
Squashed commit of the following:

commit e4a1d09085e65b2e96f00c9bf2859f44de26e006
Author: Juan Treminio <jtreminio@gmail.com>
Date:   Fri May 8 14:31:53 2015 -0500

    Adds ssl protocols and ciphers to default values; #1617

commit 2107cd72d22b0cb6715542109747a8ec444aa99d
Author: Juan Treminio <jtreminio@gmail.com>
Date:   Fri May 8 14:31:35 2015 -0500

    Moves hidden SSL fields to be in proper order in config file. #1617

commit c25054e037cee696d24e2857bc2725596277fa3f
Author: Juan Treminio <jtreminio@gmail.com>
Date:   Fri May 8 13:47:15 2015 -0500

    Forces apache vhost to always return an ssl value; #1617

commit 0dd150115ecf3f39cecece680869a648293beae5
Author: Juan Treminio <jtreminio@gmail.com>
Date:   Fri May 8 13:43:56 2015 -0500

    Sets proper Apache ciphers/protocols. #1617

commit 4d250190bedd6a1f0337a4df18ea5c44805910ca
Author: Juan Treminio <jtreminio@gmail.com>
Date:   Fri May 8 12:54:05 2015 -0500

    Sets proper Nginx ciphers/protocols. #1617
jtreminio committed May 8, 2015
1 parent f72f57d commit 142439552679c7937e1f669052cee0b7c6f57709
@@ -130,27 +130,42 @@
require => Exec['Create apache webroot'],
}
$ssl = array_true($vhost, 'ssl')
$allowed_ciphers = [
'ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES128-GCM-SHA256',
'DHE-RSA-AES256-GCM-SHA384', 'DHE-RSA-AES128-GCM-SHA256',
'ECDHE-RSA-AES256-SHA384', 'ECDHE-RSA-AES128-SHA256', 'ECDHE-RSA-AES256-SHA',
'ECDHE-RSA-AES128-SHA', 'DHE-RSA-AES256-SHA256', 'DHE-RSA-AES128-SHA256',
'DHE-RSA-AES256-SHA', 'DHE-RSA-AES128-SHA', 'ECDHE-RSA-DES-CBC3-SHA',
'EDH-RSA-DES-CBC3-SHA', 'AES256-GCM-SHA384', 'AES128-GCM-SHA256', 'AES256-SHA256',
'AES128-SHA256', 'AES256-SHA', 'AES128-SHA', 'DES-CBC3-SHA',
'HIGH', '!aNULL', '!eNULL', '!EXPORT', '!DES', '!MD5', '!PSK', '!RC4'
]
$ssl = array_true($vhost, 'ssl')
$ssl_cert = array_true($vhost, 'ssl_cert') ? {
true => $vhost['ssl_cert'],
default => $puphpet::params::ssl_cert_location
}
$ssl_key = array_true($vhost, 'ssl_key') ? {
true => $vhost['ssl_key'],
default => $puphpet::params::ssl_key_location
}
$ssl_chain = array_true($vhost, 'ssl_chain') ? {
true => $vhost['ssl_chain'],
default => undef
}
$ssl_certs_dir = array_true($vhost, 'ssl_certs_dir') ? {
true => $vhost['ssl_certs_dir'],
default => undef
}
$ssl_protocol = array_true($vhost, 'ssl_protocol') ? {
true => $vhost['ssl_protocol'],
default => 'TLSv1 TLSv1.1 TLSv1.2',
}
$ssl_cipher = array_true($vhost, 'ssl_cipher') ? {
true => $vhost['ssl_cipher'],
default => join($allowed_ciphers, ':'),
}
if array_true($vhost, 'directories') {
$directories_hash = $vhost['directories']
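Review bot: The default cipher list names `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA` and `DES-CBC3-SHA` explicitly while also appending `!DES`; in OpenSSL cipher-list syntax `!DES` removes the single-DES alias, not the 3DES suites (that alias is `3DES`), so the three CBC3 entries remain enabled. If they are kept on purpose for legacy clients, say so on the list, e.g. `# 3DES suites kept for legacy clients; drop once those are unsupported`; otherwise remove the three entries. The same `$allowed_ciphers` literal is repeated verbatim in the nginx manifest hunk (`@@ -200,6 +200,17 @@`), so one definition in `puphpet::params` (already referenced here for `ssl_cert_location`) would keep the two servers from drifting. `$ssl = array_true($vhost, 'ssl')` appears both before and after the array; presumably the first is the removed line, but if both are on the new side Puppet rejects the reassignment.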
@@ -172,6 +187,8 @@
'ssl_key' => $ssl_key,
'ssl_chain' => $ssl_chain,
'ssl_certs_dir' => $ssl_certs_dir,
'ssl_protocol' => $ssl_protocol,
'ssl_cipher' => "\"${ssl_cipher}\"",
'custom_fragment' => $vhost_custom_fragment,
'manage_docroot' => false
})
@@ -200,6 +200,17 @@
concat([$vhost['server_name']], $vhost['server_aliases'])
))
$allowed_ciphers = [
'ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES128-GCM-SHA256',
'DHE-RSA-AES256-GCM-SHA384', 'DHE-RSA-AES128-GCM-SHA256',
'ECDHE-RSA-AES256-SHA384', 'ECDHE-RSA-AES128-SHA256', 'ECDHE-RSA-AES256-SHA',
'ECDHE-RSA-AES128-SHA', 'DHE-RSA-AES256-SHA256', 'DHE-RSA-AES128-SHA256',
'DHE-RSA-AES256-SHA', 'DHE-RSA-AES128-SHA', 'ECDHE-RSA-DES-CBC3-SHA',
'EDH-RSA-DES-CBC3-SHA', 'AES256-GCM-SHA384', 'AES128-GCM-SHA256', 'AES256-SHA256',
'AES128-SHA256', 'AES256-SHA', 'AES128-SHA', 'DES-CBC3-SHA',
'HIGH', '!aNULL', '!eNULL', '!EXPORT', '!DES', '!MD5', '!PSK', '!RC4'
]
$ssl = array_true($vhost, 'ssl') ? {
true => true,
default => false,
@@ -216,6 +227,14 @@
true => $vhost['ssl_port'],
default => '443',
}
$ssl_protocols = array_true($vhost, 'ssl_protocols') ? {
true => $vhost['ssl_protocols'],
default => 'TLSv1 TLSv1.1 TLSv1.2',
}
$ssl_ciphers = array_true($vhost, 'ssl_ciphers') ? {
true => $vhost['ssl_ciphers'],
default => join($allowed_ciphers, ':'),
}
$rewrite_to_https = $ssl and array_true($vhost, 'rewrite_to_https') ? {
true => true,
default => undef,
@@ -234,6 +253,8 @@
'ssl_cert' => $ssl_cert,
'ssl_key' => $ssl_key,
'ssl_port' => $ssl_port,
'ssl_protocols' => $ssl_protocols,
'ssl_ciphers' => "\"${ssl_ciphers}\"",
'rewrite_to_https' => $rewrite_to_https,
}), ['server_aliases', 'proxy', 'locations'])
@@ -41,3 +41,5 @@ vhosts:
ssl_key: ~
ssl_chain: ~
ssl_certs_dir: ~
ssl_protocol: ~
ssl_cipher: ~
@@ -20,6 +20,8 @@ vhosts:
ssl_port: 443
ssl_cert: ''
ssl_key: ''
ssl_protocols: ~
ssl_ciphers: ~
rewrite_to_https: 0
spdy: 0
index_files:
@@ -6,6 +6,8 @@
{% set ssl_cert = (vhost.ssl_cert is defined) ? vhost.ssl_cert : '' %}
{% set ssl_key = (vhost.ssl_key is defined) ? vhost.ssl_key : '' %}
{% set ssl_certs_dir = (vhost.ssl_certs_dir is defined) ? vhost.ssl_certs_dir : '' %}
{% set ssl_protocol = (vhost.ssl_protocol is defined) ? vhost.ssl_protocol : '' %}
{% set ssl_cipher = (vhost.ssl_cipher is defined) ? vhost.ssl_cipher : '' %}
{% set directories = (vhost.directories is defined) ? vhost.directories : [] %}
<div class="nested-block" id="{{ uniqid }}">
@@ -128,6 +130,8 @@
<fieldset>
<legend>SSL Options</legend>
<input type="hidden" name="apache[vhosts][{{ uniqid }}][ssl]" value="0" />
<div class="form-group col-xs-6">
<div class="help-text">
<p>Absolute path to SSL Certificate File. Usually ends in .crt.
@@ -199,6 +203,9 @@
value="{{ ssl_certs_dir }}" />
</div>
<input type="hidden" name="apache[vhosts][{{ uniqid }}][ssl_protocol]" value="{{ ssl_protocol }}" />
<input type="hidden" name="apache[vhosts][{{ uniqid }}][ssl_cipher]" value="{{ ssl_cipher }}" />
<div class="clearfix"></div>
<div class="help-block">
@@ -5,6 +5,8 @@
{% set ssl_cert = (vhost.ssl_cert is defined) ? vhost.ssl_cert : '' %}
{% set ssl_key = (vhost.ssl_key is defined) ? vhost.ssl_key : '' %}
{% set ssl_port = (vhost.ssl_port is defined) ? vhost.ssl_port : '' %}
{% set ssl_protocols = (vhost.ssl_protocols is defined) ? vhost.ssl_protocols : '' %}
{% set ssl_ciphers = (vhost.ssl_ciphers is defined) ? vhost.ssl_ciphers : '' %}
{% set rewrite_to_https = (vhost.rewrite_to_https is defined) ? true : false %}
{% set spdy = (vhost.spdy is defined) ? true : false %}
{% set locations = (vhost.locations is defined) ? vhost.locations : [] %}
@@ -99,11 +101,12 @@
<div class="form-group">
<div class="clearfix"><label>Enable SSL</label></div>
<input type="hidden" name="nginx[vhosts][{{ uniqid }}][ssl]" value="0" />
<label class="radio-tile mini set-width">
<span class="help-text">
Check to enable SSL options.
</span>
<input type="hidden" name="nginx[vhosts][{{ uniqid }}][ssl]" value="0" />
<input type="checkbox" name="nginx[vhosts][{{ uniqid }}][ssl]"
class="invisible toggle-on-select"
{% if ssl %}checked{% endif %}
@@ -170,6 +173,10 @@
value="{{ ssl_port }}" />
</div>
<input type="hidden" name="nginx[vhosts][{{ uniqid }}][ssl_protocols]" value="{{ ssl_protocols }}" />
<input type="hidden" name="nginx[vhosts][{{ uniqid }}][ssl_ciphers]" value="{{ ssl_ciphers }}" />
<div class="clearfix"></div>
<div class="form-group col-xs-12">
