diff options
author | Micah <micah@riseup.net> | 2015-05-28 14:41:23 +0000 |
---|---|---|
committer | Micah <micah@riseup.net> | 2015-05-28 14:41:23 +0000 |
commit | e7651410cfc8f67be1deaa5354a7f88219086719 (patch) | |
tree | 6a8e58662845b4cf03f7f6c1b280aa9ad88f2595 /puppet/modules/site_nickserver | |
parent | d3ba83a4825b8296217e1f21190728772fc32133 (diff) | |
parent | b77e3f7e87bc64ffaaa608e5b6a6ef385b8054d3 (diff) |
Merge branch '0.7.0' into '0.7.0'
Implement weakdh recommendations for cipher suites (#7024)
This is a first step mitigation until we can have a newer apache that
will allow us to specify dh parameters other than the default.
Change-Id: Ibfcee53b331e8919466027dde1a93117b5210d9d
See merge request !48
Diffstat (limited to 'puppet/modules/site_nickserver')
-rw-r--r-- | puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb | 8 |
1 files changed, 2 insertions, 6 deletions
diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb index 56a8d9f6..d4e734c3 100644 --- a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb +++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb @@ -8,17 +8,13 @@ Listen 0.0.0.0:<%= @nickserver_port -%> ServerName <%= @nickserver_domain %> ServerAlias <%= @address_domain %> - SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - SSLHonorCipherOrder on - SSLCompression off - SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" - SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt + Include include.d/ssl_common.inc + ProxyPass / http://localhost:<%= @nickserver_local_port %>/ ProxyPreserveHost On # preserve Host header in HTTP request </VirtualHost> |