Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
slapos
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Jean-Paul Smets
slapos
Commits
1ae0ad0d
Commit
1ae0ad0d
authored
Apr 13, 2016
by
Kazuhiko Shiozaki
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
SSL: use the same configuration everywhere.
parent
4652ced7
Changes
25
Hide whitespace changes
Inline
Side-by-side
Showing
25 changed files
with
64 additions
and
52 deletions
+64
-52
slapos/recipe/apache_zope_backend/template/snippet.ssl.in
slapos/recipe/apache_zope_backend/template/snippet.ssl.in
+3
-3
slapos/recipe/erp5/template/apache.ssl-snippet.conf.in
slapos/recipe/erp5/template/apache.ssl-snippet.conf.in
+3
-3
slapos/recipe/erp5testnode/template/httpd.conf.in
slapos/recipe/erp5testnode/template/httpd.conf.in
+3
-3
software/apache-frontend/README.apache_frontend.txt
software/apache-frontend/README.apache_frontend.txt
+3
-3
software/apache-frontend/common.cfg
software/apache-frontend/common.cfg
+2
-2
software/apache-frontend/templates/apache.conf.in
software/apache-frontend/templates/apache.conf.in
+2
-1
software/apache-frontend/templates/trafficserver/records.config.jinja2
...he-frontend/templates/trafficserver/records.config.jinja2
+7
-6
software/gateone/software.cfg
software/gateone/software.cfg
+1
-1
software/gateone/templates/nginx.conf.in
software/gateone/templates/nginx.conf.in
+3
-2
software/html5ide/software.cfg
software/html5ide/software.cfg
+1
-1
software/html5ide/template/httpd.conf.jinja2
software/html5ide/template/httpd.conf.jinja2
+3
-3
software/kvm/common.cfg
software/kvm/common.cfg
+1
-1
software/kvm/template/apache.conf.in
software/kvm/template/apache.conf.in
+3
-1
software/monitor/cgi-httpd.conf.in
software/monitor/cgi-httpd.conf.in
+3
-3
software/re6stnet/apache.conf.in
software/re6stnet/apache.conf.in
+3
-1
software/re6stnet/software.cfg
software/re6stnet/software.cfg
+1
-1
software/slapos-master/apache.conf.in
software/slapos-master/apache.conf.in
+4
-2
software/slapos-master/software.cfg
software/slapos-master/software.cfg
+1
-1
software/slaprunner/common.cfg
software/slaprunner/common.cfg
+2
-2
software/slaprunner/httpd_conf.in
software/slaprunner/httpd_conf.in
+3
-3
software/slaprunner/nginx_conf.in
software/slaprunner/nginx_conf.in
+3
-2
stack/erp5/apache.conf.in
stack/erp5/apache.conf.in
+4
-2
stack/erp5/buildout.cfg
stack/erp5/buildout.cfg
+1
-1
stack/monitor/buildout.cfg
stack/monitor/buildout.cfg
+1
-1
stack/monitor/templates/monitor-httpd.conf.in
stack/monitor/templates/monitor-httpd.conf.in
+3
-3
No files found.
slapos/recipe/apache_zope_backend/template/snippet.ssl.in
View file @
1ae0ad0d
...
...
@@ -2,8 +2,8 @@ SSLCertificateFile %(certificate)s
SSLCertificateKeyFile %(key)s
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLProtocol
-ALL +SSLv3 +TLSv1
SSL
HonorCipherOrder On
SSL
CipherSuite RC4-SHA:HIGH:!ADH
SSLProtocol
all -SSLv2 -SSLv3
SSL
CipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSL
HonorCipherOrder on
SSLSessionCache shmcb:%(ssl_session_cache)s(512000)
SSLProxyEngine On
slapos/recipe/erp5/template/apache.ssl-snippet.conf.in
View file @
1ae0ad0d
...
...
@@ -3,7 +3,7 @@ SSLCertificateFile %(login_certificate)s
SSLCertificateKeyFile %(login_key)s
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLProtocol
-ALL +SSLv3 +TLSv1
SSLCipherSuite
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
SSLProtocol
all -SSLv2 -SSLv3
SSLCipherSuite
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
SSLProxyEngine On
slapos/recipe/erp5testnode/template/httpd.conf.in
View file @
1ae0ad0d
...
...
@@ -45,9 +45,9 @@ SSLCertificateFile %(certificate)s
SSLCertificateKeyFile %(key)s
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLProtocol
-ALL +SSLv3 +TLSv1
SSL
HonorCipherOrder On
SSL
CipherSuite RC4-SHA:HIGH:!ADH
SSLProtocol
all -SSLv2 -SSLv3
SSL
CipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSL
HonorCipherOrder on
SSLProxyEngine On
...
...
software/apache-frontend/README.apache_frontend.txt
View file @
1ae0ad0d
...
...
@@ -440,9 +440,9 @@ the proxy::
ServerAdmin example.org
SSLEngine on
SSLProxyEngine on
SSLProtocol
-ALL +SSLv3 +TLSv1
SSL
HonorCipherOrder On
SSL
CipherSuite RC4-SHA:HIGH:!ADH
SSLProtocol
all -SSLv2 -SSLv3
SSL
CipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSL
HonorCipherOrder on
# Use personal ssl certificates
SSLCertificateFile %(ssl_crt)s
SSLCertificateKeyFile %(ssl_key)s
...
...
software/apache-frontend/common.cfg
View file @
1ae0ad0d
...
...
@@ -96,7 +96,7 @@ mode = 640
[template-apache-frontend-configuration]
recipe = slapos.recipe.build:download
url = ${:_profile_base_location_}/templates/apache.conf.in
md5sum =
09ffa9a94cc7506d32c2c422853106b6
md5sum =
8ff17b2a0d0495ec935e378f3976de71
mode = 640
[template-apache-cached-configuration]
...
...
@@ -164,7 +164,7 @@ md5sum = 8cde04bfd0c0e9bd56744b988275cfd8
[template-trafficserver-records-config]
recipe = hexagonit.recipe.download
url = ${:_profile_base_location_}/templates/trafficserver/${:filename}
md5sum =
c68fc90886c3314466b459520692e145
md5sum =
65afeef0229430ad8a6fbc57298b787b
location = ${buildout:parts-directory}/${:_buildout_section_name_}
filename = records.config.jinja2
download-only = true
...
...
software/apache-frontend/templates/apache.conf.in
View file @
1ae0ad0d
...
...
@@ -123,7 +123,8 @@ SSLSessionCacheTimeout 300
SSLRandomSeed startup /dev/urandom 256
SSLRandomSeed connect builtin
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
...
...
software/apache-frontend/templates/trafficserver/records.config.jinja2
View file @
1ae0ad0d
...
...
@@ -492,18 +492,19 @@ CONFIG proxy.config.url_remap.pristine_host_hdr INT 1
# proxy.config.exec_thread.autoconfig.scale by default. You can
# override that here (set it to a non-zero value).
CONFIG proxy.config.ssl.number.threads INT 0
# The following three variables can be
# set to 0 to disable SSLv2, SSLv3, and/or TLSv1.
# SSLv2 is disabled by default for security concern.
# The following variables control SSL protocols.
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT
1
CONFIG proxy.config.ssl.SSLv3 INT
0
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
# The following two variables control the Cipher Suite traffic Server
# uses for HTTPS connnections and whether to prefer the client
# selected (default) or the server selected
# Our default SSL Cipher Suite tries to be reasonably fast and strong.
CONFIG proxy.config.ssl.server.cipher_suite STRING RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL
CONFIG proxy.config.ssl.server.honor_cipher_order INT 0
CONFIG proxy.config.ssl.server.cipher_suite STRING ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
# Control if SSL should perform content compression or not
CONFIG proxy.config.ssl.compression INT 0
# Client certification level should be:
...
...
software/gateone/software.cfg
View file @
1ae0ad0d
...
...
@@ -111,7 +111,7 @@ extra-context =
< = download-base
url = ${:_profile_base_location_}/templates/${:filename}.in
filename = nginx.conf
md5sum =
72f4cc110f618b317793e21124f45121
md5sum =
3d80d73a9cfffca6687813d86ddc25ba
[check-recipe]
recipe = plone.recipe.command
...
...
software/gateone/templates/nginx.conf.in
View file @
1ae0ad0d
...
...
@@ -24,8 +24,9 @@ http {
server_name _;
ssl_certificate {{ parameter_dict['ssl-certificate'] }};
ssl_certificate_key {{ parameter_dict['ssl-key'] }};
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
ssl_prefer_server_ciphers on;
keepalive_timeout 90s;
client_body_temp_path {{ param_tempdir['client_body_temp_path'] }};
proxy_temp_path {{ param_tempdir['proxy_temp_path'] }};
...
...
software/html5ide/software.cfg
View file @
1ae0ad0d
...
...
@@ -32,7 +32,7 @@ mode = 0644
recipe = hexagonit.recipe.download
url = ${:_profile_base_location_}/template/httpd.conf.jinja2
download-only = true
md5sum =
0c9e75bcbaf5ed97f7b33d472107b634
md5sum =
97d84138323b1e3214847b1b7de9a10e
filename = httpd_conf.in
mode = 0644
...
...
software/html5ide/template/httpd.conf.jinja2
View file @
1ae0ad0d
...
...
@@ -35,9 +35,9 @@ SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLRandomSeed startup /dev/urandom 256
SSLRandomSeed connect builtin
SSLProtocol
-ALL +SSLv3 +TLSv1
SSL
HonorCipherOrder On
SSL
CipherSuite RC4-SHA:HIGH:!ADH
SSLProtocol
all -SSLv2 -SSLv3
SSL
CipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSL
HonorCipherOrder on
SSLEngine On
...
...
software/kvm/common.cfg
View file @
1ae0ad0d
...
...
@@ -203,7 +203,7 @@ recipe = hexagonit.recipe.download
url = ${:_profile_base_location_}/template/apache.conf.in
mode = 644
filename = apache.conf.in
md5sum =
355fdabdb86fee8e9714b6d357149958
md5sum =
ac97f6a52e1c5a19a646242ef85abb8a
download-only = true
on-update = true
...
...
software/kvm/template/apache.conf.in
View file @
1ae0ad0d
...
...
@@ -33,7 +33,9 @@ SSLCertificateFile {{ cert }}
SSLCertificateKeyFile {{ key }}
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLProtocol All -SSLv2
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
SSLProxyEngine On
DocumentRoot {{ document_root }}
...
...
software/monitor/cgi-httpd.conf.in
View file @
1ae0ad0d
...
...
@@ -46,9 +46,9 @@ SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLRandomSeed startup /dev/urandom 256
SSLRandomSeed connect builtin
SSLProtocol
-ALL +SSLv3 +TLSv1
SSL
HonorCipherOrder On
SSL
CipherSuite RC4-SHA:HIGH:!ADH
SSLProtocol
all -SSLv2 -SSLv3
SSL
CipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSL
HonorCipherOrder on
SSLSessionCache shmcb:/{{ directory.get("mod-ssl") }}/ssl_scache(512000)
SSLSessionCacheTimeout 300
</IfDefine>
...
...
software/re6stnet/apache.conf.in
View file @
1ae0ad0d
...
...
@@ -37,7 +37,9 @@ SSLCertificateFile {{ certificate }}
SSLCertificateKeyFile {{ key }}
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLProtocol ALL -SSLv2
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
{% endif -%}
<Directory />
...
...
software/re6stnet/software.cfg
View file @
1ae0ad0d
...
...
@@ -91,7 +91,7 @@ extra-context =
[template-apache-conf]
< = download-base
filename = apache.conf.in
md5sum =
6fcf417f6b9651b1ed442f00c094f50c
md5sum =
d64cafda1139b740a49a9f5e30a1b57b
[template-re6st-registry-conf]
< = download-base
...
...
software/slapos-master/apache.conf.in
View file @
1ae0ad0d
...
...
@@ -36,10 +36,12 @@ SSLCertificateFile {{ parameter_dict['cert'] }}
SSLCertificateKeyFile {{ parameter_dict['key'] }}
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLProtocol
All -SSLv2
#
SSLHonorCipherOrder on
SSLProtocol
all -SSLv2 -SSLv3
SSLHonorCipherOrder on
{% if parameter_dict['cipher'] -%}
SSLCipherSuite {{ parameter_dict['cipher'] }}
{% else %}
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
{%- endif %}
SSLSessionCache shmcb:{{ parameter_dict['ssl-session-cache'] }}(512000)
SSLProxyEngine On
...
...
software/slapos-master/software.cfg
View file @
1ae0ad0d
...
...
@@ -74,7 +74,7 @@ md5sum = 02c258e51ff4619efe258bbf24b9ceed
[template-apache-conf]
< = download-base-part
filename = apache.conf.in
md5sum =
77c9e3cd1e95279761310cd0eeda78b3
md5sum =
6a9426138d46ba5de75a86199be4f8d1
[template-create-erp5-site-real]
< = download-base-part
...
...
software/slaprunner/common.cfg
View file @
1ae0ad0d
...
...
@@ -106,7 +106,7 @@ mode = 0644
recipe = hexagonit.recipe.download
url = ${:_profile_base_location_}/nginx_conf.in
download-only = true
md5sum =
5bbe62827d232b3bbac3d5eb03e2d648
md5sum =
2ccfb122a6e8e4cce0d98e9db28be749
filename = nginx_conf.in
mode = 0644
...
...
@@ -114,7 +114,7 @@ mode = 0644
recipe = hexagonit.recipe.download
url = ${:_profile_base_location_}/httpd_conf.in
download-only = true
md5sum =
21009dac6e9868bed61a669632103830
md5sum =
505edf5a6a39edf0238bd42934503f1b
filename = httpd_conf.in
mode = 0644
...
...
software/slaprunner/httpd_conf.in
View file @
1ae0ad0d
...
...
@@ -44,9 +44,9 @@ SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLRandomSeed startup /dev/urandom 256
SSLRandomSeed connect builtin
SSLProtocol
-ALL +SSLv3 +TLSv1
SSL
HonorCipherOrder On
SSL
CipherSuite RC4-SHA:HIGH:!ADH
SSLProtocol
all -SSLv2 -SSLv3
SSL
CipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSL
HonorCipherOrder on
SSLEngine On
Include {{ parameters.httpd_cors_file }}
...
...
software/slaprunner/nginx_conf.in
View file @
1ae0ad0d
...
...
@@ -24,8 +24,9 @@ http {
server_name _;
ssl_certificate {{ param_nginx_frontend['ssl-certificate'] }};
ssl_certificate_key {{ param_nginx_frontend['ssl-key'] }};
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
ssl_prefer_server_ciphers on;
keepalive_timeout 90s;
client_body_temp_path {{ param_tempdir['client_body_temp_path'] }};
proxy_temp_path {{ param_tempdir['proxy_temp_path'] }};
...
...
stack/erp5/apache.conf.in
View file @
1ae0ad0d
...
...
@@ -36,10 +36,12 @@ SSLCertificateFile {{ parameter_dict['cert'] }}
SSLCertificateKeyFile {{ parameter_dict['key'] }}
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLProtocol
All -SSLv2
#
SSLHonorCipherOrder on
SSLProtocol
all -SSLv2 -SSLv3
SSLHonorCipherOrder on
{% if parameter_dict['cipher'] -%}
SSLCipherSuite {{ parameter_dict['cipher'] }}
{% else %}
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
{%- endif %}
SSLSessionCache shmcb:{{ parameter_dict['ssl-session-cache'] }}(512000)
SSLProxyEngine On
...
...
stack/erp5/buildout.cfg
View file @
1ae0ad0d
...
...
@@ -370,7 +370,7 @@ md5sum = ec9321514674c084e509ca070763b4a1
[template-apache-conf]
<= download-base
filename = apache.conf.in
md5sum =
713b22938d7212c8506449bc0508452b
md5sum =
cbe53c1879db9601a521e3ce1d546116
[template-haproxy-cfg]
<= download-base
...
...
stack/monitor/buildout.cfg
View file @
1ae0ad0d
...
...
@@ -60,7 +60,7 @@ eggs =
# Monitor templates files
[monitor-httpd-conf]
<= monitor-template-base
md5sum =
08137be9b80e0e13d9a906c264a2f51f
md5sum =
e023ede69a0bfb59165c75b1c16719f7
filename = monitor-httpd.conf.in
[monitor-service-conf-template]
...
...
stack/monitor/templates/monitor-httpd.conf.in
View file @
1ae0ad0d
...
...
@@ -45,9 +45,9 @@ SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLRandomSeed startup /dev/urandom 256
SSLRandomSeed connect builtin
SSLProtocol
-ALL +SSLv3 +TLSv1
SSL
HonorCipherOrder On
SSL
CipherSuite RC4-SHA:HIGH:!ADH
SSLProtocol
all -SSLv2 -SSLv3
SSL
CipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSL
HonorCipherOrder on
</IfDefine>
AddType application/hal+json .haljson
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment