
Merge pull request #396 from mccutchen/fix-apache-ssl-config-for-wheezy

Fix apache SSL config for wheezy
Justin Plock 9 年前
父节点
当前提交
68be4f6685

+ 1
- 12
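--- a/roles/blog/templates/etc_apache2_sites-available_blog.j2
+++ b/roles/blog/templates/etc_apache2_sites-available_blog.j2
@@ -10,18 +10,7 @@
     ServerName {{ domain }}
     ServerAlias www.{{ domain }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCompression off
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors off
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+    Include /etc/apache2/ssl.conf
 
     DocumentRoot            "/var/www/{{ domain }}"
     DirectoryIndex          index.html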
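Review bot: The new `Include /etc/apache2/ssl.conf` at new line 13 makes this port-443 vhost depend on a file that is only installed by the common role's new "Add common Apache SSL config" task, so on a host where that task has not yet run, Apache's config test fails on the missing file and the site cannot be enabled; the role ordering that guarantees the common role runs first is not visible in this commit. That fail-closed behaviour is the right default (every TLS directive, including `SSLEngine on`, now lives in the included file, so an optional include would leave a `*:443` vhost serving without TLS), but the dependency deserves a comment next to the Include, e.g. `# Shared TLS settings (SSLEngine, protocols, ciphers, certs, HSTS); installed by roles/common and required before this site is enabled`. The same applies to the matching Include lines in the cgit, autoconfig, newebe, selfoss, owncloud, wallabag and roundcube templates below. The enclosing `<VirtualHost>` block starts and ends outside this hunk.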

+ 7
- 0
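--- a/roles/common/tasks/ssl.yml
+++ b/roles/common/tasks/ssl.yml
@@ -19,3 +19,10 @@
 
 - name: Enable NameVirtualHost for HTTPS
   lineinfile: dest=/etc/apache2/ports.conf regexp='^    NameVirtualHost \*:443' insertafter='^<IfModule mod_ssl.c>' line='    NameVirtualHost *:443'
+
+- name: Add common Apache SSL config
+  template:
+    src=etc_apache2_ssl.conf.j2
+    dest=/etc/apache2/ssl.conf
+    owner=root
+    group=root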
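Review bot: The new "Add common Apache SSL config" task has no `notify`, so a later edit to the template (cipher list, HSTS policy, certificate paths) is written to /etc/apache2/ssl.conf but not loaded until something else restarts Apache; whether this role defines a restart handler is not visible here, but the task as written cannot trigger one. It also sets `owner` and `group` without `mode`, leaving the file's permissions to the remote umask. I would add `mode=0644` to the template arguments and `notify: <existing Apache restart handler>` to the task.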

+ 14
- 0
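--- a/roles/common/templates/etc_apache2_ssl.conf.j2
+++ b/roles/common/templates/etc_apache2_ssl.conf.j2
@@ -0,0 +1,14 @@
+SSLEngine on
+SSLProtocol ALL -SSLv2 -SSLv3
+SSLHonorCipherOrder On
+SSLCompression off
+{% if ansible_distribution_release != 'wheezy' %}
+    SSLUseStapling On
+    SSLStaplingResponderTimeout 5
+    SSLStaplingReturnResponderErrors off
+{% endif %}
+SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
+SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
+SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
+Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"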
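Review bot: `Header add Strict-Transport-Security ...` on line 14 is only applied to successful responses, because `Header` without the `always` condition skips error responses, so a browser whose first HTTPS contact with the site is an error page never records the policy; `add` also stacks a duplicate header if another scope already emits one. Change it to `Header always set Strict-Transport-Security "max-age=15768000; includeSubdomains"`. Separately, `SSLUseStapling On` (line 6) requires an `SSLStaplingCache` directive in server scope, which this commit does not add; unless it is configured elsewhere in the role (not visible here), mod_ssl will refuse to start on non-wheezy hosts, which would undo the fix this PR is making for wheezy on every other release. A one-line header comment stating that this file is the shared TLS fragment `Include`d from every `<VirtualHost *:443>` and is not loaded standalone would also help the next maintainer.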

+ 1
- 13
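--- a/roles/git/templates/etc_apache2_sites-available_cgit.j2
+++ b/roles/git/templates/etc_apache2_sites-available_cgit.j2
@@ -7,19 +7,7 @@
 <VirtualHost *:443>
     ServerName {{ cgit_domain }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCompression off
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors off
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
-
+    Include /etc/apache2/ssl.conf
     DocumentRoot /var/www/htdocs/cgit/
 
     <Directory "/var/www/htdocs/cgit/">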

+ 1
- 12
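--- a/roles/mailserver/templates/etc_apache2_sites-available_autoconfig.j2
+++ b/roles/mailserver/templates/etc_apache2_sites-available_autoconfig.j2
@@ -18,18 +18,7 @@
 <VirtualHost *:443>
     ServerName {{ mail_server_autoconfig_hostname }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCompression off
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors off
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+    Include /etc/apache2/ssl.conf
 
     DocumentRoot            "/var/www/autoconfig"
     Options                 -Indexes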

+ 2
- 14
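--- a/roles/newebe/templates/etc_apache2_sites-available_newebe.j2
+++ b/roles/newebe/templates/etc_apache2_sites-available_newebe.j2
@@ -7,20 +7,8 @@
 <VirtualHost *:443>
 
     ServerName {{ newebe_domain }}
-    SSLEngine On
-
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCompression off
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors off
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
-    SSLCertificateFile /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+
+    Include /etc/apache2/ssl.conf
 
     ErrorLog /var/log/apache2/newebe.info-error_log
     CustomLog /var/log/apache2/newebe.info-access_log common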

+ 1
- 12
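--- a/roles/news/templates/etc_apache2_sites-available_selfoss.j2
+++ b/roles/news/templates/etc_apache2_sites-available_selfoss.j2
@@ -7,18 +7,7 @@
 <VirtualHost *:443>
     ServerName {{ selfoss_domain }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCompression off
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors off
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+    Include /etc/apache2/ssl.conf
 
     DocumentRoot            /var/www/selfoss
     Options                 -Indexes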

+ 1
- 12
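--- a/roles/owncloud/templates/etc_apache2_sites-available_owncloud.j2
+++ b/roles/owncloud/templates/etc_apache2_sites-available_owncloud.j2
@@ -7,18 +7,7 @@
 <VirtualHost *:443>
     ServerName {{ owncloud_domain }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCompression off
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors off
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+    Include /etc/apache2/ssl.conf
 
     DocumentRoot            /var/www/owncloud
     Options                 -Indexes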

+ 1
- 12
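--- a/roles/readlater/templates/etc_apache2_sites-available_wallabag.j2
+++ b/roles/readlater/templates/etc_apache2_sites-available_wallabag.j2
@@ -7,18 +7,7 @@
 <VirtualHost *:443>
     ServerName {{ wallabag_domain }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCompression off
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors off
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+    Include /etc/apache2/ssl.conf
 
     DocumentRoot            /var/www/wallabag
     Options                 -Indexes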

+ 1
- 12
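--- a/roles/webmail/templates/etc_apache2_sites-available_roundcube.j2
+++ b/roles/webmail/templates/etc_apache2_sites-available_roundcube.j2
@@ -7,18 +7,7 @@
 <VirtualHost *:443>
     ServerName {{ webmail_domain }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCompression off
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors off
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+    Include /etc/apache2/ssl.conf
 
     # Those aliases do not work properly with several hosts on your apache server
     # Uncomment them to use it or adapt them to your configuration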
