coren has submitted this change and it was merged.

Change subject: toollabs: Tweak SSL config to match prod
......................................................................


toollabs: Tweak SSL config to match prod

Taken from https://gerrit.wikimedia.org/r/#/c/132393/

Change-Id: I5f43b54ed68dd3a5606ea51b23d3dddce30d5ac1
---
M modules/dynamicproxy/templates/urlproxy.conf
1 file changed, 4 insertions(+), 1 deletion(-)

Approvals:
  coren: Looks good to me, approved
  jenkins-bot: Verified



diff --git a/modules/dynamicproxy/templates/urlproxy.conf 
b/modules/dynamicproxy/templates/urlproxy.conf
index 020aeec..dba2baf 100644
--- a/modules/dynamicproxy/templates/urlproxy.conf
+++ b/modules/dynamicproxy/templates/urlproxy.conf
@@ -44,10 +44,13 @@
     # it will be used for all virtual hosts. 1m = 4000 active sessions,
     # so we are allowing 200,000 active sessions.
     ssl_session_cache shared:SSL:50m;
+    ssl_session_timeout 5m;
     # SSLv2 is insecure, only allow SSLv3 and TLSv1
     ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
     # Limit ciphers allowed
-    ssl_ciphers AES128-GCM-SHA256:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA;
+    # We strongly prefer forward-secret chiphers using ECDHE and GCM for 
encrypting
+    # data, for performance reasons
+    ssl_ciphers 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH;
     # Prefer server ciphers (Prefer RC4 first to combat BEAST)
     ssl_prefer_server_ciphers on;
     <%- end -%>
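Review bot: The comment above `ssl_prefer_server_ciphers on;` still says RC4 is preferred first to combat BEAST, but the new `ssl_ciphers` list puts the ECDHE AES-GCM suites first and RC4 near the end, so the comment now says the opposite of what the server will negotiate; something like `# Prefer the server's cipher order (forward-secret AES-GCM suites first)` would match. The list still admits `ECDHE-RSA-RC4-SHA`, `ECDHE-ECDSA-RC4-SHA` and `RC4-SHA`, and the unchanged `ssl_protocols` line still enables SSLv3 under a comment that mentions only SSLv3 and TLSv1; if client compatibility with prod permits, appending `!RC4` and using `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` would remove the weakest options. The trailing `!DH` also looks like it deletes the `DHE-RSA-AES128-GCM-SHA256` and `kEDH+AESGCM` entries listed earlier in the same string, which is worth confirming with `openssl ciphers -v` against the deployed OpenSSL before either dropping the dead entries or stating the intent in the comment. The enclosing server block starts and ends outside the hunk.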

-- 
To view, visit https://gerrit.wikimedia.org/r/142208

Gerrit-MessageType: merged
Gerrit-Change-Id: I5f43b54ed68dd3a5606ea51b23d3dddce30d5ac1
Gerrit-PatchSet: 2
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Yuvipanda <[email protected]>
Gerrit-Reviewer: coren <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
