From e3a1c5d0c8f644bc0956758a8832d2f586556cf6 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 20 Aug 2013 20:36:12 -0400 Subject: Disable verbose, identifying apache headers (#3462): . Disable ServerSignature . Set ServerTokens Prod . unset the X-Powered-By and X-Runtime apache headers Change-Id: Iddb2cb9a0465bc7f657581adaacbbf748479fd7a --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 5 +++++ puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 5 +++++ 2 files changed, 10 insertions(+) (limited to 'puppet/modules/site_apache/templates') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index ae894cd4..6a276e22 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -21,6 +21,11 @@ Listen 0.0.0.0:<%= api_port %> RequestHeader set X_FORWARDED_PROTO 'https' + + Header always unset X-Powered-By + Header always unset X-Runtime + + DocumentRoot /srv/leap/webapp/public # Check for maintenance file and redirect all requests diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 4b051699..9108caff 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -21,6 +21,11 @@ RequestHeader set X_FORWARDED_PROTO 'https' + + Header always unset X-Powered-By + Header always unset X-Runtime + + DocumentRoot /srv/leap/webapp/public RewriteEngine On -- cgit v1.2.3 From 613f7f12f4c907ea07e79e3e73da8f2b71d3436d Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 20 Aug 2013 20:44:21 -0400 Subject: add HSTS if hiera value for webapp['secure'] is set (#3514) Change-Id: Idd413349ec0b99835a1cbb4fb4c4fcef1a8fdeab --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 3 +++ puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 3 +++ 2 files changed, 6 insertions(+) (limited to 'puppet/modules/site_apache/templates') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 6a276e22..bc5ff156 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -22,6 +22,9 @@ Listen 0.0.0.0:<%= api_port %> RequestHeader set X_FORWARDED_PROTO 'https' +<% if @webapp['secure'] -%> + Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" +<% end -%> Header always unset X-Powered-By Header always unset X-Runtime diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 9108caff..5e3960c2 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -22,6 +22,9 @@ RequestHeader set X_FORWARDED_PROTO 'https' +<% if @webapp['secure'] -%> + Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" +<% end -%> Header always unset X-Powered-By Header always unset X-Runtime -- cgit v1.2.3 From 55578fec453d6b090f623fd3368138f9e322c9f5 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 19 Sep 2013 13:48:07 +0200 Subject: tidy webapp api x509 definitions (#3840) --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'puppet/modules/site_apache/templates') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index bc5ff156..4efbbc52 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -15,9 +15,9 @@ Listen 0.0.0.0:<%= api_port %> SSLHonorCipherOrder on SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile /etc/ssl/certs/leap_api.pem - SSLCertificateKeyFile /etc/x509/keys/leap_api.key - SSLCertificateFile /etc/x509/certs/leap_api.crt + SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt + SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt RequestHeader set X_FORWARDED_PROTO 'https' -- cgit v1.2.3 From 486a9cd3b7bd8d643a9623fd40db2286cdf52fc8 Mon Sep 17 00:00:00 2001 From: varac Date: Fri, 20 Sep 2013 18:58:13 +0200 Subject: fix whitespace issues from https://review.leap.se/r/82 --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_apache/templates') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 4efbbc52..5f1f4c1d 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -16,8 +16,8 @@ Listen 0.0.0.0:<%= api_port %> SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt - SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key - SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt + SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt RequestHeader set X_FORWARDED_PROTO 'https' -- cgit v1.2.3 From a95e00f78e07d515b49de563ca5fbcd83be0d015 Mon Sep 17 00:00:00 2001 From: kwadronaut Date: Tue, 17 Sep 2013 20:09:10 +0200 Subject: adding fqdn as default servername and moving service.domain to ServerAlias (fixing #3384) node name and dns fqdn could be different Also note that on local deploys that warning from #3384 will continue to exist (because of dns) --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 3 ++- puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_apache/templates') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index bc5ff156..2cac297e 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -7,7 +7,8 @@ Listen 0.0.0.0:<%= api_port %> > - ServerName <%= api_domain %> + ServerName <%= domain_name %> + ServerAlias <%= api_domain %> SSLEngine on SSLProtocol -all +SSLv3 +TLSv1 diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 5e3960c2..3b376839 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -6,7 +6,8 @@ - ServerName <%= domain %> + ServerName <%= domain_name %> + ServerAlias <%= domain %> ServerAlias www.<%= domain %> SSLEngine on -- cgit v1.2.3 From 9fae612bd8d147321e0cb553610fcaf0140e84eb Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 24 Sep 2013 09:23:54 +0200 Subject: move commercial x509 deployment to site_x509 (Feature #3889) --- puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'puppet/modules/site_apache/templates') diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 3b376839..6059453b 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -16,9 +16,9 @@ SSLHonorCipherOrder on SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile /etc/ssl/certs/leap_webapp.pem - SSLCertificateKeyFile /etc/x509/keys/leap_webapp.key - SSLCertificateFile /etc/x509/certs/leap_webapp.crt + SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt + SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt RequestHeader set X_FORWARDED_PROTO 'https' -- cgit v1.2.3 From 02f17c426e6288f898a66a1a687b413ffe9a9b95 Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 24 Sep 2013 11:01:19 +0200 Subject: Webapp doesn't serve commercial cert (Bug #3916) --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'puppet/modules/site_apache/templates') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 9e2dbcaf..5f1f4c1d 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -7,8 +7,7 @@ Listen 0.0.0.0:<%= api_port %> > - ServerName <%= domain_name %> - ServerAlias <%= api_domain %> + ServerName <%= api_domain %> SSLEngine on SSLProtocol -all +SSLv3 +TLSv1 -- cgit v1.2.3 From 9074a7bce264d64f467bc628f06e37a5802043bd Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 17 Oct 2013 23:09:49 +0200 Subject: "Header set X-Frame-Options: Allow" only for nagios (Bug #4169) Nagios won't work with setting this option to "DENY", as set in conf.d/security (#4169). Therefor we allow it here, only for nagios. --- puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_apache/templates') diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 6059453b..afc19782 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -18,7 +18,7 @@ SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key - SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt RequestHeader set X_FORWARDED_PROTO 'https' @@ -49,6 +49,10 @@ PassengerEnabled off AllowOverride all + # Nagios won't work with setting this option to "DENY", + # as set in conf.d/security (#4169). Therefor we allow + # it here, only for nagios. + Header set X-Frame-Options: "ALLOW" <% end -%> -- cgit v1.2.3 From 289a00a149ac08d01b8ee638620d8c2928966fa3 Mon Sep 17 00:00:00 2001 From: elijah Date: Fri, 15 Nov 2013 01:02:25 -0800 Subject: improvements to webapp deployment: allow for greater customization, allow for custom git source, improve apache config. --- .../modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'puppet/modules/site_apache/templates') diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index afc19782..a001552a 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -45,6 +45,14 @@ PassengerFriendlyErrorPages off SetEnv TMPDIR /var/tmp + # Allow rails assets to be cached for a very long time (since the URLs change whenever the content changes) + + Header unset ETag + FileETag None + ExpiresActive On + ExpiresDefault "access plus 1 year" + + <% if (defined? @services) and (@services.include? 'monitor') -%> PassengerEnabled off -- cgit v1.2.3 From 6255e58bf9ff3489bf2707bc2be9759ec5c7db68 Mon Sep 17 00:00:00 2001 From: varac Date: Thu, 6 Feb 2014 15:36:12 +0100 Subject: move leap_webapp.conf template to common.conf which is included by the nagios and webapp node (#5096) --- .../site_apache/templates/vhosts.d/common.conf.erb | 72 ++++++++++++++++++++++ .../templates/vhosts.d/leap_webapp.conf.erb | 67 -------------------- 2 files changed, 72 insertions(+), 67 deletions(-) create mode 100644 puppet/modules/site_apache/templates/vhosts.d/common.conf.erb delete mode 100644 puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb (limited to 'puppet/modules/site_apache/templates') diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb new file mode 100644 index 00000000..30f0a6b1 --- /dev/null +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb @@ -0,0 +1,72 @@ + + ServerName <%= domain %> + ServerAlias www.<%= domain %> + RewriteEngine On + RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L] + + + + ServerName <%= domain_name %> + ServerAlias <%= domain %> + ServerAlias www.<%= domain %> + + SSLEngine on + SSLProtocol -all +SSLv3 +TLSv1 + SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLHonorCipherOrder on + + SSLCACertificatePath /etc/ssl/certs + SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt + SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt + + RequestHeader set X_FORWARDED_PROTO 'https' + + +<% if (defined? @services) and (@services.include? 'webapp') and (@webapp['secure']) -%> + Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" +<% end -%> + Header always unset X-Powered-By + Header always unset X-Runtime + + +<% if (defined? @services) and (@services.include? 'webapp') -%> + DocumentRoot /srv/leap/webapp/public + + RewriteEngine On + # Check for maintenance file and redirect all requests + RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f + RewriteCond %{SCRIPT_FILENAME} !maintenance.html + RewriteCond %{REQUEST_URI} !/images/maintenance.jpg + RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L] + + # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt + AllowEncodedSlashes on + PassengerAllowEncodedSlashes on + PassengerFriendlyErrorPages off + SetEnv TMPDIR /var/tmp + + # Allow rails assets to be cached for a very long time (since the URLs change whenever the content changes) + + Header unset ETag + FileETag None + ExpiresActive On + ExpiresDefault "access plus 1 year" + +<% end -%> + + +<% if (defined? @services) and (@services.include? 'monitor') -%> + + <% if (defined? @services) and (@services.include? 'webapp') -%> + PassengerEnabled off + <% end -%> + AllowOverride all + # Nagios won't work with setting this option to "DENY", + # as set in conf.d/security (#4169). Therefor we allow + # it here, only for nagios. + Header set X-Frame-Options: "ALLOW" + +<% end -%> + + diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb deleted file mode 100644 index a001552a..00000000 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ /dev/null @@ -1,67 +0,0 @@ - - ServerName <%= domain %> - ServerAlias www.<%= domain %> - RewriteEngine On - RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L] - - - - ServerName <%= domain_name %> - ServerAlias <%= domain %> - ServerAlias www.<%= domain %> - - SSLEngine on - SSLProtocol -all +SSLv3 +TLSv1 - SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH - SSLHonorCipherOrder on - - SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt - SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key - SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt - - RequestHeader set X_FORWARDED_PROTO 'https' - - -<% if @webapp['secure'] -%> - Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" -<% end -%> - Header always unset X-Powered-By - Header always unset X-Runtime - - - DocumentRoot /srv/leap/webapp/public - - RewriteEngine On - # Check for maintenance file and redirect all requests - RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f - RewriteCond %{SCRIPT_FILENAME} !maintenance.html - RewriteCond %{REQUEST_URI} !/images/maintenance.jpg - RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L] - - # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt - AllowEncodedSlashes on - PassengerAllowEncodedSlashes on - PassengerFriendlyErrorPages off - SetEnv TMPDIR /var/tmp - - # Allow rails assets to be cached for a very long time (since the URLs change whenever the content changes) - - Header unset ETag - FileETag None - ExpiresActive On - ExpiresDefault "access plus 1 year" - - - <% if (defined? @services) and (@services.include? 'monitor') -%> - - PassengerEnabled off - AllowOverride all - # Nagios won't work with setting this option to "DENY", - # as set in conf.d/security (#4169). Therefor we allow - # it here, only for nagios. - Header set X-Frame-Options: "ALLOW" - - <% end -%> - - -- cgit v1.2.3 From 5cca6d100ffd991e6f943d916361bf0497728d70 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Wed, 2 Apr 2014 13:17:20 -0400 Subject: Update TLS apache vhost TLS configuration (#5137): . We want to allow for TLS1.2 to be enabled (supported in wheezy) . Explicitly disable SSLCompression. This aids in protecting against the BREACH attack: see http://breachattack.com), and SPDY version 3 is vulnerable to the CRIME attack when compression is on . Switch the cipher suites to match https://wiki.mozilla.org/Security/Server_Side_TLS#Apache for these reasons: . Prefer PFS, with ECDHE first then DHE (TLS 1.2, not many implementations support this, and there are no known attacks). . Prefer AES128 to AES256 because the key schedule in AES256 is considered weaker, and maybe AES128 is more resistant to timing attacks . Prefer AES to RC4. BEAST attacks on AES are mitigated in >=TLS1.1, and difficult in TLS1.0. They are not in RC4, and likely to become more dangerous . RC4 is on the path to removal, but still present for backward compatibility Change-Id: I99a7f0ebf2ac438f075835d1cb38f63080321043 --- puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 5 +++-- puppet/modules/site_apache/templates/vhosts.d/common.conf.erb | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) (limited to 'puppet/modules/site_apache/templates') diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 5f1f4c1d..3360ac59 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -10,9 +10,10 @@ Listen 0.0.0.0:<%= api_port %> ServerName <%= api_domain %> SSLEngine on - SSLProtocol -all +SSLv3 +TLSv1 - SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLProtocol all -SSLv2 SSLHonorCipherOrder on + SSLCompression off + SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index 30f0a6b1..ed430510 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb @@ -11,9 +11,10 @@ ServerAlias www.<%= domain %> SSLEngine on - SSLProtocol -all +SSLv3 +TLSv1 - SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH + SSLProtocol all -SSLv2 SSLHonorCipherOrder on + SSLCompression off + SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt -- cgit v1.2.3