From aed223ad42635370bdbc1b239ed43a1330698c5e Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 4 Feb 2015 14:03:31 -0800 Subject: consolidate sources into common.json --- puppet/modules/site_nickserver/manifests/init.pp | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'puppet/modules/site_nickserver') diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index eaf90d55..c2deab0f 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -34,11 +34,12 @@ class site_nickserver { # See site_webapp/templates/haproxy_couchdb.cfg.erg $couchdb_port = '4096' + $sources = hiera('sources') + # temporarily for now: $domain = hiera('domain') $address_domain = $domain['full_suffix'] - include site_config::x509::cert include site_config::x509::key include site_config::x509::ca @@ -69,9 +70,9 @@ class site_nickserver { vcsrepo { '/srv/leap/nickserver': ensure => present, - revision => 'origin/master', - provider => git, - source => 'https://leap.se/git/nickserver', + revision => $sources['nickserver']['revision'], + provider => $sources['nickserver']['type'], + source => $sources['nickserver']['source'], owner => 'nickserver', group => 'nickserver', require => [ User['nickserver'], Group['nickserver'] ], -- cgit v1.2.3 From b77e3f7e87bc64ffaaa608e5b6a6ef385b8054d3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 26 May 2015 22:23:22 -0400 Subject: Implement weakdh recommendations for cipher suites (#7024) This is a first step mitigation until we can have a newer apache that will allow us to specify dh parameters other than the default. Change-Id: Ibfcee53b331e8919466027dde1a93117b5210d9d --- .../modules/site_nickserver/templates/nickserver-proxy.conf.erb | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) (limited to 'puppet/modules/site_nickserver') diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb index 56a8d9f6..d4e734c3 100644 --- a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb +++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb @@ -8,17 +8,13 @@ Listen 0.0.0.0:<%= @nickserver_port -%> ServerName <%= @nickserver_domain %> ServerAlias <%= @address_domain %> - SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - SSLHonorCipherOrder on - SSLCompression off - SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" - SSLCACertificatePath /etc/ssl/certs SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt + Include include.d/ssl_common.inc + ProxyPass / http://localhost:<%= @nickserver_local_port %>/ ProxyPreserveHost On # preserve Host header in HTTP request -- cgit v1.2.3