diff options
| author | Silvio Rhatto <rhatto@riseup.net> | 2015-05-23 11:23:56 -0300 |
|---|---|---|
| committer | Silvio Rhatto <rhatto@riseup.net> | 2015-05-23 11:23:56 -0300 |
| commit | 7aeb5a4c3353b8abab3d6e6b1d32b9d1fdf09ee8 (patch) | |
| tree | 10ec5ebad2f56c846cab4d031aa1f1eebb8aa32d | |
| parent | d0e87a428f8fa9a6e6463751e07663848d282f3e (diff) | |
| download | puppet-nginx-7aeb5a4c3353b8abab3d6e6b1d32b9d1fdf09ee8.tar.gz puppet-nginx-7aeb5a4c3353b8abab3d6e6b1d32b9d1fdf09ee8.tar.bz2 | |
Logjam attack protection (stronger Diffie-Hellman for TLS)
| -rw-r--r-- | manifests/init.pp | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/manifests/init.pp b/manifests/init.pp index eaeea8a..7c827de 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -21,6 +21,15 @@ class nginx inherits nginx::base( ) { include ssl + # See https://weakdh.org/ + exec { 'openssl-nginx-gendh-2048': + command => 'openssl dhparam -out /etc/ssl/private/dhparams.pem 2048', + user => root, + group => root, + creates => '/etc/ssl/private/dh_2048.pem', + notify => Service['nginx'], + } + case $deploy_certs { true: { ssl::cert { "$::domain": @@ -38,10 +47,10 @@ class nginx inherits nginx::base( } Service["nginx"] { - require => [ Package["nginx"], - File["/etc/nginx/sites-enabled/${::domain}"], - File["/etc/ssl/private/${::domain}.pem"], - File["/etc/ssl/certs/${::domain}.crt"] ], + require => [ Package["nginx"], + File["/etc/nginx/sites-enabled/${::domain}"], + File["/etc/ssl/private/${::domain}.pem"], + File["/etc/ssl/certs/${::domain}.crt"] ], } } } |