Commit d2e5c4ad authored by Adam Lewenberg's avatar Adam Lewenberg

update debian.pp with better interface

parent 41286e78
# Apache configuration for Debian.
# Only works for Debian stretch and later.
#######################################################################
# An SSL cipher specification in cipher-spec is composed of 4 major
# attributes plus a few extra minor ones:
#
# This manifest cleans up some of the default Apache configuration for Debian
# that we don't want and installs some standard configuration we want to
# always have available for all web servers.
# Key Exchange Algorithm:
# RSA, Diffie-Hellman, Elliptic Curve Diffie-Hellman,
# Secure Remote Password
#
# Jessie is a significant change to the way that apache servers are
# configured. Create a completely new class to support it to make the
# transition clearer.
# Authentication Algorithm:
# RSA, Diffie-Hellman, DSS, ECDSA, or none.
#
# $disable_TLS10RC4 disables TLSv1.0 protocol AND the RC4-based cipher suites.
# Cipher/Encryption Algorithm:
# AES, DES, Triple-DES, RC4, RC2, IDEA, etc.
#
# $disable_3DES: if set to true will disable all DES- and 3DES-based
# ciphers. See also https://www.openssl.org/blog/blog/2016/08/24/sweet32/
# MAC Digest Algorithm:
# MD5, SHA or SHA1, SHA256, SHA384.
#######################################################################
class su_apache::debian (
$disable_TLS10RC4 = false,
$disable_3DES = false,
# $tls_protocols: an array of SSL/TLS protocols that will be used with the
# Apache SSLProtocol directive. Use this ONLY if you want to override the
# normal SSL/TLS protocols chosen based on the major version of Debian.
# $enable_RC4: normally RC4-based ciphers are not enabled. Set this parameter
# to "true" if you _really_ need to enable RC4.
#
# $enable_3DES: normally 3DES-based ciphers are not enabled. Set this parameter
# to "true" if you need to enable RC4.
# $enable_RSA: enable all ciphers using RSA key exchange.
class apache::debian (
Array[String] $tls_protocols = [],
#
Boolean $enable_RC4 = false,
Boolean $enable_3DES = false,
#
Boolean $enable_RSA = true,
){
# Almost every Apache server uses SSL and even if a server does not use it, it
# does no harm to enable it, so we enable mod_ssl for everyone.
su_apache::module { "ssl": ensure => present }
if ($lsbdistcodename == 'wheezy') {
class { 'su_apache::debian::old':
disable_TLS10RC4 => $disable_TLS10RC4,
disable_3DES => $disable_3DES,
}
} else {
class { 'su_apache::debian::new':
disable_TLS10RC4 => $disable_TLS10RC4,
disable_3DES => $disable_3DES,
}
# Note: the readlink executable comes from the coreutils package.
exec { 'a2dissite 000-default.conf':
command => 'a2dissite 000-default.conf',
onlyif => 'readlink /etc/apache2/sites-enabled/000-default.conf',
path => '/bin:/usr/bin:/usr/sbin',
require => Package['apache'],
}
$debian_major_version = $facts['os']['distro']['release']['major']
if (Integer($debian_major_version) < 9) {
fail("This class only works with Debian stretch and later")
}
# Set the SSL/TLS protocols and ciphers.
apache::conf { 'ssl-strength.conf':
ensure => present,
content => template('apache/etc/apache2/conf.d/ssl-strength.erb'),
}
# Replace the default Apache security configuration file with one that
# suppresses most information disclosure about the server.
apache::conf { 'security.conf':
ensure => present,
source => 'puppet:///modules/apache/etc/apache2/conf.d/security',
require => Package['apache'],
notify => Service['apache'],
}
# Support /server-status for all virtual hosts, but only from localhost.
apache::module { 'status':
ensure => present,
require => File['/etc/apache2/mods-available/status.conf'],
}
file { '/etc/apache2/mods-available/status.conf':
source => 'puppet:///modules/apache/etc/apache2/mods-available/status.conf',
require => Package['apache'],
notify => Service['apache'],
}
}
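Review bot: The `apache::conf { 'ssl-strength.conf': ... }` resource carries no `require => Package['apache']` or `notify => Service['apache']`, unlike the `security.conf` declaration a few lines below it; unless `apache::conf` adds those relationships itself, a change to the protocol or cipher list is written to disk but Apache is not reloaded, so the hardened settings only take effect at the next unrelated restart. Adding `require => Package['apache'],` and `notify => Service['apache'],` to that resource keeps the two declarations consistent. Separately, the `$enable_3DES` parameter comment ends with "if you need to enable RC4", a leftover from the `$enable_RC4` text above it; it should read `# to "true" if you _really_ need to enable 3DES.`.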
# /etc/apache2/conf.d/ssl-strength -- Disable weak SSL ciphers.
#
# Disable SSLv2 and weak SSL ciphers. Nessus scans warn if these are
# enabled and we don't want users to negotiate DES encryption or other
# weak encryption protocols.
<%
if (@disable_TLS10RC4) then
TLS10 = ' -TLSv1'
RC4 = '!RC4:'
-%>
#
# Disabling TLS1.0 and RC4 due to issues with RC4 and the BEAST attack.
<%
# STEP 1. Set the SSL/TLS protocols
# If @tls_protocols is set we use those strings. Otherwise, we set the
# SSL/TLS protocols based on the Debian OS version.
if (@tls_protocols.length() > 0) then
ssl_protocols = @tls_protocols.dup
else
TLS10 = ''
RC4 = ''
# We do not include TLS 1.0 or TLS 1.1. TLS 1.2 is always
# included. TLS 1.3 is included only for buster and later.
ssl_protocols = []
ssl_protocols.push('+TLSv1.2')
if ((@debian_major_version.to_i() >= 10) or @force_TLS1_3) then
ssl_protocols.push('+TLSv1.3')
end
end
-%>
<%
if (@disable_3DES) then
DES3 = '!3DES:'
-%>
#
# Disabling DES and 3DES (aka Triple DES).
# See also https://www.openssl.org/blog/blog/2016/08/24/sweet32/
<%
else
DES3 = ''
if (ssl_protocols.length() == 0) then
raise "no protocols!!"
end
# STEP 2. Now we do cipher suites. We start with the ones we feel good about.
ssl_cipher_suites = [
'HIGH',
'MEDIUM',
'!ADH',
]
if (not @enable_RC4) then
ssl_cipher_suites.push('!RC4')
end
if (not @enable_3DES) then
ssl_cipher_suites.push('!3DES')
end
if (not @enable_RSA) then
ssl_cipher_suites.push('!RSA')
end
-%>
SSLProtocol all -SSLv2 -SSLv3<%= TLS10 %>
SSLCipherSuite !eNULL:!aNULL:HIGH:MEDIUM:!ADH:!SSLv2:<%= RC4 %><%= DES3 %>@STRENGTH
SSLProtocol <%= ssl_protocols.join(' ') %>
SSLCipherSuite <%= ssl_cipher_suites.join(':') %>@STRENGTH
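Review bot: The new `ssl_cipher_suites` base list `HIGH:MEDIUM:!ADH` drops the `!eNULL:!aNULL` exclusions the previous `SSLCipherSuite` line had; `!ADH` removes only anonymous DH suites, so anonymous ECDH (AECDH) suites are no longer excluded, and the `HIGH`/`MEDIUM` groups select by key length and do not rule anonymous suites out on their own. Keeping `'!aNULL',` (and, harmlessly, `'!eNULL',`) in the array next to `'!ADH'` restores the previous guarantee independent of the OpenSSL build. The `@force_TLS1_3` variable tested in the `+TLSv1.3` branch is not declared as a parameter of `apache::debian` in the accompanying manifest, so it appears to be reachable only through an undocumented variable in scope; either declare it as `Boolean $force_TLS1_3 = false` with a comment or drop it here. The `raise "no protocols!!"` guard looks unreachable, since the else branch always pushes `+TLSv1.2` and the `@tls_protocols` branch is taken only when that array is non-empty; if it is meant to catch an array of blank strings, the check should look at the joined result instead.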