From f1dd7a74327b5c9a22e159b0fa5a4de815303864 Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Tue, 30 Aug 2016 19:36:53 +0000 Subject: [PATCH] Unify all ssl cipher suite configurations 
Signed-off-by: Patrick Uiterwijk --- files/httpd/newvirtualhost.conf.j2 | 5 ++--- files/lists-dev/apache.conf.j2 | 4 ++-- roles/batcave/tasks/main.yml | 2 +- .../infrastructure.fedoraproject.org.conf.j2} | 4 ++-- roles/copr/frontend/tasks/main.yml | 2 +- .../frontend/{files => templates}/httpd/coprs_ssl.conf | 8 ++++---- roles/distgit/tasks/main.yml | 2 +- roles/distgit/{files => templates}/lookaside-upload.conf | 3 ++- roles/distgit/{files => templates}/lookaside.conf | 0 roles/download/tasks/main.yml | 2 +- .../{files => templates}/httpd/dl.fedoraproject.org.conf | 4 ++-- roles/graphite/grafana/templates/grafana.conf | 4 ++-- roles/graphite/graphite/templates/graphite-web.conf | 4 ++-- roles/httpd/templates/website.conf.j2 | 4 ++-- roles/httpd/website/templates/website.conf | 4 ++-- roles/infinote/tasks/main.yml | 2 +- .../{files => templates}/infinote.fedoraproject.org.conf | 4 ++-- roles/keyserver/tasks/main.yml | 4 ++-- roles/keyserver/{files => templates}/sks.conf | 8 ++++---- roles/keyserver/{files => templates}/ssl.conf | 4 ++-- roles/koji_hub/tasks/main.yml | 4 ++-- roles/koji_hub/{files => templates}/koji-ssl.conf | 4 ++-- roles/koji_hub/{files => templates}/koji-ssl.conf.arm | 4 ++-- roles/koji_hub/{files => templates}/koji-ssl.conf.ppc | 4 ++-- roles/koji_hub/{files => templates}/koji-ssl.conf.s390 | 4 ++-- roles/koji_hub/{files => templates}/koji-ssl.conf.stg | 7 +++---- roles/people/tasks/main.yml | 6 +++++- roles/people/{files => templates}/people.conf | 4 ++-- roles/phabricator/templates/phabricator.conf.j2 | 5 ++--- roles/planet/tasks/main.yml | 2 +- roles/planet/{files => templates}/planet.conf | 4 ++-- roles/taskotron/ssl-taskotron/templates/ssl.conf.j2 | 4 ++-- roles/taskotron/ssl-taskotron/templates/ssl.conf.rhel.j2 | 4 ++-- vars/global.yml | 3 +++ 34 files changed, 69 insertions(+), 64 deletions(-) rename roles/batcave/{files/infrastructure.fedoraproject.org.conf => templates/infrastructure.fedoraproject.org.conf.j2} (89%) rename 
roles/copr/frontend/{files => templates}/httpd/coprs_ssl.conf (86%) rename roles/distgit/{files => templates}/lookaside-upload.conf (97%) rename roles/distgit/{files => templates}/lookaside.conf (100%) rename roles/download/{files => templates}/httpd/dl.fedoraproject.org.conf (63%) rename roles/infinote/{files => templates}/infinote.fedoraproject.org.conf (83%) rename roles/keyserver/{files => templates}/sks.conf (68%) rename roles/keyserver/{files => templates}/ssl.conf (94%) rename roles/koji_hub/{files => templates}/koji-ssl.conf (99%) rename roles/koji_hub/{files => templates}/koji-ssl.conf.arm (99%) rename roles/koji_hub/{files => templates}/koji-ssl.conf.ppc (99%) rename roles/koji_hub/{files => templates}/koji-ssl.conf.s390 (99%) rename roles/koji_hub/{files => templates}/koji-ssl.conf.stg (98%) rename roles/people/{files => templates}/people.conf (92%) rename roles/planet/{files => templates}/planet.conf (79%) diff --git a/files/httpd/newvirtualhost.conf.j2 b/files/httpd/newvirtualhost.conf.j2 index 18c7a2e8ad..a00dd53db6 100644 --- a/files/httpd/newvirtualhost.conf.j2 +++ b/files/httpd/newvirtualhost.conf.j2 @@ -15,13 +15,12 @@ # SSL Protocol support: # List the enable protocol levels with which clients will be able to # connect. Disable SSLv2 access by default: - SSLProtocol all -SSLv2 + SSLProtocol {{ ssl_protocols }} # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. - #SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW - SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 + SSLCipherSuite {{ ssl_ciphers }} # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If diff --git a/files/lists-dev/apache.conf.j2 b/files/lists-dev/apache.conf.j2 index c45d4208f6..96e9bea5b2 100644 --- a/files/lists-dev/apache.conf.j2 +++ b/files/lists-dev/apache.conf.j2 
@@ -11,7 +11,7 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key #SSLCertificateChainFile /etc/pki/tls/cert.pem SSLHonorCipherOrder On - SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK - SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 + SSLCipherSuite {{ ssl_ciphers }} + SSLProtocol {{ ssl_protocols }} diff --git a/roles/batcave/tasks/main.yml b/roles/batcave/tasks/main.yml index 9ad153cd25..33b341be14 100644 --- a/roles/batcave/tasks/main.yml +++ b/roles/batcave/tasks/main.yml @@ -252,7 +252,7 @@ - httpd - name: install web server config for batcave (main config) - copy: src=infrastructure.fedoraproject.org.conf dest=/etc/httpd/conf.d/infrastructure.fedoraproject.org.conf mode=0644 + template: src=infrastructure.fedoraproject.org.conf.j2 dest=/etc/httpd/conf.d/infrastructure.fedoraproject.org.conf mode=0644 tags: - batcave - config diff --git a/roles/batcave/files/infrastructure.fedoraproject.org.conf b/roles/batcave/templates/infrastructure.fedoraproject.org.conf.j2 similarity index 89% rename from roles/batcave/files/infrastructure.fedoraproject.org.conf rename to roles/batcave/templates/infrastructure.fedoraproject.org.conf.j2 index 9b5bd50424..a266c05f62 100644 --- a/roles/batcave/files/infrastructure.fedoraproject.org.conf +++ b/roles/batcave/templates/infrastructure.fedoraproject.org.conf.j2 
@@ -121,8 +121,8 @@ ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14 # If you change the protocols or cipher suites, you should probably update # modules/squid/files/squid.conf-el6 too, to keep it in sync. - SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 - SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK + SSLProtocol {{ ssl_protocols }} + SSLCipherSuite {{ ssl_ciphers }} # robots location Alias /robots.txt /srv/web/robots.txt.lockbox01 diff --git a/roles/copr/frontend/tasks/main.yml b/roles/copr/frontend/tasks/main.yml index 08cc5bea30..dc2b948534 100644 --- a/roles/copr/frontend/tasks/main.yml +++ b/roles/copr/frontend/tasks/main.yml @@ -44,7 +44,7 @@ - config - name: install copr-frontend ssl vhost for production - copy: src="httpd/coprs_ssl.conf" dest="/etc/httpd/conf.d/copr_ssl.conf" + template: src="httpd/coprs_ssl.conf.j2" dest="/etc/httpd/conf.d/copr_ssl.conf" when: not devel tags: - config diff --git a/roles/copr/frontend/files/httpd/coprs_ssl.conf b/roles/copr/frontend/templates/httpd/coprs_ssl.conf similarity index 86% rename from roles/copr/frontend/files/httpd/coprs_ssl.conf rename to roles/copr/frontend/templates/httpd/coprs_ssl.conf index 3a41cfd2e0..4b79dc48ad 100644 --- a/roles/copr/frontend/files/httpd/coprs_ssl.conf +++ b/roles/copr/frontend/templates/httpd/coprs_ssl.conf 
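Review bot: The new `template:` line references `httpd/coprs_ssl.conf.j2`, but the rename header further along this same line moves the file to `roles/copr/frontend/templates/httpd/coprs_ssl.conf` with no `.j2` suffix, so the task will fail with a missing source the first time it runs. Either change the task to `template: src="httpd/coprs_ssl.conf" dest="/etc/httpd/conf.d/copr_ssl.conf"` or rename the template to match, as the batcave hunk does with `infrastructure.fedoraproject.org.conf.j2`. The `when: not devel` guard suggests a development counterpart task outside this hunk that may need the same `copy:` to `template:` switch.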
@@ -1,8 +1,8 @@ SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 + SSLProtocol {{ ssl_protocols }} # Use secure TLSv1.1 and TLSv1.2 ciphers - SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5 + SSLCipherSuite {{ ssl_ciphers }} SSLHonorCipherOrder on Header always add Strict-Transport-Security "max-age=15768000; preload" @@ -44,9 +44,9 @@ SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 + SSLProtocol {{ ssl_protocols }} # Use secure TLSv1.1 and TLSv1.2 ciphers - SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5 + SSLCipherSuite {{ ssl_ciphers }} SSLHonorCipherOrder on Header always add Strict-Transport-Security "max-age=15768000; preload" diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml index c871b5477c..dd9ca73699 100644 --- a/roles/distgit/tasks/main.yml +++ b/roles/distgit/tasks/main.yml @@ -274,7 +274,7 @@ # -- Lookaside Cache ------------------------------------- # This is the annex to Dist Git, where we host source tarballs. - name: install the Lookaside Cache httpd configs - copy: src={{item}} dest=/etc/httpd/conf.d/pkgs.fedoraproject.org/{{item}} + template: src={{item}} dest=/etc/httpd/conf.d/pkgs.fedoraproject.org/{{item}} with_items: - lookaside.conf - lookaside-upload.conf diff --git a/roles/distgit/files/lookaside-upload.conf b/roles/distgit/templates/lookaside-upload.conf similarity index 97% rename from roles/distgit/files/lookaside-upload.conf rename to roles/distgit/templates/lookaside-upload.conf index 348c049b56..8c812b4ec2 100644 --- a/roles/distgit/files/lookaside-upload.conf +++ b/roles/distgit/templates/lookaside-upload.conf 
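Review bot: The context comment `# Use secure TLSv1.1 and TLSv1.2 ciphers` kept above the new `SSLCipherSuite {{ ssl_ciphers }}` line (in both hunks of this file) is now misleading twice over: the cipher list no longer lives here, and `ssl_protocols` as defined in the vars/global.yml hunk still admits TLSv1.0. Replace it with `# Protocols and ciphers come from ssl_protocols / ssl_ciphers in vars/global.yml`. The `# connect. Disable SSLv2 access by default:` comments left above `SSLProtocol {{ ssl_protocols }}` in the newvirtualhost, keyserver ssl.conf, koji-ssl.conf*, phabricator and taskotron hunks have the same problem and could carry the same pointer.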
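Review bot: Switching this loop from `copy:` to `template:` also pushes `lookaside.conf` through Jinja2, although that file is only renamed (100% similarity, per the header on the next line) and uses no variables; if it contains a literal `{{`, `{%` or `{#` sequence, rendering will now fail or silently alter the installed file. Either confirm the file has no such sequences, or leave it in a `copy:` task and template only `lookaside-upload.conf`, which is the one that actually uses `{{ ssl_protocols }}` and `{{ ssl_ciphers }}`. The enclosing task list continues outside the hunk.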
@@ -28,7 +28,8 @@ SSLCryptoDevice builtin SSLCACertificateFile conf/cacert.pem SSLCARevocationFile /etc/pki/tls/crl.pem - SSLCipherSuite RSA:!EXPORT:!DH:!LOW:!NULL:+MEDIUM:+HIGH + SSLProtocol {{ ssl_protocols }} + SSLCipherSuite {{ ssl_ciphers }} # Must be 'optional' everywhere in order to have POST operations work to upload.cgi SSLVerifyClient optional diff --git a/roles/distgit/files/lookaside.conf b/roles/distgit/templates/lookaside.conf similarity index 100% rename from roles/distgit/files/lookaside.conf rename to roles/distgit/templates/lookaside.conf diff --git a/roles/download/tasks/main.yml b/roles/download/tasks/main.yml index 7cbe3469c1..553bdfbee5 100644 --- a/roles/download/tasks/main.yml +++ b/roles/download/tasks/main.yml @@ -68,7 +68,7 @@ copy: src="{{private}}/files/httpd/wildcard-2014.fedoraproject.org.intermediate.cert" dest=/etc/pki/tls/certs/wildcard-2014.fedoraproject.org.intermediate.cert owner=root group=root mode=0644 - name: Configure httpd dl main conf - copy: src=httpd/dl.fedoraproject.org.conf dest=/etc/httpd/conf.d/dl.fedoraproject.org.conf + template: src=httpd/dl.fedoraproject.org.conf dest=/etc/httpd/conf.d/dl.fedoraproject.org.conf notify: - reload httpd diff --git a/roles/download/files/httpd/dl.fedoraproject.org.conf b/roles/download/templates/httpd/dl.fedoraproject.org.conf similarity index 63% rename from roles/download/files/httpd/dl.fedoraproject.org.conf rename to roles/download/templates/httpd/dl.fedoraproject.org.conf index aaa3872cf4..c14a92158a 100644 --- a/roles/download/files/httpd/dl.fedoraproject.org.conf +++ b/roles/download/templates/httpd/dl.fedoraproject.org.conf 
@@ -24,8 +24,8 @@ # If you change the protocols or cipher suites, you should probably update # modules/squid/files/squid.conf-el6 too, to keep it in sync. - SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 - SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK + SSLProtocol {{ ssl_protocols }} + SSLCipherSuite {{ ssl_ciphers }} Include "conf.d/dl.fedoraproject.org/*.conf" diff --git a/roles/graphite/grafana/templates/grafana.conf b/roles/graphite/grafana/templates/grafana.conf index a6ecc8123a..f9025b3e23 100644 --- a/roles/graphite/grafana/templates/grafana.conf +++ b/roles/graphite/grafana/templates/grafana.conf @@ -19,8 +19,8 @@ SSLCertificateKeyFile /etc/letsencrypt/live/grafana.cloud.fedoraproject.org/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/grafana.cloud.fedoraproject.org/fullchain.pem SSLHonorCipherOrder On - SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL - SSLProtocol ALL -SSLv2 + SSLCipherSuite {{ ssl_ciphers }} + SSLProtocol {{ ssl_protocols }} ProxyPass / http://localhost:3000/ ProxyPassReverse / http://localhost:3000/ diff --git a/roles/graphite/graphite/templates/graphite-web.conf b/roles/graphite/graphite/templates/graphite-web.conf index 5789d9a242..691ada9ffd 100644 --- a/roles/graphite/graphite/templates/graphite-web.conf +++ b/roles/graphite/graphite/templates/graphite-web.conf 
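Review bot: The removed list for dl.fedoraproject.org ended with `AES256-SHA`, a plain-RSA suite without forward secrecy that the unified `ssl_ciphers` value in the vars/global.yml hunk does not contain, so clients lacking ECDHE/DHE support will no longer negotiate with the download host after this change; the people.conf hunk drops an even broader non-PFS and CAMELLIA tail. Tightening is reasonable, but it is a behaviour change the commit message does not mention, and dl in particular serves old package tooling. If it is intended, say so in the commit message or in a comment next to `ssl_ciphers`; if not, the extra suites need a per-host override rather than the shared variable.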
@@ -37,8 +37,8 @@ SSLCertificateKeyFile /etc/letsencrypt/live/graphite.cloud.fedoraproject.org/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/graphite.cloud.fedoraproject.org/fullchain.pem SSLHonorCipherOrder On - SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL - SSLProtocol ALL -SSLv2 + SSLCipherSuite {{ ssl_ciphers }} + SSLProtocol {{ ssl_protocols }} ProxyPass / http://graphite.cloud.fedoraproject.org/ ProxyPassReverse / http://graphite.cloud.fedoraproject.org/ diff --git a/roles/httpd/templates/website.conf.j2 b/roles/httpd/templates/website.conf.j2 index 466b2b0d12..f22546dbe8 100644 --- a/roles/httpd/templates/website.conf.j2 +++ b/roles/httpd/templates/website.conf.j2 @@ -42,8 +42,8 @@ # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14 # If you change the protocols or cipher suites, you should probably update # modules/squid/files/squid.conf-el6 too, to keep it in sync. - SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 - SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK + SSLProtocol {{ ssl_protocols }} + SSLCipherSuite {{ ssl_ciphers }} Include "conf.d/{{ name }}/*.conf" diff --git a/roles/httpd/website/templates/website.conf b/roles/httpd/website/templates/website.conf index e45e805c27..654745225e 100644 --- a/roles/httpd/website/templates/website.conf +++ b/roles/httpd/website/templates/website.conf 
@@ -42,8 +42,8 @@ # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14 # If you change the protocols or cipher suites, you should probably update # modules/squid/files/squid.conf-el6 too, to keep it in sync. - SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 - SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK + SSLProtocol {{ ssl_protocols }} + SSLCipherSuite {{ ssl_ciphers }} {% if sslonly %} Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" diff --git a/roles/infinote/tasks/main.yml b/roles/infinote/tasks/main.yml index 697427174e..e1703cf77c 100644 --- a/roles/infinote/tasks/main.yml +++ b/roles/infinote/tasks/main.yml @@ -21,7 +21,7 @@ - config - name: Setup basic apache config - copy: src=infinote.fedoraproject.org.conf dest=/etc/httpd/conf.d/infinote.fedoraproject.org.conf + template: src=infinote.fedoraproject.org.conf dest=/etc/httpd/conf.d/infinote.fedoraproject.org.conf tags: - infinote - config diff --git a/roles/infinote/files/infinote.fedoraproject.org.conf b/roles/infinote/templates/infinote.fedoraproject.org.conf similarity index 83% rename from roles/infinote/files/infinote.fedoraproject.org.conf rename to roles/infinote/templates/infinote.fedoraproject.org.conf index 554a59bb37..da6f179302 100644 --- a/roles/infinote/files/infinote.fedoraproject.org.conf +++ b/roles/infinote/templates/infinote.fedoraproject.org.conf 
@@ -82,8 +82,8 @@ ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14 # If you change the protocols or cipher suites, you should probably update # modules/squid/files/squid.conf-el6 too, to keep it in sync. - SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 - SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK + SSLProtocol {{ ssl_protocols }} + SSLCipherSuite {{ ssl_ciphers }} # robots location Alias /robots.txt /srv/web/robots.txt.lockbox01 diff --git a/roles/keyserver/tasks/main.yml b/roles/keyserver/tasks/main.yml index 09ed0d0b62..021c199c65 100644 --- a/roles/keyserver/tasks/main.yml +++ b/roles/keyserver/tasks/main.yml @@ -43,12 +43,12 @@ - config - name: /etc/httpd/conf.d/sks.conf - copy: src="sks.conf" dest=/etc/httpd/conf.d/sks.conf owner=root group=root mode=0644 + template: src="sks.conf" dest=/etc/httpd/conf.d/sks.conf owner=root group=root mode=0644 tags: - config - name: /etc/httpd/conf.d/ssl.conf - copy: src="ssl.conf" dest=/etc/httpd/conf.d/ssl.conf owner=root group=root mode=0644 + template: src="ssl.conf" dest=/etc/httpd/conf.d/ssl.conf owner=root group=root mode=0644 tags: - config diff --git a/roles/keyserver/files/sks.conf b/roles/keyserver/templates/sks.conf similarity index 68% rename from roles/keyserver/files/sks.conf rename to roles/keyserver/templates/sks.conf index 3fb60c9ec0..b11d8e50b1 100644 --- a/roles/keyserver/files/sks.conf +++ b/roles/keyserver/templates/sks.conf 
@@ -56,8 +56,8 @@ NameVirtualHost *:443 SSLCertificateFile /etc/pki/tls/wildcard-2014.fedoraproject.org.cert SSLCertificateChainFile /etc/pki/tls/wildcard-2014.fedoraproject.org.intermediate.cert SSLCertificateKeyFile /etc/pki/tls/wildcard-2014.fedoraproject.org.key - SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 - SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK + SSLProtocol {{ ssl_protocols }} + SSLCipherSuite {{ ssl_ciphers }} ProxyPass / http://localhost:11371/ ProxyPassReverse / http://localhost:11371/ @@ -73,8 +73,8 @@ NameVirtualHost *:443 SSLEngine on SSLCertificateFile /etc/pki/tls/keys_fedoraproject_org.crt.pem SSLCertificateKeyFile /etc/pki/tls/keys_fedoraproject_org.key - SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 - SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK + SSLProtocol {{ ssl_protocols }} + SSLCipherSuite {{ ssl_ciphers }} ProxyPass / http://localhost:11371/ ProxyPassReverse / http://localhost:11371/ 
diff --git a/roles/keyserver/files/ssl.conf b/roles/keyserver/templates/ssl.conf similarity index 94% rename from roles/keyserver/files/ssl.conf rename to roles/keyserver/templates/ssl.conf index c755f1dd67..dd9c7e791e 100644 --- a/roles/keyserver/files/ssl.conf +++ b/roles/keyserver/templates/ssl.conf @@ -92,12 +92,12 @@ SSLEngine on # SSL Protocol support: # List the enable protocol levels with which clients will be able to # connect. Disable SSLv2 access by default: -SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 +SSLProtocol {{ ssl_protocols }} # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. -SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK +SSLCipherSuite {{ ssl_ciphers }} # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If diff --git a/roles/koji_hub/tasks/main.yml b/roles/koji_hub/tasks/main.yml index 3a3431080c..d6d6a21c81 100644 --- a/roles/koji_hub/tasks/main.yml +++ b/roles/koji_hub/tasks/main.yml @@ -297,7 +297,7 @@ when: env == "staging" - name: koji staging ssl config - copy: src=koji-ssl.conf.stg dest=/etc/httpd/conf.d/ssl.conf + template: src=koji-ssl.conf.stg dest=/etc/httpd/conf.d/ssl.conf tags: - config - koji_hub @@ -305,7 +305,7 @@ when: env == "staging" - name: koji ssl config - copy: src=koji-ssl.conf dest=/etc/httpd/conf.d/ssl.conf + template: src=koji-ssl.conf dest=/etc/httpd/conf.d/ssl.conf tags: - config - koji_hub 
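Review bot: Only the `koji-ssl.conf.stg` and `koji-ssl.conf` tasks are switched to `template:` in these two hunks, yet the diffstat also moves `koji-ssl.conf.arm`, `.ppc` and `.s390` from `files/` to `templates/` and gives them `{{ ssl_protocols }}` / `{{ ssl_ciphers }}` placeholders. If any task outside these hunks still installs those variants with `copy:`, it will now fail to find its source, and if they are installed by some other mechanism they would be delivered with the Jinja placeholders unrendered. Worth grepping the role for the remaining references before merging; the task list continues outside both hunks.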
diff --git a/roles/koji_hub/files/koji-ssl.conf b/roles/koji_hub/templates/koji-ssl.conf similarity index 99% rename from roles/koji_hub/files/koji-ssl.conf rename to roles/koji_hub/templates/koji-ssl.conf index 40c0a028c8..328cf62539 100644 --- a/roles/koji_hub/files/koji-ssl.conf +++ b/roles/koji_hub/templates/koji-ssl.conf @@ -72,12 +72,12 @@ SSLEngine on # SSL Protocol support: # List the enable protocol levels with which clients will be able to # connect. Disable SSLv2 access by default: -SSLProtocol all -SSLv2 +SSLProtocol {{ ssl_protocols }} # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. -SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 +SSLCipherSuite {{ ssl_ciphers }} # Speed-optimized SSL Cipher configuration: # If speed is your main concern (on busy HTTPS servers e.g.), diff --git a/roles/koji_hub/files/koji-ssl.conf.arm b/roles/koji_hub/templates/koji-ssl.conf.arm similarity index 99% rename from roles/koji_hub/files/koji-ssl.conf.arm rename to roles/koji_hub/templates/koji-ssl.conf.arm index 40c0a028c8..328cf62539 100644 --- a/roles/koji_hub/files/koji-ssl.conf.arm +++ b/roles/koji_hub/templates/koji-ssl.conf.arm @@ -72,12 +72,12 @@ SSLEngine on # SSL Protocol support: # List the enable protocol levels with which clients will be able to # connect. Disable SSLv2 access by default: -SSLProtocol all -SSLv2 +SSLProtocol {{ ssl_protocols }} # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. -SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 +SSLCipherSuite {{ ssl_ciphers }} # Speed-optimized SSL Cipher configuration: # If speed is your main concern (on busy HTTPS servers e.g.), 
diff --git a/roles/koji_hub/files/koji-ssl.conf.ppc b/roles/koji_hub/templates/koji-ssl.conf.ppc similarity index 99% rename from roles/koji_hub/files/koji-ssl.conf.ppc rename to roles/koji_hub/templates/koji-ssl.conf.ppc index 40c0a028c8..328cf62539 100644 --- a/roles/koji_hub/files/koji-ssl.conf.ppc +++ b/roles/koji_hub/templates/koji-ssl.conf.ppc @@ -72,12 +72,12 @@ SSLEngine on # SSL Protocol support: # List the enable protocol levels with which clients will be able to # connect. Disable SSLv2 access by default: -SSLProtocol all -SSLv2 +SSLProtocol {{ ssl_protocols }} # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. -SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 +SSLCipherSuite {{ ssl_ciphers }} # Speed-optimized SSL Cipher configuration: # If speed is your main concern (on busy HTTPS servers e.g.), diff --git a/roles/koji_hub/files/koji-ssl.conf.s390 b/roles/koji_hub/templates/koji-ssl.conf.s390 similarity index 99% rename from roles/koji_hub/files/koji-ssl.conf.s390 rename to roles/koji_hub/templates/koji-ssl.conf.s390 index 40c0a028c8..328cf62539 100644 --- a/roles/koji_hub/files/koji-ssl.conf.s390 +++ b/roles/koji_hub/templates/koji-ssl.conf.s390 @@ -72,12 +72,12 @@ SSLEngine on # SSL Protocol support: # List the enable protocol levels with which clients will be able to # connect. Disable SSLv2 access by default: -SSLProtocol all -SSLv2 +SSLProtocol {{ ssl_protocols }} # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. -SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 +SSLCipherSuite {{ ssl_ciphers }} # Speed-optimized SSL Cipher configuration: # If speed is your main concern (on busy HTTPS servers e.g.), 
diff --git a/roles/koji_hub/files/koji-ssl.conf.stg b/roles/koji_hub/templates/koji-ssl.conf.stg similarity index 98% rename from roles/koji_hub/files/koji-ssl.conf.stg rename to roles/koji_hub/templates/koji-ssl.conf.stg index 88b12c06d9..64032a4f73 100644 --- a/roles/koji_hub/files/koji-ssl.conf.stg +++ b/roles/koji_hub/templates/koji-ssl.conf.stg @@ -72,12 +72,12 @@ SSLEngine on # SSL Protocol support: # List the enable protocol levels with which clients will be able to # connect. Disable SSLv2 access by default: -SSLProtocol all -SSLv2 +SSLProtocol {{ ssl_protocols }} # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. -SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 +SSLCipherSuite {{ ssl_ciphers }} # Speed-optimized SSL Cipher configuration: # If speed is your main concern (on busy HTTPS servers e.g.), @@ -89,8 +89,7 @@ SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 # have perfect forward secrecy - if the server's key is # compromised, captures of past or future traffic must be # considered compromised, too. -#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 -#SSLHonorCipherOrder on +SSLHonorCipherOrder on # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If diff --git a/roles/people/tasks/main.yml b/roles/people/tasks/main.yml index e8b13050c4..a5627e988f 100644 --- a/roles/people/tasks/main.yml +++ b/roles/people/tasks/main.yml @@ -20,11 +20,15 @@ - packages - people +- name: install main httpd config + template: src=people.conf dest=/etc/httpd/conf.d/people.conf + tags: + - people + - name: install httpd config copy: src={{item}} dest=/etc/httpd/conf.d/{{item}} with_items: - cgit.conf - - people.conf - ssl.conf - userdir.conf tags: diff --git a/roles/people/files/people.conf b/roles/people/templates/people.conf similarity index 92% rename from roles/people/files/people.conf rename to roles/people/templates/people.conf index 4c357d9ebb..b7652b5639 100644 
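Review bot: The new `install main httpd config` task carries only `tags:`, while a changed `people.conf` takes effect only after httpd re-reads it; the download hunk on this page handles the equivalent task with `notify: - reload httpd`. The sibling `install httpd config` task's trailing keys are outside this hunk, so I cannot see whether it notifies a handler, but the new task should do whatever that one does, e.g. `notify: - reload httpd` if the role defines that handler. Otherwise the first run after this commit leaves the old cipher configuration live until the next restart.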
--- a/roles/people/files/people.conf +++ b/roles/people/templates/people.conf @@ -31,8 +31,8 @@ NameVirtualHost *:80 SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2014.fedorapeople.org.key SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2014.fedorapeople.org.intermediate.cert SSLHonorCipherOrder On - SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA - SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 + SSLCipherSuite {{ ssl_ciphers }} + SSLProtocol {{ ssl_protocols }} Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" diff --git a/roles/phabricator/templates/phabricator.conf.j2 b/roles/phabricator/templates/phabricator.conf.j2 index ad7cb59687..f606ceeb63 100644 --- a/roles/phabricator/templates/phabricator.conf.j2 +++ b/roles/phabricator/templates/phabricator.conf.j2 
@@ -16,13 +16,12 @@ # SSL Protocol support: # List the enable protocol levels with which clients will be able to # connect. Disable SSLv2 access by default: - SSLProtocol all -SSLv2 + SSLProtocol {{ ssl_protocols }} # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. - #SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW - SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 + SSLCipherSuite {{ ssl_ciphers }} # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If diff --git a/roles/planet/tasks/main.yml b/roles/planet/tasks/main.yml index 01a0ad12c6..a7d4676592 100644 --- a/roles/planet/tasks/main.yml +++ b/roles/planet/tasks/main.yml @@ -30,7 +30,7 @@ - planet_server - name: copy the planet http config file - copy: src=planet.conf dest=/etc/httpd/conf.d/planet.conf + template: src=planet.conf dest=/etc/httpd/conf.d/planet.conf tags: - planet_server diff --git a/roles/planet/files/planet.conf b/roles/planet/templates/planet.conf similarity index 79% rename from roles/planet/files/planet.conf rename to roles/planet/templates/planet.conf index 58a48b5140..a5591c3079 100644 --- a/roles/planet/files/planet.conf +++ b/roles/planet/templates/planet.conf 
@@ -65,8 +65,8 @@ SSLCertificateKeyFile /etc/pki/tls/private/planet.fedoraproject.org.key SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2014.fedorapeople.org.intermediate.cert SSLHonorCipherOrder On - SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK - SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 + SSLProtocol {{ ssl_protocols }} + SSLCipherSuite {{ ssl_ciphers }} DocumentRoot "/srv/planet/site/" diff --git a/roles/taskotron/ssl-taskotron/templates/ssl.conf.j2 b/roles/taskotron/ssl-taskotron/templates/ssl.conf.j2 index f7ac939596..f3482414a5 100644 --- a/roles/taskotron/ssl-taskotron/templates/ssl.conf.j2 +++ b/roles/taskotron/ssl-taskotron/templates/ssl.conf.j2 @@ -76,12 +76,12 @@ SSLEngine on # SSL Protocol support: # List the enable protocol levels with which clients will be able to # connect. Disable SSLv2 access by default: -SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 +SSLProtocol {{ ssl_protocols }} # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. -SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 +SSLCipherSuite {{ ssl_ciphers }} # Speed-optimized SSL Cipher configuration: # If speed is your main concern (on busy HTTPS servers e.g.), diff --git a/roles/taskotron/ssl-taskotron/templates/ssl.conf.rhel.j2 b/roles/taskotron/ssl-taskotron/templates/ssl.conf.rhel.j2 index da5eb78f45..fdd0e8ede1 100644 --- a/roles/taskotron/ssl-taskotron/templates/ssl.conf.rhel.j2 
+++ b/roles/taskotron/ssl-taskotron/templates/ssl.conf.rhel.j2 @@ -92,12 +92,12 @@ SSLEngine on # SSL Protocol support: # List the enable protocol levels with which clients will be able to # connect. Disable SSLv2 access by default: -SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 +SSLProtocol {{ ssl_protocols }} # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. -SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW +SSLCipherSuite {{ ssl_ciphers }} # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If diff --git a/vars/global.yml b/vars/global.yml index 267fdc87ec..7f1761deb2 100644 --- a/vars/global.yml +++ b/vars/global.yml @@ -46,6 +46,9 @@ centos66_x86_64: CentOS-6-x86_64-GenericCloud-20141129_01 rhel70_x86_64: rhel-guest-image-7.0-20140930.0.x86_64 rhel66_x86_64: rhel-guest-image-6.6-20141222.0.x86_64 +ssl_protocols: "-All +TLSv1 +TLSv1.1 +TLSv1.2" +ssl_ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK" + # Set a default hostname base to transient. Override in host vars or command line. hostbase: transient global_pkgs_inst: ['bind-utils', 'mailx', 'nc', 'openssh-clients',
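Review bot: The two new keys are undocumented, yet five templates in this patch (batcave, dl, website.conf.j2, website.conf, infinote) keep a context comment saying that protocol or cipher changes should be mirrored in `modules/squid/files/squid.conf-el6`; now that the values live here, that reminder belongs above `ssl_protocols:`, where whoever edits the value will actually see it. Suggest a short comment block before the two keys stating that they are the single source for every mod_ssl `SSLProtocol` / `SSLCipherSuite` in the roles, that the cipher string is ordered (forward-secret suites first) and only acts as an order on hosts that set `SSLHonorCipherOrder On`, and carrying the squid sync reminder. Keeping `+TLSv1` in `ssl_protocols` is a policy choice worth one more comment line, since centralising it here is exactly what makes dropping it later a one-line change. Quoting both values is correct: the leading `-` of `-All +TLSv1 …` would otherwise be read as a YAML sequence.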