Add SSL options in www subdomain redirect vhost

The *:443 vhost for www needs ssl options set even though it only hosts a redirect. Change-Id: Ib9be4d3901a6abd4f55589e41bab363f066d747b
2020-03-27 21:56:21 +00:00 · 2020-03-27 21:56:21 +00:00 · 5fd8ea4c50
parent 24890661b8
commit 5fd8ea4c50
1 changed files with 14 additions and 0 deletions
--- a/templates/vhost.erb
+++ b/templates/vhost.erb
@ -27,6 +27,20 @@

  ErrorLog ${APACHE_LOG_DIR}/openstackid-error.log
  LogLevel warn
+
+  SSLEngine on
+  SSLProtocol All -SSLv2 -SSLv3
+  # Once the machine is using something to terminate TLS that supports ECDHE
+  # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
+  # only is guarenteed.
+  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+  SSLHonorCipherOrder on
+  SSLCertificateFile      <%= scope.lookupvar("openstackid::ssl_cert_file") %>
+  SSLCertificateKeyFile   <%= scope.lookupvar("openstackid::ssl_key_file") %>
+<% if scope.lookupvar("openstackid::ssl_chain_file") != "" %>
+  SSLCertificateChainFile <%= scope.lookupvar("openstackid::ssl_chain_file") %>
+<% end %>
+
  Redirect / https://<%= scope.lookupvar("openstackid::vhost_name") %>/
 </VirtualHost>