed, the fact nginx_version has no value and the assumed version is 1.6.0:

https://github.com/voxpupuli/puppet-nginx/blob/e984c166cf75be62e206d2954f4991ec3b0502f4/manifests/init.pp#L243

I am not sure if we can just remove this code fragment without consequences. On one hand, version 1.15.0 was released in 2020 and has known vulnerabilities, but on the other hand, if we allow setting a specific version, I am sure people use this to stick to a legacy release…

smortex avatar Oct 05 '23 21:10 smortex

@smortex ahhh. Seems like the default value for $nginx_version should be the lowest version that we support. That would be the min() of what upstream supports, and what comes with OSes that are supported per metadata.json, I think. Not sure what that version is, but that has to be newer than 1.6.0 (released in 2014) by now.

kenyon avatar Oct 05 '23 22:10 kenyon

I see now that this is documented too: https://github.com/voxpupuli/puppet-nginx/blob/e984c166cf75be62e206d2954f4991ec3b0502f4/README.md?plain=1#L148-L153

Done in https://github.com/voxpupuli/puppet-nginx/commit/0ff826527ffb95f5a68662e8b88bc364d29228a5

kenyon avatar Oct 05 '23 23:10 kenyon

According to https://www.nginx.com/support/:

We provide technical support for the current release, and releases that launched within two years of the launch date of the current release.

Latest release is from 2023-08-15 (1.25.2), so the first version after 2021-08-15 is 1.21.2 released on 2021-08-31. Version 1.15.0 is therefore not maintained anymore by NGINX.

But Debian oldoldstable ships version 1.14.2 and continues to backport security fixes for this version.

Maybe updating the default version would be enough for now: instead of having the 1st Puppet run produce a broken config with recent nginx and the 2nd run fix it, we can have a broken config on 1st run on legacy systems and a fix on the 2nd?

smortex avatar Oct 06 '23 00:10 smortex
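To make the two-run behaviour discussed in this thread concrete, here is an added Ruby example (not the module's own template or manifest code) that models the mechanism described above: a version-gated ERB fragment that emits `ssl on;` only for nginx older than 1.15.0, a version lookup that falls back to a module default when the `nginx_version` fact is empty on the first run, and a simulation of the first and second Puppet runs. The template text, the `effective_version`/`render_ssl_settings`/`simulate_runs` helpers, the certificate paths and the candidate default `1.21.2` are all assumptions for illustration; the 1.15.0 deprecation and 1.25.1 removal thresholds come from the issue.

```ruby
require 'rubygems' # provides Gem::Version for semantic version comparison
require 'erb'

# Hypothetical stand-in for the module's server SSL settings template: the legacy
# "ssl on;" directive is emitted only for nginx releases older than 1.15.0.
SSL_SETTINGS_TEMPLATE = <<~ERB
  <% if Gem::Version.new(version) < Gem::Version.new('1.15.0') -%>
  ssl on;
  <% end -%>
  ssl_certificate     <%= cert %>;
  ssl_certificate_key <%= key %>;
ERB

# The version the template sees: the nginx_version fact when nginx is already
# installed, otherwise the module default (the value being debated in the issue).
def effective_version(fact_value, default)
  fact_value.nil? || fact_value.empty? ? default : fact_value
end

# Render the fragment for a given nginx version (paths are constructed sample values).
def render_ssl_settings(version, cert: '/etc/ssl/example.crt', key: '/etc/ssl/example.key')
  ERB.new(SSL_SETTINGS_TEMPLATE, trim_mode: '-')
     .result_with_hash(version: version, cert: cert, key: key)
end

# nginx 1.25.1 and later reject "ssl on;" outright, so a config containing it
# will fail to load on those releases.
def emits_removed_directive?(rendered, installed_version)
  rendered.include?('ssl on;') &&
    Gem::Version.new(installed_version) >= Gem::Version.new('1.25.1')
end

# First run: the fact is empty because nginx is not installed yet, so the default
# decides. Second run: the real fact is present. Report whether the two agree and
# whether the first-run config would be rejected by the nginx that gets installed.
def simulate_runs(default:, installed:)
  first  = render_ssl_settings(effective_version(nil, default))
  second = render_ssl_settings(effective_version(installed, default))
  {
    first_run_matches_second: first == second,
    first_run_rejected_by_nginx: emits_removed_directive?(first, installed)
  }
end

if __FILE__ == $PROGRAM_NAME
  puts simulate_runs(default: '1.6.0',  installed: '1.25.2') # current default, recent nginx
  puts simulate_runs(default: '1.21.2', installed: '1.25.2') # newer default, recent nginx
  puts simulate_runs(default: '1.21.2', installed: '1.14.2') # newer default, legacy nginx
end
```

The three calls at the bottom reproduce the trade-off in the last comment: with the 1.6.0 default the first run on a modern host writes a config nginx 1.25.x refuses to load and only the second run converges; with a 1.21.2 default the modern host converges on the first run, while a legacy 1.14.2 host now gets the non-converging (but still loadable) first run instead.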