Giuseppe Lavagetto has submitted this change and it was merged. Change subject: ssl proxies: use ssl_ciphersuite ......................................................................
ssl proxies: use ssl_ciphersuite Change-Id: If21d6912d8095b4520f79bfdfdf8c182f7c2057a Signed-off-by: Giuseppe Lavagetto <glavage...@wikimedia.org> --- M manifests/role/protoproxy.pp M templates/nginx/nginx.conf.erb 2 files changed, 2 insertions(+), 7 deletions(-) Approvals: Giuseppe Lavagetto: Looks good to me, approved JanZerebecki: Looks good to me, but someone else must approve jenkins-bot: Verified Dzahn: Looks good to me, but someone else must approve diff --git a/manifests/role/protoproxy.pp b/manifests/role/protoproxy.pp index 71a2da3..c4a6019 100644 --- a/manifests/role/protoproxy.pp +++ b/manifests/role/protoproxy.pp @@ -22,6 +22,7 @@ $nginx_worker_connections = '32768' $nginx_use_ssl = true + $nginx_ssl_conf = ssl_ciphersuite('nginx', 'compat') class { 'nginx': managed => false, } diff --git a/templates/nginx/nginx.conf.erb b/templates/nginx/nginx.conf.erb index 2ad93e8..3045eed 100644 --- a/templates/nginx/nginx.conf.erb +++ b/templates/nginx/nginx.conf.erb 
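Review bot: The added `$nginx_ssl_conf = ssl_ciphersuite('nginx', 'compat')` gives no reason for picking the `compat` profile over a stricter one, and nothing in the hunk ties the variable to its consumer, so a later reader has to grep templates to learn why it exists. A comment above the line such as `# ssl_* directive lines rendered verbatim by templates/nginx/nginx.conf.erb; 'compat' chosen deliberately (state why)` would keep the profile choice reviewable. The ssl_ciphersuite function itself is not part of this change, so what `compat` actually emits is assumed from its name here and should be checked against the function.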
@@ -62,13 +62,7 @@ # so we are allowing 200,000 active sessions. ssl_session_cache shared:SSL:50m; ssl_session_timeout 5m; - # SSLv2 is insecure, only allow SSLv3 and TLSv1 - ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; - # Limit ciphers allowed - # We strongly prefer forward-secret chiphers using ECDHE and GCM for encrypting data, for performance reasons. - ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH; - # Prefer server ciphers - ssl_prefer_server_ciphers on; + <%= @nginx_ssl_conf.join("\n") %> <% end %> include /etc/nginx/conf.d/*.conf; -- To view, visit https://gerrit.wikimedia.org/r/152248 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: If21d6912d8095b4520f79bfdfdf8c182f7c2057a Gerrit-PatchSet: 6 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Giuseppe Lavagetto <glavage...@wikimedia.org> Gerrit-Reviewer: Dzahn <dz...@wikimedia.org> Gerrit-Reviewer: Giuseppe Lavagetto <glavage...@wikimedia.org> Gerrit-Reviewer: JanZerebecki <jan.wikime...@zerebecki.de> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
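Review bot: The new template line `<%= @nginx_ssl_conf.join("\n") %>` assumes `@nginx_ssl_conf` is always an array; if the variable is unset, or the function hands back a single string, catalog compilation fails with a NoMethodError on `join`, which is a loud rather than silent failure but is worth stating next to the line, e.g. `<%# @nginx_ssl_conf: array of complete ssl_* directive lines, set in role::protoproxy via ssl_ciphersuite() %>`. The removed block explicitly enabled SSLv3 and RC4 suites, and the directives that `ssl_ciphersuite('nginx', 'compat')` produces are not visible in this change, so whether those remain enabled after the switch should be confirmed against that function's output before this is treated as a hardening change. The enclosing `<% if %>` block begins outside the hunk, and the joined lines are emitted without the indentation of the surrounding directives, which nginx does not care about but makes the rendered file harder to read.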