jenkins-bot has submitted this change and it was merged.
Change subject: Update nginx ssl configuration
......................................................................
Update nginx ssl configuration
* Separate ssl config into includable file.
* Some tweaks based on analysis of ssllabs test.
Change-Id: I6c309df6fbeb190cd615839d17e5224d9970676d
---
M puppet/modules/awstats/files/stats.translatewiki.net
A puppet/modules/nginx/files/ssl.conf
M puppet/modules/nginx/files/translatewiki.net
M puppet/modules/nginx/manifests/ssl.pp
4 files changed, 36 insertions(+), 26 deletions(-)
Approvals:
Nikerabbit: Looks good to me, approved
jenkins-bot: Verified
diff --git a/puppet/modules/awstats/files/stats.translatewiki.net
b/puppet/modules/awstats/files/stats.translatewiki.net
index 32dd9c9..6066248 100644
--- a/puppet/modules/awstats/files/stats.translatewiki.net
+++ b/puppet/modules/awstats/files/stats.translatewiki.net
@@ -4,9 +4,7 @@
listen 443 ssl spdy;
listen [2a03:4000:6:b01e::1]:443 ssl spdy;
- ssl_certificate /etc/ssl/private/translatewiki.net.pem;
- ssl_certificate_key /etc/ssl/private/translatewiki.net.key;
- spdy_headers_comp 7;
+ include includes/ssl.conf;
server_name stats.translatewiki.net;
root /www/stats.translatewiki.net;
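Review bot: With HSTS now arriving via `include includes/ssl.conf;`, any `location` inside this server block that declares its own `add_header` will silently lose the Strict-Transport-Security header, because nginx inherits `add_header` from the enclosing level only when the current level sets none. The remainder of the stats server block is outside the hunk, so I cannot tell whether that applies here; if a location sets headers, repeat the HSTS line there, or record the constraint at the top of the include with `# add_header is not inherited into a location that sets its own add_header`. The same consideration applies to the translatewiki.net server block in the third hunk.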
diff --git a/puppet/modules/nginx/files/ssl.conf
b/puppet/modules/nginx/files/ssl.conf
new file mode 100644
index 0000000..0c007d2
--- /dev/null
+++ b/puppet/modules/nginx/files/ssl.conf
@@ -0,0 +1,24 @@
+# https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
+ssl_certificate /etc/ssl/private/translatewiki.net.pem;
+ssl_certificate_key /etc/ssl/private/translatewiki.net.key;
+ssl_session_timeout 5m;
+ssl_session_cache shared:SSL:5m;
+
+ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
+# Intermediate configuration.
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
+ssl_prefer_server_ciphers on;
+
+add_header Strict-Transport-Security "max-age=31536000";
+
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate /etc/ssl/private/rapidssl.pem;
+resolver 8.8.8.8;
+
+ssl_buffer_size 4k;
+
+spdy_headers_comp 7;
+
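Review bot: `spdy_headers_comp 7;` enables SPDY header compression, which nginx leaves at 0 by default because compressing request headers that carry cookies is the condition the CRIME attack relied on; unless there is a measured need, drop the line or document why the risk is accepted. Separately, `resolver 8.8.8.8;` makes OCSP stapling depend on an external resolver queried over plain UDP with no `valid=` cache lifetime; a local resolver (with IPv4 and IPv6 addresses, given the v6 listeners elsewhere in this change) is the safer choice, and `ssl_stapling_verify on` only succeeds if `/etc/ssl/private/rapidssl.pem` holds the issuer certificates needed to verify the OCSP response, which is worth confirming. Finally, `ssl_session_tickets` is not set, so nginx uses a randomly generated ticket key that, as far as I know, only changes on reload; without managed `ssl_session_ticket_key` rotation this weakens the forward secrecy the ECDHE/DHE suites provide, so either set `ssl_session_tickets off;` or manage key files via Puppet.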
diff --git a/puppet/modules/nginx/files/translatewiki.net
b/puppet/modules/nginx/files/translatewiki.net
index 124610d..7fbe401 100644
--- a/puppet/modules/nginx/files/translatewiki.net
+++ b/puppet/modules/nginx/files/translatewiki.net
@@ -8,30 +8,10 @@
}
server {
- listen 443 ssl default_server spdy;
- listen [2a03:4000:6:b01e::1]:443 ssl spdy;
+ listen 443 ssl default_server deferred spdy;
+ listen [2a03:4000:6:b01e::1]:443 default_server deferred ssl spdy;
- # https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
- ssl_certificate /etc/ssl/private/translatewiki.net.pem;
- ssl_certificate_key /etc/ssl/private/translatewiki.net.key;
- ssl_session_timeout 5m;
- ssl_session_cache shared:SSL:5m;
-
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
-
- # Intermediate configuration.
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
- ssl_prefer_server_ciphers on;
-
- add_header Strict-Transport-Security "max-age=31536000";
-
- ssl_stapling on;
- ssl_stapling_verify on;
- ssl_trusted_certificate /etc/ssl/private/rapidssl.pem;
- resolver 8.8.8.8;
-
- spdy_headers_comp 7;
+ include includes/ssl.conf;
server_name translatewiki.net dev.translatewiki.net;
root /www/$host/docroot;
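Review bot: The two new `listen` lines order their parameters differently (`ssl default_server deferred spdy` versus `default_server deferred ssl spdy`), which makes comparing the IPv4 and IPv6 sockets harder than it needs to be; `listen [2a03:4000:6:b01e::1]:443 ssl default_server deferred spdy;` would match the line above it. Note also that `default_server` is newly added to the IPv6 socket, so this block now answers clients with no or an unknown SNI name on both address families, which the commit message does not mention. The server block continues outside the hunk.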
diff --git a/puppet/modules/nginx/manifests/ssl.pp
b/puppet/modules/nginx/manifests/ssl.pp
index d4c3620..b661c93 100755
--- a/puppet/modules/nginx/manifests/ssl.pp
+++ b/puppet/modules/nginx/manifests/ssl.pp
@@ -9,4 +9,12 @@
command => '/usr/bin/openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048',
creates => '/etc/ssl/certs/dhparam.pem'
}
+
+ file { '/etc/nginx/includes':
+ ensure => 'directory',
+ }
+
+ file { '/etc/nginx/includes/ssl.conf':
+ source => 'puppet:///modules/nginx/ssl.conf',
+ }
}
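Review bot: The `file { '/etc/nginx/includes/ssl.conf': ... }` resource has no `notify` toward the nginx service, so a changed cipher list or protocol set is written to disk but not loaded until something else reloads nginx; if a `Service['nginx']` is declared in this module (its name is not visible in the hunk), add `notify => Service['nginx'],` to the resource. Adding `ensure => 'file'` plus explicit `owner`, `group` and `mode` would also make the desired state of the include explicit rather than inherited from whatever Puppet's defaults happen to be. The enclosing class starts outside the hunk.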
--
To view, visit https://gerrit.wikimedia.org/r/231766
Gerrit-MessageType: merged
Gerrit-Change-Id: I6c309df6fbeb190cd615839d17e5224d9970676d
Gerrit-PatchSet: 1
Gerrit-Project: translatewiki
Gerrit-Branch: master
Gerrit-Owner: Nikerabbit <[email protected]>
Gerrit-Reviewer: Nikerabbit <[email protected]>
Gerrit-Reviewer: jenkins-bot <>