Age | Commit message | Author
2014-04-02 | Update TLS apache vhost TLS configuration (#5137): | Micah Anderson
. We want to allow for TLS1.2 to be enabled (supported in wheezy)
. Explicitly disable SSLCompression. This aids in protecting against the BREACH attack: see http://breachattack.com, and SPDY version 3 is vulnerable to the CRIME attack when compression is on
. Switch the cipher suites to match https://wiki.mozilla.org/Security/Server_Side_TLS#Apache for these reasons:
  . Prefer PFS, with ECDHE first then DHE (TLS 1.2, not many implementations support this, and there are no known attacks).
  . Prefer AES128 to AES256 because the key schedule in AES256 is considered weaker, and maybe AES128 is more resistant to timing attacks
  . Prefer AES to RC4. BEAST attacks on AES are mitigated in >=TLS1.1, and difficult in TLS1.0. They are not in RC4, and likely to become more dangerous
  . RC4 is on the path to removal, but still present for backward compatibility
Change-Id: I99a7f0ebf2ac438f075835d1cb38f63080321043
2014-04-02 | Fix for satellite hosts that are unable to contact their relayhost | Micah Anderson
because the DNS lookup is either impossible (.local domain), or incorrect (certain openstack/amazon/piston cloud configurations create this setup when the relayhost is in the same cluster as the satellite). Fixes #5225
Change-Id: Ifbc201678f2c0e97ee0e12bbf1c7f71d035d45c1
2014-04-02 | Merge branch '5359_design_docs' into 0.6 | varac
2014-04-02 | Merge remote-tracking branch 'github/0.6' into 0.6 | varac
2014-04-02 | Merge pull request #20 from elijh/feature/openvpn-config | varac
allow ability to customize openvpn security options
2014-04-02 | couch design docs should be always deployed, not only on update of the design docs json files (Feature #5359) | varac
2014-04-01 | Fix for Openstack/Amazon special case needing to allow ec2_public_ipv4 | Micah Anderson
in mynetworks (#5427)
Change-Id: Iee954f8cacd852f8c7c598c68a8793a3523c0132
2014-04-01 | Include all the ips that are allowed to send mail through the relay in | Micah Anderson
the mynetworks parameter. Previously we only allowed other mx servers to relay to each other, but this prevents system mail from non-mx nodes from getting out. Fixes "Helo command rejected: You are not in domain bitmask.net (in reply to RCPT TO command))" (#5343)
Change-Id: I5e204958cb235808eedc3a1724fb2dc6c7a5b73b
2014-03-31 | Merge branch 'feature/static_site' of https://github.com/elijh/leap_platform into elijh-feature/static_site | kwadronaut
Conflicts: puppet/modules/site_config/manifests/packages/base.pp
2014-03-26 | minor: fix message on stunnel test. | elijah
2014-03-26 | contacts.tor must be an array | elijah
2014-03-26 | Merge branch '0.6' of ssh://code.leap.se/leap_platform into 0.6 | varac
2014-03-26 | Merge branch '5018_dont_remove_dev_packages_on_couch_node' into 0.6 | varac
2014-03-26 | Merge branch '5374_openvpn_logwatch' into 0.6 | varac
2014-03-26 | Merge branch 'feature/cleanup-test-names' of https://github.com/elijh/leap_platform into elijh-feature/cleanup-test-names | kwadronaut
2014-03-25 | Move setup.pp to a subclass (site_config::setup) (Feature #2993) | varac
2014-03-25 | couch node: same packages removed on every (second ?) puppetrun (Feature #5018) | varac
2014-03-25 | ignore openvpn TLS initialization errors (Feature #5374) | varac
2014-03-24 | ensure platform.rb is utf8 | elijah
2014-03-24 | modules/site_static: part 2 - apache | elijah
2014-03-24 | fixes #5360 adds admin@ as reserved address + linting | kwadronaut
2014-03-23 | modules/site_static: part 1 - amber | elijah
2014-03-20 | allow ability to customize openvpn security stuff: tls-cipher, auth, and cipher config options. | elijah
2014-03-19 | Merge branch '5306_ignore_tapicero_PreconditionFailed' into 0.6 | varac
2014-03-19 | Merge branch '4798_automatic_compaction' into 0.6 | varac
2014-03-18 | clean up the names of tests | elijah
2014-03-15 | Merge remote-tracking branch 'elijah/feature/test-order' into 0.6 | varac
2014-03-15 | Merge remote-tracking branch 'elijah/feature/provider-env' into 0.6 | varac
2014-03-14 | added support for environment specific providers (e.g. provider.production.json). requires latest leap_cli. | elijah
2014-03-13 | catch errors when tapicero fails to create a userdb (Feature #5306) | varac
2014-03-13 | Merge branch '5324_nagios_logging' into 0.6 | varac
2014-03-13 | deploy automatic compaction via platform (Feature #4798) | varac
2014-03-13 | Merge branch '5239_soledad_check' into 0.6 | varac
2014-03-13 | Don't archive nagios logs, use logrotate for it (Feature #5324) | varac
2014-03-13 | Don't archive nagios logs (#5324) | varac
2014-03-13 | removed trailing whitespaces in nagios.cfg | varac
2014-03-12 | check if soledad is working (Feature #5239) | varac
2014-03-12 | Merge remote-tracking branch 'irregulator/bug/5241' into 0.6 | Micah Anderson
2014-03-12 | Merge branch 'develop' into 0.6 | Micah Anderson
2014-03-12 | Indentation fix. | irregulator
2014-03-12 | DirPortFrontPage serves a static webpage only when Tor node is exit. | irregulator
See leap.se/code/issues/5241
2014-03-08 | allow for (optional) configured node order when running tests. requires latest leap_cli to work, but won't break with older leap_cli | elijah
2014-03-05 | updated submodule rubygems (#3827) | varac
2014-03-05 | updated submodule rubygems (#3827) | varac
2014-03-05 | use the right package dependencies for site_check_mk::agent class and subclasses | varac
2014-03-04 | Merge branch 'improve_monitoring_even_more' into 0.6 | varac
2014-03-04 | remove trailing whitespaces from logwatch config files | varac
2014-03-04 | updated submodule check_mk | varac
2014-03-04 | use curly brackets for variables in check_leap_mx.sh output, see https://review.leap.se/r/160/#comment156 | varac
2014-03-04 | don't use storedconfigs for check_mk, requires current check_mk module (#5253) | varac