[OpenSRF-GIT] OpenSRF branch rel_2_5 updated. osrf_rel_2_5_2-4-gb021738
Evergreen Git
git at git.evergreen-ils.org
Mon Nov 5 11:14:17 EST 2018
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "OpenSRF".
The branch, rel_2_5 has been updated
via b021738d770b85e2117a719820e7fbb7e6749a28 (commit)
from ec9f1a709c6f9a083dd25d01edb6eedc84dea556 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit b021738d770b85e2117a719820e7fbb7e6749a28
Author: Bill Erickson <berickxx at gmail.com>
Date: Wed Jul 11 12:27:05 2018 -0400
LP#1711145 NGINX sample config security improvements
* Adds security recommendations from
https://mozilla.github.io/server-side-tls/ssl-config-generator/
* Enables http2
* Apply a 5-minute proxy read timeout to avoid too-short timeouts on
long API calls.
* Adds a (commented) section on sending nginx logs to syslog
Includes INSTALL notes on generating the dhparam file.
Signed-off-by: Bill Erickson <berickxx at gmail.com>
Signed-off-by: Galen Charlton <gmc at equinoxinitiative.org>
diff --git a/README b/README
index d10799b..5052b4d 100644
--- a/README
+++ b/README
@@ -556,14 +556,22 @@ rm /etc/nginx/sites-enabled/default
+
4. Edit `/etc/nginx/sites-available/osrf-ws-http-proxy` to set the location
of the SSL certificate and private key.
-5. Start NGINX
+5. Generate a dhparam file in the directory specified in the nginx config.
++
+[source, bash]
+---------------------------------------------------------------------------
+# Default config stores dhparam.pem in the Apache2 ssl directory.
+openssl dhparam -out /etc/apache2/ssl/dhparam.pem 2048
+---------------------------------------------------------------------------
++
+6. Start NGINX
+
[source, bash]
---------------------------------------------------------------------------
/etc/init.d/nginx start
---------------------------------------------------------------------------
+
-6. If you didn't run `configure` with the `--with-websockets-port=443` option,
+7. If you didn't run `configure` with the `--with-websockets-port=443` option,
edit `<PREFIX>/javascript/opensrf_ws.js` and `<PREFIX>/javascript/opensrf_ws_shared.js`
and change
+
diff --git a/examples/nginx/osrf-ws-http-proxy b/examples/nginx/osrf-ws-http-proxy
index d079230..622e8ea 100644
--- a/examples/nginx/osrf-ws-http-proxy
+++ b/examples/nginx/osrf-ws-http-proxy
@@ -6,32 +6,60 @@
#
# Assumes Apache is listening on HTTP=7080 and HTTPS=7443
+# Example sending nginx logs to syslog
+# error_log syslog:server=unix:/dev/log,nohostname;
+# access_log syslog:server=unix:/dev/log,severity=info,nohostname combined;
+
server {
listen 80;
+ # For SSL-everywhere:
+ # server_name domain.example.org
+ # return 301 https://domain.example.org$request_uri;
+
location / {
proxy_pass http://localhost:7080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_read_timeout 300s;
}
}
server {
- listen 443;
- ssl on;
+ listen 443 ssl http2;
# Use the same SSL certificate as Apache.
ssl_certificate /etc/apache2/ssl/server.crt;
ssl_certificate_key /etc/apache2/ssl/server.key;
+ # -----------------------------------------------------------------
+ # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+ # generate with openssl dhparam -out dhparams.pem 2048
+ ssl_dhparam /etc/apache2/ssl/dhparam.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ # Intermediate ciphers config / updated 2018-07-11
+ ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+ ssl_prefer_server_ciphers on;
+ # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+ add_header Strict-Transport-Security max-age=15768000;
+ # OCSP Stapling ---
+ # fetch OCSP records from URL in ssl_certificate and cache them
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ # -----------------------------------------------------------------
+
location / {
proxy_pass https://localhost:7443;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_read_timeout 300s;
}
location /osrf-websocket-translator {
-----------------------------------------------------------------------
Summary of changes:
README | 12 ++++++++++--
examples/nginx/osrf-ws-http-proxy | 32 ++++++++++++++++++++++++++++++--
2 files changed, 40 insertions(+), 4 deletions(-)
hooks/post-receive
--
OpenSRF
More information about the opensrf-commits
mailing list