Hi,
Turns out that these three services were not yet using our global secure cipher set. This means that they have the Apache defaults, which are quite insecure (RC4 and no FS). Can I please get +1s to apply the patch below?
Patrick
commit 55183057fc95109df5d6b50258918c59c7930674
Author: Patrick Uiterwijk <puiterwijk@redhat.com>
Date:   Fri Mar 17 23:28:19 2017 +0000

    Update Pagure, anitya and piwik to use the secure cipher set

    Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
diff --git a/roles/anitya/frontend/files/0_releasemonitoring.conf b/roles/anitya/frontend/files/0_releasemonitoring.co index 56a0bfb..e054147 100644 --- a/roles/anitya/frontend/files/0_releasemonitoring.conf +++ b/roles/anitya/frontend/files/0_releasemonitoring.conf @@ -7,8 +7,8 @@ ServerName release-monitoring.org:443
SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - # Use secure TLSv1.1 and TLSv1.2 ciphers + SSLProtocol {{ ssl_protocols }} + SSLCipherSuite {{ ssl_ciphers }} Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
SSLCertificateFile /etc/pki/tls/certs/release-monitoring.org.cert diff --git a/roles/pagure/frontend/templates/0_pagure.conf b/roles/pagure/frontend/templates/0_pagure.conf index a7b7e70..3c3f353 100644 --- a/roles/pagure/frontend/templates/0_pagure.conf +++ b/roles/pagure/frontend/templates/0_pagure.conf @@ -64,7 +64,8 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na ServerAdmin admin@fedoraproject.org
SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 + SSLProtocol {{ ssl_protocols }} + SSLCipherSuite {{ ssl_ciphers }} # Use secure TLSv1.1 and TLSv1.2 ciphers Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
@@ -113,7 +114,8 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na {% endif %}
SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 + SSLProtocol {{ ssl_protocols }} + SSLCipherSuite {{ ssl_ciphers }} # Use secure TLSv1.1 and TLSv1.2 ciphers Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
@@ -138,7 +140,8 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na WSGIScriptAlias / /var/www/docs_pagure.wsgi
SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 + SSLProtocol {{ ssl_protocols }} + SSLCipherSuite {{ ssl_ciphers }} # Use secure TLSv1.1 and TLSv1.2 ciphers Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
diff --git a/roles/piwik/files/piwik-httpd.conf b/roles/piwik/files/piwik-httpd.conf index 4b55fdc..881c509e 100644 --- a/roles/piwik/files/piwik-httpd.conf +++ b/roles/piwik/files/piwik-httpd.conf @@ -11,8 +11,8 @@ ServerName piwik.fedorainfracloud.org
SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - # Use secure TLSv1.1 and TLSv1.2 ciphers + SSLProtocol {{ ssl_protocols }} + SSLCipherSuite {{ ssl_ciphers }} Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
SSLCertificateFile /etc/pki/tls/certs/piwik.fedorainfracloud.org.cert
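Review bot: The anitya and piwik hunks put Jinja expressions (`{{ ssl_protocols }}`, `{{ ssl_ciphers }}`) into files that live under `roles/.../files/` and are deployed by those roles with the `copy` module rather than `template`, so the markers would reach httpd unrendered and break the vhost; move the two files to `templates/` and switch the tasks to `template` in the same commit. In the three pagure hunks the old `# Use secure TLSv1.1 and TLSv1.2 ciphers` comment is kept after the new `SSLCipherSuite {{ ssl_ciphers }}` line, where it is now stale and out of place; the anitya and piwik hunks drop it, so drop it here as well. None of the hunks set `SSLHonorCipherOrder on`; if the global cipher set relies on the server's preference order, add it next to `SSLCipherSuite` or confirm it is already set in a global ssl.conf.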
On Fri, Mar 17, 2017 at 11:29 PM, Patrick Uiterwijk puiterwijk@redhat.com wrote:
Hi,
Turns out that these three services were not yet using our global secure cipher set. This means that they have the Apache defaults, which are quite insecure (RC4 and no FS). Can I please get +1s to apply the patch below?
+1 seems sane to me
Patrick
commit 55183057fc95109df5d6b50258918c59c7930674
Author: Patrick Uiterwijk <puiterwijk@redhat.com>
Date:   Fri Mar 17 23:28:19 2017 +0000

    Update Pagure, anitya and piwik to use the secure cipher set

    Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
diff --git a/roles/anitya/frontend/files/0_releasemonitoring.conf b/roles/anitya/frontend/files/0_releasemonitoring.co index 56a0bfb..e054147 100644 --- a/roles/anitya/frontend/files/0_releasemonitoring.conf +++ b/roles/anitya/frontend/files/0_releasemonitoring.conf @@ -7,8 +7,8 @@ ServerName release-monitoring.org:443
SSLEngine on
- SSLProtocol all -SSLv2 -SSLv3
- # Use secure TLSv1.1 and TLSv1.2 ciphers
- SSLProtocol {{ ssl_protocols }}
- SSLCipherSuite {{ ssl_ciphers }} Header always add Strict-Transport-Security "max-age=15768000;
includeSubDomains; preload"
SSLCertificateFile /etc/pki/tls/certs/release-monitoring.org.cert
diff --git a/roles/pagure/frontend/templates/0_pagure.conf b/roles/pagure/frontend/templates/0_pagure.conf index a7b7e70..3c3f353 100644 --- a/roles/pagure/frontend/templates/0_pagure.conf +++ b/roles/pagure/frontend/templates/0_pagure.conf @@ -64,7 +64,8 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na ServerAdmin admin@fedoraproject.org
SSLEngine on
- SSLProtocol all -SSLv2 -SSLv3
- SSLProtocol {{ ssl_protocols }}
- SSLCipherSuite {{ ssl_ciphers }} # Use secure TLSv1.1 and TLSv1.2 ciphers Header always add Strict-Transport-Security "max-age=15768000;
includeSubDomains; preload"
@@ -113,7 +114,8 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na {% endif %}
SSLEngine on
- SSLProtocol all -SSLv2 -SSLv3
- SSLProtocol {{ ssl_protocols }}
- SSLCipherSuite {{ ssl_ciphers }} # Use secure TLSv1.1 and TLSv1.2 ciphers Header always add Strict-Transport-Security "max-age=15768000;
includeSubDomains; preload"
@@ -138,7 +140,8 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na WSGIScriptAlias / /var/www/docs_pagure.wsgi
SSLEngine on
- SSLProtocol all -SSLv2 -SSLv3
- SSLProtocol {{ ssl_protocols }}
- SSLCipherSuite {{ ssl_ciphers }} # Use secure TLSv1.1 and TLSv1.2 ciphers Header always add Strict-Transport-Security "max-age=15768000;
includeSubDomains; preload"
diff --git a/roles/piwik/files/piwik-httpd.conf b/roles/piwik/files/piwik-httpd.conf index 4b55fdc..881c509e 100644 --- a/roles/piwik/files/piwik-httpd.conf +++ b/roles/piwik/files/piwik-httpd.conf @@ -11,8 +11,8 @@ ServerName piwik.fedorainfracloud.org
SSLEngine on
- SSLProtocol all -SSLv2 -SSLv3
- # Use secure TLSv1.1 and TLSv1.2 ciphers
- SSLProtocol {{ ssl_protocols }}
- SSLCipherSuite {{ ssl_ciphers }} Header always add Strict-Transport-Security "max-age=15768000;
includeSubDomains; preload"
SSLCertificateFile /etc/pki/tls/certs/piwik.fedorainfracloud.org.cert _______________________________________________ infrastructure mailing list -- infrastructure@lists.fedoraproject.org To unsubscribe send an email to infrastructure-leave@lists.fedoraproject.org
Turns out I'll need a follow-up...
Can I get +1s to also apply the following to make this actually work?

Moved roles/anitya/frontend/files/0_releasemonitoring.conf -> roles/anitya/frontend/templates/0_releasemonitoring.conf
Moved roles/piwik/files/piwik-httpd.conf -> roles/piwik/templates/piwik-httpd.conf

commit 10300f667f81c690c68368bad66a2e03d8d1d1d8
Author: Patrick Uiterwijk <puiterwijk@redhat.com>
Date:   Fri Mar 17 23:51:08 2017 +0000

    Move piwik and anitya configs to templates

    Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
diff --git a/roles/anitya/frontend/tasks/main.yml b/roles/anitya/frontend/tasks/main.yml index 58f1bcf..af6e6ea 100644 --- a/roles/anitya/frontend/tasks/main.yml +++ b/roles/anitya/frontend/tasks/main.yml @@ -46,7 +46,7 @@ - anitya_frontend
- name: Install the configuration file to activate https - copy: > + template: > src={{ item }} dest=/etc/httpd/conf.d/{{ item }} owner=root group=root mode=0644 with_items:
diff --git a/roles/piwik/tasks/main.yml b/roles/piwik/tasks/main.yml index ce45685..f63dfeb 100644 --- a/roles/piwik/tasks/main.yml +++ b/roles/piwik/tasks/main.yml @@ -9,7 +9,7 @@ - piwik
- name: set up http configs for piwik - copy: src={{ item }} dest=/etc/httpd/conf.d/{{ item }} + template: src={{ item }} dest=/etc/httpd/conf.d/{{ item }} owner=root group=root mode=0644 with_items: - piwik-httpd.conf
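Review bot: The patch carries only the `copy: >` -> `template: >` and `copy: src=...` -> `template: src=...` changes in the two task files; the file moves named above the commit (`files/` -> `templates/`) are not in the diff, so as posted `template` would fail to find `0_releasemonitoring.conf` and `piwik-httpd.conf` at run time. Include the `git mv` renames in the same commit so it applies atomically and reviewers can see both halves. Leaving the pagure role untouched is correct, since `0_pagure.conf` already lives under `roles/pagure/frontend/templates/`.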
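As an added check (not part of this thread or of the Fedora infrastructure repository), the script below audits deployed httpd conf files for the two problems this thread uncovered: SSL vhosts that still rely on Apache's default protocol and cipher settings, and Jinja markers left unrendered because a templated file was shipped with Ansible's `copy` module instead of `template`. The file contents are constructed samples; the file names only echo the ones in the patch.

```python
import re
from typing import Dict, List

# Constructed samples, not the real files from the infrastructure repo:
# one vhost still on the Apache defaults (SSLProtocol set, no SSLCipherSuite),
# and one that was templated but deployed with `copy`, so Jinja was never rendered.
SAMPLE_CONFS = {
    "0_releasemonitoring.conf": """
<VirtualHost *:443>
  ServerName release-monitoring.org:443
  SSLEngine on
  SSLProtocol all -SSLv2 -SSLv3
  Header always add Strict-Transport-Security "max-age=15768000"
</VirtualHost>
""",
    "piwik-httpd.conf": """
<VirtualHost *:443>
  ServerName piwik.example.org
  SSLEngine on
  SSLProtocol {{ ssl_protocols }}
  SSLCipherSuite {{ ssl_ciphers }}
</VirtualHost>
""",
}

VHOST_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)
JINJA_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}")
# Directives every TLS vhost must set explicitly to override the Apache defaults.
REQUIRED = ("SSLProtocol", "SSLCipherSuite")


def audit_conf(name: str, text: str) -> List[str]:
    """Return one finding string per problem found in a single httpd conf file."""
    findings = []
    # Unrendered Jinja means the file reached /etc/httpd/conf.d via `copy`;
    # httpd will reject '{{' as an invalid directive argument.
    if JINJA_RE.search(text):
        findings.append(f"{name}: unrendered Jinja markers (deployed with copy?)")
    for idx, body in enumerate(VHOST_RE.findall(text), start=1):
        if not re.search(r"^\s*SSLEngine\s+on", body, re.M | re.I):
            continue  # plain-HTTP vhost, nothing to check
        for directive in REQUIRED:
            if not re.search(rf"^\s*{directive}\b", body, re.M | re.I):
                findings.append(f"{name}: vhost #{idx} has SSLEngine on but no {directive}")
    return findings


def audit_all(confs: Dict[str, str]) -> List[str]:
    return [f for name, text in confs.items() for f in audit_conf(name, text)]


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_CONFS):
        print(finding)
```

Run it against the rendered files in /etc/httpd/conf.d on the host rather than against the role sources, since the point is to catch what actually reached httpd.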
Are the files also moved to the correct template directory, or are they there already? If they are there already, +1
On 17 March 2017 at 20:07, Patrick Uiterwijk puiterwijk@redhat.com wrote:
Turns out I'll need a follow-up...
Can I get +1s to also apply the following to make this actually work?

Moved roles/anitya/frontend/files/0_releasemonitoring.conf -> roles/anitya/frontend/templates/0_releasemonitoring.conf
Moved roles/piwik/files/piwik-httpd.conf -> roles/piwik/templates/piwik-httpd.conf

commit 10300f667f81c690c68368bad66a2e03d8d1d1d8
Author: Patrick Uiterwijk <puiterwijk@redhat.com>
Date:   Fri Mar 17 23:51:08 2017 +0000

    Move piwik and anitya configs to templates

    Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
diff --git a/roles/anitya/frontend/tasks/main.yml b/roles/anitya/frontend/tasks/main.yml index 58f1bcf..af6e6ea 100644 --- a/roles/anitya/frontend/tasks/main.yml +++ b/roles/anitya/frontend/tasks/main.yml @@ -46,7 +46,7 @@
anitya_frontend
name: Install the configuration file to activate https
copy: >
- template: > src={{ item }} dest=/etc/httpd/conf.d/{{ item }} owner=root group=root mode=0644 with_items:
diff --git a/roles/piwik/tasks/main.yml b/roles/piwik/tasks/main.yml index ce45685..f63dfeb 100644 --- a/roles/piwik/tasks/main.yml +++ b/roles/piwik/tasks/main.yml @@ -9,7 +9,7 @@
piwik
name: set up http configs for piwik
copy: src={{ item }} dest=/etc/httpd/conf.d/{{ item }}
- template: src={{ item }} dest=/etc/httpd/conf.d/{{ item }} owner=root group=root mode=0644 with_items:
- piwik-httpd.conf
+1 here
On 17 March 2017 at 19:33, Kevin Fenzi kevin@scrye.com wrote:
+1 here. Please do.
kevin