[enh] Generate custom Diffie-Hellman primes #621

Changes from 18 commits
33 commits
be53f76
dh_params
frju365 Jan 19, 2019
077f413
dh_params (forget :) )
frju365 Jan 19, 2019
3bc82d6
typo
frju365 Jan 20, 2019
7dcef3a
Update tools.py
frju365 Jan 20, 2019
4d446b2
avoid error log
frju365 Jan 20, 2019
9789b9c
redirect log to file /var/log/yunohost/dhparam_generation.log
frju365 Jan 20, 2019
f16d42e
add render for Yunohost-admin
frju365 Jan 22, 2019
761a01b
Update 15-nginx
frju365 Feb 5, 2019
b7e97a7
Update tools.py
frju365 Feb 8, 2019
c4cd135
Strange migration
frju365 Feb 18, 2019
ed85df2
Update 0009_dh_params.py
frju365 Feb 18, 2019
b971fff
indentation
frju365 Feb 18, 2019
d820cd8
remove useless import
frju365 Feb 18, 2019
04fdb9a
Update 0009_dh_params.py
frju365 Feb 18, 2019
d9f19dd
Update tools.py
frju365 Feb 18, 2019
29bc912
Update 0009_dh_params.py
frju365 Feb 18, 2019
f2ad8cb
Do some change
frju365 Feb 18, 2019
99c83f5
correc
frju365 Feb 18, 2019
4660c60
Update 0009_dh_params.py
frju365 Feb 18, 2019
833ed86
Better than False in os.path.exist : not
Psycojoker Mar 1, 2019
12c4907
fix variable : cron_job_file
frju365 Mar 1, 2019
f122440
Update 0009_dh_params.py
frju365 Mar 7, 2019
6eca4ac
Merge branch 'stretch-unstable' into patch-frju3651
frju365 Sep 29, 2019
2cbfb17
Change Name and add a function
frju365 Sep 29, 2019
f083a2c
Import the function _set_permissions
frju365 Sep 29, 2019
e067aa6
Enlever le regen_conf (inutile dans la PR).
frju365 Sep 29, 2019
d2b39d2
Function cron_add
frju365 Sep 30, 2019
fae7a99
Function cron add
frju365 Sep 30, 2019
cc8ebc0
Add set -eux
frju365 Sep 30, 2019
0b6db8f
Retry something
frju365 Oct 5, 2019
f298e8c
Retry something : separate the two if (doesn't work)
frju365 Oct 5, 2019
c706451
Bug : double "/" in xml template
frju365 Oct 5, 2019
4015dc7
Merge branch 'stretch-unstable' into patch-frju3651
frju365 Dec 1, 2019
7 changes: 7 additions & 0 deletions data/hooks/conf_regen/15-nginx
Expand Up @@ -49,7 +49,14 @@ do_pre_regen() {
| jq ".certificates.\"$domain\".CA_type" \
| tr -d '"')

if [[ -e "/etc/ssl/private/dh2048.pem" ]]; then
export dh_params=true
else
export dh_params=false
fi

ynh_render_template "server.tpl.conf" "${nginx_conf_dir}/${domain}.conf"
ynh_render_template "yunohost_admin.conf" "${nginx_conf_dir}/yunohost-admin.conf"
ynh_render_template "autoconfig.tpl.xml" "${mail_autoconfig_dir}/config-v1.1.xml"

[[ $main_domain != $domain ]] \
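Review bot: The `[[ -e "/etc/ssl/private/dh2048.pem" ]]` test on the first added line also succeeds for an empty or partially written file, and the cron job introduced elsewhere in this PR writes that path in place with `openssl dhparam -out`, so a regen-conf that runs during the (potentially long) generation renders `ssl_dhparam` against an incomplete file and nginx then refuses its configuration. Using `if [[ -s "/etc/ssl/private/dh2048.pem" ]]; then` narrows the window, and having the generator write to a temporary file and rename it closes it. A one-line comment above the test, `# dh2048.pem is produced asynchronously by the yunohost-generate-dh-params cron job`, would tell the next reader where the file comes from. do_pre_regen's body starts and ends outside this hunk.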
6 changes: 4 additions & 2 deletions data/templates/nginx/server.tpl.conf
Expand Up @@ -44,10 +44,12 @@ server {
#ssl_protocols TLSv1.2;
#ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

{% if dh_params %}
# Uncomment the following directive after DH generation
# > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
#ssl_dhparam /etc/ssl/private/dh2048.pem;

ssl_dhparam /etc/ssl/private/dh2048.pem;
{% endif %}

# Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners
# https://wiki.mozilla.org/Security/Guidelines/Web_Security
# https://observatory.mozilla.org/
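Review bot: The new `{% if dh_params %}` guard carries no comment, and the comment block it replaces was the only place that documented how the parameters file is produced; a one-line replacement such as `# ssl_dhparam is rendered only once /etc/ssl/private/dh2048.pem has been generated (yunohost-generate-dh-params cron job)` keeps that information next to the directive. Note too that the removed comment documented plain `-2 2048` while the generator added in this PR passes `-dsaparam`; whichever is kept, the comment and the command should agree. The same applies to the second template hunk below (`@@ -43,9 +43,11 @@`), whose file header is not shown here. Independently of this PR, the Mozilla guidelines cited a few lines down now recommend, as far as I know, the standardized RFC 7919 ffdhe2048 group over a locally generated prime, which would remove the generation step entirely; worth a follow-up rather than a change here.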
Expand Up @@ -43,9 +43,11 @@ server {
#ssl_protocols TLSv1.2;
#ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

{% if dh_params %}
# Uncomment the following directive after DH generation
# > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
#ssl_dhparam /etc/ssl/private/dh2048.pem;
ssl_dhparam /etc/ssl/private/dh2048.pem;
{% endif %}

# Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners
# https://wiki.mozilla.org/Security/Guidelines/Web_Security
30 changes: 30 additions & 0 deletions src/yunohost/data_migrations/0009_dh_params.py
@@ -0,0 +1,30 @@
import re
import os

from moulinette.utils.log import getActionLogger
from moulinette.utils.filesystem import chown

from yunohost.tools import Migration
from yunohost.service import service_regen_conf

command = "nice -n 19 openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /var/log/yunohost/dhparam_generation.log && chown root:ssl-cert /etc/ssl/private/dh2048.pem && yunohost service regen-conf >> /var/log/yunohost/dhparam_generation.log && rm /etc/cron.hourly/yunohost-generate-dh-params\n"
dhparams_file = "/etc/ssl/private/dh2048.pem"

class MyMigration(Migration):
"This migration will add dh_params line and generate it in installed instance"

def migrate(self):

if os.path.exists(dhparams_file):
service_regen_conf(['nginx'])
else:
with open(cron_job_file, "w") as f:
f.write("#!/bin/bash\n")
f.write(command)

_set_permissions(cron_job_file, "root", "root", 0o755)


def backward(self):
if os.path.exists(dhparams_file):
os.remove(dhparams_file)
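Review bot: `cron_job_file` is read at `with open(cron_job_file, "w") as f:` in the else branch but is never defined in this module, so the migration raises NameError on every instance where /etc/ssl/private/dh2048.pem does not exist yet; `_set_permissions` is likewise used without being imported, while `re`, `getActionLogger` and `chown` are imported and never used. Defining `cron_job_file = "/etc/cron.hourly/yunohost-generate-dh-params"` next to `dhparams_file` (the value tools.py uses) and importing `_set_permissions` from wherever tools.py takes it fixes the crash. `backward` also only removes the parameters file: a cron job that has not fired yet keeps running, and the rendered nginx conf keeps an `ssl_dhparam` line pointing at a file that no longer exists until something else calls regen-conf, so the rollback should drop the job and re-render nginx as sketched below. The long `command` string is duplicated in tools.py; a single shared constant keeps the two from drifting.
```python
cron_job_file = "/etc/cron.hourly/yunohost-generate-dh-params"
# … unchanged: command, dhparams_file, MyMigration.migrate …

    def backward(self):
        # Remove a still-pending cron job and the generated parameters, then
        # re-render nginx so ssl_dhparam does not reference a missing file.
        if os.path.exists(cron_job_file):
            os.remove(cron_job_file)
        if os.path.exists(dhparams_file):
            os.remove(dhparams_file)
        service_regen_conf(['nginx'])
```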
11 changes: 11 additions & 0 deletions src/yunohost/tools.py
Expand Up @@ -322,6 +322,17 @@ def tools_postinstall(operation_logger, domain, password, ignore_dyndns=False,
else:
dyndns = False

cron_job_file = "/etc/cron.hourly/yunohost-generate-dh-params"

command = "nice -n 19 openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /var/log/yunohost/dhparam_generation.log && chown root:ssl-cert /etc/ssl/private/dh2048.pem && yunohost service regen-conf >> /var/log/yunohost/dhparam_generation.log && rm /etc/cron.hourly/yunohost-generate-dh-params\n"


with open(cron_job_file, "w") as f:
f.write("#!/bin/bash\n")
f.write(command)

_set_permissions(cron_job_file, "root", "root", 0o755)

operation_logger.start()
logger.info(m18n.n('yunohost_installing'))

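Review bot: The added `command` writes /etc/ssl/private/dh2048.pem in place with `openssl dhparam -out ...`, so for the minutes the generation takes the path exists but is incomplete, and because 15-nginx enables `ssl_dhparam` on a bare `-e` test a concurrent regen-conf would produce an nginx configuration that fails its check; writing to a temporary name and renaming, e.g. `openssl dhparam -out /etc/ssl/private/dh2048.pem.tmp ... && mv /etc/ssl/private/dh2048.pem.tmp /etc/ssl/private/dh2048.pem`, makes the file appear atomically. The `-dsaparam` flag deserves a comment: OpenSSL's dhparam documentation describes DSA-style parameters as not being safe primes and suitable only where each DH private key is used once, which as far as I know holds for nginx's per-handshake ephemeral keys, but it also diverges from the `-2 2048` command the template used to document. Nothing checks that /var/log/yunohost exists or that the `ssl-cert` group is present before `chown root:ssl-cert`; if either is missing the `&&` chain never reaches the `rm`, the job retries every hour, and the only trace is the log file the job itself truncates on each run. The same string is repeated in the new 0009_dh_params.py migration; one shared constant avoids the copies drifting apart. tools_postinstall starts and ends outside this hunk.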