Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Add Zanata id.fp.o TLSv1 workaround

Browse source 
Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
This commit is contained in:
Patrick Uiterwijk 2019-04-13 21:15:41 +02:00
parent b99a18cf04
commit 14ea88dd85
2 changed files with 40 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

29
files/httpd/website_id_fp_o_zanata.conf Normal file
View file

@ -0,0 +1,29 @@
# This is an HTTP config purely for Zanata, which mirrors id.fp.o
# They run on old Java, which means that they do not support TLSv1.2, so let's
# give them TLSv1.0 as well.
# On how this works, look at the proxies' iptables: they will have a rule that
# forwards a limited set of IP addresses' 443/tcp to 44342/tcp.
Listen 44342 https
<VirtualHost *:44342>
ServerName id.fedoraproject.org
ServerAdmin webmaster@fedoraproject.org
RequestHeader unset X-Forwarded-For
Protocols h2 http/1.1
SSLEngine on
SSLUseStapling on
SSLCertificateFile /etc/pki/tls/certs/wildcard-2017.fedoraproject.org.cert
SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2017.fedoraproject.org.key
SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2017.fedoraproject.org.intermediate.cert
SSLHonorCipherOrder On
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
Header always add Strict-Transport-Security "max-age=31536000; preload"
Include "conf.d/id.fedoraproject.org/*.conf"
</VirtualHost>

11
playbooks/groups/proxies.yml
View file

@ -128,6 +128,17 @@
notify:
- reload proxyhttpd
# This really doesn't belong here, but it really shouldn't be needed to begin
# with. See the comments in the file as to why this exists.
- copy:
src="{{ files }}/httpd/website_id_fp_o_zanata.conf"
dest=/etc/httpd/conf.d/id.fedoraproject.org.zanata.conf
notify:
- reload apache
tags:
- config
- apache
#
# If this is an initial deployment, make sure docs are synced over.
# Do not count these as changed ever