2 files changed, 14 insertions, 7 deletions

diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
index 5f1f4c1d..3360ac59 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -10,9 +10,10 @@ Listen 0.0.0.0:<%= api_port %>
   ServerName <%= api_domain %>
 
   SSLEngine on
-  SSLProtocol -all +SSLv3 +TLSv1
-  SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+  SSLProtocol all -SSLv2
   SSLHonorCipherOrder on
+  SSLCompression off
+  SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
 
   SSLCACertificatePath /etc/ssl/certs
   SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt
diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
index a001552a..ed430510 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
@@ -11,9 +11,10 @@
   ServerAlias www.<%= domain %>
 
   SSLEngine on
-  SSLProtocol -all +SSLv3 +TLSv1
-  SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+  SSLProtocol all -SSLv2
   SSLHonorCipherOrder on
+  SSLCompression off
+  SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
 
   SSLCACertificatePath /etc/ssl/certs
   SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt
@@ -23,13 +24,14 @@
   RequestHeader set X_FORWARDED_PROTO 'https'
 
   <IfModule mod_headers.c>
-<% if @webapp['secure'] -%>
+<% if (defined? @services) and (@services.include? 'webapp') and (@webapp['secure']) -%>
     Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
 <% end -%>
     Header always unset X-Powered-By
     Header always unset X-Runtime
   </IfModule>
 
+<% if (defined? @services) and (@services.include? 'webapp') -%>
   DocumentRoot /srv/leap/webapp/public
 
   RewriteEngine On
@@ -52,16 +54,20 @@
     ExpiresActive On
     ExpiresDefault "access plus 1 year"
   </Location>
+<% end -%>
+
 
- <% if (defined? @services) and (@services.include? 'monitor') -%>
+<% if (defined? @services) and (@services.include? 'monitor') -%>
  <DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3|/etc/nagios3/stylesheets)>
+ <% if (defined? @services) and (@services.include? 'webapp') -%>
     PassengerEnabled off
+ <% end -%>
     AllowOverride all
     # Nagios won't work with setting this option to "DENY",
     # as set in conf.d/security (#4169). Therefor we allow
     # it here, only for nagios.
     Header set X-Frame-Options: "ALLOW"
   </DirectoryMatch>
- <% end -%>
+<% end -%>
 </VirtualHost>