From: Tom Hughes
Date: Sun, 17 May 2015 21:32:17 +0000 (+0100)
Subject: Configure 2048 bit DH parameters for nginx
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/44b08364795ed593865347b698eede36a504f613

Configure 2048 bit DH parameters for nginx
---
diff --git a/cookbooks/ssl/files/default/dhparam.pem b/cookbooks/ssl/files/default/dhparam.pem
new file mode 100644
index 000000000..c895dd70d
--- /dev/null
+++ b/cookbooks/ssl/files/default/dhparam.pem
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEApDYHQhAm+Wje/kmAWAzCIOhzxJj6RjjKbOfsUp31PpBaeQKwdIZZ
+jStXfkdo1/c4FfpKczO4WMQJBJjCts6nmEfaPTq/ybcVtG0GQDwO6NIjM8sSymUF
+Qcnd9aH2jfUyciPqkAfTavvy+zZIU+3HxTvCA3I6JY5qLZ4YOpNheRu5Q9azBMLo
+vfb+6oQGMnMvUVCSU8aw8BQ1qwhzJJQNAszQqA3DrxG17jsk0mBzsR3KSs4eNcjx
++65YhKArG76J1NolcP1rocehK5nrH2IO3cU2G/m2Y09DkXSP9thRSxUQ7rVKSgbC
+KhA263146gEf+bbKdMf6zrsNpjisMZ62ewIBAg==
+-----END DH PARAMETERS-----
diff --git a/cookbooks/ssl/recipes/default.rb b/cookbooks/ssl/recipes/default.rb
index f5239e67b..f737fe1a6 100644
--- a/cookbooks/ssl/recipes/default.rb
+++ b/cookbooks/ssl/recipes/default.rb
@@ -22,7 +22,7 @@ keys = data_bag_item("ssl", "keys")
 package "openssl"
 package "ssl-cert"
 
-%w(rapidssl startcom).each do |certificate|
+%w(rapidssl startcom dhparam).each do |certificate|
 cookbook_file "/etc/ssl/certs/#{certificate}.pem" do
 owner "root"
 group "root"
diff --git a/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb b/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb
index 20f94dcd7..77e2c6fd0 100644
--- a/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb
+++ b/cookbooks/tilecache/templates/default/nginx_tile_ssl.conf.erb
@@ -13,6 +13,7 @@ server {
 ssl_session_cache shared:SSL:30m;
 ssl_session_timeout 15m;
 ssl_stapling on;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
 resolver <%= @resolvers.join(" ") %>;
 location / {
 proxy_pass http://127.0.0.1;
 proxy_set_header X-Forwarded-For $remote_addr;
 }
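Review bot: In the recipe hunk the loop now installs `dhparam.pem` through a block variable called `certificate`, although DH parameters are not a certificate; either rename it, `%w(rapidssl startcom dhparam).each do |file|` with `cookbook_file "/etc/ssl/certs/#{file}.pem" do`, or add a comment so the next reader does not go looking for a "dhparam" certificate. The recipe should also record what the file is, since it is a static group committed to the repository and therefore identical on every node that runs this cookbook, e.g. `# dhparam.pem is a static 2048-bit DH group shared by all nodes; regenerate it with openssl dhparam when rotating`. The rest of the `cookbook_file` block (mode, any notifies) continues outside the hunk, so whether nginx is reloaded when the file changes cannot be judged from here.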
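Review bot: The added `ssl_dhparam /etc/ssl/certs/dhparam.pem;` in the tilecache template assumes the ssl cookbook's recipe has already placed that file; if the template is rendered on a host where that recipe has not run, nginx refuses to load the configuration rather than falling back to its built-in group. That cross-cookbook dependency deserves a line next to the directive, e.g. `# dhparam.pem is installed by the ssl cookbook; nginx will not start without it` — I cannot see from the hunk whether tilecache already declares a dependency on ssl. Note also that `ssl_dhparam` only affects DHE cipher suites; if the `ssl_ciphers` directive elsewhere in this server block prefers ECDHE, the new group is a fallback rather than the primary key exchange. The enclosing `server` block begins and ends outside the hunk.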