Commit b04fe71

mo khan <mo@mokhan.ca>
2015-11-14 04:30:43
harden ssl config to protect from DH attacks.
1 parent 94eb2f9
recipes/nginx.rb
@@ -14,21 +14,20 @@ template "/etc/nginx/nginx.conf" do
   notifies :restart, 'service[nginx]'
 end
 
-directory "/etc/nginx/ssl" do
+file "/etc/ssl/certs/#{configuration['domain']}.crt" do
   mode "0644"
+  content configuration['ssl']['crt']
+  notifies :restart, "service[nginx]"
 end
 
-template "/etc/nginx/ssl/#{configuration['domain']}.crt" do
-  source "ssl.crt.erb"
+file "/etc/ssl/private/#{configuration['domain']}.key" do
   mode "0644"
-  variables(configuration)
+  content configuration['ssl']['key']
   notifies :restart, "service[nginx]"
 end
 
-template "/etc/nginx/ssl/#{configuration['domain']}.key" do
-  source "ssl.key.erb"
-  mode "0644"
-  variables(configuration)
+execute "cd /etc/ssl/certs && openssl dhparam -out dhparam.pem 2048" do
+  not_if { ::File.exist?('/etc/ssl/certs/dhparam.pem') }
   notifies :restart, "service[nginx]"
 end
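Review bot: The private key resource `file "/etc/ssl/private/#{configuration['domain']}.key"` keeps `mode "0644"`, which leaves the key world-readable on the host; it should be `mode "0600"` (the process that reads it at startup is whatever user the nginx service starts as, typically root — confirm for this deployment) and the resource should also set `sensitive true` so the key material is not printed in Chef's diff/log output when the file changes. The certificate resource above it is fine at 0644, since the `.crt` is public. The `execute` for dhparam is guarded by `not_if { ::File.exist?('/etc/ssl/certs/dhparam.pem') }`, so it runs once and only reruns if the file is deleted; a later bump of the 2048 size will need the guard updated as well, which is worth a comment on the resource.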
 
templates/nginx.conf.erb
@@ -34,21 +34,24 @@ http {
 
   server {
     listen 80 deferred;
+    add_header Strict-Transport-Security max-age=15768000;
     server_name <%= @domain %>;
     server_tokens off;
-    rewrite        ^ https://$server_name$request_uri? permanent;
+    rewrite ^ https://$server_name$request_uri? permanent;
   }
+
   server {
     listen 443 default_server ssl;
-    server_name  <%= @domain %>;
+    server_name <%= @domain %>;
     server_tokens off;
-    root         <%= node['stronglifters']['root_path'] %>/current/public;
-    ssl_certificate             /etc/nginx/ssl/<%= @domain %>.crt;
-    ssl_certificate_key         /etc/nginx/ssl/<%= @domain %>.key;
+    root <%= node['stronglifters']['root_path'] %>/current/public;
+    ssl_certificate /etc/ssl/certs/<%= @domain %>.crt;
+    ssl_certificate_key /etc/ssl/private/<%= @domain %>.key;
 
     ssl_session_timeout 5m;
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
+    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+    ssl_dhparam /etc/ssl/certs/dhparam.pem;
     ssl_prefer_server_ciphers on;
     ssl_session_cache shared:SSL:10m;
     #ssl_stapling on;
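Review bot: The added `add_header Strict-Transport-Security max-age=15768000;` sits in the port-80 server block, which only issues the redirect; browsers ignore an HSTS header received over plain HTTP (RFC 6797 §8.1), so the line has no effect there and should move into the `listen 443` server block, for example directly after `ssl_prefer_server_ciphers on;`. The new `ssl_ciphers` list in the same hunk still keeps `DES-CBC3-SHA` and the non-ECDHE/non-DHE `AES*-SHA` suites as trailing fallbacks, so clients that negotiate those get no forward secrecy; if that is an intentional compatibility trade-off, a template comment naming the profile the string was taken from would help the next reviewer. `ssl_protocols TLSv1 TLSv1.1 TLSv1.2` is unchanged context and is not revisited here; the enclosing `http {` block continues outside the hunk.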
templates/ssl.crt.erb
@@ -1,1 +0,0 @@
-<%= @ssl['crt'] %>
templates/ssl.key.erb
@@ -1,1 +0,0 @@
-<%= @ssl['key'] %>