From 7aeb5a4c3353b8abab3d6e6b1d32b9d1fdf09ee8 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Sat, 23 May 2015 11:23:56 -0300
Subject: Logjam attack protection (stronger Diffie-Hellman for TLS)

---
 manifests/init.pp | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/manifests/init.pp b/manifests/init.pp
index eaeea8a..7c827de 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -21,6 +21,15 @@ class nginx inherits nginx::base(
 ) {
 include ssl
+ # See https://weakdh.org/
+ exec { 'openssl-nginx-gendh-2048':
+ command => 'openssl dhparam -out /etc/ssl/private/dhparams.pem 2048',
+ user => root,
+ group => root,
+ creates => '/etc/ssl/private/dh_2048.pem',
+ notify => Service['nginx'],
+ }
+
 case $deploy_certs {
 true: {
 ssl::cert { "$::domain":
@@ -38,10 +47,10 @@ class nginx inherits nginx::base(
 }
 Service["nginx"] {
- require => [ Package["nginx"],
- File["/etc/nginx/sites-enabled/${::domain}"],
- File["/etc/ssl/private/${::domain}.pem"],
- File["/etc/ssl/certs/${::domain}.crt"] ],
+ require => [ Package["nginx"],
+ File["/etc/nginx/sites-enabled/${::domain}"],
+ File["/etc/ssl/private/${::domain}.pem"],
+ File["/etc/ssl/certs/${::domain}.crt"] ],
 }
 }
 }
-- 
cgit v1.2.3
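Review bot: The `creates` guard in the new exec names `/etc/ssl/private/dh_2048.pem` while the command writes `/etc/ssl/private/dhparams.pem`, so the sentinel file never appears and the exec re-runs on every agent run, regenerating 2048-bit parameters (minutes of CPU) and bouncing nginx through `notify` each time; it should read `creates => '/etc/ssl/private/dhparams.pem',`. The command is not fully qualified and no `path` is given, so unless an `Exec` resource default sets `path` elsewhere in the module, Puppet will refuse to run it — `/usr/bin/openssl dhparam ...` or `path => ['/usr/bin', '/bin']` would settle that. Nothing in this hunk points nginx at the generated file; if the vhost template does not already carry `ssl_dhparam /etc/ssl/private/dhparams.pem;`, the Logjam mitigation the subject line claims is not actually in effect. The enclosing class body continues outside the hunk.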