Dzahn has submitted this change and it was merged.

Change subject: stats.wm.org - use ssl_ciphersuite
......................................................................


stats.wm.org - use ssl_ciphersuite

In the past, when we changed SSL cipher settings
we had to create many changes, usually one per service.

Then Giuseppe introduced ssl_ciphersuite in I9bc1104b7f770d9
which moves the settings into a centralized function.

This change makes it actually use the new function.

One last time we are going through all of the services,
but in the future we will be able to make a single change
to update ciphers across misc. services.

Change-Id: I0cb4100a527b7cabb3f0e548d942959bfcf93c0d
---
M manifests/misc/statistics.pp
M templates/apache/sites/stats.wikimedia.org.erb
2 files changed, 4 insertions(+), 3 deletions(-)

Approvals:
  jenkins-bot: Verified
  Dzahn: Looks good to me, approved



diff --git a/manifests/misc/statistics.pp b/manifests/misc/statistics.pp
index d0391f3..c162c98 100644
--- a/manifests/misc/statistics.pp
+++ b/manifests/misc/statistics.pp
@@ -327,6 +327,9 @@
         group   => 'root',
         source  => 'puppet:///files/apache/ports.conf.ssl',
     }
+
+    $ssl_settings = ssl_ciphersuite('apache-2.2', 'compat')
+
 }
 
 # community-analytics.wikimedia.org
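Review bot: The `ssl_ciphersuite('apache-2.2', 'compat')` call added at the end of this block hardcodes both the server version and the compatibility profile, with no comment explaining either choice. A short comment saying why `compat` is the right profile for this site, and that the result is consumed by the stats.wikimedia.org template as `@ssl_settings`, would help the next person who touches it. The `'apache-2.2'` argument will also need updating if this host moves to a newer Apache, which is worth noting in the same comment. The blank line left before the closing brace can be dropped.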
diff --git a/templates/apache/sites/stats.wikimedia.org.erb 
b/templates/apache/sites/stats.wikimedia.org.erb
index a489360..6c328b3 100644
--- a/templates/apache/sites/stats.wikimedia.org.erb
+++ b/templates/apache/sites/stats.wikimedia.org.erb
@@ -82,12 +82,10 @@
     RewriteRule ^(.*)$ https://stats.wikimedia.org$1 [R=301,L]
 
     SSLEngine on
-    SSLProtocol +ALL -SSLv2
-    SSLCipherSuite 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!DH
-    SSLHonorCipherOrder on
     SSLCertificateFile    /etc/ssl/certs/stats.wikimedia.org.pem
     SSLCertificateKeyFile /etc/ssl/private/stats.wikimedia.org.key
     SSLCertificateChainFile /etc/ssl/certs/stats.wikimedia.org.chained.pem
+    <%= @ssl_settings.join("\n") %>
 
     # Settings for geowiki's private data
     <Directory "<%= 
scope.lookupvar('misc::statistics::sites::stats::geowiki_private_directory') 
%>">

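Review bot: With `SSLProtocol +ALL -SSLv2` and `SSLHonorCipherOrder on` removed, nothing in this vhost sets the protocol list or the server cipher preference explicitly any more, so both now depend entirely on what `ssl_ciphersuite` returns, which is not visible in this diff. Please confirm from the rendered template that the joined output contains `SSLProtocol`, `SSLCipherSuite` and `SSLHonorCipherOrder` lines, since a missing directive would silently fall back to Apache's defaults. Separately, `<%= @ssl_settings.join("\n") %>` indents only the first directive, so the remaining ones land at column 0; `join("\n    ")` would keep the vhost's indentation. Finally, `@ssl_settings` resolves only if `$ssl_settings` is assigned in the class that renders this template, and the manifest hunk does not show which class encloses the assignment.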
-- 
To view, visit https://gerrit.wikimedia.org/r/153977
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I0cb4100a527b7cabb3f0e548d942959bfcf93c0d
Gerrit-PatchSet: 6
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn <[email protected]>
Gerrit-Reviewer: Alexandros Kosiaris <[email protected]>
Gerrit-Reviewer: Chmarkine <[email protected]>
Gerrit-Reviewer: Dzahn <[email protected]>
Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: JanZerebecki <[email protected]>
Gerrit-Reviewer: Ori.livneh <[email protected]>
Gerrit-Reviewer: QChris <[email protected]>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits