06/08: hydra: bayfront: Factorize common TLS options.
From: |
Ludovic Courtès |
Subject: |
06/08: hydra: bayfront: Factorize common TLS options. |
Date: |
Mon, 6 Jun 2022 06:07:18 -0400 (EDT) |
civodul pushed a commit to branch master
in repository maintenance.
commit 67aa0a50a1eaf45c2fd8cf1031ce0114c14f999f
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Mon Jun 6 11:37:04 2022 +0200
hydra: bayfront: Factorize common TLS options.
* hydra/bayfront.scm (%common-tls-options): New variable.
(%hpc.guix.info-nginx-servers)
(%guix-hpc.bordeaux.inria.fr-nginx-servers)
(%logs.guix.gnu.org-nginx-servers)
(%coordinator.bayfront.guix.gnu.org-nginx-servers)
(%bayfront.guix.gnu.org-nginx-servers)
(%bordeaux.guix.gnu.org-nginx-servers): Use it.
---
hydra/bayfront.scm | 121 +++++++++++++++--------------------------------------
1 file changed, 33 insertions(+), 88 deletions(-)
diff --git a/hydra/bayfront.scm b/hydra/bayfront.scm
index da6daf7..5811430 100644
--- a/hydra/bayfront.scm
+++ b/hydra/bayfront.scm
@@ -271,6 +271,27 @@ proxy_cache_path /var/cache/nginx/bordeaux/nar
max_size=2048g; # total cache data size max
"))
+(define %common-tls-options
+ ;; TLS options used by nginx HTTPS server blocks.
+ "\
+# Make sure SSL is disabled.
+ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+
+# Disable weak cipher suites.
+ssl_ciphers HIGH:!aNULL:!MD5;
+ssl_prefer_server_ciphers on;
+
+# Use our own DH parameters created with:
+# openssl dhparam -out dhparams.pem 2048
+# as suggested at <https://weakdh.org/sysadmin.html>.
+ssl_dhparam /etc/dhparams.pem;
+
+# Tell clients to keep using HTTPS.
+add_header Strict-Transport-Security max-age=15552000;
+
+# Limit embedding in HTML frames.
+add_header X-Frame-Options SAMEORIGIN;\n")
+
(define %hpc.guix.info-nginx-servers
(let ((common-locations
(list
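Review bot: The new `%common-tls-options` still offers TLSv1.1 in `ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;`, a version deprecated by RFC 8996 and dropped by current browsers, and because this string now feeds every HTTPS server in the file the one-line change `ssl_protocols TLSv1.2 TLSv1.3;` would tighten all of them at once. The comment above it, `# Make sure SSL is disabled.`, does not say what it means in practice; `# SSLv3 and TLSv1.0 are never offered; only TLS 1.2+ should remain.` states it. A second point for the same block: nginx does not inherit `add_header` into a `location` that declares its own `add_header`, so the Strict-Transport-Security and X-Frame-Options lines defined here silently vanish in any such location of the server blocks that reuse this variable; a comment such as `;; NOTE: add_header is not inherited into locations that set their own headers.` would warn the next maintainer. The location lists of those server blocks lie outside this hunk, so whether any of them is affected cannot be confirmed from here.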
@@ -337,26 +358,8 @@ add_header X-Frame-Options SAMEORIGIN;"))
(ssl-certificate-key "/etc/letsencrypt/live/hpc.guix.info/privkey.pem")
(root "/srv/guix-hpc-web")
(raw-content
- '("
-# Make sure SSL is disabled.
-ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
-
-# Disable weak cipher suites.
-ssl_ciphers HIGH:!aNULL:!MD5;
-ssl_prefer_server_ciphers on;
-
-# Use our own DH parameters created with:
-# openssl dhparam -out dhparams.pem 2048
-# as suggested at <https://weakdh.org/sysadmin.html>.
-ssl_dhparam /etc/dhparams.pem;
-
-# Tell clients to keep using HTTPS.
-add_header Strict-Transport-Security max-age=15552000;
-
-# Limit embedding in HTML frames.
-add_header X-Frame-Options SAMEORIGIN;
-
-access_log /var/log/nginx/guix-hpc.access.log;"))
+ (list %common-tls-options
+ "access_log /var/log/nginx/guix-hpc.access.log;"))
(locations common-locations)))))
(define %guix-hpc.bordeaux.inria.fr-nginx-servers
@@ -402,20 +405,8 @@ access_log /var/log/nginx/guix-hpc.access.log;"))
(ssl-certificate-key
"/etc/letsencrypt/live/guix-hpc.bordeaux.inria.fr/privkey.pem")
(raw-content
- '("
-# Make sure SSL is disabled.
-ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
-
-# Disable weak cipher suites.
-ssl_ciphers HIGH:!aNULL:!MD5;
-ssl_prefer_server_ciphers on;
-
-# Use our own DH parameters created with:
-# openssl dhparam -out dhparams.pem 2048
-# as suggested at <https://weakdh.org/sysadmin.html>.
-ssl_dhparam /etc/dhparams.pem;
-
-access_log /var/log/nginx/guix-hpc.access.log;"))
+ (list %common-tls-options
+ "access_log /var/log/nginx/guix-hpc.access.log;"))
(locations common-locations)))))
(define %logs.guix.gnu.org-nginx-servers
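Review bot: The removed block for guix-hpc.bordeaux.inria.fr carried no Strict-Transport-Security or X-Frame-Options directive, but `%common-tls-options` contains both, so replacing it with `(list %common-tls-options ...)` enables a 180-day HSTS policy and SAMEORIGIN framing on this host as a side effect of a change described only as factorization. The same silent widening happens in the hunks for logs.guix.gnu.org, coordinator.bayfront.guix.gnu.org, the two bayfront.guix.gnu.org server blocks and bordeaux.guix.gnu.org, whose removed blocks also lacked those two headers. HSTS is remembered by browsers for its full max-age, so it is not easily undone, and X-Frame-Options SAMEORIGIN will break any legitimate cross-origin embedding of these hosts; if the widening is intended, a comment on the variable such as `;; Also sets HSTS and X-Frame-Options for every server that uses it.` would record that, and otherwise the two headers belong in a separate variable used only where they were present before.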
@@ -448,20 +439,8 @@ access_log /var/log/nginx/logs.access.log;"))
(ssl-certificate-key
"/etc/letsencrypt/live/logs.guix.gnu.org/privkey.pem")
(raw-content
- '("
-# Make sure SSL is disabled.
-ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
-
-# Disable weak cipher suites.
-ssl_ciphers HIGH:!aNULL:!MD5;
-ssl_prefer_server_ciphers on;
-
-# Use our own DH parameters created with:
-# openssl dhparam -out dhparams.pem 2048
-# as suggested at <https://weakdh.org/sysadmin.html>.
-ssl_dhparam /etc/dhparams.pem;
-
-access_log /var/log/nginx/logs.access.log;"))
+ (list %common-tls-options
+ "access_log /var/log/nginx/logs.access.log;"))
(locations common-locations)))))
(define %coordinator.bayfront.guix.gnu.org-nginx-servers
@@ -483,19 +462,8 @@ access_log /var/log/nginx/logs.access.log;"))
(ssl-certificate-key
"/etc/letsencrypt/live/bayfront.guix.gnu.org/privkey.pem")
(raw-content
- '("
-# Make sure SSL is disabled.
-ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
-
-# Disable weak cipher suites.
-ssl_ciphers HIGH:!aNULL:!MD5;
-ssl_prefer_server_ciphers on;
-
-# Use our own DH parameters created with:
-# openssl dhparam -out dhparams.pem 2048
-# as suggested at <https://weakdh.org/sysadmin.html>.
-ssl_dhparam /etc/dhparams.pem;
-
+ (list %common-tls-options
+ "\
client_max_body_size 0;
client_body_buffer_size 128K;
@@ -555,19 +523,8 @@ proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;"))
(ssl-certificate-key
"/etc/letsencrypt/live/bayfront.guix.gnu.org/privkey.pem")
(raw-content
- '("
-# Make sure SSL is disabled.
-ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
-
-# Disable weak cipher suites.
-ssl_ciphers HIGH:!aNULL:!MD5;
-ssl_prefer_server_ciphers on;
-
-# Use our own DH parameters created with:
-# openssl dhparam -out dhparams.pem 2048
-# as suggested at <https://weakdh.org/sysadmin.html>.
-ssl_dhparam /etc/dhparams.pem;
-
+ (list %common-tls-options
+ "\
access_log /var/log/nginx/https.access.log;
proxy_set_header X-Forwarded-Host $host;
@@ -677,20 +634,8 @@ access_log /var/log/nginx/bordeaux.access.log;"))
(ssl-certificate-key
"/etc/letsencrypt/live/bayfront.guix.gnu.org/privkey.pem")
(raw-content
- '("
-# Make sure SSL is disabled.
-ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
-
-# Disable weak cipher suites.
-ssl_ciphers HIGH:!aNULL:!MD5;
-ssl_prefer_server_ciphers on;
-
-# Use our own DH parameters created with:
-# openssl dhparam -out dhparams.pem 2048
-# as suggested at <https://weakdh.org/sysadmin.html>.
-ssl_dhparam /etc/dhparams.pem;
-
-access_log /var/log/nginx/bordeaux.access.log;"))
+ (list %common-tls-options
+ "access_log /var/log/nginx/bordeaux.access.log;"))
(locations common-locations)))))