leap_platform.git/puppet/modules/site_apache, branch 0.6.0 [leap_platform] Adds support for Tor hidden service on webapp (Feature #6273) 2014-11-05T01:24:44+00:00 guido guido@bruo.org 2014-10-29T00:03:52+00:00 16c985a1b8e692c0e0f76a30b7ec052c9dc269bd Change-Id: I56250e05e3a933deacd0b6e02192e712d3fd9fd5 
Change-Id: I56250e05e3a933deacd0b6e02192e712d3fd9fd5
Disable SSLv3, and RC4 ciphers 2014-10-15T21:08:52+00:00 Micah Anderson micah@leap.se 2014-10-15T21:07:45+00:00 189bd4b704ba685640ca01afe90f592e7b33567a Change-Id: I7214aa4334e3d817dd1b6d8dce43523e3d955b5d 
Change-Id: I7214aa4334e3d817dd1b6d8dce43523e3d955b5d
stop logging user-agent in apache, fixes #6129 2014-09-25T09:22:14+00:00 Micah Anderson micah@leap.se 2014-09-22T18:57:24+00:00 9da2a36155d3b96e0dc41cac3dd38f8b6c50efd2 Change-Id: I66384ae4a723be063790362f70e57228a0f1539b 
Change-Id: I66384ae4a723be063790362f70e57228a0f1539b
Update TLS apache vhost TLS configuration (#5137): 2014-04-02T17:25:13+00:00 Micah Anderson micah@leap.se 2014-04-02T17:17:20+00:00 5cca6d100ffd991e6f943d916361bf0497728d70 . We want to allow for TLS1.2 to be enabled (supported in wheezy) . Explicitly disable SSLCompression. This aids in protecting against the BREACH attack: see http://breachattack.com), and SPDY version 3 is vulnerable to the CRIME attack when compression is on . Switch the cipher suites to match https://wiki.mozilla.org/Security/Server_Side_TLS#Apache for these reasons: . Prefer PFS, with ECDHE first then DHE (TLS 1.2, not many implementations support this, and there are no known attacks). . Prefer AES128 to AES256 because the key schedule in AES256 is considered weaker, and maybe AES128 is more resistant to timing attacks . Prefer AES to RC4. BEAST attacks on AES are mitigated in >=TLS1.1, and difficult in TLS1.0. They are not in RC4, and likely to become more dangerous . RC4 is on the path to removal, but still present for backward compatibility Change-Id: I99a7f0ebf2ac438f075835d1cb38f63080321043 
       . We want to allow for TLS1.2 to be enabled (supported in wheezy)

       . Explicitly disable SSLCompression. This aids in protecting
       against the BREACH attack: see http://breachattack.com), and SPDY
       version 3 is vulnerable to the CRIME attack when compression is
       on

       . Switch the cipher suites to match
       https://wiki.mozilla.org/Security/Server_Side_TLS#Apache for
       these reasons:
             . Prefer PFS, with ECDHE first then DHE (TLS 1.2, not many
             implementations support this, and there are no known attacks).
             . Prefer AES128 to AES256 because the key schedule in
             AES256 is considered weaker, and maybe AES128 is more
             resistant to timing attacks
             . Prefer AES to RC4. BEAST attacks on AES are mitigated in
             >=TLS1.1, and difficult in TLS1.0. They are not in RC4, and
             likely to become more dangerous
             . RC4 is on the path to removal, but still present for backward compatibility

Change-Id: I99a7f0ebf2ac438f075835d1cb38f63080321043
move leap_webapp.conf template to common.conf which is included by the nagios and webapp node (#5096) 2014-02-10T17:40:08+00:00 varac varacanero@zeromail.org 2014-02-06T14:36:12+00:00 6255e58bf9ff3489bf2707bc2be9759ec5c7db68 






anonymize webapp ips (Bug #4896)
2014-01-22T15:47:59+00:00

varac
varacanero@zeromail.org

2014-01-22T15:47:59+00:00

e7fe6d504565b7e0234681ed500059a54739f2e3












improvements to webapp deployment: allow for greater customization, allow for custom git source, improve apache config.
2013-11-22T19:14:13+00:00

elijah
elijah@riseup.net

2013-11-15T09:02:25+00:00

289a00a149ac08d01b8ee638620d8c2928966fa3












"Header set X-Frame-Options: Allow" only for nagios (Bug #4169)
2013-10-18T12:10:18+00:00

varac
varacanero@zeromail.org

2013-10-17T21:09:49+00:00

9074a7bce264d64f467bc628f06e37a5802043bd

Nagios won't work with setting this option to "DENY",
as set in conf.d/security (#4169). Therefor we allow
it here, only for nagios.





Nagios won't work with setting this option to "DENY",
as set in conf.d/security (#4169). Therefor we allow
it here, only for nagios.







Webapp doesn't serve commercial cert (Bug #3916)
2013-09-24T09:01:19+00:00

varac
varacanero@zeromail.org

2013-09-24T09:01:19+00:00

02f17c426e6288f898a66a1a687b413ffe9a9b95












move commercial x509 deployment to site_x509 (Feature #3889)
2013-09-24T08:06:22+00:00

varac
varacanero@zeromail.org

2013-09-24T07:23:54+00:00

9fae612bd8d147321e0cb553610fcaf0140e84eb