Age | Commit message (Collapse) | Author |
|
We want to access service levels by means of the id stored in the user record. With a hash we don't have to loop through all elements to find the one with a given id and still can use arbitrary strings and do not rely on the order of the array.
Also it's the format the webapp is expecting right now.
|
|
"2"; add tcp-nodelay to tcp servers.
|
|
Change-Id: I8caad9b4ac15dcce8ab74ad6d22dd6ad9f6efb14
|
|
trigger changes, make the default ipv6 firewall subscribe to shorewall6,
if it exists, and finally reject all outgoing IPv6 packets.
All of this will complete the platform-side of route IPv6 through
OpenVPN gateway, and block it. (Feature #4163)
Change-Id: Icf6d582063ed01d304658b740a565057ee4e6810
|
|
some important things to note:
We are hard-coding the pushing of the ipv6 route '2000::/3' and
configuring the server-ipv6 to be 2001:db8:123::/64. This netblock is a
reserved ipv6 prefix that is used for documentation purposes
only (http://www.apnic.net/info/faq/ipv6-documentation-prefix-faq.html),
and the route being pushed redirects all internet-bound traffic.
When LEAP fully supports ipv6, these network values should be turned
into variables, but for now, to make sure we are blocking any clients
that have functional ipv6, this will work.
Change-Id: Icb65f3169264e0178a2e98825b266a779feac6b5
|
|
which will provide us with proper ipv6 support
Change-Id: I0188732aae6cbc64ab57e95bf805d6158fa17e07
|
|
Change-Id: I9c6c798b174228d44d01b55f2a4aa19458e2da8d
|
|
Change-Id: Ic7d0f8cc8c0340fdc24cf5ffa4c7018ebac76c7f
|
|
There are many different edge cases where mac and windows clients (and
maybe android too) will revert to using a different DNS server than the
one specified by openvpn.
This is bad news for security reasons. The client is being designed so
it doesn't leak DNS, however we don't want to put all of our eggs in one
basket, so this will block outgoing port 53 (udp and tcp) on the
gateway's firewall from any of the EIP interfaces (thus not blocking DNS
access on the gateway itself).
Change-Id: I84dcfec7fb591cf7e6b356b66b9721feda188177
|
|
specific, to avoid catching unrelated processes (#5327)
Change-Id: I63ffcd644a85137708712daac671b92898c70b7e
|
|
|
|
including the default_service_level
|
|
that sshd will be listening to in a default setup. This needs to be
allowed so that you can have a different port configured in the
hiera and not get locked out during deployment (#5119)
Change-Id: Ie101eaaf440415ddb276621c369da7f67f409c2b
|
|
the pid file (#5577)
Change-Id: I2144e3d8c0ee18254fe3822098c87b2a8c57c2ce
|
|
"rabbitLKJYW23695JGLKJ" where rabbit is the node name). Stop shipping a
static 'family' and instead provide a comma separated list of node tor
nicknames. (#5220)
Change-Id: I479f460ab230ad440f72c78dc6362983387ce12a
|
|
cert/key. This has the same effect of 'require' because both make sure
that the mentioned resource(s) will be applied before this resource, but
subscribe will cause this resource to refresh anytime the subscribed
resources change (#4342)
Change-Id: I9470bb36f135b821b67a1da70c472d7687b08718
|
|
is run, otherwise the openvpn service is restarted before config files
are deployed (#4154)
Change-Id: Ide38615714c1978bb90237986baea530c54153c3
|
|
Change-Id: Ic0ac3a7e6c9ce0e5f95bab023dbbf890c31d9e1c
|
|
Conflicts in certain situations (#5523)
Change-Id: I1ca67e317a7eb84f64cb7b79daa2e500f0561707
|
|
class to be more visually logical (#5269, #4590, #3712)
Change-Id: I58c28c3bc62e67b25f33da3378e8146110471613
|
|
. make the couchdb service start after the stunnels have been
setup. This may improve the cluster membership coming online
faster
. replace the two Couchdb::Create_db ordering hints (for the
'users' and 'tokens' databases) with a generic
Class['site_config::create_dbs'] hint. This makes it so we get
the ordering hint for all databases, which we were not before,
without having to individually list them
. replace the two Couchdb::Add_user ordering hints (for the
$couchdb_webapp_user and the $couchdb_soledad_user) with a
generic ordering hint for Class['site_couchdb::add_users']
ordering hint. This makes it so we get the ordering hint for all
the users, which we were not before, without having to
individually list them
Change-Id: Ia63e62d68d24e77a49d4ef928a2a8130ab7bccb9
|
|
cluster membership to settle, before attempting any operations
(#5269, #4590, #3712)
Change-Id: Ic9826dda1c242e705ce85ae218766496bdd8ecbd
|
|
|
|
|
|
|
|
(#5499)
Change-Id: Ia0efb4c129a71504a717c20e2e260a1ed83f2223
|
|
|
|
|
|
|
|
https://leap.se/code/issues/5426 Merge branch 'bugfix/buildessential' of https://github.com/elijh/leap_platform into elijh-bugfix/buildessential
|
|
https://leap.se/code/issues/4127
|
|
https://leap.se/code/issues/5426
|
|
|
|
|
|
smtp_tls_security_level of 'encrypt', so it is not optional (#1902)
Change-Id: I61ad0823e3eb8df6c224767d63f0911dcba42a16
|
|
. We want to allow for TLS1.2 to be enabled (supported in wheezy)
. Explicitly disable SSLCompression. This aids in protecting
against the BREACH attack: see http://breachattack.com), and SPDY
version 3 is vulnerable to the CRIME attack when compression is
on
. Switch the cipher suites to match
https://wiki.mozilla.org/Security/Server_Side_TLS#Apache for
these reasons:
. Prefer PFS, with ECDHE first then DHE (TLS 1.2, not many
implementations support this, and there are no known attacks).
. Prefer AES128 to AES256 because the key schedule in
AES256 is considered weaker, and maybe AES128 is more
resistant to timing attacks
. Prefer AES to RC4. BEAST attacks on AES are mitigated in
>=TLS1.1, and difficult in TLS1.0. They are not in RC4, and
likely to become more dangerous
. RC4 is on the path to removal, but still present for backward compatibility
Change-Id: I99a7f0ebf2ac438f075835d1cb38f63080321043
|
|
because the DNS lookup is either impossible (.local domain), or
incorrect (certain openstack/amazon/piston cloud configurations create
this setup when the relayhost is in the same cluster as the satellite).
Fixes #5225
Change-Id: Ifbc201678f2c0e97ee0e12bbf1c7f71d035d45c1
|
|
|
|
allow ability to customize openvpn security options
|
|
design docs json files (Feature #5359)
|
|
the mynetworks parameter. Previously we only allowed other mx servers to
relay to each other, but this prevents system mail from non-mx nodes
from getting out.
Fixes "Helo command rejected: You are not in domain bitmask.net (in reply to RCPT TO command))" (#5343)
Change-Id: I5e204958cb235808eedc3a1724fb2dc6c7a5b73b
|
|
into elijh-feature/static_site
Conflicts:
puppet/modules/site_config/manifests/packages/base.pp
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|