
Merge pull request #396 from mccutchen/fix-apache-ssl-config-for-wheezy

Fix apache SSL config for wheezy
Justin Plock 9 years ago
parent
commit
68be4f6685

+ 1
- 12
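--- a/roles/blog/templates/etc_apache2_sites-available_blog.j2
+++ b/roles/blog/templates/etc_apache2_sites-available_blog.j2
@@ -10,18 +10,7 @@
     ServerName {{ domain }}
     ServerAlias www.{{ domain }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCompression off
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors off
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+    Include /etc/apache2/ssl.conf
 
     DocumentRoot            "/var/www/{{ domain }}"
     DirectoryIndex          index.html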
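Review bot: The added `Include /etc/apache2/ssl.conf` makes every `<VirtualHost *:443>` depend on the file written by the new roles/common task, and Apache's `Include` treats a missing file as a fatal configuration error, so these vhosts now fail configtest if a role is applied before common has run or the template task fails; presumably common runs first in the playbook, but that ordering is worth confirming. An optional include would not be a safe fallback here, because a 443 vhost rendered without `SSLEngine on` would answer in plain HTTP on port 443 rather than fail loudly. The same dependency is introduced in the cgit, autoconfig, newebe, selfoss, owncloud, wallabag and roundcube templates in this commit.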

+ 7
- 0
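--- a/roles/common/tasks/ssl.yml
+++ b/roles/common/tasks/ssl.yml
@@ -19,3 +19,10 @@
 
 - name: Enable NameVirtualHost for HTTPS
   lineinfile: dest=/etc/apache2/ports.conf regexp='^    NameVirtualHost \*:443' insertafter='^<IfModule mod_ssl.c>' line='    NameVirtualHost *:443'
+
+- name: Add common Apache SSL config
+  template:
+    src=etc_apache2_ssl.conf.j2
+    dest=/etc/apache2/ssl.conf
+    owner=root
+    group=root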
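Review bot: The new `Add common Apache SSL config` task writes `/etc/apache2/ssl.conf` but carries no `notify`, so a later edit to the cipher list, protocol set or HSTS header in the template lands on disk without Apache reloading it, and the running server keeps the old TLS settings until something else restarts it. The `lineinfile` task above has the same shape, so the role may restart Apache elsewhere; if it has a handler for that, this task should reference it (`notify: <apache restart handler>`, substituting the role's actual handler name). Setting `mode=0644` explicitly would also document that the file is intentionally world-readable, which is fine since it holds only directive text and certificate paths, not the key itself.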

+ 14
- 0
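--- /dev/null
+++ b/roles/common/templates/etc_apache2_ssl.conf.j2
@@ -0,0 +1,14 @@
+SSLEngine on
+SSLProtocol ALL -SSLv2 -SSLv3
+SSLHonorCipherOrder On
+SSLCompression off
+{% if ansible_distribution_release != 'wheezy' %}
+    SSLUseStapling On
+    SSLStaplingResponderTimeout 5
+    SSLStaplingReturnResponderErrors off
+{% endif %}
+SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
+SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
+SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
+Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"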
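Review bot: `Header add Strict-Transport-Security ...` on the last line is only applied to successful responses and appends rather than replaces, so error pages (4xx/5xx) go out without HSTS and a second layer adding the header produces duplicates; `Header always set Strict-Transport-Security "max-age=15768000; includeSubdomains"` covers both cases. The stapling directives kept under the wheezy guard are per-vhost, but mod_ssl also needs `SSLStaplingCache` in server-level context for stapling to work, which an Include evaluated inside `<VirtualHost>` cannot supply — presumably that is already set globally, since the vhosts carried `SSLUseStapling On` before this commit, but worth confirming. A short header comment would explain the guard to the next maintainer, e.g. `# Shared TLS settings, Included from each <VirtualHost *:443>; the stapling directives need Apache 2.4, which wheezy's 2.2 lacks.`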

+ 1
- 13
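--- a/roles/git/templates/etc_apache2_sites-available_cgit.j2
+++ b/roles/git/templates/etc_apache2_sites-available_cgit.j2
@@ -7,19 +7,7 @@
 <VirtualHost *:443>
     ServerName {{ cgit_domain }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCompression off
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors off
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
-
+    Include /etc/apache2/ssl.conf
     DocumentRoot /var/www/htdocs/cgit/
 
     <Directory "/var/www/htdocs/cgit/">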

+ 1
- 12
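--- a/roles/mailserver/templates/etc_apache2_sites-available_autoconfig.j2
+++ b/roles/mailserver/templates/etc_apache2_sites-available_autoconfig.j2
@@ -18,18 +18,7 @@
 <VirtualHost *:443>
     ServerName {{ mail_server_autoconfig_hostname }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCompression off
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors off
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+    Include /etc/apache2/ssl.conf
 
     DocumentRoot            "/var/www/autoconfig"
     Options                 -Indexes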

+ 2
- 14
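--- a/roles/newebe/templates/etc_apache2_sites-available_newebe.j2
+++ b/roles/newebe/templates/etc_apache2_sites-available_newebe.j2
@@ -7,20 +7,8 @@
 <VirtualHost *:443>
 
     ServerName {{ newebe_domain }}
-    SSLEngine On
-
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCompression off
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors off
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
-    SSLCertificateFile /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+
+    Include /etc/apache2/ssl.conf
 
     ErrorLog /var/log/apache2/newebe.info-error_log
     CustomLog /var/log/apache2/newebe.info-access_log common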

+ 1
- 12
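--- a/roles/news/templates/etc_apache2_sites-available_selfoss.j2
+++ b/roles/news/templates/etc_apache2_sites-available_selfoss.j2
@@ -7,18 +7,7 @@
 <VirtualHost *:443>
     ServerName {{ selfoss_domain }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCompression off
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors off
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+    Include /etc/apache2/ssl.conf
 
     DocumentRoot            /var/www/selfoss
     Options                 -Indexes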

+ 1
- 12
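--- a/roles/owncloud/templates/etc_apache2_sites-available_owncloud.j2
+++ b/roles/owncloud/templates/etc_apache2_sites-available_owncloud.j2
@@ -7,18 +7,7 @@
 <VirtualHost *:443>
     ServerName {{ owncloud_domain }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCompression off
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors off
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+    Include /etc/apache2/ssl.conf
 
     DocumentRoot            /var/www/owncloud
     Options                 -Indexes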

+ 1
- 12
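--- a/roles/readlater/templates/etc_apache2_sites-available_wallabag.j2
+++ b/roles/readlater/templates/etc_apache2_sites-available_wallabag.j2
@@ -7,18 +7,7 @@
 <VirtualHost *:443>
     ServerName {{ wallabag_domain }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCompression off
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors off
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+    Include /etc/apache2/ssl.conf
 
     DocumentRoot            /var/www/wallabag
     Options                 -Indexes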

+ 1
- 12
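--- a/roles/webmail/templates/etc_apache2_sites-available_roundcube.j2
+++ b/roles/webmail/templates/etc_apache2_sites-available_roundcube.j2
@@ -7,18 +7,7 @@
 <VirtualHost *:443>
     ServerName {{ webmail_domain }}
 
-    SSLEngine on
-    SSLProtocol ALL -SSLv2 -SSLv3
-    SSLHonorCipherOrder On
-    SSLCompression off
-    SSLUseStapling On
-    SSLStaplingResponderTimeout 5
-    SSLStaplingReturnResponderErrors off
-    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
-    SSLCertificateFile      /etc/ssl/certs/wildcard_public_cert.crt
-    SSLCertificateKeyFile   /etc/ssl/private/wildcard_private.key
-    SSLCACertificateFile    /etc/ssl/certs/wildcard_ca.pem
-    Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"
+    Include /etc/apache2/ssl.conf
 
     # Those aliases do not work properly with several hosts on your apache server
     # Uncomment them to use it or adapt them to your configuration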
