m--------- | puppet/modules/backupninja | 0 | ||||
-rw-r--r-- | puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb | 2 | ||||
-rw-r--r-- | puppet/modules/site_nagios/files/configs/Debian/nagios.cfg | 1 | ||||
-rw-r--r-- | puppet/modules/site_postfix/manifests/mx.pp | 1 | ||||
-rw-r--r-- | puppet/modules/site_postfix/manifests/mx/smtp_tls.pp | 10 | ||||
-rw-r--r-- | puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp | 11 | ||||
-rw-r--r-- | puppet/modules/site_static/manifests/domain.pp | 4 | ||||
-rw-r--r-- | puppet/modules/site_webapp/files/server-status.conf | 4 | ||||
-rw-r--r-- | puppet/modules/site_webapp/manifests/hidden_service.pp | 6 | ||||
m--------- | puppet/modules/tor | 0 |
10 files changed, 32 insertions, 7 deletions
diff --git a/puppet/modules/backupninja b/puppet/modules/backupninja
-Subproject daeb1a1f112a4dbf6b39565f0dea461e46a6468
+Subproject 497513547be79f9d3c8e96f1650ec43ee634b27
diff --git a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
index 653664ec..232b1577 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/hidden_service.conf.erb
@@ -1,5 +1,5 @@
 <VirtualHost 127.0.0.1:80>
- ServerName <%= tor_domain %>
+ ServerName <%= @tor_domain %>
 
 <IfModule mod_headers.c>
 Header always unset X-Powered-By
diff --git a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg
index 695f437b..62f26f2c 100644
--- a/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg
+++ b/puppet/modules/site_nagios/files/configs/Debian/nagios.cfg
@@ -24,6 +24,7 @@ log_file=/var/log/nagios3/nagios.log
 
 # Check_mk configuration files
 cfg_dir=/etc/nagios3/conf.d/check_mk
+cfg_dir=/etc/nagios3/local
 
 # Puppet-managed configuration files
 cfg_file=/etc/nagios3/nagios_templates.cfg
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 3230d4f0..7837f415 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -119,6 +119,7 @@ class site_postfix::mx {
 smtps inet n - - - - smtpd
 -o smtpd_tls_wrappermode=yes
 -o smtpd_tls_security_level=encrypt
+ -o tls_preempt_cipherlist=yes
 ${smtpd_relay_restrictions}
 -o smtpd_recipient_restrictions=\$smtps_recipient_restrictions
 -o smtpd_helo_restrictions=\$smtps_helo_restrictions
 -o smtpd_client_restrictions=
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
index 4eb80dd6..b27c0e3c 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
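Review bot: `cfg_dir=/etc/nagios3/local` makes Nagios load every `.cfg` file under that directory as live object configuration (hosts, services, and command definitions run as the nagios user), but nothing in this commit creates the directory or pins its ownership and mode; as far as I recall Nagios 3 also refuses to start its config check when a `cfg_dir` is missing, so a fresh node could fail until the directory exists. Suggest managing it from site_nagios alongside this change, e.g. `file { '/etc/nagios3/local': ensure => directory, owner => 'root', group => 'nagios', mode => '0750' }` (adapted to the module's existing conventions), and a comment above the new line naming its purpose: `# Site-local Nagios objects not managed by Puppet; directory owned by root`.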
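Review bot: `-o tls_preempt_cipherlist=yes` is added only as a master.cf override on the `smtps` entry, while the server-side cipher order it is meant to enforce (`tls_high_cipherlist`, `smtpd_tls_mandatory_ciphers`) is configured in smtpd_tls.pp; since it is an ordinary main.cf parameter, setting it once there keeps the two halves of the policy together and covers any other smtpd service (a submission entry, if one exists elsewhere in this file) without a second `-o` line. If the override is deliberately smtps-only, a short comment on the line saying why would help, as `-o` overrides inside the master.cf string are easy to miss. The master.cf text and the enclosing class continue outside the hunk.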
+++ b/puppet/modules/site_postfix/manifests/mx/smtp_tls.pp
@@ -28,5 +28,15 @@ class site_postfix::mx::smtp_tls {
 # see issue #4011
 'smtp_tls_protocols':
 value => '!SSLv2, !SSLv3';
+ 'smtp_tls_mandatory_protocols':
+ value => '!SSLv2, !SSLv3';
+ 'tls_ssl_options':
+ value => 'NO_COMPRESSION';
+ # We can switch between the different postfix internal list of ciphers by
+ # using smtpd_tls_ciphers. For server-to-server connections we leave this
+ # at its default because of opportunistic encryption combined with many mail
+ # servers only support outdated protocols and ciphers and if we are too
+ # strict with required ciphers, then connections *will* fall-back to
+ # plain-text. Bad ciphers are still better than plain text transmission.
 }
 }
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp
index 9fed3874..02a59942 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_tls.pp
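Review bot: The new comment names `smtpd_tls_ciphers`, but this class configures the Postfix SMTP client (outbound, server-to-server), where the parameters that select the cipher grade are `smtp_tls_ciphers` (opportunistic) and `smtp_tls_mandatory_ciphers` (encrypt/secure levels); as written it points the reader at the inbound-side setting that lives in the sibling smtpd_tls.pp. Suggest `# Outbound cipher grade is smtp_tls_ciphers (opportunistic) / smtp_tls_mandatory_ciphers` `# (encrypt/secure); left at defaults so weak peers still get TLS instead of plaintext.` Two related facts are worth a line each: `smtp_tls_mandatory_protocols` only applies to destinations whose `smtp_tls_security_level` is `encrypt` or stronger, not to the opportunistic default, and `tls_ssl_options` is a global parameter that also affects smtpd, so a reader of smtpd_tls.pp will not find it there. The wording "combined with many mail servers only support" reads awkwardly; "combined with the fact that many mail servers only support" says what is meant.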
@@ -20,6 +20,17 @@ class site_postfix::mx::smtpd_tls {
 value => 'ultra';
 'smtpd_tls_session_cache_database':
 value => 'btree:${data_directory}/smtpd_scache';
+ # see issue #4011
+ 'smtpd_tls_mandatory_protocols':
+ value => '!SSLv2, !SSLv3';
+ 'smtpd_tls_protocols':
+ value => '!SSLv2, !SSLv3';
+ # For connections to MUAs, TLS is mandatory and the ciphersuite is modified.
+ # MX and SMTP client configuration
+ 'smtpd_tls_mandatory_ciphers':
+ value => 'high';
+ 'tls_high_cipherlist':
+ value => 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
 }
 
 # Setup DH parameters
diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp
index b9177f25..5537d247 100644
--- a/puppet/modules/site_static/manifests/domain.pp
+++ b/puppet/modules/site_static/manifests/domain.pp
@@ -10,7 +10,9 @@ define site_static::domain (
 $domain = $name
 $base_dir = '/srv/static'
 
- create_resources(site_static::location, $locations)
+ if is_hash($locations) {
+ create_resources(site_static::location, $locations)
+ }
 
 x509::cert { $domain:
 content => $cert,
diff --git a/puppet/modules/site_webapp/files/server-status.conf b/puppet/modules/site_webapp/files/server-status.conf
index 84cb9ae0..10b2d4ed 100644
--- a/puppet/modules/site_webapp/files/server-status.conf
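Review bot: In the `tls_high_cipherlist` value the token `!PSK!aECDH` is missing the `:` separator between `!PSK` and `!aECDH`; OpenSSL's cipher-string parser does not treat `!` as a separator, so one or both of those exclusions may be silently dropped rather than applied. The practical exposure is small because `!aNULL` earlier in the string already removes the anonymous-ECDH suites, but the string should still be corrected to `...:!MD5:!PSK:!aECDH:...` and the effective list checked with `openssl ciphers -v '<the string>'` on the shipped OpenSSL, which would also show that `AES:CAMELLIA:DES-CBC3-SHA` is front-loaded only to be partly removed again by `!DES:!3DES`. Separately, `smtpd_tls_mandatory_ciphers = high` only governs services running at `smtpd_tls_security_level=encrypt` (the `smtps` entry in mx.pp); opportunistic TLS on port 25 keeps the `smtpd_tls_ciphers` default, and the fragment `# MX and SMTP client configuration` does not say that, so consider `# 'high' applies only to mandatory-TLS services (smtps); opportunistic port 25` `# keeps the smtpd_tls_ciphers default so weak peers do not fall back to plaintext.` The enclosing class continues outside the hunk.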
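Review bot: `if is_hash($locations)` silently skips location creation for any non-hash value, so a mistyped or wrongly structured `locations` entry in the node data no longer fails the catalog — it quietly produces a domain with no locations. If the intent is only to tolerate an absent value, guard for that explicitly and fail on anything else: `if is_hash($locations) { create_resources(site_static::location, $locations) } elsif $locations { fail("site_static::domain ${name}: locations must be a hash") }`. `is_hash` comes from puppetlabs-stdlib; fine if this module already depends on it, which I can't see from here. The define's parameter list starts outside the hunk.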
+++ b/puppet/modules/site_webapp/files/server-status.conf
@@ -7,14 +7,12 @@ ExtendedStatus On
 #SeeRequestTail On
 
 Listen 127.0.0.1:8162
-NameVirtualHost 127.0.0.1:8162
 
 <VirtualHost 127.0.0.1:8162>
 
 <Location /server-status>
 SetHandler server-status
- Order deny,allow
- Deny from all
+ Require all granted
 Allow from 127.0.0.1
 </Location>
 
diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
index 12eb1793..72a2ce95 100644
--- a/puppet/modules/site_webapp/manifests/hidden_service.pp
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
@@ -10,7 +10,7 @@ class site_webapp::hidden_service {
 include apache::module::removeip
 include tor::daemon
 
- tor::daemon::hidden_service { 'webapp': ports => '80 127.0.0.1:80' }
+ tor::daemon::hidden_service { 'webapp': ports => [ '80 127.0.0.1:80'] }
 
 file { '/var/lib/tor/webapp/':
@@ -38,7 +38,9 @@ class site_webapp::hidden_service {
 # because we are configuring our own version that is unavailable
 # over the hidden service (see: #7456 and #7776)
 apache::module { 'status': ensure => present, conf_content => ' ' }
-
+ # the access_compat module is required to enable Allow directives
+ apache::module { 'access_compat': ensure => present }
+
 apache::vhost::file { 'hidden_service':
 content => template('site_apache/vhosts.d/hidden_service.conf.erb');
diff --git a/puppet/modules/tor b/puppet/modules/tor
-Subproject dcb6e748864e7dfd3c14f4f2aba4c9120f12b78
+Subproject 8c936c166b6da1ebd0e8d95e56ceee5167357d6
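Review bot: `Require all granted` replaces the `Order deny,allow` / `Deny from all` pair but leaves `Allow from 127.0.0.1` in place, so the Apache 2.4 directive now grants `/server-status` to every client while the leftover 2.2-style `Allow` (honoured only through mod_access_compat, and with no `Order`/`Deny` left to pair with) no longer restricts anything; the loopback `Listen 127.0.0.1:8162` is the only thing keeping the handler off the network. Express the original intent in 2.4 syntax instead: replace both lines with `Require ip 127.0.0.1` (or `Require local`). That also removes the stated reason for `apache::module { 'access_compat': ensure => present }` in the second hunk of puppet/modules/site_webapp/manifests/hidden_service.pp — loading access_compat re-enables the legacy access directives for every vhost on the server, which is more than this one file needs — and its comment should then go with it. Mixing 2.2 and 2.4 access directives in one scope is documented by Apache as discouraged because the merge semantics are surprising, so avoiding the mix is safer than reasoning about it.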