From 7d1f286e571af299fa88881393876dc6fb494256 Mon Sep 17 00:00:00 2001 From: guido Date: Mon, 22 Dec 2014 10:52:38 -0300 Subject: Adds a ssl_common.inc file to use inside vhosts for the SSL config (solves #5103) Change-Id: I717bf7ca2c5679165a99370c4540f8b8dc1a48ea --- puppet/modules/site_apache/files/include.d/ssl_common.inc | 7 +++++++ puppet/modules/site_apache/manifests/common.pp | 1 + puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 8 +------- puppet/modules/site_apache/templates/vhosts.d/common.conf.erb | 8 +------- 4 files changed, 10 insertions(+), 14 deletions(-) create mode 100644 puppet/modules/site_apache/files/include.d/ssl_common.inc (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/files/include.d/ssl_common.inc b/puppet/modules/site_apache/files/include.d/ssl_common.inc new file mode 100644 index 00000000..08b993cc --- /dev/null +++ b/puppet/modules/site_apache/files/include.d/ssl_common.inc @@ -0,0 +1,7 @@ +SSLEngine on +SSLProtocol all -SSLv2 -SSLv3 +SSLHonorCipherOrder on +SSLCompression off +SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" + +RequestHeader set X_FORWARDED_PROTO 'https' \ No newline at end of file diff --git a/puppet/modules/site_apache/manifests/common.pp b/puppet/modules/site_apache/manifests/common.pp index 72f24838..2b83ffa5 100644 --- a/puppet/modules/site_apache/manifests/common.pp +++ b/puppet/modules/site_apache/manifests/common.pp 
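Review bot: The new ssl_common.inc has no header comment, so nothing tells a later editor that it is pulled into both the api and the common vhost and that a change to `SSLProtocol` or `SSLCipherSuite` here alters every TLS listener at once. I would open the file with `# Shared TLS settings, included from vhosts.d/api.conf.erb and vhosts.d/common.conf.erb; certificate paths stay in each vhost.` The file also ends without a trailing newline (`\ No newline at end of file`), which is easiest to fix while the file is new.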
@@ -23,4 +23,5 @@ class site_apache::common { content => template('site_apache/vhosts.d/common.conf.erb') } + apache::config::include{ 'ssl_common.inc': } } diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index e4732289..0396f54b 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -11,18 +11,12 @@ Listen 0.0.0.0:<%= api_port %> ServerName <%= api_domain %> CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common - SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - SSLHonorCipherOrder on - SSLCompression off - SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" - SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt - RequestHeader set X_FORWARDED_PROTO 'https' + Include include.d/ssl_common.inc <% if @webapp['secure'] -%> 
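Review bot: The added `Include include.d/ssl_common.inc` in api.conf.erb makes the vhost depend on a file that this commit declares only in `site_apache::common`. Apache treats a missing non-wildcard `Include` target as a fatal configuration error. A node that renders the api vhost without that class, or reloads before the file is in place, would probably fail to start with its TLS vhosts down; this is inferred, because the classes that render api.conf.erb are not visible here. The same applies to the identical line added to common.conf.erb. Declaring `apache::config::include{ 'ssl_common.inc': }` next to every user of these templates, or ordering it before the vhost resources, would make the dependency explicit.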
diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index a9733a97..a5f1fc51 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb @@ -12,18 +12,12 @@ ServerAlias www.<%= domain %> CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common - SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - SSLHonorCipherOrder on - SSLCompression off - SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" - SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt - RequestHeader set X_FORWARDED_PROTO 'https' + Include include.d/ssl_common.inc <% if (defined? @services) and (@services.include? 'webapp') and (@webapp['secure']) -%> -- cgit v1.2.3 From 53b87cc2b283df665a46a5781974f9ffd047c72c Mon Sep 17 00:00:00 2001 
From: guido Date: Mon, 12 Jan 2015 12:43:35 -0300 Subject: Adds apache support for webapp.domain if defined. Fixes #6632 Change-Id: If63aac60e44c4a68f030f93e20e8dc071f9df610 --- puppet/modules/site_apache/templates/vhosts.d/common.conf.erb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index a5f1fc51..87c40005 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb @@ -7,7 +7,9 @@ - ServerName <%= domain_name %> + + ServerName <%= webapp_domain %> + ServerAlias <%= domain_name %> ServerAlias <%= domain %> ServerAlias www.<%= domain %> CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log common -- cgit v1.2.3 From 252bb2121c87a2c650551fc306f7ee41c17e8d9f Mon Sep 17 00:00:00 2001 From: guido Date: Mon, 30 Mar 2015 16:55:27 -0300 Subject: Adds apache support for webapp.domain if defined on :80, completes fix for #6632 --- puppet/modules/site_apache/templates/vhosts.d/common.conf.erb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index 87c40005..43bd1076 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb @@ -1,5 +1,7 @@ - ServerName <%= domain %> + ServerName <%= webapp_domain %> + ServerAlias <%= domain_name %> + ServerAlias <%= domain %> ServerAlias www.<%= domain %> RewriteEngine On RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L] @@ -7,7 +9,6 @@ - ServerName <%= webapp_domain %> ServerAlias <%= domain_name %> ServerAlias <%= domain %> -- cgit v1.2.3 
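Review bot: `ServerName <%= webapp_domain %>` is emitted unconditionally in the :443 vhost, although the subject line says the name is used "if defined". No `<% if %>` guard is added in this hunk, so the fallback has to come from the manifest, which is not visible here. If `webapp_domain` can be unset, the template either fails to render or produces an empty `ServerName`, which Apache rejects. The same line is added to the :80 vhost in the following commit. The rest of the template reads `@services` and `@webapp`, so `<%= @webapp_domain %>` would also match the file's own style for new lines.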
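Review bot: The :80 vhost now answers for `webapp_domain`, but the unchanged `RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI}` in the context lines still sends every request to `domain`. A plain-HTTP request for the webapp name is therefore redirected to a different host name than the one the client asked for. If that canonicalisation is intended, a comment above the rule would record it, for example `# every name on :80 is redirected to the canonical https://<domain>`. If not, the redirect target should use `webapp_domain`. The vhost's opening and closing lines are outside this hunk.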
From 27cd49653769979c3797df340d761a184cea0fec Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 7 Apr 2015 16:20:39 -0400 Subject: Disable passenger when pnp4nagios is being fetched, this is part of Change-Id: I21e9af3ef76f19924e58df5b40f4097d42fbf1cd --- puppet/modules/site_apache/templates/vhosts.d/common.conf.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb index 43bd1076..ee5cd707 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb @@ -57,7 +57,7 @@ <% if (defined? @services) and (@services.include? 'monitor') -%> - + <% if (defined? @services) and (@services.include? 'webapp') -%> PassengerEnabled off <% end -%> -- cgit v1.2.3 From b77e3f7e87bc64ffaaa608e5b6a6ef385b8054d3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 26 May 2015 22:23:22 -0400 Subject: Implement weakdh recommendations for cipher suites (#7024) This is a first step mitigation until we can have a newer apache that will allow us to specify dh parameters other than the default. Change-Id: Ibfcee53b331e8919466027dde1a93117b5210d9d --- puppet/modules/site_apache/files/include.d/ssl_common.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_apache') diff --git a/puppet/modules/site_apache/files/include.d/ssl_common.inc b/puppet/modules/site_apache/files/include.d/ssl_common.inc index 08b993cc..2d282c84 100644 --- a/puppet/modules/site_apache/files/include.d/ssl_common.inc +++ b/puppet/modules/site_apache/files/include.d/ssl_common.inc 
@@ -2,6 +2,6 @@ SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLHonorCipherOrder on SSLCompression off -SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" +SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" RequestHeader set X_FORWARDED_PROTO 'https' \ No newline at end of file -- cgit v1.2.3
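Review bot: The new `SSLCipherSuite` value runs two exclusions together as `!PSK!aECDH`, with the `:` separator missing. Whether `!aECDH` is still applied then depends on how the OpenSSL rule parser treats the joined token; writing `!PSK:!aECDH` removes the doubt. The string also adds `DES-CBC3-SHA` while keeping `!3DES`, which removes it again, so the three `!...-DES-CBC3-SHA` exclusions at the end do nothing. Either drop `!3DES`, if 3DES is wanted as a last-resort fallback, or drop the `DES-CBC3-SHA` entries so the list states what is actually offered. The DHE suites stay enabled with the server's default DH parameters, as the description acknowledges, so this item should be tracked until custom parameters can be set.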