Sebastien Robin / slapos
Commit 1ae0ad0d, authored Apr 13, 2016 by Kazuhiko Shiozaki
SSL: use the same configuration everywhere.
parent 4652ced7
Showing 25 changed files with 64 additions and 52 deletions
slapos/recipe/apache_zope_backend/template/snippet.ssl.in +3 -3
slapos/recipe/erp5/template/apache.ssl-snippet.conf.in +3 -3
slapos/recipe/erp5testnode/template/httpd.conf.in +3 -3
software/apache-frontend/README.apache_frontend.txt +3 -3
software/apache-frontend/common.cfg +2 -2
software/apache-frontend/templates/apache.conf.in +2 -1
software/apache-frontend/templates/trafficserver/records.config.jinja2 +7 -6
software/gateone/software.cfg +1 -1
software/gateone/templates/nginx.conf.in +3 -2
software/html5ide/software.cfg +1 -1
software/html5ide/template/httpd.conf.jinja2 +3 -3
software/kvm/common.cfg +1 -1
software/kvm/template/apache.conf.in +3 -1
software/monitor/cgi-httpd.conf.in +3 -3
software/re6stnet/apache.conf.in +3 -1
software/re6stnet/software.cfg +1 -1
software/slapos-master/apache.conf.in +4 -2
software/slapos-master/software.cfg +1 -1
software/slaprunner/common.cfg +2 -2
software/slaprunner/httpd_conf.in +3 -3
software/slaprunner/nginx_conf.in +3 -2
stack/erp5/apache.conf.in +4 -2
stack/erp5/buildout.cfg +1 -1
stack/monitor/buildout.cfg +1 -1
stack/monitor/templates/monitor-httpd.conf.in +3 -3
slapos/recipe/apache_zope_backend/template/snippet.ssl.in
View file @
1ae0ad0d
...
...
@@ -2,8 +2,8 @@ SSLCertificateFile %(certificate)s
SSLCertificateKeyFile %(key)s
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLProtocol
-ALL +SSLv3 +TLSv1
SSL
HonorCipherOrder On
SSL
CipherSuite RC4-SHA:HIGH:!ADH
SSLProtocol
all -SSLv2 -SSLv3
SSL
CipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSL
HonorCipherOrder on
SSLSessionCache shmcb:%(ssl_session_cache)s(512000)
SSLProxyEngine On
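Review bot: the new SSLCipherSuite value still carries ECDH+3DES:DH+3DES and RSA+3DES ahead of the HIGH catch-all, so 3DES remains negotiable for any client that offers nothing stronger. 3DES is a 64-bit block cipher; unless a known legacy client depends on it, drop those three entries and append !3DES, because OpenSSL releases that classify 3DES as HIGH would otherwise bring it back through the catch-all. The RSA+AESGCM and RSA+AES entries also accept key exchange without forward secrecy, which deserves a sentence in the commit message if it is kept on purpose for compatibility.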
slapos/recipe/erp5/template/apache.ssl-snippet.conf.in
View file @
1ae0ad0d
...
...
@@ -3,7 +3,7 @@ SSLCertificateFile %(login_certificate)s
SSLCertificateKeyFile %(login_key)s
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLProtocol
-ALL +SSLv3 +TLSv1
SSLCipherSuite
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
SSLProtocol
all -SSLv2 -SSLv3
SSLCipherSuite
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
SSLProxyEngine On
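Review bot: "SSLProtocol all -SSLv2 -SSLv3" is a deny-list, so TLSv1 and TLSv1.1 stay enabled and the accepted set is whatever else the linked OpenSSL provides. This file previously accepted only SSLv3 and TLSv1, and its old cipher list (with RC4+RSA and +MEDIUM) differed from the other templates, so the behaviour change here is larger than the commit message "use the same configuration everywhere" suggests. Please state in the commit message which protocol versions are meant to be allowed and that RC4 and MEDIUM suites are being dropped for clients of this endpoint.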
slapos/recipe/erp5testnode/template/httpd.conf.in
View file @
1ae0ad0d
...
...
@@ -45,9 +45,9 @@ SSLCertificateFile %(certificate)s
SSLCertificateKeyFile %(key)s
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLProtocol
-ALL +SSLv3 +TLSv1
SSL
HonorCipherOrder On
SSL
CipherSuite RC4-SHA:HIGH:!ADH
SSLProtocol
all -SSLv2 -SSLv3
SSL
CipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSL
HonorCipherOrder on
SSLProxyEngine On
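Review bot: the SSLProtocol, SSLCipherSuite and SSLHonorCipherOrder values here are the same three literals pasted into the other Apache templates in this commit. Consider defining the protocol and cipher strings once and substituting them into each template (a shared buildout option would be one way; that mechanism is a suggestion, not something visible in this patch), so the next policy change is one edit instead of 25 files plus their md5sum pins.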
...
...
software/apache-frontend/README.apache_frontend.txt
View file @
1ae0ad0d
...
...
@@ -440,9 +440,9 @@ the proxy::
ServerAdmin example.org
SSLEngine on
SSLProxyEngine on
SSLProtocol
-ALL +SSLv3 +TLSv1
SSL
HonorCipherOrder On
SSL
CipherSuite RC4-SHA:HIGH:!ADH
SSLProtocol
all -SSLv2 -SSLv3
SSL
CipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSL
HonorCipherOrder on
# Use personal ssl certificates
SSLCertificateFile %(ssl_crt)s
SSLCertificateKeyFile %(ssl_key)s
...
...
software/apache-frontend/common.cfg
View file @
1ae0ad0d
...
...
@@ -96,7 +96,7 @@ mode = 640
[template-apache-frontend-configuration]
recipe = slapos.recipe.build:download
url = ${:_profile_base_location_}/templates/apache.conf.in
md5sum =
09ffa9a94cc7506d32c2c422853106b6
md5sum =
8ff17b2a0d0495ec935e378f3976de71
mode = 640
[template-apache-cached-configuration]
...
...
@@ -164,7 +164,7 @@ md5sum = 8cde04bfd0c0e9bd56744b988275cfd8
[template-trafficserver-records-config]
recipe = hexagonit.recipe.download
url = ${:_profile_base_location_}/templates/trafficserver/${:filename}
md5sum =
c68fc90886c3314466b459520692e145
md5sum =
65afeef0229430ad8a6fbc57298b787b
location = ${buildout:parts-directory}/${:_buildout_section_name_}
filename = records.config.jinja2
download-only = true
...
...
software/apache-frontend/templates/apache.conf.in
View file @
1ae0ad0d
...
...
@@ -123,7 +123,8 @@ SSLSessionCacheTimeout 300
SSLRandomSeed startup /dev/urandom 256
SSLRandomSeed connect builtin
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
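Review bot: the replaced line was "SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4", and the new list drops the explicit !RC4. RC4 is now excluded only because none of the listed selectors match it; keeping ":!RC4" at the end states the intent and protects against someone appending MEDIUM again later. MEDIUM is also gone from this frontend, so any client that relied on a MEDIUM suite will now fail the handshake, which should be mentioned in the commit message.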
...
...
software/apache-frontend/templates/trafficserver/records.config.jinja2
View file @
1ae0ad0d
...
...
@@ -492,18 +492,19 @@ CONFIG proxy.config.url_remap.pristine_host_hdr INT 1
# proxy.config.exec_thread.autoconfig.scale by default. You can
# override that here (set it to a non-zero value).
CONFIG proxy.config.ssl.number.threads INT 0
# The following three variables can be
# set to 0 to disable SSLv2, SSLv3, and/or TLSv1.
# SSLv2 is disabled by default for security concern.
# The following variables control SSL protocols.
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT
1
CONFIG proxy.config.ssl.SSLv3 INT
0
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
# The following two variables control the Cipher Suite traffic Server
# uses for HTTPS connnections and whether to prefer the client
# selected (default) or the server selected
# Our default SSL Cipher Suite tries to be reasonably fast and strong.
CONFIG proxy.config.ssl.server.cipher_suite STRING RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL
CONFIG proxy.config.ssl.server.honor_cipher_order INT 0
CONFIG proxy.config.ssl.server.cipher_suite STRING ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
# Control if SSL should perform content compression or not
CONFIG proxy.config.ssl.compression INT 0
# Client certification level should be:
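Review bot: the rewritten comment above proxy.config.ssl.SSLv2 ("The following variables control SSL protocols.") no longer tells the reader that 0 disables a protocol, which the old three-line comment did. Keep that hint and say why SSLv3 is set to 0, since TLSv1 and TLSv1_1 are left at 1 with no explanation. The cipher-suite comment in this hunk also still describes the client-selected order as the default although honor_cipher_order is now 1, and it spells "connnections" with three n's.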
...
...
software/gateone/software.cfg
View file @
1ae0ad0d
...
...
@@ -111,7 +111,7 @@ extra-context =
< = download-base
url = ${:_profile_base_location_}/templates/${:filename}.in
filename = nginx.conf
md5sum =
72f4cc110f618b317793e21124f45121
md5sum =
3d80d73a9cfffca6687813d86ddc25ba
[check-recipe]
recipe = plone.recipe.command
...
...
software/gateone/templates/nginx.conf.in
View file @
1ae0ad0d
...
...
@@ -24,8 +24,9 @@ http {
server_name _;
ssl_certificate {{ parameter_dict['ssl-certificate'] }};
ssl_certificate_key {{ parameter_dict['ssl-key'] }};
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
ssl_prefer_server_ciphers on;
keepalive_timeout 90s;
client_body_temp_path {{ param_tempdir['client_body_temp_path'] }};
proxy_temp_path {{ param_tempdir['proxy_temp_path'] }};
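Review bot: the new ssl_ciphers line has no terminating semicolon, while the line it replaces ("ssl_ciphers HIGH:!aNULL:!MD5;") had one. nginx will read the following "ssl_prefer_server_ciphers on" tokens as further arguments to ssl_ciphers and reject the configuration. Add the ";" after "!MD5", regenerate the md5sum pinned for nginx.conf in software/gateone/software.cfg, and run "nginx -t" against a rendered template before merging.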
...
...
software/html5ide/software.cfg
View file @
1ae0ad0d
...
...
@@ -32,7 +32,7 @@ mode = 0644
recipe = hexagonit.recipe.download
url = ${:_profile_base_location_}/template/httpd.conf.jinja2
download-only = true
md5sum =
0c9e75bcbaf5ed97f7b33d472107b634
md5sum =
97d84138323b1e3214847b1b7de9a10e
filename = httpd_conf.in
mode = 0644
...
...
software/html5ide/template/httpd.conf.jinja2
View file @
1ae0ad0d
...
...
@@ -35,9 +35,9 @@ SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLRandomSeed startup /dev/urandom 256
SSLRandomSeed connect builtin
SSLProtocol
-ALL +SSLv3 +TLSv1
SSL
HonorCipherOrder On
SSL
CipherSuite RC4-SHA:HIGH:!ADH
SSLProtocol
all -SSLv2 -SSLv3
SSL
CipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSL
HonorCipherOrder on
SSLEngine On
...
...
software/kvm/common.cfg
View file @
1ae0ad0d
...
...
@@ -203,7 +203,7 @@ recipe = hexagonit.recipe.download
url = ${:_profile_base_location_}/template/apache.conf.in
mode = 644
filename = apache.conf.in
md5sum =
355fdabdb86fee8e9714b6d357149958
md5sum =
ac97f6a52e1c5a19a646242ef85abb8a
download-only = true
on-update = true
...
...
software/kvm/template/apache.conf.in
View file @
1ae0ad0d
...
...
@@ -33,7 +33,9 @@ SSLCertificateFile {{ cert }}
SSLCertificateKeyFile {{ key }}
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLProtocol All -SSLv2
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
SSLProxyEngine On
DocumentRoot {{ document_root }}
...
...
software/monitor/cgi-httpd.conf.in
View file @
1ae0ad0d
...
...
@@ -46,9 +46,9 @@ SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLRandomSeed startup /dev/urandom 256
SSLRandomSeed connect builtin
SSLProtocol
-ALL +SSLv3 +TLSv1
SSL
HonorCipherOrder On
SSL
CipherSuite RC4-SHA:HIGH:!ADH
SSLProtocol
all -SSLv2 -SSLv3
SSL
CipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSL
HonorCipherOrder on
SSLSessionCache shmcb:/{{ directory.get("mod-ssl") }}/ssl_scache(512000)
SSLSessionCacheTimeout 300
</IfDefine>
...
...
software/re6stnet/apache.conf.in
View file @
1ae0ad0d
...
...
@@ -37,7 +37,9 @@ SSLCertificateFile {{ certificate }}
SSLCertificateKeyFile {{ key }}
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLProtocol ALL -SSLv2
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
{% endif -%}
<Directory />
...
...
software/re6stnet/software.cfg
View file @
1ae0ad0d
...
...
@@ -91,7 +91,7 @@ extra-context =
[template-apache-conf]
< = download-base
filename = apache.conf.in
md5sum =
6fcf417f6b9651b1ed442f00c094f50c
md5sum =
d64cafda1139b740a49a9f5e30a1b57b
[template-re6st-registry-conf]
< = download-base
...
...
software/slapos-master/apache.conf.in
View file @
1ae0ad0d
...
...
@@ -36,10 +36,12 @@ SSLCertificateFile {{ parameter_dict['cert'] }}
SSLCertificateKeyFile {{ parameter_dict['key'] }}
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLProtocol
All -SSLv2
#
SSLHonorCipherOrder on
SSLProtocol
all -SSLv2 -SSLv3
SSLHonorCipherOrder on
{% if parameter_dict['cipher'] -%}
SSLCipherSuite {{ parameter_dict['cipher'] }}
{% else %}
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
{%- endif %}
SSLSessionCache shmcb:{{ parameter_dict['ssl-session-cache'] }}(512000)
SSLProxyEngine On
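Review bot: when parameter_dict['cipher'] is set, the template emits that value verbatim and the new default in the else branch is never used, so an instance that already carries an older cipher parameter keeps its old list after this commit. Either document that this parameter overrides the shared policy or remove it, and if it stays, consider rejecting values that re-enable RC4, export or anonymous suites before they reach SSLCipherSuite.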
...
...
software/slapos-master/software.cfg
View file @
1ae0ad0d
...
...
@@ -74,7 +74,7 @@ md5sum = 02c258e51ff4619efe258bbf24b9ceed
[template-apache-conf]
< = download-base-part
filename = apache.conf.in
md5sum =
77c9e3cd1e95279761310cd0eeda78b3
md5sum =
6a9426138d46ba5de75a86199be4f8d1
[template-create-erp5-site-real]
< = download-base-part
...
...
software/slaprunner/common.cfg
View file @
1ae0ad0d
...
...
@@ -106,7 +106,7 @@ mode = 0644
recipe = hexagonit.recipe.download
url = ${:_profile_base_location_}/nginx_conf.in
download-only = true
md5sum =
5bbe62827d232b3bbac3d5eb03e2d648
md5sum =
2ccfb122a6e8e4cce0d98e9db28be749
filename = nginx_conf.in
mode = 0644
...
...
@@ -114,7 +114,7 @@ mode = 0644
recipe = hexagonit.recipe.download
url = ${:_profile_base_location_}/httpd_conf.in
download-only = true
md5sum =
21009dac6e9868bed61a669632103830
md5sum =
505edf5a6a39edf0238bd42934503f1b
filename = httpd_conf.in
mode = 0644
...
...
software/slaprunner/httpd_conf.in
View file @
1ae0ad0d
...
...
@@ -44,9 +44,9 @@ SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLRandomSeed startup /dev/urandom 256
SSLRandomSeed connect builtin
SSLProtocol
-ALL +SSLv3 +TLSv1
SSL
HonorCipherOrder On
SSL
CipherSuite RC4-SHA:HIGH:!ADH
SSLProtocol
all -SSLv2 -SSLv3
SSL
CipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSL
HonorCipherOrder on
SSLEngine On
Include {{ parameters.httpd_cors_file }}
...
...
software/slaprunner/nginx_conf.in
View file @
1ae0ad0d
...
...
@@ -24,8 +24,9 @@ http {
server_name _;
ssl_certificate {{ param_nginx_frontend['ssl-certificate'] }};
ssl_certificate_key {{ param_nginx_frontend['ssl-key'] }};
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
ssl_prefer_server_ciphers on;
keepalive_timeout 90s;
client_body_temp_path {{ param_tempdir['client_body_temp_path'] }};
proxy_temp_path {{ param_tempdir['proxy_temp_path'] }};
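Review bot: the added ssl_ciphers line ends at "!MD5" with no terminating semicolon, although the removed "ssl_ciphers HIGH:!aNULL:!MD5;" had one, so this nginx_conf.in will not parse and the slaprunner frontend will fail to start or reload. Add the ";" and update the nginx_conf.in md5sum in software/slaprunner/common.cfg to match. The gateone nginx template in this commit has the same line and needs the same fix.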
...
...
stack/erp5/apache.conf.in
View file @
1ae0ad0d
...
...
@@ -36,10 +36,12 @@ SSLCertificateFile {{ parameter_dict['cert'] }}
SSLCertificateKeyFile {{ parameter_dict['key'] }}
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLProtocol
All -SSLv2
#
SSLHonorCipherOrder on
SSLProtocol
all -SSLv2 -SSLv3
SSLHonorCipherOrder on
{% if parameter_dict['cipher'] -%}
SSLCipherSuite {{ parameter_dict['cipher'] }}
{% else %}
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
{%- endif %}
SSLSessionCache shmcb:{{ parameter_dict['ssl-session-cache'] }}(512000)
SSLProxyEngine On
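Review bot: the if/else block around SSLCipherSuite duplicates, line for line, the one in software/slapos-master/apache.conf.in, and two copies of one template will drift; have one derive from the other if the build allows it. Minor style point: "{% else %}" is the only tag in the block without a whitespace-control dash, so the rendered config gets a stray blank line next to SSLCipherSuite.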
...
...
stack/erp5/buildout.cfg
View file @
1ae0ad0d
...
...
@@ -370,7 +370,7 @@ md5sum = ec9321514674c084e509ca070763b4a1
[template-apache-conf]
<= download-base
filename = apache.conf.in
md5sum =
713b22938d7212c8506449bc0508452b
md5sum =
cbe53c1879db9601a521e3ce1d546116
[template-haproxy-cfg]
<= download-base
...
...
stack/monitor/buildout.cfg
View file @
1ae0ad0d
...
...
@@ -60,7 +60,7 @@ eggs =
# Monitor templates files
[monitor-httpd-conf]
<= monitor-template-base
md5sum =
08137be9b80e0e13d9a906c264a2f51f
md5sum =
e023ede69a0bfb59165c75b1c16719f7
filename = monitor-httpd.conf.in
[monitor-service-conf-template]
...
...
stack/monitor/templates/monitor-httpd.conf.in
View file @
1ae0ad0d
...
...
@@ -45,9 +45,9 @@ SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLRandomSeed startup /dev/urandom 256
SSLRandomSeed connect builtin
SSLProtocol
-ALL +SSLv3 +TLSv1
SSL
HonorCipherOrder On
SSL
CipherSuite RC4-SHA:HIGH:!ADH
SSLProtocol
all -SSLv2 -SSLv3
SSL
CipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSL
HonorCipherOrder on
</IfDefine>
AddType application/hal+json .haljson
...
...