From e3a1c5d0c8f644bc0956758a8832d2f586556cf6 Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@leap.se>
Date: Tue, 20 Aug 2013 20:36:12 -0400
Subject: Disable verbose, identifying apache headers (#3462):  . Disable
 ServerSignature  . Set ServerTokens Prod  . unset the X-Powered-By and
 X-Runtime apache headers

Change-Id: Iddb2cb9a0465bc7f657581adaacbbf748479fd7a
---
 puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'puppet/modules/site_apache/templates/vhosts.d/api.conf.erb')

diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
index ae894cd4..6a276e22 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -21,6 +21,11 @@ Listen 0.0.0.0:<%= api_port %>
 
   RequestHeader set X_FORWARDED_PROTO 'https'
 
+  <IfModule mod_headers.c>
+    Header always unset X-Powered-By
+    Header always unset X-Runtime
+  </IfModule>
+
   DocumentRoot /srv/leap/webapp/public
 
   # Check for maintenance file and redirect all requests
-- 
cgit v1.2.3


From 613f7f12f4c907ea07e79e3e73da8f2b71d3436d Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@leap.se>
Date: Tue, 20 Aug 2013 20:44:21 -0400
Subject: add HSTS if hiera value for webapp['secure'] is set (#3514)

Change-Id: Idd413349ec0b99835a1cbb4fb4c4fcef1a8fdeab
---
 puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'puppet/modules/site_apache/templates/vhosts.d/api.conf.erb')

diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
index 6a276e22..bc5ff156 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -22,6 +22,9 @@ Listen 0.0.0.0:<%= api_port %>
   RequestHeader set X_FORWARDED_PROTO 'https'
 
   <IfModule mod_headers.c>
+<% if @webapp['secure'] -%>
+    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
+<% end -%>
     Header always unset X-Powered-By
     Header always unset X-Runtime
   </IfModule>
-- 
cgit v1.2.3


From 55578fec453d6b090f623fd3368138f9e322c9f5 Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Thu, 19 Sep 2013 13:48:07 +0200
Subject: tidy webapp api x509 definitions (#3840)

---
 puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'puppet/modules/site_apache/templates/vhosts.d/api.conf.erb')

diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
index bc5ff156..4efbbc52 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -15,9 +15,9 @@ Listen 0.0.0.0:<%= api_port %>
   SSLHonorCipherOrder on
 
   SSLCACertificatePath /etc/ssl/certs
-  SSLCertificateChainFile /etc/ssl/certs/leap_api.pem
-  SSLCertificateKeyFile /etc/x509/keys/leap_api.key
-  SSLCertificateFile /etc/x509/certs/leap_api.crt
+  SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt
+  SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key   
+  SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt   
 
   RequestHeader set X_FORWARDED_PROTO 'https'
 
-- 
cgit v1.2.3


From 486a9cd3b7bd8d643a9623fd40db2286cdf52fc8 Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Fri, 20 Sep 2013 18:58:13 +0200
Subject: fix whitespace issues from https://review.leap.se/r/82

---
 puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'puppet/modules/site_apache/templates/vhosts.d/api.conf.erb')

diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
index 4efbbc52..5f1f4c1d 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -16,8 +16,8 @@ Listen 0.0.0.0:<%= api_port %>
 
   SSLCACertificatePath /etc/ssl/certs
   SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt
-  SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key   
-  SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt   
+  SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key
+  SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt
 
   RequestHeader set X_FORWARDED_PROTO 'https'
 
-- 
cgit v1.2.3


From a95e00f78e07d515b49de563ca5fbcd83be0d015 Mon Sep 17 00:00:00 2001
From: kwadronaut <kwadronaut@leap.se>
Date: Tue, 17 Sep 2013 20:09:10 +0200
Subject: adding fqdn as default servername and moving service.domain to
 ServerAlias (fixing #3384) node name and dns fqdn could be different Also
 note that on local deploys that warning from #3384 will continue to exist
 (because of dns)

---
 puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'puppet/modules/site_apache/templates/vhosts.d/api.conf.erb')

diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
index bc5ff156..2cac297e 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -7,7 +7,8 @@
 Listen 0.0.0.0:<%= api_port %>
 
 <VirtualHost *:<%= api_port -%>>
-  ServerName <%= api_domain %>
+  ServerName <%= domain_name %>
+  ServerAlias <%= api_domain %>
 
   SSLEngine on
   SSLProtocol -all +SSLv3 +TLSv1
-- 
cgit v1.2.3


From 02f17c426e6288f898a66a1a687b413ffe9a9b95 Mon Sep 17 00:00:00 2001
From: varac <varacanero@zeromail.org>
Date: Tue, 24 Sep 2013 11:01:19 +0200
Subject: Webapp doesn't serve commercial cert (Bug #3916)

---
 puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'puppet/modules/site_apache/templates/vhosts.d/api.conf.erb')

diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
index 9e2dbcaf..5f1f4c1d 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -7,8 +7,7 @@
 Listen 0.0.0.0:<%= api_port %>
 
 <VirtualHost *:<%= api_port -%>>
-  ServerName <%= domain_name %>
-  ServerAlias <%= api_domain %>
+  ServerName <%= api_domain %>
 
   SSLEngine on
   SSLProtocol -all +SSLv3 +TLSv1
-- 
cgit v1.2.3


From 5cca6d100ffd991e6f943d916361bf0497728d70 Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@leap.se>
Date: Wed, 2 Apr 2014 13:17:20 -0400
Subject: Update TLS apache vhost TLS configuration (#5137):

       . We want to allow for TLS1.2 to be enabled (supported in wheezy)

       . Explicitly disable SSLCompression. This aids in protecting
       against the BREACH attack: see http://breachattack.com), and SPDY
       version 3 is vulnerable to the CRIME attack when compression is
       on

       . Switch the cipher suites to match
       https://wiki.mozilla.org/Security/Server_Side_TLS#Apache for
       these reasons:
             . Prefer PFS, with ECDHE first then DHE (TLS 1.2, not many
             implementations support this, and there are no known attacks).
             . Prefer AES128 to AES256 because the key schedule in
             AES256 is considered weaker, and maybe AES128 is more
             resistant to timing attacks
             . Prefer AES to RC4. BEAST attacks on AES are mitigated in
             >=TLS1.1, and difficult in TLS1.0. They are not in RC4, and
             likely to become more dangerous
             . RC4 is on the path to removal, but still present for backward compatibility

Change-Id: I99a7f0ebf2ac438f075835d1cb38f63080321043
---
 puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

(limited to 'puppet/modules/site_apache/templates/vhosts.d/api.conf.erb')

diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
index 5f1f4c1d..3360ac59 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -10,9 +10,10 @@ Listen 0.0.0.0:<%= api_port %>
   ServerName <%= api_domain %>
 
   SSLEngine on
-  SSLProtocol -all +SSLv3 +TLSv1
-  SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+  SSLProtocol all -SSLv2
   SSLHonorCipherOrder on
+  SSLCompression off
+  SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
 
   SSLCACertificatePath /etc/ssl/certs
   SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt
-- 
cgit v1.2.3