From 0d46876a37334e71634eeaa77546d3fa5d1fde55 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 14 Jan 2015 13:27:45 -0800 Subject: static site service: pin amber gem to 0.3.4 --- puppet/modules/site_static/manifests/init.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index aed9775e..ce79c00f 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -44,7 +44,7 @@ class site_static { if (member($formats, 'amber')) { include site_config::ruby::dev - rubygems::gem{'amber-0.3.0': } + rubygems::gem{'amber-0.3.4': } } create_resources(site_static::domain, $domains) -- cgit v1.2.3 From f8c359d8795d216dd5ce1cc9e3e14b3b7933a718 Mon Sep 17 00:00:00 2001 From: elijah Date: Thu, 2 Apr 2015 15:46:16 -0700 Subject: static: restart apache when tls certs change --- puppet/modules/site_static/manifests/domain.pp | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp index 6941b1a3..b9177f25 100644 --- a/puppet/modules/site_static/manifests/domain.pp +++ b/puppet/modules/site_static/manifests/domain.pp @@ -12,9 +12,18 @@ define site_static::domain ( create_resources(site_static::location, $locations) - x509::cert { $domain: content => $cert } - x509::key { $domain: content => $key } - x509::ca { "${domain}_ca": content => $ca_cert } + x509::cert { $domain: + content => $cert, + notify => Service[apache] + } + x509::key { $domain: + content => $key, + notify => Service[apache] + } + x509::ca { "${domain}_ca": + content => $ca_cert, + notify => Service[apache] + } apache::vhost::file { $domain: content => template('site_static/apache.conf.erb') -- cgit v1.2.3 From b77e3f7e87bc64ffaaa608e5b6a6ef385b8054d3 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 26 May 2015 22:23:22 -0400 Subject: Implement weakdh recommendations for cipher suites (#7024) This is a first step mitigation until we can have a newer apache that will allow us to specify dh parameters other than the default. Change-Id: Ibfcee53b331e8919466027dde1a93117b5210d9d --- puppet/modules/site_static/templates/apache.conf.erb | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) (limited to 'puppet/modules/site_static') diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index 9b516a10..4d61cc08 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb @@ -45,12 +45,8 @@ #RewriteLog "/var/log/apache2/rewrite.log" #RewriteLogLevel 3 - SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - SSLHonorCipherOrder on - SSLCompression off - SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" - + Include include.d/ssl_common.inc + <%- if @tls_only -%> Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains" <%- end -%> -- cgit v1.2.3