From 9ab4e3f41140eb8de5d8b959a7ae9a61a17dd9ad Mon Sep 17 00:00:00 2001 From: Tobias Macey Date: Mon, 19 Sep 2016 11:35:30 -0400 Subject: [PATCH 1/5] Added dhparam file creation In order to improve security and ease of use, added creation/generation of dhparam file. --- nginx/ng/certificates.sls | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/nginx/ng/certificates.sls b/nginx/ng/certificates.sls index 8fdc54f..ea74c28 100644 --- a/nginx/ng/certificates.sls +++ b/nginx/ng/certificates.sls @@ -2,6 +2,24 @@ include: - nginx.ng.service {% set certificates_path = salt['pillar.get']('nginx:ng:certificates_path', '/etc/nginx/ssl') %} + +{% if salt.pillar.get('nginx:ng:dh_contents') %} +create_nginx_dhparam_key: + file.managed: + - name: {{ certificates_path }}/dhparam.pem + - contents_pillar: nginx:ng:dh_contents + - makedirs: True +{% elif salt.pillar.get('nginx:ng:dh_keygen', False) %} +generate_nginx_dhparam_key: + file.directory: + - name: {{ certificates_path }} + - makedirs: True + cmd.run: + - name: openssl dhparam -out dhparam.pem {{ salt.pillar.get('nginx:ng:dh_keysize', 2048) }} + - cwd: {{ certificates_path }} + - creates: {{ certificates_path }}/dhparam.pem +{% endif %} + {%- for domain in salt['pillar.get']('nginx:ng:certificates', {}).keys() %} nginx_{{ domain }}_ssl_certificate: From 19ab90ebb56440db09b70436c60421125dbc7cf8 Mon Sep 17 00:00:00 2001 From: Gilles Dartiguelongue Date: Thu, 4 May 2017 18:34:22 +0200 Subject: [PATCH 2/5] Add example for DH management --- pillar.example | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/pillar.example b/pillar.example index 3c63029..61e6171 100644 --- a/pillar.example +++ b/pillar.example 
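Review bot: The `- creates: {{ certificates_path }}/dhparam.pem` guard on the `cmd.run` makes generation one-shot, so a later change to `nginx:ng:dh_keysize` silently leaves the original file in place, and nothing in the state or the commit message says so; a comment next to that line, `# one-shot: an existing dhparam.pem is never regenerated, delete it to apply a new dh_keysize`, would spare the next maintainer the surprise. The `{% if %}`/`{% elif %}` chain also means `dh_keygen` is ignored whenever `dh_contents` is set, which deserves a line in the same comment. Note as well that `openssl dhparam` at 2048 bits can block the highstate for minutes on a small minion, which is worth mentioning where the default is documented.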
@@ -153,6 +153,14 @@ nginx: (Your Private Key: www.example.com.key) -----END RSA PRIVATE KEY----- + dh_contents: | + -----BEGIN DH PARAMETERS----- + (Your custom DH prime) + -----END DH PARAMETERS----- + # or to generate one on-the-fly + dh_keygen: true + dh_keysize: 2048 + # Passenger configuration # Default passenger configuration is provided, and will be deployed in # /etc/nginx/conf.d/passenger.conf @@ -160,4 +168,3 @@ nginx: passenger_root: /usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini passenger_ruby: /usr/bin/ruby passenger_instance_registry_dir: /var/run/passenger-instreg - From db2db31300c967e1dba700ee57a6ea14764fbfb3 Mon Sep 17 00:00:00 2001 From: Gilles Dartiguelongue Date: Tue, 11 Jul 2017 11:31:17 +0200 Subject: [PATCH 3/5] Handle installation of openssl to generate DH param --- nginx/ng/certificates.sls | 4 ++++ nginx/ng/map.jinja | 8 +++++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/nginx/ng/certificates.sls b/nginx/ng/certificates.sls index ea74c28..a9e2659 100644 --- a/nginx/ng/certificates.sls +++ b/nginx/ng/certificates.sls @@ -1,3 +1,5 @@ +{% from 'nginx/ng/map.jinja' import nginx with context %} + include: - nginx.ng.service @@ -11,6 +13,8 @@ create_nginx_dhparam_key: - makedirs: True {% elif salt.pillar.get('nginx:ng:dh_keygen', False) %} generate_nginx_dhparam_key: + pkg.installed: + - name: {{ nginx.lookup.openssl_package }} file.directory: - name: {{ certificates_path }} - makedirs: True diff --git a/nginx/ng/map.jinja b/nginx/ng/map.jinja index fc3c45d..e2f70d4 100644 --- a/nginx/ng/map.jinja +++ b/nginx/ng/map.jinja @@ -16,6 +16,7 @@ 'server_enabled': '/etc/nginx/sites-enabled', 'server_use_symlink': True, 'pid_file': '/run/nginx.pid', + 'openssl_package': 'openssl', }, 'CentOS': { 'package': 'nginx', @@ -30,6 +31,7 @@ 'rh_os_releasever': '$releasever', 'gpg_check': False, 'gpg_key': 'http://nginx.org/keys/nginx_signing.key', + 'openssl_package': 'openssl', }, 'RedHat': { 'package': 'nginx', 
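Review bot: In the `@@ -11,6 +13,8 @@` hunk of certificates.sls the new `pkg.installed` for `{{ nginx.lookup.openssl_package }}` sits under the same ID as the `cmd.run` that invokes `openssl`, so the binary being present before the command runs rests on declaration order within `generate_nginx_dhparam_key` (pkg, file.directory, cmd.run). If that ordering is intended, a one-line comment saying so belongs above `pkg.installed`; otherwise an explicit `- require:` `  - pkg: generate_nginx_dhparam_key` on the `cmd.run` makes the dependency survive a reordering. The lookup assumes every map branch carries `openssl_package`; the map.jinja hunks in this patch add it for each listed os_family and `default='Debian'` covers the rest, so that holds today but should be kept in mind when adding a new branch.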
@@ -49,6 +51,7 @@ 'passenger_instance_registry_dir': ' /var/run/passenger-instreg', 'passenger_ruby': '/usr/bin/ruby', }, + 'openssl_package': 'openssl', }, 'Suse': { 'package': 'nginx', @@ -60,7 +63,8 @@ 'server_use_symlink': False, 'pid_file': '/run/nginx.pid', 'gpg_check': True, - 'gpg_key': 'http://download.opensuse.org/repositories/server:/http/openSUSE_13.2/repodata/repomd.xml.key' + 'gpg_key': 'http://download.opensuse.org/repositories/server:/http/openSUSE_13.2/repodata/repomd.xml.key', + 'openssl_package': 'openssl', }, 'Arch': { 'package': 'nginx', @@ -70,6 +74,7 @@ 'server_available': '/etc/nginx/sites-available', 'server_enabled': '/etc/nginx/sites-enabled', 'server_use_symlink': True, + 'openssl_package': 'openssl', }, 'Gentoo': { 'package': 'www-servers/nginx', @@ -79,6 +84,7 @@ 'server_available': '/etc/nginx/sites-available', 'server_enabled': '/etc/nginx/sites-enabled', 'server_use_symlink': True, + 'openssl_package': 'dev-libs/openssl', }, }, default='Debian' ), 'install_from_source': False, From d2bc1e6d7c4e0dc0b50da8fa2b68eb71ec601f5f Mon Sep 17 00:00:00 2001 From: Gilles Dartiguelongue Date: Tue, 11 Jul 2017 12:19:47 +0200 Subject: [PATCH 4/5] Add support for specifying dh_param file name --- nginx/ng/certificates.sls | 20 +++++++++++--------- pillar.example | 15 ++++++++------- 2 files changed, 19 insertions(+), 16 deletions(-) diff --git a/nginx/ng/certificates.sls b/nginx/ng/certificates.sls index a9e2659..7bd01aa 100644 --- a/nginx/ng/certificates.sls +++ b/nginx/ng/certificates.sls 
@@ -5,24 +5,26 @@ include: {% set certificates_path = salt['pillar.get']('nginx:ng:certificates_path', '/etc/nginx/ssl') %} -{% if salt.pillar.get('nginx:ng:dh_contents') %} -create_nginx_dhparam_key: +{%- for dh_param, value in salt.pillar.get('nginx:ng:dh_param').items() %} +{%- if value is string %} +create_nginx_dhparam_{{ dh_param }}_key: file.managed: - - name: {{ certificates_path }}/dhparam.pem - - contents_pillar: nginx:ng:dh_contents + - name: {{ certificates_path }}/{{ dh_param }} + - contents_pillar: nginx:ng:dh_param:{{ dh_param }} - makedirs: True -{% elif salt.pillar.get('nginx:ng:dh_keygen', False) %} -generate_nginx_dhparam_key: +{%- else %} +generate_nginx_dhparam_{{ dh_param }}_key: pkg.installed: - name: {{ nginx.lookup.openssl_package }} file.directory: - name: {{ certificates_path }} - makedirs: True cmd.run: - - name: openssl dhparam -out dhparam.pem {{ salt.pillar.get('nginx:ng:dh_keysize', 2048) }} + - name: openssl dhparam -out {{ dh_param }} {{ value.get('keysize', 2048) }} - cwd: {{ certificates_path }} - - creates: {{ certificates_path }}/dhparam.pem -{% endif %} + - creates: {{ certificates_path }}/{{ dh_param }} +{%- endif %} +{%- endfor %} {%- for domain in salt['pillar.get']('nginx:ng:certificates', {}).keys() %} diff --git a/pillar.example b/pillar.example index 61e6171..c879065 100644 --- a/pillar.example +++ b/pillar.example @@ -153,13 +153,14 @@ nginx: (Your Private Key: www.example.com.key) -----END RSA PRIVATE KEY----- - dh_contents: | - -----BEGIN DH PARAMETERS----- - (Your custom DH prime) - -----END DH PARAMETERS----- - # or to generate one on-the-fly - dh_keygen: true - dh_keysize: 2048 + dh_param: + 'mydhparam1.pem': | + -----BEGIN DH PARAMETERS----- + (Your custom DH prime) + -----END DH PARAMETERS----- + # or to generate one on-the-fly + 'mydhparam2.pem': + keysize: 2048 # Passenger configuration # Default passenger configuration is provided, and will be deployed in 
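Review bot: `salt.pillar.get('nginx:ng:dh_param').items()` has no default, so any minion whose pillar does not define `nginx:ng:dh_param` now fails to render the whole certificates state with an attribute error on `None`, whereas the replaced `{% if %}`/`{% elif %}` form was a no-op in that case; use `salt.pillar.get('nginx:ng:dh_param', {}).items()`. The `else` branch calls `value.get('keysize', 2048)`, so an entry written as `'mydhparam2.pem':` with nothing under it (YAML `null`) or with a boolean also breaks rendering, and `{%- if value is string %}` does not catch it; guarding with `{%- set opts = value if value is mapping else {} %}` and reading `opts.get('keysize', 2048)` keeps the generated-file path usable for those spellings. The dict key is also interpolated unquoted into both the state path and the `openssl dhparam -out {{ dh_param }}` command line, so a key containing spaces yields a malformed command; pillar is operator data, but a comment on the `dh_param:` key in pillar.example stating that keys are bare file names would document the constraint.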
From 43c4eca3bbdce189e715d2d5e8289fa0a74d4cf0 Mon Sep 17 00:00:00 2001 From: Gilles Dartiguelongue Date: Tue, 11 Jul 2017 11:44:40 +0200 Subject: [PATCH 5/5] Add missing dependency on nginx_service --- nginx/ng/certificates.sls | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nginx/ng/certificates.sls b/nginx/ng/certificates.sls index 7bd01aa..dbc8cbd 100644 --- a/nginx/ng/certificates.sls +++ b/nginx/ng/certificates.sls @@ -12,6 +12,8 @@ create_nginx_dhparam_{{ dh_param }}_key: - name: {{ certificates_path }}/{{ dh_param }} - contents_pillar: nginx:ng:dh_param:{{ dh_param }} - makedirs: True + - watch_in: + - service: nginx_service {%- else %} generate_nginx_dhparam_{{ dh_param }}_key: pkg.installed: @@ -23,6 +25,8 @@ generate_nginx_dhparam_{{ dh_param }}_key: - name: openssl dhparam -out {{ dh_param }} {{ value.get('keysize', 2048) }} - cwd: {{ certificates_path }} - creates: {{ certificates_path }}/{{ dh_param }} + - watch_in: + - service: nginx_service {%- endif %} {%- endfor %}