diff --git a/production/host_vars/library.kde.org.yml b/production/host_vars/library.kde.org.yml
index 1a21d33..638bbdc 100644
--- a/production/host_vars/library.kde.org.yml
+++ b/production/host_vars/library.kde.org.yml
@@ -1,7 +1,9 @@
 ---
 backup_directory: backups
 gohma_backup_user: librarybackup
 gohma_backup_home: BACKUP.library.kde.org
 allowed_ssh_users_extra:
   - aacid
   - ltoscano
+
+use_old_apache_config: yes
diff --git a/production/host_vars/stumptown.kde.org.yml b/production/host_vars/stumptown.kde.org.yml
index 6da33db..c98c154 100644
--- a/production/host_vars/stumptown.kde.org.yml
+++ b/production/host_vars/stumptown.kde.org.yml
@@ -1,10 +1,12 @@
 ---
 backup_directory: backups
 backup_cron:
   hour: 5
   minute: 10
   weekday: sun
 gohma_backup_user: stumptownbackup
 gohma_backup_home: BACKUP.stumptown.kde.org
 allowed_ssh_users_extra: [osuosl]
+
+use_old_apache_config: yes
diff --git a/production/hosts b/production/hosts
index 19bf111..073e25b 100644
--- a/production/hosts
+++ b/production/hosts
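Review bot: `use_old_apache_config: yes` relies on YAML 1.1 implicit typing — `yes` is only a boolean under the 1.1 rules Ansible's loader happens to apply, and yamllint's `truthy` rule flags it — so write the canonical `use_old_apache_config: true`; the same applies to the identical line added in production/host_vars/stumptown.kde.org.yml in the next hunk. The flag is also added without any explanation of what it disables or why this host needs it; a one-line comment above it, e.g. `# Keep the legacy TLS profile from roles/apache/templates/secure-ssl.conf (no HTTP/2, TLS 1.0/1.1 still offered) — reason: <TODO>`, would record the intent so the override gets revisited rather than inherited indefinitely.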
@@ -1,104 +1,112 @@
 #zivo.kde.org
 bluemchen.kde.org
 cano.kde.org
 seleno.kde.org
 #fiesta.kde.org
 recluse.kde.org
 code.kde.org
 ange.kde.org
 stumptown.kde.org
 dalca.kde.org
 dalca2.kde.org ansible_host=10.150.44.2 ansible_ssh_common_args='-o ProxyCommand="ssh -W %h:%p -q root@dalca.kde.org"'
 overwatch.kde.org
 #overwatch-test.kde.org
 library.kde.org
 rosetta.kde.org
 mimi.kde.org
 orbi.kde.org
 letterbox.kde.org
 mason.kde.org
 thera.kde.org
 mygalo.kde.org
 darwini.kde.org
 arkyid.kde.org
 eucten.kde.org
 anepsion.kde.org
 charlotte.kde.org
 halono.kde.org
 nephilia.kde.org
 komaci.kde.org
 edulis.kde.org
 nicoda.kde.org
 micrea.kde.org
 milonia.kde.org
 platna.kde.org
 capona.kde.org
 ctenzi.kde.org
 leptone.kde.org
 gallien.kde.org
 nemes.kde.org
 ereo.kde.org
 [anongit]
 mason.kde.org anongit_style=legacy
 [monitored]
 # Servers that are being monitored with Telegraf
 overwatch.kde.org
 #overwatch-test.kde.org
 bluemchen.kde.org
 rosetta.kde.org
 library.kde.org
 mimi.kde.org
 orbi.kde.org
 recluse.kde.org
 code.kde.org
 darwini.kde.org
 mason.kde.org
 thera.kde.org
 mygalo.kde.org
 anepsion.kde.org
 micrea.kde.org
 #fiesta.kde.org
 nicoda.kde.org
 edulis.kde.org
 ange.kde.org
 arkyid.kde.org
 eucten.kde.org
 seleno.kde.org
 leptone.kde.org
 [monitoring-server]
 overwatch.kde.org
 #overwatch-test.kde.org
 [apache]
 code.kde.org
 library.kde.org
 mason.kde.org
 mimi.kde.org
 orbi.kde.org
 overwatch.kde.org
 rosetta.kde.org
 stumptown.kde.org
+charlotte.kde.org
+edulis.kde.org
+gallien.kde.org
+komaci.kde.org
+letterbox.kde.org
+mygalo.kde.org
+nemes.kde.org
+thera.kde.org
diff --git a/roles/apache/templates/secure-ssl.conf b/roles/apache/templates/secure-ssl.conf
index a278cba..bbfcc92 100644
--- a/roles/apache/templates/secure-ssl.conf
+++ b/roles/apache/templates/secure-ssl.conf
@@ -1,31 +1,54 @@
+{%
+set newer_distro = (
+  (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '>=')) or
+  (ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '>='))
+)
+%}
+{% if newer_distro and not use_old_apache_config|default(False) %}
+{# This is a newer distro version where Apache supports http2 and uses libssl 1.1.1 #}
+SSLEngine off
+SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+SSLHonorCipherOrder on
+SSLCompression off
+SSLSessionTickets off
+
+# Ciphers we're allowed to use
+SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+{% else %}
 SSLEngine off
 SSLProtocol all -SSLv2 -SSLv3
 SSLHonorCipherOrder on
 SSLCompression off
 # Ciphers we're allowed to use
 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+{% endif %}
 # OCSP configuration
 SSLUseStapling on
 SSLStaplingResponderTimeout 5
 SSLStaplingFakeTryLater off
 SSLStaplingReturnResponderErrors off
 SSLStaplingCache shmcb:/var/run/ocsp(128000)
 # Use HSTS and other relevant headers
 Header always set Strict-Transport-Security "max-age=15768000"
 Header always setifempty Referrer-Policy "strict-origin-when-cross-origin"
 Header always setifempty X-XSS-Protection "1; mode=block"
 Header always setifempty X-Content-Type-Options "nosniff"
 Header always setifempty X-Frame-Options "sameorigin"
 # Make sure anything in the 'onsuccess' table is moved out of the way for the above headers
 # This works around an Apache oddity in the way it handles setting headers
 # The only module known to use the 'onsuccess' table is proxy_http, so in practice this has minimal risk for us
 # proxy_fcgi (for PHP) and regular CGI scripts use the always table and will be covered by the above
 Header onsuccess unset Strict-Transport-Security
 Header onsuccess unset Referrer-Policy
 Header onsuccess unset X-XSS-Protection
 Header onsuccess unset X-Content-Type-Options
 Header onsuccess unset X-Frame-Options
+{% if newer_distro and not use_old_apache_config|default(False) %}
+
+# Permit HTTP/2
+Protocols h2 http/1.1
+{% endif %}
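Review bot: The gate `newer_distro and not use_old_apache_config|default(False)` is spelled out twice in the new code, once before the TLS block at the top of the template and again before the `Protocols` block at the bottom, so a future edit to one copy can silently desynchronise the cipher profile from the HTTP/2 switch. Fold it into the existing `set` so it is computed once: `{% set new_tls_profile = newer_distro and not use_old_apache_config|default(False) %}` followed by `{% if new_tls_profile %}` at both sites. That `set` is also the only place `use_old_apache_config` appears in the role as far as this diff shows; a comment beside it, such as `{# use_old_apache_config: per-host override (host_vars) that forces the legacy profile, which still offers TLS 1.0/1.1 and does not enable HTTP/2 #}`, would spare the next reader a search through host_vars. Note that mod_http2 is not usable under the prefork MPM on the Apache builds shipped by Ubuntu 18.04 and Debian 10, so if any host in `[apache]` still runs mod_php on prefork the `Protocols h2 http/1.1` line will be accepted but h2 will never be negotiated; the MPM assumption is worth confirming in the role.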