From 6e05f67d5732cf6beee9a7cc77c52830137fbce2 Mon Sep 17 00:00:00 2001
From: Holt Wilkins
Date: Fri, 21 Aug 2015 18:19:52 +1000
Subject: [PATCH] Add support for the Apache SSLProxyMachineCertificateFile directive which allows the apache reverse proxy to use a client certificate to authenticate to its upstream
---
 README.md | 11 +++++++++++
 manifests/vhost.pp | 2 ++
 templates/vhost/_ssl.erb | 3 +++
 3 files changed, 16 insertions(+)
diff --git a/README.md b/README.md
index 769b937b8..a1de3d734 100644
--- a/README.md
+++ b/README.md
@@ -2898,6 +2898,17 @@ Sets the [SSLVerifyDepth](http://httpd.apache.org/docs/current/mod/mod_ssl.html#
 }
 ~~~
+##### `ssl_proxy_machine_cert`
+
+Sets the [SSLProxyMachineCertificateFile](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslproxymachinecertificatefile) directive, which specifies an all-in-one file where you keep the certs and keys used for this server to authenticate itself to remote servers. This file should be a concatenation of the PEM-encoded certificate files in order of preference. Defaults to 'undef'.
+
+~~~ puppet
+ apache::vhost { 'sample.example.net':
+ …
+ ssl_proxy_machine_cert => '/etc/httpd/ssl/client_certificate.pem',
+ }
+~~~
+
 ##### `ssl_options`
 Sets the [SSLOptions](http://httpd.apache.org/docs/current/mod/mod_ssl.html#ssloptions) directive, which configures various SSL engine run-time options. This is the global setting for the given vhost and can be a string or an array. Defaults to 'undef'.
diff --git a/manifests/vhost.pp b/manifests/vhost.pp
index 20b1aa6b9..c44bba589 100644
--- a/manifests/vhost.pp
+++ b/manifests/vhost.pp
@@ -25,6 +25,7 @@
 $ssl_honorcipherorder = undef,
 $ssl_verify_client = undef,
 $ssl_verify_depth = undef,
+ $ssl_proxy_machine_cert = undef,
 $ssl_options = undef,
 $ssl_openssl_conf_cmd = undef,
 $ssl_proxyengine = false,
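Review bot: `$ssl_proxy_machine_cert` is accepted without any validation and is then written verbatim between double quotes in templates/vhost/_ssl.erb, so a relative path, or a value containing a quote or a newline, lands in the generated vhost configuration unchecked. The file it names holds the private key the proxy uses to authenticate to its upstream, so I would check it where the define validates its other inputs, e.g. `if $ssl_proxy_machine_cert { validate_absolute_path($ssl_proxy_machine_cert) }`. The body of the define is outside this hunk, so this assumes the stdlib validate functions are available to the module. The README entry would also benefit from one sentence saying that this PEM file carries private keys (which, as far as I know, mod_ssl does not accept in encrypted form for this directive) and that its ownership and mode are not managed by this change.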
@@ -738,6 +739,7 @@
 # - $ssl_honorcipherorder
 # - $ssl_verify_client
 # - $ssl_verify_depth
+ # - $ssl_proxy_machine_cert
 # - $ssl_options
 # - $ssl_openssl_conf_cmd
 # - $apache_version
diff --git a/templates/vhost/_ssl.erb b/templates/vhost/_ssl.erb
index c2d941350..e99b739a6 100644
--- a/templates/vhost/_ssl.erb
+++ b/templates/vhost/_ssl.erb
@@ -40,6 +40,9 @@
 <%- if @ssl_verify_depth -%>
 SSLVerifyDepth <%= @ssl_verify_depth %>
 <%- end -%>
+ <%- if @ssl_proxy_machine_cert -%>
+ SSLProxyMachineCertificateFile "<%= @ssl_proxy_machine_cert %>"
+ <%- end -%>
 <%- if @ssl_options -%>
 SSLOptions <%= Array(@ssl_options).join(' ') %>
 <%- end -%>
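Review bot: The new `SSLProxyMachineCertificateFile` block in `_ssl.erb` is conditional only on `@ssl_proxy_machine_cert`, not on `@ssl_proxyengine`, although the directive only matters when `SSLProxyEngine` is on. The top of the template is outside this hunk, but if the whole file is wrapped in the vhost's own `ssl` switch, a plain-HTTP vhost that proxies to an HTTPS upstream would silently get no client certificate. The parameter would be accepted and the directive never rendered, which is hard to spot when the upstream then rejects the connection. I would render it next to wherever `SSLProxyEngine` is emitted, or at least guard it with `<%- if @ssl_proxyengine and @ssl_proxy_machine_cert -%>`.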