From: Martin Zobel-Helas Date: Thu, 15 Mar 2012 19:23:14 +0000 (+0100) Subject: start to push some common SSL options to the webservers. they can be included if... X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=f77cf10d93d92cdca395ad2ce9ee80219fdc2439;p=mirror%2Fdsa-puppet.git start to push some common SSL options to the webservers. they can be included if necessary. Signed-off-by: Martin Zobel-Helas --- diff --git a/modules/apache2/files/common/etc/apache2/sites-available/common-ssl.inc b/modules/apache2/files/common/etc/apache2/sites-available/common-ssl.inc new file mode 100644 index 000000000..2021ab4c2 --- /dev/null +++ b/modules/apache2/files/common/etc/apache2/sites-available/common-ssl.inc @@ -0,0 +1,30 @@ +## +## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE. +## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git +## + + +# SSL Engine Switch: +# Enable/Disable SSL for this virtual host. +SSLEngine on + +# SSL Protocol support: +# List the protocol versions which clients are allowed to +# connect with. Disable SSLv2 by default (cf. RFC 6176). +SSLProtocol all -SSLv2 + +# +# Some MIME-types for downloading Certificates and CRLs +# +AddType application/x-x509-ca-cert .crt +AddType application/x-pkcs7-crl .crl + +# SSL Cipher Suite: +# List the ciphers that the client is permitted to negotiate. +# See the mod_ssl documentation for a complete list. +SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM +SSLHonorCipherOrder on + +# Add STS +Header add Strict-Transport-Security "max-age=604800" +
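Review bot: `SSLProtocol all -SSLv2` still leaves SSLv3 negotiable, and the `SSLCipherSuite` line places `RC4` ahead of `HIGH` while excluding `!EDH` and `!AESGCM`, none of which the surrounding comment explains. With `SSLHonorCipherOrder on`, the first two entries (`ECDHE-RSA-AES256-SHA384`, `AES256-SHA256`) are TLS 1.2 only, so every TLS 1.0/1.1 client lands on an RC4 suite before any AES CBC suite in `HIGH`; `!EDH` removes DHE, leaving the single ECDHE entry as the only forward-secret suite, and `!AESGCM` drops the AEAD suites for no stated reason. If the RC4 preference is a deliberate CBC workaround, say so in the comment next to the line and note when it should be revisited; otherwise consider `SSLProtocol all -SSLv2 -SSLv3` and moving `HIGH` ahead of `RC4`. Also, the comment "See the mod_ssl documentation for a complete list" describes nothing about this particular ordering; a one-line rationale per exclusion would make the file maintainable once it is included from many vhosts. On the STS line, `Header add Strict-Transport-Security "max-age=604800"` uses `add`, which appends a second header when an including vhost already sets one, and the default `onsuccess` table is not sent with error responses; `Header always set Strict-Transport-Security "max-age=604800"` avoids both. Since this is an include file, wrap that directive in `<IfModule mod_headers.c>` or document that mod_headers must be enabled, otherwise any vhost pulling in `common-ssl.inc` fails to load on a host without it.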