
06/08: hydra: bayfront: Factorize common TLS options.


From: Ludovic Courtès
Subject: 06/08: hydra: bayfront: Factorize common TLS options.
Date: Mon, 6 Jun 2022 06:07:18 -0400 (EDT)

civodul pushed a commit to branch master
in repository maintenance.

commit 67aa0a50a1eaf45c2fd8cf1031ce0114c14f999f
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Mon Jun 6 11:37:04 2022 +0200

    hydra: bayfront: Factorize common TLS options.
    
    * hydra/bayfront.scm (%common-tls-options): New variable.
    (%hpc.guix.info-nginx-servers)
    (%guix-hpc.bordeaux.inria.fr-nginx-servers)
    (%logs.guix.gnu.org-nginx-servers)
    (%coordinator.bayfront.guix.gnu.org-nginx-servers)
    (%bayfront.guix.gnu.org-nginx-servers)
    (%bordeaux.guix.gnu.org-nginx-servers): Use it.
---
 hydra/bayfront.scm | 121 +++++++++++++++--------------------------------------
 1 file changed, 33 insertions(+), 88 deletions(-)

diff --git a/hydra/bayfront.scm b/hydra/bayfront.scm
index da6daf7..5811430 100644
--- a/hydra/bayfront.scm
+++ b/hydra/bayfront.scm
@@ -271,6 +271,27 @@ proxy_cache_path /var/cache/nginx/bordeaux/nar
                  max_size=2048g;       # total cache data size max
 "))
 
+(define %common-tls-options
+  ;; TLS options used by nginx HTTPS server blocks.
+  "\
+# Make sure SSL is disabled.
+ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
+
+# Disable weak cipher suites.
+ssl_ciphers         HIGH:!aNULL:!MD5;
+ssl_prefer_server_ciphers on;
+
+# Use our own DH parameters created with:
+#    openssl dhparam -out dhparams.pem 2048
+# as suggested at <https://weakdh.org/sysadmin.html>.
+ssl_dhparam         /etc/dhparams.pem;
+
+# Tell clients to keep using HTTPS.
+add_header Strict-Transport-Security max-age=15552000;
+
+# Limit embedding in HTML frames.
+add_header X-Frame-Options SAMEORIGIN;\n")
+
 (define %hpc.guix.info-nginx-servers
   (let ((common-locations
          (list
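Review bot: The comment `# Make sure SSL is disabled.` on the ssl_protocols line is misleading, because the line also enables TLSv1.1, which RFC 8996 deprecated along with TLSv1.0; since this string is now the single place every HTTPS server block gets its protocol list from, it is the natural point to tighten it to `ssl_protocols       TLSv1.2 TLSv1.3;` with a comment such as `# Only TLS 1.2 and 1.3; SSLv3/TLS 1.0/1.1 are deprecated (RFC 8996).` if no client still needs 1.1. A second caveat worth stating in the variable's comment: nginx's `add_header` is not inherited into a `location` that declares its own `add_header`, so the Strict-Transport-Security and X-Frame-Options headers set here are silently dropped on such locations — I cannot see the location lists from this hunk, so this needs checking against common-locations.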
@@ -337,26 +358,8 @@ add_header X-Frame-Options SAMEORIGIN;"))
       (ssl-certificate-key "/etc/letsencrypt/live/hpc.guix.info/privkey.pem")
       (root "/srv/guix-hpc-web")
       (raw-content
-       '("
-# Make sure SSL is disabled.
-ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
-
-# Disable weak cipher suites.
-ssl_ciphers         HIGH:!aNULL:!MD5;
-ssl_prefer_server_ciphers on;
-
-# Use our own DH parameters created with:
-#    openssl dhparam -out dhparams.pem 2048
-# as suggested at <https://weakdh.org/sysadmin.html>.
-ssl_dhparam         /etc/dhparams.pem;
-
-# Tell clients to keep using HTTPS.
-add_header Strict-Transport-Security max-age=15552000;
-
-# Limit embedding in HTML frames.
-add_header X-Frame-Options SAMEORIGIN;
-
-access_log  /var/log/nginx/guix-hpc.access.log;"))
+       (list %common-tls-options
+             "access_log /var/log/nginx/guix-hpc.access.log;"))
       (locations common-locations)))))
 
 (define %guix-hpc.bordeaux.inria.fr-nginx-servers
@@ -402,20 +405,8 @@ access_log   /var/log/nginx/guix-hpc.access.log;"))
       (ssl-certificate-key
        "/etc/letsencrypt/live/guix-hpc.bordeaux.inria.fr/privkey.pem")
       (raw-content
-       '("
-# Make sure SSL is disabled.
-ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
-
-# Disable weak cipher suites.
-ssl_ciphers         HIGH:!aNULL:!MD5;
-ssl_prefer_server_ciphers on;
-
-# Use our own DH parameters created with:
-#    openssl dhparam -out dhparams.pem 2048
-# as suggested at <https://weakdh.org/sysadmin.html>.
-ssl_dhparam         /etc/dhparams.pem;
-
-access_log  /var/log/nginx/guix-hpc.access.log;"))
+       (list %common-tls-options
+             "access_log /var/log/nginx/guix-hpc.access.log;"))
       (locations common-locations)))))
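Review bot: Switching this raw-content to %common-tls-options is not purely a factorization for guix-hpc.bordeaux.inria.fr: the removed block set only ssl_protocols, ssl_ciphers, ssl_prefer_server_ciphers and ssl_dhparam, whereas the new variable also emits `add_header Strict-Transport-Security max-age=15552000;` and `add_header X-Frame-Options SAMEORIGIN;`. The same silent addition happens in the following hunks for logs.guix.gnu.org, coordinator.bayfront.guix.gnu.org, bayfront.guix.gnu.org and bordeaux.guix.gnu.org, whose removed blocks likewise lacked both headers. The HSTS change in particular is sticky on the client side for 180 days, so it should be called out in the commit message as an intentional hardening, or, if it is not intended for all of these hosts, the headers should be split out of %common-tls-options into a separate variable that only the hosts that previously sent them include.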
 
 (define %logs.guix.gnu.org-nginx-servers
@@ -448,20 +439,8 @@ access_log   /var/log/nginx/logs.access.log;"))
       (ssl-certificate-key
        "/etc/letsencrypt/live/logs.guix.gnu.org/privkey.pem")
       (raw-content
-       '("
-# Make sure SSL is disabled.
-ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
-
-# Disable weak cipher suites.
-ssl_ciphers         HIGH:!aNULL:!MD5;
-ssl_prefer_server_ciphers on;
-
-# Use our own DH parameters created with:
-#    openssl dhparam -out dhparams.pem 2048
-# as suggested at <https://weakdh.org/sysadmin.html>.
-ssl_dhparam         /etc/dhparams.pem;
-
-access_log   /var/log/nginx/logs.access.log;"))
+       (list %common-tls-options
+             "access_log /var/log/nginx/logs.access.log;"))
       (locations common-locations)))))
 
 (define %coordinator.bayfront.guix.gnu.org-nginx-servers
@@ -483,19 +462,8 @@ access_log   /var/log/nginx/logs.access.log;"))
     (ssl-certificate-key
      "/etc/letsencrypt/live/bayfront.guix.gnu.org/privkey.pem")
     (raw-content
-     '("
-# Make sure SSL is disabled.
-ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
-
-# Disable weak cipher suites.
-ssl_ciphers         HIGH:!aNULL:!MD5;
-ssl_prefer_server_ciphers on;
-
-# Use our own DH parameters created with:
-#    openssl dhparam -out dhparams.pem 2048
-# as suggested at <https://weakdh.org/sysadmin.html>.
-ssl_dhparam         /etc/dhparams.pem;
-
+     (list %common-tls-options
+           "\
 client_max_body_size 0;
 client_body_buffer_size 128K;
 
@@ -555,19 +523,8 @@ proxy_set_header X-Forwarded-For  
$proxy_add_x_forwarded_for;"))
       (ssl-certificate-key
        "/etc/letsencrypt/live/bayfront.guix.gnu.org/privkey.pem")
       (raw-content
-       '("
-# Make sure SSL is disabled.
-ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
-
-# Disable weak cipher suites.
-ssl_ciphers         HIGH:!aNULL:!MD5;
-ssl_prefer_server_ciphers on;
-
-# Use our own DH parameters created with:
-#    openssl dhparam -out dhparams.pem 2048
-# as suggested at <https://weakdh.org/sysadmin.html>.
-ssl_dhparam         /etc/dhparams.pem;
-
+       (list %common-tls-options
+             "\
 access_log  /var/log/nginx/https.access.log;
 
 proxy_set_header X-Forwarded-Host $host;
@@ -677,20 +634,8 @@ access_log  /var/log/nginx/bordeaux.access.log;"))
       (ssl-certificate-key
        "/etc/letsencrypt/live/bayfront.guix.gnu.org/privkey.pem")
       (raw-content
-       '("
-# Make sure SSL is disabled.
-ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
-
-# Disable weak cipher suites.
-ssl_ciphers         HIGH:!aNULL:!MD5;
-ssl_prefer_server_ciphers on;
-
-# Use our own DH parameters created with:
-#    openssl dhparam -out dhparams.pem 2048
-# as suggested at <https://weakdh.org/sysadmin.html>.
-ssl_dhparam         /etc/dhparams.pem;
-
-access_log  /var/log/nginx/bordeaux.access.log;"))
+       (list %common-tls-options
+             "access_log /var/log/nginx/bordeaux.access.log;"))
       (locations common-locations)))))
 
 


