From 5b8ef5329ec5a01b508cba647df3e5d9e0b3c70b Mon Sep 17 00:00:00 2001
From: Konstantin Demin
Date: Fri, 20 Sep 2024 22:51:30 +0300
Subject: [PATCH] angie: adjust SSL configuration
---
 angie/conf.dist/grpc/ssl-verify.conf | 1 -
 .../grpc/{ssl-cmd.conf.j2 => ssl.conf.j2} | 6 +++++-
 angie/conf.dist/grpc/tls-ca-file.conf.in | 1 -
 angie/conf.dist/proxy/ssl-verify.conf | 1 -
 .../proxy/{ssl-cmd.conf.j2 => ssl.conf.j2} | 6 +++++-
 .../uwsgi/{ssl-cmd.conf.j2 => ssl.conf.j2} | 6 +++++-
 angie/conf.dist/uwsgi/tls-ca-file.conf.in | 1 -
 angie/j2cfg.dist/00-defaults.yml.j2 | 16 ++++++++--------
 angie/snip.dist/ssl-profile.j2m | 4 +---
 9 files changed, 24 insertions(+), 18 deletions(-)
 delete mode 100644 angie/conf.dist/grpc/ssl-verify.conf
 rename angie/conf.dist/grpc/{ssl-cmd.conf.j2 => ssl.conf.j2} (52%)
 delete mode 100644 angie/conf.dist/grpc/tls-ca-file.conf.in
 delete mode 100644 angie/conf.dist/proxy/ssl-verify.conf
 rename angie/conf.dist/proxy/{ssl-cmd.conf.j2 => ssl.conf.j2} (51%)
 rename angie/conf.dist/uwsgi/{ssl-cmd.conf.j2 => ssl.conf.j2} (51%)
 delete mode 100644 angie/conf.dist/uwsgi/tls-ca-file.conf.in
diff --git a/angie/conf.dist/grpc/ssl-verify.conf b/angie/conf.dist/grpc/ssl-verify.conf
deleted file mode 100644
index 7f5c82f..0000000
--- a/angie/conf.dist/grpc/ssl-verify.conf
+++ /dev/null
@@ -1 +0,0 @@
-grpc_ssl_verify on;
\ No newline at end of file
diff --git a/angie/conf.dist/grpc/ssl-cmd.conf.j2 b/angie/conf.dist/grpc/ssl.conf.j2
similarity index 52%
rename from angie/conf.dist/grpc/ssl-cmd.conf.j2
rename to angie/conf.dist/grpc/ssl.conf.j2
index 298a4e1..b7ee94c 100644
--- a/angie/conf.dist/grpc/ssl-cmd.conf.j2
+++ b/angie/conf.dist/grpc/ssl.conf.j2
@@ -1,4 +1,8 @@
 {%- for k, v in j2cfg.tls.conf_cmd.items() %}
 {#- TODO: precise quotation #}
 grpc_ssl_conf_command {{ k }} {{ v.__repr__() }};
-{%- endfor %}
\ No newline at end of file
+{%- endfor %}
+
+grpc_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
+grpc_ssl_verify on;
+grpc_ssl_server_name on;
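Review bot: The CA path on the new `grpc_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};` line is emitted unquoted and without any check that the variable is set, so an unset or empty `NGX_SSL_CERT_FILE` renders as `grpc_ssl_trusted_certificate ;` and the failure only surfaces when angie parses the config rather than at render time (assuming `env` is the process environment, as the deleted `${NGX_SSL_CERT_FILE}` form suggests). Quoting the value, `grpc_ssl_trusted_certificate "{{ env.NGX_SSL_CERT_FILE }}";`, keeps paths with spaces intact and makes an empty expansion visible as `""`; a render-time guard would be better still if the template environment offers one. The same applies to the proxy and uwsgi ssl.conf.j2 hunks. Verification and the CA file were previously separate snippets (ssl-verify.conf, tls-ca-file.conf.in), whereas every include of ssl.conf.j2 now appears to get `grpc_ssl_verify on` unconditionally; that is the safer default but deserves a sentence in the commit message.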
diff --git a/angie/conf.dist/grpc/tls-ca-file.conf.in b/angie/conf.dist/grpc/tls-ca-file.conf.in
deleted file mode 100644
index e0750ff..0000000
--- a/angie/conf.dist/grpc/tls-ca-file.conf.in
+++ /dev/null
@@ -1 +0,0 @@
-grpc_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};
\ No newline at end of file
diff --git a/angie/conf.dist/proxy/ssl-verify.conf b/angie/conf.dist/proxy/ssl-verify.conf
deleted file mode 100644
index f5b5ebe..0000000
--- a/angie/conf.dist/proxy/ssl-verify.conf
+++ /dev/null
@@ -1 +0,0 @@
-proxy_ssl_verify on;
\ No newline at end of file
diff --git a/angie/conf.dist/proxy/ssl-cmd.conf.j2 b/angie/conf.dist/proxy/ssl.conf.j2
similarity index 51%
rename from angie/conf.dist/proxy/ssl-cmd.conf.j2
rename to angie/conf.dist/proxy/ssl.conf.j2
index afd8378..0deaaef 100644
--- a/angie/conf.dist/proxy/ssl-cmd.conf.j2
+++ b/angie/conf.dist/proxy/ssl.conf.j2
@@ -1,4 +1,8 @@
 {%- for k, v in j2cfg.tls.conf_cmd.items() %}
 {#- TODO: precise quotation #}
 proxy_ssl_conf_command {{ k }} {{ v.__repr__() }};
-{%- endfor %}
\ No newline at end of file
+{%- endfor %}
+
+proxy_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
+proxy_ssl_verify on;
+proxy_ssl_server_name on;
diff --git a/angie/conf.dist/uwsgi/ssl-cmd.conf.j2 b/angie/conf.dist/uwsgi/ssl.conf.j2
similarity index 51%
rename from angie/conf.dist/uwsgi/ssl-cmd.conf.j2
rename to angie/conf.dist/uwsgi/ssl.conf.j2
index 9b0dda8..5aa4cc7 100644
--- a/angie/conf.dist/uwsgi/ssl-cmd.conf.j2
+++ b/angie/conf.dist/uwsgi/ssl.conf.j2
@@ -1,4 +1,8 @@
 {%- for k, v in j2cfg.tls.conf_cmd.items() %}
 {#- TODO: precise quotation #}
 uwsgi_ssl_conf_command {{ k }} {{ v.__repr__() }};
-{%- endfor %}
\ No newline at end of file
+{%- endfor %}
+
+uwsgi_ssl_trusted_certificate {{ env.NGX_SSL_CERT_FILE }};
+uwsgi_ssl_verify on;
+uwsgi_ssl_server_name on;
diff --git a/angie/conf.dist/uwsgi/tls-ca-file.conf.in b/angie/conf.dist/uwsgi/tls-ca-file.conf.in
deleted file mode 100644
index 8ebe0d0..0000000
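Review bot: `uwsgi_ssl_verify on` in the uwsgi ssl.conf.j2 hunk looks like newly enabled behaviour rather than a relocation: the patch deletes ssl-verify.conf for grpc and proxy but lists no such file for uwsgi, so uwsgi upstreams that were reached over TLS without verification before will now fail the handshake unless their chain validates against `NGX_SSL_CERT_FILE`. Failing closed is the right default, but the commit message ("adjust SSL configuration") does not say so; a line such as `uwsgi: enable upstream certificate verification (was previously unverified)` would tell operators to provision the CA file before upgrading. If there is an existing uwsgi ssl-verify snippet outside this patch, disregard this.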
--- a/angie/conf.dist/uwsgi/tls-ca-file.conf.in
+++ /dev/null
@@ -1 +0,0 @@
-uwsgi_ssl_trusted_certificate ${NGX_SSL_CERT_FILE};
\ No newline at end of file
diff --git a/angie/j2cfg.dist/00-defaults.yml.j2 b/angie/j2cfg.dist/00-defaults.yml.j2
index f7dc496..8cd0e39 100644
--- a/angie/j2cfg.dist/00-defaults.yml.j2
+++ b/angie/j2cfg.dist/00-defaults.yml.j2
@@ -74,20 +74,20 @@ tls:
 profiles:
 modern:
 protocols: TLSv1.3
- #prefer_server_ciphers: false
- session_tickets: false
+ #prefer_server_ciphers: off
+ session_tickets: off
 session_timeout: 1d
 intermediate:
 protocols: TLSv1.2 TLSv1.3
- #prefer_server_ciphers: false
+ #prefer_server_ciphers: off
 ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
- dhparam: /etc/angie/tls.d/ffdhe2048.pem
- session_tickets: false
+ dhparam: tls.d/ffdhe2048.pem
+ session_tickets: off
 session_timeout: 1d
 old:
 protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
- prefer_server_ciphers: true
+ prefer_server_ciphers: on
 ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
- dhparam: /etc/angie/tls.d/dh1024.pem
- session_tickets: false
+ dhparam: tls.d/dh1024.pem
+ session_tickets: off
 session_timeout: 1d
diff --git a/angie/snip.dist/ssl-profile.j2m b/angie/snip.dist/ssl-profile.j2m
index 22539a8..c96e98a 100644
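Review bot: The plain scalars `on` and `off` introduced on the `session_tickets:` and `prefer_server_ciphers:` lines are still booleans to any YAML 1.1 loader (PyYAML's default among them), so `prefer_server_ciphers: on` loads as `True` and the rewritten snippet in ssl-profile.j2m then renders `ssl_prefer_server_ciphers True;`, which angie rejects; only a YAML 1.2 loader reads them as the strings the directives expect. Quote them so the template receives the literal argument: `prefer_server_ciphers: "on"` and `session_tickets: "off"` (the commented-out lines can use the same form so they are safe to uncomment). How `session_tickets` is consumed is not visible here, but the same mechanism applies wherever it is interpolated verbatim. The `dhparam` values are now relative (`tls.d/ffdhe2048.pem`, `tls.d/dh1024.pem`), which presumably resolves against the angie prefix as in nginx; a short comment stating that assumption next to the profiles would save the next reader a guess.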
--- a/angie/snip.dist/ssl-profile.j2m
+++ b/angie/snip.dist/ssl-profile.j2m
@@ -2,9 +2,7 @@
 ssl_protocols {{ ssl_profile.protocols }};
 {%- endif %}
 {%- if ssl_profile.prefer_server_ciphers %}
-ssl_prefer_server_ciphers on;
-{%- else %}
-ssl_prefer_server_ciphers off;
+ssl_prefer_server_ciphers {{ ssl_profile.prefer_server_ciphers }};
 {%- endif %}
 {%- if ssl_profile.ciphers %}
 ssl_ciphers {{ ssl_profile.ciphers }};
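Review bot: The new `ssl_prefer_server_ciphers {{ ssl_profile.prefer_server_ciphers }};` line stays inside `{%- if ssl_profile.prefer_server_ciphers %}`, so a profile with the key unset or boolean-false (modern and intermediate keep it commented out in 00-defaults.yml.j2) now emits nothing where the removed `else` branch emitted an explicit `ssl_prefer_server_ciphers off;`; since the directive is inherited from the enclosing http/server block, such a profile can no longer reset an `on` configured higher up. If the value arrives as a real boolean rather than a string, the line also renders as `True`. Emitting a value in every case, for example `ssl_prefer_server_ciphers {{ 'on' if ssl_profile.prefer_server_ciphers in (true, 'on') else 'off' }};` guarded only by `{%- if ssl_profile.prefer_server_ciphers is defined %}` when the key should be optional, restores the explicit override and tolerates both spellings. The `{%- if ssl_profile.protocols %}` that opens this file is outside the hunk.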