Update nginx to 1.17.3, enable TLS 1.3

Uses the current intermediate recommended config from https://ssl-config.mozilla.org Closes #92
2019-08-30 11:57:38 +02:00 · 2019-08-30 11:57:38 +02:00 · dfa709c9df
parent 61ebd76590
commit dfa709c9df
3 changed files with 13 additions and 8 deletions
--- a/site-cookbooks/kosmos-nginx/files/default/nginx_tls_config.conf
+++ b/site-cookbooks/kosmos-nginx/files/default/nginx_tls_config.conf
@ -3,12 +3,10 @@ ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:50m;
 ssl_session_tickets off;
 # Disable insecure cyphers
-ssl_protocols TLSv1.2;
-ssl_prefer_server_ciphers on;
-# From https://mozilla.github.io/server-side-tls/ssl-config-generator/
-# Oldest compatible clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8
-# We don't have a lot of those cyphers (using Ubuntu 15.04), but CBC is insecure:
-# https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/
-ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+# From https://ssl-config.mozilla.org
+# Oldest compatible clients:  Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20, and Safari 9
+ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
 # Unique DH Group, see https://weakdh.org/sysadmin.html
 ssl_dhparam /etc/ssl/private/dhparams.pem;
--- a/site-cookbooks/kosmos-nginx/metadata.rb
+++ b/site-cookbooks/kosmos-nginx/metadata.rb
@ -4,7 +4,7 @@ maintainer_email 'mail@kosmos.org'
 license          'MIT'
 description      'Installs/Configures kosmos-nginx'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          '0.2.0'
+version          '0.3.0'

 depends 'nginx'
 depends 'firewall'
--- a/site-cookbooks/kosmos-nginx/recipes/default.rb
+++ b/site-cookbooks/kosmos-nginx/recipes/default.rb
@ -44,6 +44,13 @@ node.override['nginx']['repo_source'] = 'nginx' # Install from official repo
 node.override['nginx']['upstream_repository'] = "http://nginx.org/packages/mainline/#{node['platform']}"
 include_recipe 'nginx'

+# Override the nginx package resource to set a specific version, allowing
+# to upgrade it
+edit_resource!(:package, 'nginx') do
+  version "1.17.3-1~#{node['lsb']['codename']}"
+  notifies :reload, 'ohai[reload_nginx]', :immediately
+end
+
 # Generate Strong Diffie-Hellman Group (increases security)
 # https://weakdh.org/sysadmin.html
 openssl_dhparam "/etc/ssl/private/dhparams.pem" do