Merge pull request #211 from saltstack-formulas/manage-tls-defaults
Manage tls defaults
This commit is contained in:
commit
c6018aeac1
@ -526,5 +526,9 @@ TraceEnable Off
|
||||
# Well, IncludeOptional behaved lile Include
|
||||
IncludeOptional etc/apache24/extra/security.con[f]
|
||||
|
||||
{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) -%}
|
||||
Include etc/apache24/extra/tls-defaults.conf
|
||||
{%- endif %}
|
||||
|
||||
Include etc/apache24/Includes/*.conf
|
||||
|
||||
|
@ -163,6 +163,10 @@ Include /etc/apache2/errors.conf
|
||||
# any virtual host
|
||||
Include /etc/apache2/ssl-global.conf
|
||||
|
||||
{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) -%}
|
||||
Include /etc/apache24/conf.d/tls-defaults.conf
|
||||
{%- %}
|
||||
|
||||
# global (server-wide) protocol configuration, that is not specific
|
||||
# to any virtual host
|
||||
Include /etc/apache2/protocols.conf
|
||||
|
18
apache/files/tls-defaults.conf.jinja
Normal file
18
apache/files/tls-defaults.conf.jinja
Normal file
@ -0,0 +1,18 @@
|
||||
# Managed by saltstack
|
||||
|
||||
{% set data = {
|
||||
'SSLCipherSuite': 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA',
|
||||
'SSLCompression': 'Off',
|
||||
'SSLProtocol': 'all -SSLv2 -SSLv3 -TLSv1',
|
||||
'SSLHonorCipherOrder': 'On',
|
||||
'SSLOptions': '+StrictRequire',
|
||||
} -%}
|
||||
{%- do data.update(salt['pillar.get']('apache:mod_ssl', {})) %}
|
||||
|
||||
<IfModule mod_ssl.c>
|
||||
{%- for key, value in data.items() %}
|
||||
{%- if not key == 'manage_tls_defaults' %}
|
||||
{{ key }} {{ value }}
|
||||
{%- endif %}
|
||||
{%- endfor %}
|
||||
</IfModule>
|
@ -38,7 +38,7 @@
|
||||
'mod_fastcgi': 'libapache2-mod-fastcgi',
|
||||
|
||||
'vhostdir': '/etc/apache2/sites-available',
|
||||
'confdir': '/etc/apache2/conf.d',
|
||||
'confdir': '/etc/apache2/conf-available',
|
||||
'confext': '.conf',
|
||||
'default_site': 'default',
|
||||
'default_site_ssl': 'default-ssl',
|
||||
@ -89,27 +89,27 @@
|
||||
'wwwdir': '/srv/www',
|
||||
},
|
||||
'FreeBSD': {
|
||||
'server': 'apache22',
|
||||
'service': 'apache22',
|
||||
'server': 'apache24',
|
||||
'service': 'apache24',
|
||||
'user': 'www',
|
||||
'group': 'www',
|
||||
'configfile': '/usr/local/etc/apache22/httpd.conf',
|
||||
'portsfile': '/usr/local/etc/apache22/ports.conf',
|
||||
'configfile': '/usr/local/etc/apache24/httpd.conf',
|
||||
'portsfile': '/usr/local/etc/apache24/ports.conf',
|
||||
|
||||
'mod_php5': 'mod_php56',
|
||||
'mod_perl2': 'ap22-mod_perl2',
|
||||
'mod_wsgi': 'ap22-mod_wsgi3',
|
||||
'mod_perl2': 'ap24-mod_perl2',
|
||||
'mod_wsgi': 'ap24-mod_wsgi3',
|
||||
|
||||
'vhostdir': '/usr/local/etc/apache22/Includes',
|
||||
'confdir': '/usr/local/etc/apache22/extra',
|
||||
'modulesdir': '/usr/local/etc/apache22/modules.d',
|
||||
'global_document_root': '/usr/local/www/apache22/data',
|
||||
'vhostdir': '/usr/local/etc/apache24/Includes',
|
||||
'confdir': '/usr/local/etc/apache24/extra',
|
||||
'modulesdir': '/usr/local/etc/apache24/modules.d',
|
||||
'global_document_root': '/usr/local/www/apache24/data',
|
||||
|
||||
'confext': '',
|
||||
'default_site': 'default',
|
||||
'default_site_ssl': 'default-ssl',
|
||||
'logdir': '/var/log/',
|
||||
'wwwdir': '/usr/local/www/apache22/',
|
||||
'wwwdir': '/usr/local/www/apache24/',
|
||||
},
|
||||
'Arch': {
|
||||
'server': 'apache',
|
||||
|
@ -42,3 +42,35 @@ include:
|
||||
- module: apache-restart
|
||||
|
||||
{% endif %}
|
||||
|
||||
{{ apache.confdir }}/tls-defaults.conf:
|
||||
{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %}
|
||||
file.managed:
|
||||
- source: salt://apache/files/tls-defaults.conf.jinja
|
||||
- mode: 644
|
||||
- template: jinja
|
||||
{% else %}
|
||||
file.absent:
|
||||
{% endif %}
|
||||
- require:
|
||||
- pkg: apache
|
||||
- watch_in:
|
||||
- module: apache-restart
|
||||
|
||||
{% if grains['os_family']=="Debian" %}
|
||||
a2endisconf tls-defaults:
|
||||
cmd.run:
|
||||
{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %}
|
||||
- name: a2enconf tls-defaults
|
||||
- unless: test -L /etc/apache2/conf-enabled/tls-defaults.conf
|
||||
{% else %}
|
||||
- name: a2disconf tls-defaults
|
||||
- onlyif: test -L /etc/apache2/conf-enabled/tls-defaults.conf
|
||||
{% endif %}
|
||||
- order: 225
|
||||
- require:
|
||||
- pkg: apache
|
||||
- file: {{ apache.confdir }}/tls-defaults.conf
|
||||
- watch_in:
|
||||
- module: apache-restart
|
||||
{% endif %}
|
||||
|
@ -314,3 +314,18 @@ apache:
|
||||
path: 'salt://path/to/modsecurity/custom/file'
|
||||
enabled: True
|
||||
|
||||
mod_ssl:
|
||||
# set this to True if you want to override your distributions default TLS configuration
|
||||
manage_tls_defaults: False
|
||||
# This stuff is deliberately not configured via map.jinja resp. apache:lookup.
|
||||
# We're unable to know sane defaults for each release of every distribution.
|
||||
# See https://github.com/saltstack-formulas/openssh-formula/issues/102 for a related discussion
|
||||
# Have a look at bettercrypto.org for up-to-date settings.
|
||||
# These are default values:
|
||||
SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
|
||||
# Mitigate the CRIME attack
|
||||
SSLCompression: Off
|
||||
SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
|
||||
SSLHonorCipherOrder: On
|
||||
SSLOptions: "+StrictRequire"
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user