leap_platform.git/puppet/modules/site_apache, branch 0.7.1 [leap_platform] Implement weakdh recommendations for cipher suites (#7024) 2015-05-27T02:23:22+00:00 Micah Anderson micah@leap.se 2015-05-27T02:23:22+00:00 b77e3f7e87bc64ffaaa608e5b6a6ef385b8054d3 This is a first step mitigation until we can have a newer apache that will allow us to specify dh parameters other than the default. Change-Id: Ibfcee53b331e8919466027dde1a93117b5210d9d 
This is a first step mitigation until we can have a newer apache that
will allow us to specify dh parameters other than the default.

Change-Id: Ibfcee53b331e8919466027dde1a93117b5210d9d
Disable passenger when pnp4nagios is being fetched, this is part of 2015-04-08T15:57:34+00:00 Micah Anderson micah@leap.se 2015-04-07T20:20:39+00:00 27cd49653769979c3797df340d761a184cea0fec Change-Id: I21e9af3ef76f19924e58df5b40f4097d42fbf1cd 
Change-Id: I21e9af3ef76f19924e58df5b40f4097d42fbf1cd
Adds apache support for webapp.domain if defined on :80, completes fix for #6632 2015-03-30T19:55:27+00:00 guido guido@bruo.org 2015-03-30T19:55:27+00:00 252bb2121c87a2c650551fc306f7ee41c17e8d9f 






Adds apache support for webapp.domain if defined. Fixes #6632
2015-01-12T16:10:24+00:00

guido
guido@bruo.org

2015-01-12T15:43:35+00:00

53b87cc2b283df665a46a5781974f9ffd047c72c

Change-Id: If63aac60e44c4a68f030f93e20e8dc071f9df610





Change-Id: If63aac60e44c4a68f030f93e20e8dc071f9df610







Adds a ssl_common.inc file to use inside vhosts for the SSL config (solves #5103)
2014-12-22T13:52:38+00:00

guido
guido@bruo.org

2014-12-22T13:52:38+00:00

7d1f286e571af299fa88881393876dc6fb494256

Change-Id: I717bf7ca2c5679165a99370c4540f8b8dc1a48ea





Change-Id: I717bf7ca2c5679165a99370c4540f8b8dc1a48ea







Adds support for Tor hidden service on webapp (Feature #6273)
2014-11-05T01:24:44+00:00

guido
guido@bruo.org

2014-10-29T00:03:52+00:00

16c985a1b8e692c0e0f76a30b7ec052c9dc269bd

Change-Id: I56250e05e3a933deacd0b6e02192e712d3fd9fd5





Change-Id: I56250e05e3a933deacd0b6e02192e712d3fd9fd5







Disable SSLv3, and RC4 ciphers
2014-10-15T21:08:52+00:00

Micah Anderson
micah@leap.se

2014-10-15T21:07:45+00:00

189bd4b704ba685640ca01afe90f592e7b33567a

Change-Id: I7214aa4334e3d817dd1b6d8dce43523e3d955b5d





Change-Id: I7214aa4334e3d817dd1b6d8dce43523e3d955b5d







stop logging user-agent in apache, fixes #6129
2014-09-25T09:22:14+00:00

Micah Anderson
micah@leap.se

2014-09-22T18:57:24+00:00

9da2a36155d3b96e0dc41cac3dd38f8b6c50efd2

Change-Id: I66384ae4a723be063790362f70e57228a0f1539b





Change-Id: I66384ae4a723be063790362f70e57228a0f1539b







Update TLS apache vhost TLS configuration (#5137):
2014-04-02T17:25:13+00:00

Micah Anderson
micah@leap.se

2014-04-02T17:17:20+00:00

5cca6d100ffd991e6f943d916361bf0497728d70

       . We want to allow for TLS1.2 to be enabled (supported in wheezy)

       . Explicitly disable SSLCompression. This aids in protecting
       against the BREACH attack: see http://breachattack.com), and SPDY
       version 3 is vulnerable to the CRIME attack when compression is
       on

       . Switch the cipher suites to match
       https://wiki.mozilla.org/Security/Server_Side_TLS#Apache for
       these reasons:
             . Prefer PFS, with ECDHE first then DHE (TLS 1.2, not many
             implementations support this, and there are no known attacks).
             . Prefer AES128 to AES256 because the key schedule in
             AES256 is considered weaker, and maybe AES128 is more
             resistant to timing attacks
             . Prefer AES to RC4. BEAST attacks on AES are mitigated in
             >=TLS1.1, and difficult in TLS1.0. They are not in RC4, and
             likely to become more dangerous
             . RC4 is on the path to removal, but still present for backward compatibility

Change-Id: I99a7f0ebf2ac438f075835d1cb38f63080321043





       . We want to allow for TLS1.2 to be enabled (supported in wheezy)

       . Explicitly disable SSLCompression. This aids in protecting
       against the BREACH attack: see http://breachattack.com), and SPDY
       version 3 is vulnerable to the CRIME attack when compression is
       on

       . Switch the cipher suites to match
       https://wiki.mozilla.org/Security/Server_Side_TLS#Apache for
       these reasons:
             . Prefer PFS, with ECDHE first then DHE (TLS 1.2, not many
             implementations support this, and there are no known attacks).
             . Prefer AES128 to AES256 because the key schedule in
             AES256 is considered weaker, and maybe AES128 is more
             resistant to timing attacks
             . Prefer AES to RC4. BEAST attacks on AES are mitigated in
             >=TLS1.1, and difficult in TLS1.0. They are not in RC4, and
             likely to become more dangerous
             . RC4 is on the path to removal, but still present for backward compatibility

Change-Id: I99a7f0ebf2ac438f075835d1cb38f63080321043







move leap_webapp.conf template to common.conf which is included by the nagios and webapp node (#5096)
2014-02-10T17:40:08+00:00

varac
varacanero@zeromail.org

2014-02-06T14:36:12+00:00

6255e58bf9ff3489bf2707bc2be9759ec5c7db68