leap_platform.git/puppet/modules/site_apache, branch 0.5.2 [leap_platform] Update TLS apache vhost TLS configuration (#5137): 2014-04-02T17:25:13+00:00 Micah Anderson micah@leap.se 2014-04-02T17:17:20+00:00 5cca6d100ffd991e6f943d916361bf0497728d70 . We want to allow for TLS1.2 to be enabled (supported in wheezy) . Explicitly disable SSLCompression. This aids in protecting against the BREACH attack: see http://breachattack.com), and SPDY version 3 is vulnerable to the CRIME attack when compression is on . Switch the cipher suites to match https://wiki.mozilla.org/Security/Server_Side_TLS#Apache for these reasons: . Prefer PFS, with ECDHE first then DHE (TLS 1.2, not many implementations support this, and there are no known attacks). . Prefer AES128 to AES256 because the key schedule in AES256 is considered weaker, and maybe AES128 is more resistant to timing attacks . Prefer AES to RC4. BEAST attacks on AES are mitigated in >=TLS1.1, and difficult in TLS1.0. They are not in RC4, and likely to become more dangerous . RC4 is on the path to removal, but still present for backward compatibility Change-Id: I99a7f0ebf2ac438f075835d1cb38f63080321043 
       . We want to allow for TLS1.2 to be enabled (supported in wheezy)

       . Explicitly disable SSLCompression. This aids in protecting
       against the BREACH attack: see http://breachattack.com), and SPDY
       version 3 is vulnerable to the CRIME attack when compression is
       on

       . Switch the cipher suites to match
       https://wiki.mozilla.org/Security/Server_Side_TLS#Apache for
       these reasons:
             . Prefer PFS, with ECDHE first then DHE (TLS 1.2, not many
             implementations support this, and there are no known attacks).
             . Prefer AES128 to AES256 because the key schedule in
             AES256 is considered weaker, and maybe AES128 is more
             resistant to timing attacks
             . Prefer AES to RC4. BEAST attacks on AES are mitigated in
             >=TLS1.1, and difficult in TLS1.0. They are not in RC4, and
             likely to become more dangerous
             . RC4 is on the path to removal, but still present for backward compatibility

Change-Id: I99a7f0ebf2ac438f075835d1cb38f63080321043
move leap_webapp.conf template to common.conf which is included by the nagios and webapp node (#5096) 2014-02-10T17:40:08+00:00 varac varacanero@zeromail.org 2014-02-06T14:36:12+00:00 6255e58bf9ff3489bf2707bc2be9759ec5c7db68 






anonymize webapp ips (Bug #4896)
2014-01-22T15:47:59+00:00

varac
varacanero@zeromail.org

2014-01-22T15:47:59+00:00

e7fe6d504565b7e0234681ed500059a54739f2e3












improvements to webapp deployment: allow for greater customization, allow for custom git source, improve apache config.
2013-11-22T19:14:13+00:00

elijah
elijah@riseup.net

2013-11-15T09:02:25+00:00

289a00a149ac08d01b8ee638620d8c2928966fa3












"Header set X-Frame-Options: Allow" only for nagios (Bug #4169)
2013-10-18T12:10:18+00:00

varac
varacanero@zeromail.org

2013-10-17T21:09:49+00:00

9074a7bce264d64f467bc628f06e37a5802043bd

Nagios won't work with setting this option to "DENY",
as set in conf.d/security (#4169). Therefor we allow
it here, only for nagios.





Nagios won't work with setting this option to "DENY",
as set in conf.d/security (#4169). Therefor we allow
it here, only for nagios.







Webapp doesn't serve commercial cert (Bug #3916)
2013-09-24T09:01:19+00:00

varac
varacanero@zeromail.org

2013-09-24T09:01:19+00:00

02f17c426e6288f898a66a1a687b413ffe9a9b95












move commercial x509 deployment to site_x509 (Feature #3889)
2013-09-24T08:06:22+00:00

varac
varacanero@zeromail.org

2013-09-24T07:23:54+00:00

9fae612bd8d147321e0cb553610fcaf0140e84eb












Merge branch 'api-crt-3384' into develop fixes #3384
2013-09-21T22:13:13+00:00

kwadronaut
kwadronaut@leap.se

2013-09-21T22:13:13+00:00

5e582cbf9e2cd135009965433b4cd2a7747732ed












adding fqdn as default servername and moving service.domain to ServerAlias (fixing #3384)
2013-09-21T22:08:05+00:00

kwadronaut
kwadronaut@leap.se

2013-09-17T18:09:10+00:00

a95e00f78e07d515b49de563ca5fbcd83be0d015

node name and dns fqdn could be different
Also note that on local deploys that warning from #3384 will continue to exist (because of dns)





node name and dns fqdn could be different
Also note that on local deploys that warning from #3384 will continue to exist (because of dns)







fix whitespace issues from https://review.leap.se/r/82
2013-09-20T16:58:13+00:00

varac
varacanero@zeromail.org

2013-09-20T16:58:13+00:00

486a9cd3b7bd8d643a9623fd40db2286cdf52fc8