authorSilvio Rhatto <rhatto@riseup.net>2015-05-23 11:23:56 -0300
committerSilvio Rhatto <rhatto@riseup.net>2015-05-23 11:23:56 -0300
commit7aeb5a4c3353b8abab3d6e6b1d32b9d1fdf09ee8 (patch)
tree10ec5ebad2f56c846cab4d031aa1f1eebb8aa32d
parentd0e87a428f8fa9a6e6463751e07663848d282f3e (diff)
downloadpuppet-nginx-7aeb5a4c3353b8abab3d6e6b1d32b9d1fdf09ee8.tar.gz
puppet-nginx-7aeb5a4c3353b8abab3d6e6b1d32b9d1fdf09ee8.tar.bz2
Logjam attack protection (stronger Diffie-Hellman for TLS)
-rw-r--r--manifests/init.pp17
1 files changed, 13 insertions, 4 deletions
diff --git a/manifests/init.pp b/manifests/init.pp
index eaeea8a..7c827de 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -21,6 +21,15 @@ class nginx inherits nginx::base(
) {
include ssl
+ # See https://weakdh.org/
+ exec { 'openssl-nginx-gendh-2048':
+ command => 'openssl dhparam -out /etc/ssl/private/dhparams.pem 2048',
+ user => root,
+ group => root,
+ creates => '/etc/ssl/private/dh_2048.pem',
+ notify => Service['nginx'],
+ }
+
case $deploy_certs {
true: {
ssl::cert { "$::domain":
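Review bot: The `creates` path does not match the file the command writes — the command emits `/etc/ssl/private/dhparams.pem` while `creates` checks `/etc/ssl/private/dh_2048.pem`, so the guard never becomes true: the 2048-bit dhparam generation reruns on every Puppet run and, through `notify`, restarts nginx each time. The two should agree, e.g. `creates => '/etc/ssl/private/dhparams.pem',`. The command is also not fully qualified and the exec sets no `path`, which Puppet rejects for an exec; either use `/usr/bin/openssl` or add `path => ['/usr/bin', '/bin'],`. The hunk does not show an `ssl_dhparam` directive in the nginx configuration referencing the generated file; if that lives elsewhere it is worth confirming the paths match there too, since without it the parameters are generated but never used. The class body continues outside this hunk.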
@@ -38,10 +47,10 @@ class nginx inherits nginx::base(
}
Service["nginx"] {
- require => [ Package["nginx"],
- File["/etc/nginx/sites-enabled/${::domain}"],
- File["/etc/ssl/private/${::domain}.pem"],
- File["/etc/ssl/certs/${::domain}.crt"] ],
+ require => [ Package["nginx"],
+ File["/etc/nginx/sites-enabled/${::domain}"],
+ File["/etc/ssl/private/${::domain}.pem"],
+ File["/etc/ssl/certs/${::domain}.crt"] ],
}
}
}