From 3dc0af70d7df2d5e15c1d68534e0c456de7d7898 Mon Sep 17 00:00:00 2001
From: Salt
Date: Thu, 4 Jun 2020 19:35:59 -0500
Subject: [PATCH] Disable outdated TLS versions hopefully this fixes git
---
 inventory/group_vars/webservers.yml | 3 ++-
 roles/dokuwiki/templates/apache2-vhost-ssl.conf | 1 +
 roles/gitea/templates/apache2-vhost-ssl.conf | 1 +
 roles/gitlab/templates/apache2-vhost-ssl.conf | 1 +
 roles/gitweb/templates/apache2-vhost-ssl.conf | 1 +
 roles/grafana/templates/apache2-vhost-ssl.conf | 2 ++
 roles/nextcloud/templates/apache2-vhost-ssl.conf | 1 +
 roles/redirect/templates/apache2-redirect.conf | 2 ++
 8 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/inventory/group_vars/webservers.yml b/inventory/group_vars/webservers.yml
index 732d161..163442b 100644
--- a/inventory/group_vars/webservers.yml
+++ b/inventory/group_vars/webservers.yml
@@ -1,4 +1,5 @@
 #!/usr/bin/ansible-playbook
 # vim:ft=ansible:
 backups_outdir: "/cold/backups"
-ssl_cipher_suite: "!SHA1:!SHA256:!SHA384"
+ssl_protocol: "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
+ssl_cipher_suite: "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
diff --git a/roles/dokuwiki/templates/apache2-vhost-ssl.conf b/roles/dokuwiki/templates/apache2-vhost-ssl.conf
index 4b100fd..6a8e20d 100644
--- a/roles/dokuwiki/templates/apache2-vhost-ssl.conf
+++ b/roles/dokuwiki/templates/apache2-vhost-ssl.conf
@@ -14,6 +14,7 @@ SSLStrictSNIVHostCheck off
 SSLCertificateFile /etc/pki/cert/crt/{{ dokuwiki_url }}.crt
 SSLCertificateKeyFile /etc/pki/cert/private/{{ dokuwiki_url }}.key
 SSLCertificateChainFile /etc/pki/cert/crt/{{ dokuwiki_url}}-fullchain.crt
+ SSLProtocol {{ ssl_protocol }}
 SSLCipherSuite {{ ssl_cipher_suite }} \
 SSLOptions +StdEnvVars
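Review bot: The new `ssl_cipher_suite` value in webservers.yml re-admits the four CBC/HMAC suites at its tail (`ECDHE-ECDSA-AES256-SHA384`, `ECDHE-RSA-AES256-SHA384`, `ECDHE-ECDSA-AES128-SHA256`, `ECDHE-RSA-AES128-SHA256`) that the removed `!SHA256:!SHA384` exclusion kept out, so this one change tightens protocols while loosening the cipher set. If no client you must support lacks AEAD suites, trim the value to the six GCM/CHACHA20-POLY1305 entries; if the CBC suites are kept for compatibility, a comment above the key such as `# trailing CBC suites kept for legacy clients; drop when no longer needed` would stop the next editor from silently removing or re-adding them. The ordering in this list only steers negotiation when `SSLHonorCipherOrder on` is in effect, and no hunk in this patch sets it, so confirm it is present in the global mod_ssl configuration or add it beside the new `SSLProtocol` lines. Note also that with OpenSSL 1.1.1-era Apache the TLS 1.3 suites are not governed by this string, so the list is effectively a TLS 1.2 policy.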
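Review bot: In the dokuwiki hunk the new `SSLProtocol {{ ssl_protocol }}` line lands directly above `SSLCipherSuite {{ ssl_cipher_suite }} \`, whose trailing backslash is an Apache line continuation that splices the next line onto the SSLCipherSuite argument list; the next visible context line is `SSLOptions +StdEnvVars` (a blank line may sit between them that this collapsed patch does not show), so the continuation is either dead or turns `SSLOptions +StdEnvVars` into extra arguments and `apachectl configtest` rejects the vhost. I would drop the trailing ` \` so the line reads `SSLCipherSuite {{ ssl_cipher_suite }}`, matching the gitea and gitlab templates; the same stray continuation is in the gitweb and nextcloud hunks. Separately, every vhost here is name-based (`SSLStrictSNIVHostCheck off` appears in the hunk context), and on older httpd releases the protocol set used for the handshake was taken from the default SSL vhost rather than the SNI-selected one, so a per-vhost `SSLProtocol` may not actually be what disables TLS 1.0/1.1; this applies to the gitea, gitlab, gitweb, grafana, nextcloud and redirect hunks as well. Setting `SSLProtocol {{ ssl_protocol }}` once in the default vhost or global mod_ssl config, and verifying with an external scan that TLSv1.1 is refused on each name, would make the intent of this commit hold regardless of httpd version.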
diff --git a/roles/gitea/templates/apache2-vhost-ssl.conf b/roles/gitea/templates/apache2-vhost-ssl.conf
index 5f7e5ae..c0f7337 100644
--- a/roles/gitea/templates/apache2-vhost-ssl.conf
+++ b/roles/gitea/templates/apache2-vhost-ssl.conf
@@ -16,6 +16,7 @@ SSLProxyEngine on
 SSLCertificateFile /etc/pki/cert/crt/{{ gitea_url }}.crt
 SSLCertificateKeyFile /etc/pki/cert/private/{{ gitea_url }}.key
 SSLCertificateChainFile /etc/pki/cert/crt/{{ gitea_url }}-fullchain.crt
+ SSLProtocol {{ ssl_protocol }}
 SSLCipherSuite {{ ssl_cipher_suite }}
 ServerName {{ gitea_url }}
 DocumentRoot {{ gitea_webroot }}
diff --git a/roles/gitlab/templates/apache2-vhost-ssl.conf b/roles/gitlab/templates/apache2-vhost-ssl.conf
index f6a9c0d..186af2d 100644
--- a/roles/gitlab/templates/apache2-vhost-ssl.conf
+++ b/roles/gitlab/templates/apache2-vhost-ssl.conf
@@ -14,6 +14,7 @@ SSLStrictSNIVHostCheck off
 SSLCertificateFile /etc/pki/cert/crt/{{ gitlab_url }}.crt
 SSLCertificateKeyFile /etc/pki/cert/private/{{ gitlab_url }}.key
 SSLCertificateChainFile /etc/pki/cert/crt/{{ gitlab_url }}-fullchain.crt
+ SSLProtocol {{ ssl_protocol }}
 SSLCipherSuite {{ ssl_cipher_suite }}
 ServerName {{ gitlab_url }}
 DocumentRoot {{ gitlab_webroot }}
diff --git a/roles/gitweb/templates/apache2-vhost-ssl.conf b/roles/gitweb/templates/apache2-vhost-ssl.conf
index 9fee433..701bed0 100644
--- a/roles/gitweb/templates/apache2-vhost-ssl.conf
+++ b/roles/gitweb/templates/apache2-vhost-ssl.conf
@@ -14,6 +14,7 @@ SSLStrictSNIVHostCheck off
 SSLCertificateFile /etc/pki/cert/crt/{{ gitweb_url }}.crt
 SSLCertificateKeyFile /etc/pki/cert/private/{{ gitweb_url }}.key
 SSLCertificateChainFile /etc/pki/cert/crt/{{ gitweb_url}}-fullchain.crt
+ SSLProtocol {{ ssl_protocol }}
 SSLCipherSuite {{ ssl_cipher_suite }} \
 SSLOptions +StdEnvVars
diff --git a/roles/grafana/templates/apache2-vhost-ssl.conf b/roles/grafana/templates/apache2-vhost-ssl.conf
index 9397bcd..c7c5140 100644
--- a/roles/grafana/templates/apache2-vhost-ssl.conf
+++ b/roles/grafana/templates/apache2-vhost-ssl.conf
@@ -16,6 +16,8 @@ SSLProxyEngine on
 SSLCertificateFile /etc/pki/cert/crt/{{ grafana_url }}.crt
 SSLCertificateKeyFile /etc/pki/cert/private/{{ grafana_url }}.key
 SSLCertificateChainFile /etc/pki/cert/crt/{{ grafana_url }}-fullchain.crt
+ SSLProtocol {{ ssl_protocol }}
+ SSLCipherSuite {{ ssl_cipher_suite }}
 ServerName {{ grafana_url }}
 DocumentRoot {{ grafana_webroot }}
diff --git a/roles/nextcloud/templates/apache2-vhost-ssl.conf b/roles/nextcloud/templates/apache2-vhost-ssl.conf
index 09aeae5..95ba657 100644
--- a/roles/nextcloud/templates/apache2-vhost-ssl.conf
+++ b/roles/nextcloud/templates/apache2-vhost-ssl.conf
@@ -14,6 +14,7 @@ SSLStrictSNIVHostCheck off
 SSLCertificateFile /etc/pki/cert/crt/{{ nextcloud_url }}.crt
 SSLCertificateKeyFile /etc/pki/cert/private/{{ nextcloud_url }}.key
 SSLCertificateChainFile /etc/pki/cert/crt/{{ nextcloud_url}}-fullchain.crt
+ SSLProtocol {{ ssl_protocol }}
 SSLCipherSuite {{ ssl_cipher_suite }} \
 SSLOptions +StdEnvVars
diff --git a/roles/redirect/templates/apache2-redirect.conf b/roles/redirect/templates/apache2-redirect.conf
index 2b73bb5..b7a1275 100644
--- a/roles/redirect/templates/apache2-redirect.conf
+++ b/roles/redirect/templates/apache2-redirect.conf
@@ -15,6 +15,8 @@ SSLStrictSNIVHostCheck off
 SSLCertificateFile /etc/pki/cert/crt/{{ redirect_from }}.crt
 SSLCertificateKeyFile /etc/pki/cert/private/{{ redirect_from }}.key
 SSLCertificateChainFile /etc/pki/cert/crt/{{ redirect_from}}-fullchain.crt
+ SSLProtocol {{ ssl_protocol }}
+ SSLCipherSuite {{ ssl_cipher_suite }}
 ServerName {{ redirect_from }}
 Redirect permanent / https://{{ redirect_to }}/