Giuseppe Lavagetto has submitted this change and it was merged.

Change subject: ssl proxies: use ssl_ciphersuite
......................................................................


ssl proxies: use ssl_ciphersuite

Change-Id: If21d6912d8095b4520f79bfdfdf8c182f7c2057a
Signed-off-by: Giuseppe Lavagetto <glavage...@wikimedia.org>
---
M manifests/role/protoproxy.pp
M templates/nginx/nginx.conf.erb
2 files changed, 2 insertions(+), 7 deletions(-)

Approvals:
  Giuseppe Lavagetto: Looks good to me, approved
  JanZerebecki: Looks good to me, but someone else must approve
  jenkins-bot: Verified
  Dzahn: Looks good to me, but someone else must approve



diff --git a/manifests/role/protoproxy.pp b/manifests/role/protoproxy.pp
index 71a2da3..c4a6019 100644
--- a/manifests/role/protoproxy.pp
+++ b/manifests/role/protoproxy.pp
@@ -22,6 +22,7 @@
 
     $nginx_worker_connections = '32768'
     $nginx_use_ssl = true
+    $nginx_ssl_conf = ssl_ciphersuite('nginx', 'compat')
 
     class { 'nginx': managed => false, }
 
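Review bot: The choice of the 'compat' profile in `$nginx_ssl_conf = ssl_ciphersuite('nginx', 'compat')` is not explained anywhere in this change, and the commit message ("ssl proxies: use ssl_ciphersuite") says nothing about what the profile does or does not allow compared with the hand-written directives it replaces. Add a short comment above the assignment (or a sentence in the commit message) stating why the compatibility profile was chosen for the protocol proxies rather than a stricter one, and what client population it is meant to keep working, so the next person touching this role does not have to read the function to find out.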
diff --git a/templates/nginx/nginx.conf.erb b/templates/nginx/nginx.conf.erb
index 2ad93e8..3045eed 100644
--- a/templates/nginx/nginx.conf.erb
+++ b/templates/nginx/nginx.conf.erb
@@ -62,13 +62,7 @@
     # so we are allowing 200,000 active sessions.
     ssl_session_cache shared:SSL:50m;
     ssl_session_timeout 5m;
-    # SSLv2 is insecure, only allow SSLv3 and TLSv1
-    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
-    # Limit ciphers allowed
-    # We strongly prefer forward-secret chiphers using ECDHE and GCM for 
encrypting data, for performance reasons.
-    ssl_ciphers 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH;
-    # Prefer server ciphers
-    ssl_prefer_server_ciphers on;
+    <%= @nginx_ssl_conf.join("\n")  %>
     <% end %>
 
     include /etc/nginx/conf.d/*.conf;
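Review bot: The removed block set three directives explicitly (`ssl_protocols`, `ssl_ciphers`, `ssl_prefer_server_ciphers on`), and the replacement `<%= @nginx_ssl_conf.join("\n")  %>` emits whatever the function returns; the commit message should confirm that the 'compat' output still sets all three, and say whether SSLv3 and the `RC4-SHA` / `ECDHE-*-RC4-SHA` entries from the old list are still present in the generated config, since that is the security-relevant difference a reader of this change will want to know. Two smaller points: this template lives under templates/nginx/ while the variable is only set in role/protoproxy.pp, so if any other nginx user renders this template with `ssl` enabled and without defining `nginx_ssl_conf`, `.join` on nil will fail at catalog compile, which is worth a check or a fallback; and the double space before `%>` is a style nit.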

-- 
To view, visit https://gerrit.wikimedia.org/r/152248
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: If21d6912d8095b4520f79bfdfdf8c182f7c2057a
Gerrit-PatchSet: 6
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Giuseppe Lavagetto <glavage...@wikimedia.org>
Gerrit-Reviewer: Dzahn <dz...@wikimedia.org>
Gerrit-Reviewer: Giuseppe Lavagetto <glavage...@wikimedia.org>
Gerrit-Reviewer: JanZerebecki <jan.wikime...@zerebecki.de>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
