intercity / chef-repo

Set up your server to host Ruby on Rails apps. - Follow us on Twitter: @intercityup
MIT License

How does one set Nginx attributes within the node file, example.com.json ? #189

Open conradwt opened 9 years ago

conradwt commented 9 years ago

I have read through the available documentation but how does one set the following Nginx attributes within the example.com.json:

ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
ssl_certificate    /u/apps/example_production/shared/config/certificate.crt;
ssl_certificate_key /u/apps/sec_production/shared/config/certificate.key;
ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 10m;

Can this process be automated with the current software or is this a manual process?

jvanbaarsen commented 9 years ago

@berkes Is it possible to set this information with the NGINX config hooks you created a little while back?

berkes commented 9 years ago

@conradwt there are some placeholders for custom config. But I am not sure if they suit your case exactly.

server {
  listen 443 ssl;

  ssl_certificate /u/apps/example_com/shared/config/certificate.crt;
  ssl_certificate_key /u/apps/example_com/shared/config/certificate.key;

  server_name example.com;

  root /u/apps/example_com/current/public;

  location / {
    try_files $uri @app;
  }

  location @app {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto https;
    proxy_redirect off;

    proxy_pass http://explained;
    <%= @custom_configuration["ssl_app"] %>
  }
  <%= @custom_configuration["ssl_main"] %>
}

The last may be of help to you. But I am not sure if that is too late in the config to define the settings. Could you try to set the following in your my_node_name.json:

  "nginx_custom": {
    "ssl_main": "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\nssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;\nssl_session_cache shared:SSL:10m;\nssl_session_timeout 10m;",
    ...

That will insert the extra ssl-config at the bottom of your server { }-block for the SSL server. It might work, provided the exact order and place of these settings does not matter to nginx.

OTOH, it sounds like these settings might actually be sane and secure defaults. Would it make sense to include these settings by default in the recipes?
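An added example, not code from the chef-repo cookbook: it renders a node-JSON "nginx_custom" hash through a trimmed stand-in for the template shape shown above, checks that the ssl_* directives from the ssl_main hook land directly inside server { } (nginx only accepts ssl_protocols, ssl_ciphers and the session directives in the http or server context, not in a location), and lists the suites in the proposed cipher string that depend on RC4, 3DES or MD5. The template text and the wiring of the hash into @custom_configuration are assumptions.

```ruby
require 'erb'
require 'json'

# Constructed node JSON; "nginx_custom" is assumed to become @custom_configuration.
NODE_JSON = <<~'JSON'
  {
    "nginx_custom": {
      "ssl_main": "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\nssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;\nssl_session_cache shared:SSL:10m;\nssl_session_timeout 10m;"
    }
  }
JSON

# Trimmed stand-in for the template shape shown above, not the cookbook's own file.
SSL_SERVER_TEMPLATE = <<~'TEMPLATE'
  server {
    listen 443 ssl;
    server_name <%= @server_name %>;
    location @app {
      proxy_pass http://app;
      <%= @custom_configuration["ssl_app"] %>
    }
    <%= @custom_configuration["ssl_main"] %>
  }
TEMPLATE

# Render the template with the node's nginx_custom hash exposed under the
# instance-variable name the template uses; unset hooks render as empty strings.
def render_from_node_json(json_text, server_name)
  @server_name = server_name
  custom = JSON.parse(json_text).fetch("nginx_custom", {})
  @custom_configuration = { "ssl_app" => "", "ssl_main" => "" }.merge(custom)
  ERB.new(SSL_SERVER_TEMPLATE).result(binding)
end

# Names of ssl_* directives sitting directly in server { } (brace depth 1),
# which is where the ssl_main hook must land for nginx to accept them.
def ssl_directives_in_server_scope(rendered)
  depth = 0
  rendered.each_line.with_object([]) do |line, found|
    stripped = line.strip
    found << stripped.split(/\s+/).first if depth == 1 && stripped.start_with?("ssl_")
    depth += stripped.count("{") - stripped.count("}")
  end
end

# Suites in the rendered ssl_ciphers line that rely on RC4, 3DES or MD5.
def legacy_cipher_suites(rendered)
  cipher_list = rendered[/^\s*ssl_ciphers\s+(\S+);/, 1]
  return [] unless cipher_list
  cipher_list.split(":").select { |suite| suite.match?(/RC4|DES|MD5/) }
end
```

Running `legacy_cipher_suites` on the rendered output of the constructed node JSON returns the three RC4/3DES/MD5 suites from the proposed list, which is the part of the string worth revisiting before it becomes a recipe default.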

jvanbaarsen commented 9 years ago

@berkes Yeah I think adding these:

ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;

as default would be good! Will you make a PR for that? Or do you want me to do it?

berkes commented 9 years ago

@jvanbaarsen I don't have time coming days, so please don't wait for me :)

jvanbaarsen commented 9 years ago

@berkes Ok! I'll put it on the internal todo list :)

conradwt commented 9 years ago

@berkes I received these settings from the following resource:

http://nginx.org/en/docs/http/ngx_http_ssl_module.html