Use "modern" SSLCipherSuite per Mozilla recommendations.
See https://wiki.mozilla.org/Security/Server_Side_TLS for details.
Removes RC4 cipher. Fixes issue #341.
Also explicitly disabled SSLCompression and enables OCSP stapling.
We should put all these settings in
/etc/apache2/mods-enabled/ssl.conf
to avoid duplication...
Install lua-sec-prosody package on Debian Wheezy and Ubuntu Precise
This is the updated version from the prosody repository because
these distributions have an old version of the lua-sec package
that lacks PFS and other features. Second commit for issue #285.
ahbl is no longer being maintained and has been configured to return a
positive value for every host. This means I get a cron warning every
day reporting that my mailserver is in ircbl.ahbl.org and
dnsbl.ahbl.org.
lukecyca/check-rbl#1 has removed ahbl from the blacklists that it
checks. This just pulls in that change.
Unfortunately, ansible's get_url won't update files which have been
downloaded already unless you set force=yes, which will cause ansible to
pull down the file from github on every single run, which isn't really
acceptable. I have filed ansible/ansible-modules-core#625 to ask that
get_url redownload if and only if the sha256sum differs. In the
meantime, you have to manually delete /opt/check-rbl.pl before rerunning
ansible to pull in the update. However, at least this will work fine
for new installs.
Related to #338 (though I don't know if it truly fixes it).
Add a status vhost to apache, so that monit's http monitoring will work.
It doesn't particularly matter to the monit check what this vhost does
as long as it returns 200, but I thought it would be nice to use
apache's builtin status functionality. Ideas cribbed from [1]. It
might also be possible to use monit's apache-status functionality to
alert on more sophisticated criteria, but this will do for now.
Open question: does collectd support apache-status? Might it also be
interested in this vhost?
Fixes #299.
[1] http://mmonit.com/wiki/Monit/MonitorApacheStatus
On fresh installs of Debian 7.6, the current order of steps will lock you
out of SSH. This will enable UFW after creating rules for http, https, ssh,
and DNS. Fix comes from @Debugreality in issue #303:
https://github.com/al3x/sovereign/issues/303