Merge "Genericize how we update SSL settings for Apache"

2015-04-10 18:13:26 +00:00 · 2015-04-10 18:13:26 +00:00 · dba3aaa0ed
commit dba3aaa0ed
parent 4c90857995 f2c5ffe7b1
5 changed files with 21 additions and 4 deletions
--- a/etc/openstack_deploy/user_variables.yml
+++ b/etc/openstack_deploy/user_variables.yml
@ -38,3 +38,16 @@ glance_swift_store_endpoint_type: internalURL
 ## Swift
 # This will allow all users to create containers and upload to swift if set to True
 swift_allow_all_users: False
+
+## Apache SSL Settings
+# These do not need to be configured unless you're creating certificates for
+# services running behind Apache (currently, Horizon and Keystone).
+ssl_protocol: "ALL -SSLv2 -SSLv3"
+# Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
+# To override for Keystone only:
+#   - keystone_ssl_protocol
+#   - keystone_ssl_cipher_suite
+# To override for Horizon only:
+#   - horizon_ssl_protocol
+#   - horizon_ssl_cipher_suite
--- a/playbooks/roles/os_horizon/defaults/main.yml
+++ b/playbooks/roles/os_horizon/defaults/main.yml
@ -60,6 +60,8 @@ horizon_enable_password_retrieve: False
 horizon_ssl_cert: /etc/ssl/certs/apache.cert
 horizon_ssl_key: /etc/ssl/private/apache.key
 horizon_ssl_cert_path: /etc/ssl/certs
+horizon_ssl_protocol: "{{ ssl_protocol }}"
+horizon_ssl_cipher_suite: "{{ ssl_cipher_suite }}"

 ## Launch instance
 horizon_launch_instance_legacy: True
--- a/playbooks/roles/os_horizon/templates/openstack_dashboard.conf.j2
+++ b/playbooks/roles/os_horizon/templates/openstack_dashboard.conf.j2
@ -22,9 +22,10 @@
    SSLCertificateKeyFile {{ horizon_ssl_key }}
    SSLCACertificatePath  {{ horizon_ssl_cert_path }}
    SSLCARevocationPath   {{ horizon_ssl_cert_path }}
+    SSLCompression Off
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
-    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
+    SSLCipherSuite {{ horizon_ssl_cipher_suite }}
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

    WSGIScriptAlias / {{ horizon_lib_dir }}/openstack_dashboard/wsgi/django.wsgi
--- a/playbooks/roles/os_keystone/defaults/main.yml
+++ b/playbooks/roles/os_keystone/defaults/main.yml
@ -114,9 +114,8 @@ keystone_ssl_enabled: false
 keystone_ssl_cert: /etc/ssl/certs/apache.cert
 keystone_ssl_key: /etc/ssl/private/apache.key
 keystone_ssl_cert_path: /etc/ssl/certs
-keystone_ssl_protocol: "ALL -SSLv2 -SSLv3"
-# Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
-keystone_ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
+keystone_ssl_protocol: "{{ ssl_protocol }}"
+keystone_ssl_cipher_suite: "{{ ssl_cipher_suite }}"

 ## Caching
 # If set this will enable dog pile cache for keystone.
--- a/playbooks/roles/os_keystone/templates/keystone-httpd.conf.j2
+++ b/playbooks/roles/os_keystone/templates/keystone-httpd.conf.j2
@ -18,6 +18,7 @@ WSGIDaemonProcess keystone user={{ keystone_system_user_name }} group=nogroup pr
    SSLCARevocationPath   {{ keystone_ssl_cert_path }}
    SSLVerifyClient optional
    SSLVerifyDepth 10
+    SSLCompression Off
    SSLProtocol {{ keystone_ssl_protocol }}
    SSLHonorCipherOrder On
    SSLCipherSuite {{ keystone_ssl_cipher_suite }}
@ -42,6 +43,7 @@ WSGIDaemonProcess keystone user={{ keystone_system_user_name }} group=nogroup pr
    SSLCARevocationPath   {{ keystone_ssl_cert_path }}
    SSLVerifyClient optional
    SSLVerifyDepth 10
+    SSLCompression Off
    SSLProtocol {{ keystone_ssl_protocol }}
    SSLHonorCipherOrder On
    SSLCipherSuite {{ keystone_ssl_cipher_suite }}