
Nginx Security: BEAST attack protection and fix for PCI compliance.

1 parent 7db8fa8 commit fc1eb4288afca054615627c688d7219310107f76 @omega8cc committed Feb 4, 2013
Showing with 11 additions and 6 deletions.
  1. +5 −0 BARRACUDA.sh.txt
  2. +2 −2 aegir/conf/nginx_wild_ssl.conf
  3. +4 −4 docs/SSL.txt
@@ -6133,6 +6133,11 @@ if [ "$_STATUS" = "INIT" ] ; then
mrun "sleep 8"
service nginx restart &> /dev/null
else
+ if [ -e "/var/aegir/config/server_master/nginx/pre.d/nginx_wild_ssl.conf" ] && [ ! -e "/var/log/nginx-ssl-fixed-$_INSTALLER_VERSION" ] ; then
+ sed -i "s/SSLv3 TLSv1;/SSLv3 TLSv1 TLSv1.1 TLSv1.2;/g" /var/aegir/config/server_master/nginx/pre.d/* &> /dev/null
+ sed -i "s/HIGH:\!ADH:\!MD5;/RC4:HIGH:\!aNULL:\!MD5;/g" /var/aegir/config/server_master/nginx/pre.d/* &> /dev/null
+ touch /var/log/nginx-ssl-fixed-$_INSTALLER_VERSION
+ fi
service nginx reload &> /dev/null
fi
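Review bot: The marker file written by the `touch` line is created even when the two `sed -i` rewrites on the lines above did not run, because their exit status is discarded by `&> /dev/null`, so a host where the rewrite failed is never retried on a later run. Chaining the steps, `sed -i ... pre.d/* && sed -i ... pre.d/* && touch "/var/log/nginx-ssl-fixed-$_INSTALLER_VERSION"`, records the fix only after both substitutions completed, and quoting the marker path also covers an empty `_INSTALLER_VERSION`; note that sed still returns 0 when the pattern simply does not match, so this guards I/O failures only. The glob rewrites every file under `pre.d/`, not just the `nginx_wild_ssl.conf` that the `-e` test looks for, which deserves a one-line comment if intended. The enclosing `if [ "$_STATUS" = "INIT" ]` block starts outside the hunk.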
@@ -12,8 +12,8 @@ server {
ssl_certificate /etc/ssl/private/nginx-wild-ssl.crt;
ssl_certificate_key /etc/ssl/private/nginx-wild-ssl.key;
ssl_session_timeout 5m;
- ssl_protocols SSLv3 TLSv1;
- ssl_ciphers HIGH:!ADH:!MD5;
+ ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
keepalive_timeout 70;
###
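Review bot: Listing `RC4` first in `ssl_ciphers` together with the existing `ssl_prefer_server_ciphers on` makes the server pick RC4 for every client that offers it, including the TLS 1.1/1.2 clients the new `ssl_protocols` line admits and for which the BEAST (TLS 1.0 CBC) issue does not apply, while `SSLv3` stays enabled. That is the trade-off the commit title describes, but nothing in the file records it; a comment above the `ssl_ciphers` line such as `# RC4 first is a BEAST (TLS 1.0 CBC) mitigation; remove once TLS 1.0 clients are gone` would tell the next maintainer why a stream cipher is preferred and when to drop it. RC4 has since been prohibited for TLS by RFC 7465, so the note marks this as temporary rather than a recommended baseline. The same lines recur in the three `docs/SSL.txt` hunks below.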
@@ -79,8 +79,8 @@ server {
ssl_certificate /etc/ssl/private/abc-ssl-enabled-domain.crt;
ssl_certificate_key /etc/ssl/private/abc-ssl-enabled-domain.key;
ssl_session_timeout 5m;
- ssl_protocols SSLv3 TLSv1;
- ssl_ciphers HIGH:!ADH:!MD5;
+ ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
keepalive_timeout 70;
###
@@ -127,8 +127,8 @@ server {
ssl_certificate /etc/ssl/private/xyz-ssl-enabled-domain.crt;
ssl_certificate_key /etc/ssl/private/xyz-ssl-enabled-domain.key;
ssl_session_timeout 5m;
- ssl_protocols SSLv3 TLSv1;
- ssl_ciphers HIGH:!ADH:!MD5;
+ ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
keepalive_timeout 70;
###
