Bladeren bron

Manage TLS defaults

master
Alexander Weidinger 7 jaren geleden
bovenliggende
commit
d3110f93f6
5 gewijzigde bestanden met toevoegingen van 74 en 1 verwijderingen
  1. +4
    -0
      apache/files/FreeBSD/apache-2.4.config.jinja
  2. +4
    -0
      apache/files/Suse/apache-2.4.config.jinja
  3. +18
    -0
      apache/files/tls-defaults.conf.jinja
  4. +32
    -0
      apache/mod_ssl.sls
  5. +16
    -1
      pillar.example

+ 4
- 0
apache/files/FreeBSD/apache-2.4.config.jinja Bestand weergeven

@@ -526,5 +526,9 @@ TraceEnable Off
# Well, IncludeOptional behaved lile Include
IncludeOptional etc/apache24/extra/security.con[f]

{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) -%}
Include etc/apache24/extra/tls-defaults.conf
{%- endif %}

Include etc/apache24/Includes/*.conf


+ 4
- 0
apache/files/Suse/apache-2.4.config.jinja Bestand weergeven

@@ -163,6 +163,10 @@ Include /etc/apache2/errors.conf
# any virtual host
Include /etc/apache2/ssl-global.conf

{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) -%}
Include /etc/apache24/conf.d/tls-defaults.conf
{%- %}

# global (server-wide) protocol configuration, that is not specific
# to any virtual host
Include /etc/apache2/protocols.conf

+ 18
- 0
apache/files/tls-defaults.conf.jinja Bestand weergeven

@@ -0,0 +1,18 @@
# Managed by saltstack

{% set data = {
'SSLCipherSuite': 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA',
'SSLCompression': 'Off',
'SSLProtocol': 'all -SSLv2 -SSLv3 -TLSv1',
'SSLHonorCipherOrder': 'On',
'SSLOptions': '+StrictRequire',
} -%}
{%- do data.update(salt['pillar.get']('apache:mod_ssl', {})) %}

<IfModule mod_ssl.c>
{%- for key, value in data.items() %}
{%- if not key == 'manage_tls_defaults' %}
{{ key }} {{ value }}
{%- endif %}
{%- endfor %}
</IfModule>

+ 32
- 0
apache/mod_ssl.sls Bestand weergeven

@@ -42,3 +42,35 @@ include:
- module: apache-restart

{% endif %}

{{ apache.confdir }}/tls-defaults.conf:
{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %}
file.managed:
- source: salt://apache/files/tls-defaults.conf.jinja
- mode: 644
- template: jinja
{% else %}
file.absent:
{% endif %}
- require:
- pkg: apache
- watch_in:
- module: apache-restart

{% if grains['os_family']=="Debian" %}
a2endisconf tls-defaults:
cmd.run:
{% if salt['pillar.get']('apache:mod_ssl:manage_tls_defaults', False) %}
- name: a2enconf tls-defaults
- unless: test -L /etc/apache2/conf-enabled/tls-defaults.conf
{% else %}
- name: a2disconf tls-defaults
- onlyif: test -L /etc/apache2/conf-enabled/tls-defaults.conf
{% endif %}
- order: 225
- require:
- pkg: apache
- file: {{ apache.confdir }}/tls-defaults.conf
- watch_in:
- module: apache-restart
{% endif %}

+ 16
- 1
pillar.example Bestand weergeven

@@ -313,4 +313,19 @@ apache:
file: 'my name'
path: 'salt://path/to/modsecurity/custom/file'
enabled: True

mod_ssl:
# set this to True if you want to override your distributions default TLS configuration
manage_tls_defaults: False
# This stuff is deliberately not configured via map.jinja resp. apache:lookup.
# We're unable to know sane defaults for each release of every distribution.
# See https://github.com/saltstack-formulas/openssh-formula/issues/102 for a related discussion
# Have a look at bettercrypto.org for up-to-date settings.
# These are default values:
SSLCipherSuite: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
# Mitigate the CRIME attack
SSLCompression: Off
SSLProtocol: all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder: On
SSLOptions: "+StrictRequire"


Laden…
Annuleren
Opslaan