diff --git a/apache/files/FreeBSD/apache-2.4.config.jinja b/apache/files/FreeBSD/apache-2.4.config.jinja
index d9e1639..0d9d19a 100644
--- a/apache/files/FreeBSD/apache-2.4.config.jinja
+++ b/apache/files/FreeBSD/apache-2.4.config.jinja
@@ -526,5 +526,9 @@ TraceEnable Off
 # Well, IncludeOptional behaved lile Include
 IncludeOptional etc/apache24/extra/security.con[f]
+{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) -%}
+Include etc/apache24/extra/tls-defaults.conf
+{%- endif %}
+
 Include etc/apache24/Includes/*.conf
diff --git a/apache/files/Suse/apache-2.4.config.jinja b/apache/files/Suse/apache-2.4.config.jinja
index 4b2c40d..310ba7f 100644
--- a/apache/files/Suse/apache-2.4.config.jinja
+++ b/apache/files/Suse/apache-2.4.config.jinja
@@ -163,6 +163,10 @@ Include /etc/apache2/errors.conf
 # any virtual host
 Include /etc/apache2/ssl-global.conf
+{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) -%}
+Include /etc/apache24/conf.d/tls-defaults.conf
+{%- %}
+
 # global (server-wide) protocol configuration, that is not specific
 # to any virtual host
 Include /etc/apache2/protocols.conf
diff --git a/apache/files/tls-defaults.conf.jinja b/apache/files/tls-defaults.conf.jinja
new file mode 100644
index 0000000..9ee0a67
--- /dev/null
+++ b/apache/files/tls-defaults.conf.jinja
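Review bot: The new `Include etc/apache24/extra/tls-defaults.conf` is a hard include, unlike the `IncludeOptional` two lines above it, so httpd's config check fails whenever the pillar flag is set but `apache.mod_ssl` (the state in this commit that writes the file) has not yet been applied on the host. For TLS hardening that is the right failure mode — a missing file must not silently fall back to the distribution's weaker defaults — but next to the `IncludeOptional` pattern it reads like an oversight, so say so in the template: `# deliberately Include, not IncludeOptional: a missing tls-defaults.conf must fail the config check rather than weaken TLS`.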
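Review bot: `{%- %}` on the line after the new include is not a valid Jinja tag; it has to be `{%- endif %}`, and as written the whole Suse template fails to render (the `if` is never closed), which breaks the httpd.conf state on every Suse host regardless of whether `apache:mod_ssl:manage_tls_defaults` is set. The included path `/etc/apache24/conf.d/tls-defaults.conf` also looks wrong: the neighbouring includes all live under `/etc/apache2/`, and mod_ssl.sls in this same commit writes the file to `{{ apache.confdir }}/tls-defaults.conf`, so the include must point at that location — `Include {{ apache.confdir }}/tls-defaults.conf` if `apache` is in scope in this template, otherwise the Suse confdir from map.jinja (not visible in this diff).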
@@ -0,0 +1,18 @@
+# Managed by saltstack
+
+{% set data = {
+ 'SSLCipherSuite': 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA',
+ 'SSLCompression': 'Off',
+ 'SSLProtocol': 'all -SSLv2 -SSLv3 -TLSv1',
+ 'SSLHonorCipherOrder': 'On',
+ 'SSLOptions': '+StrictRequire',
+} -%}
+{%- do data.update(salt['pillar.get']('apache:mod_ssl', {})) %}
+
+
+{%- for key, value in data.items() %}
+{%- if not key == 'manage_tls_defaults' %}
+{{ key }} {{ value }}
+{%- endif %}
+{%- endfor %}
+
diff --git a/apache/map.jinja b/apache/map.jinja
index 38b10c1..cae2034 100644
--- a/apache/map.jinja
+++ b/apache/map.jinja
@@ -38,7 +38,7 @@
 'mod_fastcgi': 'libapache2-mod-fastcgi',
 'vhostdir': '/etc/apache2/sites-available',
- 'confdir': '/etc/apache2/conf.d',
+ 'confdir': '/etc/apache2/conf-available',
 'confext': '.conf',
 'default_site': 'default',
 'default_site_ssl': 'default-ssl',
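Review bot: `{{ key }} {{ value }}` renders whatever type the pillar delivers, and Salt's YAML loader turns unquoted `On`/`Off`/`Yes`/`No` into booleans, so a pillar copied from this commit's pillar.example (`SSLCompression: Off`, `SSLHonorCipherOrder: On`) is emitted as `SSLCompression False`, which httpd rejects at startup — the hardening then fails closed by accident rather than by design. Map booleans back in the template, `{{ key }} {{ 'On' if value is sameas true else ('Off' if value is sameas false else value) }}`, and quote those two values in pillar.example the way `"+StrictRequire"` already is. The `data.update(...)` line also means every key under `apache:mod_ssl` except `manage_tls_defaults` is written verbatim as a directive, so a misspelled key becomes an unknown directive and stops httpd; a comment above the loop stating that contract, e.g. `{# every apache:mod_ssl key except manage_tls_defaults is emitted verbatim as an httpd directive #}`, would spare the next reader the surprise.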
@@ -89,27 +89,27 @@
 'wwwdir': '/srv/www',
 },
 'FreeBSD': {
- 'server': 'apache22',
- 'service': 'apache22',
+ 'server': 'apache24',
+ 'service': 'apache24',
 'user': 'www',
 'group': 'www',
- 'configfile': '/usr/local/etc/apache22/httpd.conf',
- 'portsfile': '/usr/local/etc/apache22/ports.conf',
+ 'configfile': '/usr/local/etc/apache24/httpd.conf',
+ 'portsfile': '/usr/local/etc/apache24/ports.conf',
 'mod_php5': 'mod_php56',
- 'mod_perl2': 'ap22-mod_perl2',
- 'mod_wsgi': 'ap22-mod_wsgi3',
+ 'mod_perl2': 'ap24-mod_perl2',
+ 'mod_wsgi': 'ap24-mod_wsgi3',
- 'vhostdir': '/usr/local/etc/apache22/Includes',
- 'confdir': '/usr/local/etc/apache22/extra',
- 'modulesdir': '/usr/local/etc/apache22/modules.d',
- 'global_document_root': '/usr/local/www/apache22/data',
+ 'vhostdir': '/usr/local/etc/apache24/Includes',
+ 'confdir': '/usr/local/etc/apache24/extra',
+ 'modulesdir': '/usr/local/etc/apache24/modules.d',
+ 'global_document_root': '/usr/local/www/apache24/data',
 'confext': '',
 'default_site': 'default',
 'default_site_ssl': 'default-ssl',
 'logdir': '/var/log/',
- 'wwwdir': '/usr/local/www/apache22/',
+ 'wwwdir': '/usr/local/www/apache24/',
 },
 'Arch': {
 'server': 'apache',
diff --git a/apache/mod_ssl.sls b/apache/mod_ssl.sls
index 744115b..e11557d 100644
--- a/apache/mod_ssl.sls
+++ b/apache/mod_ssl.sls
@@ -42,3 +42,35 @@ include:
 - module: apache-restart
 {% endif %}
+
+{{ apache.confdir }}/tls-defaults.conf:
+{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %}
+ file.managed:
+ - source: salt://apache/files/tls-defaults.conf.jinja
+ - mode: 644
+ - template: jinja
+{% else %}
+ file.absent:
+{% endif %}
+ - require:
+ - pkg: apache
+ - watch_in:
+ - module: apache-restart
+
+{% if grains['os_family']=="Debian" %}
+a2endisconf tls-defaults:
+ cmd.run:
+{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %}
+ - name: a2enconf tls-defaults
+ - unless: test -L /etc/apache2/conf-enabled/tls-defaults.conf
+{% else %}
+ - name: a2disconf tls-defaults
+ - onlyif: test -L /etc/apache2/conf-enabled/tls-defaults.conf
+{% endif %}
+ - order: 225
+ - require:
+ - pkg: apache
+ - file: {{ apache.confdir }}/tls-defaults.conf
+ - watch_in:
+ - module: apache-restart
+{% endif %}
diff --git a/pillar.example b/pillar.example
index 845a131..185a535 100644
--- a/pillar.example
+++ b/pillar.example
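Review bot: In the `file.absent` branch the `a2endisconf tls-defaults` state still requires `file: {{ apache.confdir }}/tls-defaults.conf`, so the conf-available file is deleted before `a2disconf tls-defaults` runs against what is by then a dangling conf-enabled symlink; if a2disconf declines to act on a conf whose available file is gone (worth checking on a Debian box), the dead link is left behind and the disable path never converges. Running the disable command first — a `require_in` on the file state from the `else` branch instead of the `require` on the file — sidesteps the question. As a matter of style, `salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False)` is evaluated three times in this hunk; one `{% set manage_tls_defaults = salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %}` at the top keeps the two `if`s from drifting apart.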
@@ -313,4 +313,19 @@ apache:
 file: 'my name'
 path: 'salt://path/to/modsecurity/custom/file'
 enabled: True
-
+
+ mod_ssl:
+ # set this to True if you want to override your distributions default TLS configuration
+ manage_tls_defaults: False
+ # This stuff is deliberately not configured via map.jinja resp. apache:lookup.
+ # We're unable to know sane defaults for each release of every distribution.
+ # See https://github.com/saltstack-formulas/openssh-formula/issues/102 for a related discussion
+ # Have a look at bettercrypto.org for up-to-date settings.
+ # These are default values:
+ SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
+ # Mitigate the CRIME attack
+ SSLCompression: Off
+ SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
+ SSLHonorCipherOrder: On
+ SSLOptions: "+StrictRequire"
+