Move security.openstack.org to HTTPS
As we migrate things like security contact information off www.openstack.org and onto security.openstack.org, people are going to want some extra assurances they're not looking at a copy that's been monkeyed with in transit. Serve it via HTTPS and redirect prior HTTP URLs. Change-Id: Ifdd8eaa7d92c3103637360ec125e6a6096fed598
This commit is contained in:
parent
6ff4ec14b8
commit
08dc5c2006
@ -459,6 +459,9 @@ node 'static.openstack.org' {
|
||||
swift_tenant_name => hiera('infra_files_tenant_name', 'tenantname'),
|
||||
swift_region_name => 'DFW',
|
||||
swift_default_container => 'infra-files',
|
||||
security_ssl_cert_file_contents => hiera('security_ssl_cert_file_contents', 'XXX'),
|
||||
security_ssl_key_file_contents => hiera('security_ssl_key_file_contents', 'XXX'),
|
||||
security_ssl_chain_file_contents => hiera('security_ssl_chain_file_contents', 'XXX'),
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -9,6 +9,9 @@ class openstack_project::static (
|
||||
$swift_region_name = '',
|
||||
$swift_default_container = '',
|
||||
$project_config_repo = '',
|
||||
$security_ssl_cert_file_contents = '',
|
||||
$security_ssl_key_file_contents = '',
|
||||
$security_ssl_chain_file_contents = '',
|
||||
$jenkins_gitfullname = 'OpenStack Jenkins',
|
||||
$jenkins_gitemail = 'jenkins@openstack.org',
|
||||
) {
|
||||
@ -229,9 +232,12 @@ class openstack_project::static (
|
||||
# Security
|
||||
|
||||
apache::vhost { 'security.openstack.org':
|
||||
port => 80,
|
||||
priority => '50',
|
||||
port => 443, # Is required despite not being used.
|
||||
docroot => '/srv/static/security',
|
||||
priority => '50',
|
||||
ssl => true,
|
||||
template => 'openstack_project/security.vhost.erb',
|
||||
vhost_name => 'security.openstack.org',
|
||||
require => File['/srv/static/security'],
|
||||
}
|
||||
|
||||
@ -242,6 +248,50 @@ class openstack_project::static (
|
||||
require => User['jenkins'],
|
||||
}
|
||||
|
||||
file { '/etc/ssl/certs':
|
||||
ensure => directory,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
}
|
||||
|
||||
file { '/etc/ssl/private':
|
||||
ensure => directory,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0700',
|
||||
}
|
||||
|
||||
file { '/etc/ssl/certs/security.openstack.org.pem':
|
||||
ensure => present,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
content => $security_ssl_cert_file_contents,
|
||||
require => File['/etc/ssl/certs'],
|
||||
before => Apache::Vhost['security.openstack.org'],
|
||||
}
|
||||
|
||||
file { '/etc/ssl/private/security.openstack.org.key':
|
||||
ensure => present,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0600',
|
||||
content => $security_ssl_key_file_contents,
|
||||
require => File['/etc/ssl/private'],
|
||||
before => Apache::Vhost['security.openstack.org'],
|
||||
}
|
||||
|
||||
file { '/etc/ssl/certs/security.openstack.org_intermediate.pem':
|
||||
ensure => present,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
content => $security_ssl_chain_file_contents,
|
||||
require => File['/etc/ssl/certs'],
|
||||
before => Apache::Vhost['security.openstack.org'],
|
||||
}
|
||||
|
||||
###########################################################
|
||||
# Governance
|
||||
|
||||
|
38
modules/openstack_project/templates/security.vhost.erb
Normal file
38
modules/openstack_project/templates/security.vhost.erb
Normal file
@ -0,0 +1,38 @@
|
||||
# ************************************
|
||||
# Managed by Puppet
|
||||
# ************************************
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerName <%= @vhost_name %>
|
||||
RewriteEngine On
|
||||
RewriteRule ^/(.*) https://<%= @vhost_name %>/$1 [last,redirect=permanent]
|
||||
LogLevel warn
|
||||
ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
|
||||
CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
|
||||
ServerSignature Off
|
||||
</VirtualHost>
|
||||
|
||||
<IfModule mod_ssl.c>
|
||||
<VirtualHost *:443>
|
||||
ServerName <%= @vhost_name %>
|
||||
DocumentRoot <%= @docroot %>
|
||||
SSLEngine on
|
||||
SSLProtocol All -SSLv2 -SSLv3
|
||||
# Once the machine is using something to terminate TLS that supports ECDHE
|
||||
# then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
|
||||
# only is guarenteed.
|
||||
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
|
||||
SSLHonorCipherOrder on
|
||||
SSLCertificateFile /etc/ssl/certs/<%= @vhost_name %>.pem
|
||||
SSLCertificateKeyFile /etc/ssl/private/<%= @vhost_name %>.key
|
||||
SSLCertificateChainFile /etc/ssl/certs/<%= @vhost_name %>_intermediate.pem
|
||||
<Directory <%= @docroot %>>
|
||||
Allow from all
|
||||
Satisfy Any
|
||||
</Directory>
|
||||
LogLevel warn
|
||||
ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
|
||||
CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
|
||||
ServerSignature Off
|
||||
</VirtualHost>
|
||||
</IfModule>
|
Loading…
Reference in New Issue
Block a user