apache-frontend: update security settings

399ac485 · Cédric Le Ninivin · 435dd59d · 399ac485 · 399ac485 · 399ac485
Commit 399ac485 authored Jun 24, 2015 by Cédric Le Ninivin
4 changed files
--- a/software/apache-frontend/common.cfg
+++ b/software/apache-frontend/common.cfg
@@ -102,7 +102,7 @@ mode = 640
 [template-apache-cached-configuration]
 recipe = slapos.recipe.build:download
 url = ${:_profile_base_location_}/templates/apache_cached.conf.in
-md5sum = 0c4393db80670daf18b432b7f07383e9
+md5sum = 116271eafe80309a99203fd8a11a4558
 mode = 640
 [template-rewrite-cached]
@@ -127,13 +127,13 @@ mode = 640
 [template-default-virtualhost]
 recipe = slapos.recipe.build:download
 url = ${:_profile_base_location_}/templates/000.conf.in
-md5sum = ed1b680e31e30596bf051682ec0270b4
+md5sum = d98a01182f38868612948c87d5231428
 mode = 640
 [template-default-slave-virtualhost]
 recipe = slapos.recipe.build:download
 url = ${:_profile_base_location_}/templates/default-virtualhost.conf.in
-md5sum = 5463dd67f1b1bea0bee57a421e371dd0
+md5sum = 5dbfd59f9316b8a629f9f098a1cc1c72
 mode = 640
 [template-log-access]

--- a/software/apache-frontend/templates/000.conf.in
+++ b/software/apache-frontend/templates/000.conf.in
@@ -2,16 +2,15 @@
  ServerName www.example.org
  SSLEngine on
  SSLProxyEngine on
-  SSLProtocol ALL -SSLv2 -SSLv3
+  SSLProtocol all -SSLv2 -SSLv3
-  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
+  SSLHonorCipherOrder on
  # Rewrite part
-  ProxyVia On
  ProxyPreserveHost On
  ProxyTimeout 600
  RewriteEngine On
  ErrorDocument 404 /notfound.html
 </VirtualHost>

--- a/software/apache-frontend/templates/apache_cached.conf.in
+++ b/software/apache-frontend/templates/apache_cached.conf.in
@@ -105,9 +105,10 @@ SSLSessionCache shmcb:/{{ httpd_mod_ssl_cache_directory }}/ssl_scache(512000)
 SSLSessionCacheTimeout  300
 SSLRandomSeed startup /dev/urandom 256
 SSLRandomSeed connect builtin
-SSLProtocol -ALL +SSLv3 +TLSv1
+SSLProtocol all -SSLv2 -SSLv3
-SSLHonorCipherOrder On
+SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
-SSLCipherSuite RC4-SHA:HIGH:!ADH
+SSLHonorCipherOrder on
 <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
 </FilesMatch>
@@ -119,7 +120,6 @@ SSLProxyCheckPeerExpire off
 <VirtualHost *:{{ cached_port }}>
  SSLProxyEngine on
  # Rewrite part
-  ProxyVia On
  ProxyPreserveHost On
  ProxyTimeout 600
  RewriteEngine On

--- a/software/apache-frontend/templates/default-virtualhost.conf.in
+++ b/software/apache-frontend/templates/default-virtualhost.conf.in
@@ -16,8 +16,8 @@
  SSLEngine on
  SSLProxyEngine on
  SSLProtocol all -SSLv2 -SSLv3
-  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
+  SSLHonorCipherOrder on
 {% set ssl_configuration_list = [('SSLCertificateFile', 'path_to_ssl_crt'),
       			      	 ('SSLCertificateKeyFile', 'path_to_ssl_key'),
@@ -38,7 +38,6 @@
  CustomLog "{{ slave_parameter.get('access_log') }}" combined
  # Rewrite part
-  ProxyVia On
  ProxyPreserveHost On
  ProxyTimeout 600
  RewriteEngine On
@@ -90,7 +89,6 @@
  SSLProxyEngine on
  # Rewrite part
-  ProxyVia On
  ProxyPreserveHost On
  ProxyTimeout 600
  RewriteEngine On