pk/atst
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Config for NGINX SSL/TLS.

Browse Source 
This adds additional SSL/TLS config to specify the acceptable TLS
version, cipher suites, session cache, etc. Values are currently based
on the Mozilla Foundation's recommendations for intermediate
compatibility:

https://wiki.mozilla.org/Security/Server_Side_TLS

We will manage NGINX configuration snippets as a K8s ConfigMap so that
they can be included in server blocks as-needed.
This commit is contained in:
dandds
2019-11-14 14:20:17 -05:00
committed by tomdds
parent 26c5b5ea7f
commit a3aa3e6935
4 changed files with 106 additions and 70 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
deploy/azure/atst-nginx-configmap.yml
View File

@@ -41,6 +41,9 @@ data:
listen [::]:${PORT_PREFIX}442 ssl ipv6only=on; listen [::]:${PORT_PREFIX}442 ssl ipv6only=on;
ssl_certificate /etc/ssl/private/atat.crt; ssl_certificate /etc/ssl/private/atat.crt;
ssl_certificate_key /etc/ssl/private/atat.key; ssl_certificate_key /etc/ssl/private/atat.key;
# additional SSL/TLS settings
include /etc/nginx/snippets/ssl.conf
location /login-redirect { location /login-redirect {
return 301 https://auth-azure.atat.code.mil$request_uri; return 301 https://auth-azure.atat.code.mil$request_uri;
} }
@@ -75,8 +78,9 @@ data:
ssl_verify_client on; ssl_verify_client on;
ssl_verify_depth 10; ssl_verify_depth 10;
ssl_client_certificate /etc/ssl/client-ca-bundle.pem; ssl_client_certificate /etc/ssl/client-ca-bundle.pem;
# Guard against HTTPS -> HTTP downgrade # additional SSL/TLS settings
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always"; include /etc/nginx/snippets/ssl.conf
location / { location / {
return 301 https://azure.atat.code.mil$request_uri; return 301 https://azure.atat.code.mil$request_uri;
} }

143
deploy/azure/azure.yml
View File

@@ -30,8 +30,8 @@ spec:
- name: atst - name: atst
image: $CONTAINER_IMAGE image: $CONTAINER_IMAGE
envFrom: envFrom:
- configMapRef: - configMapRef:
name: atst-envvars name: atst-envvars
volumeMounts: volumeMounts:
- name: atst-config - name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini" mountPath: "/opt/atat/atst/atst-overrides.ini"
@@ -74,14 +74,16 @@ spec:
mountPath: "/etc/ssl/" mountPath: "/etc/ssl/"
- name: acme - name: acme
mountPath: "/usr/share/nginx/html/.well-known/acme-challenge/" mountPath: "/usr/share/nginx/html/.well-known/acme-challenge/"
- name: snippets
mountPath: "/etc/nginx/snippets/"
volumes: volumes:
- name: atst-config - name: atst-config
secret: secret:
secretName: atst-config-ini secretName: atst-config-ini
items: items:
- key: override.ini - key: override.ini
path: atst-overrides.ini path: atst-overrides.ini
mode: 0644 mode: 0644
- name: nginx-client-ca-bundle - name: nginx-client-ca-bundle
configMap: configMap:
name: nginx-client-ca-bundle name: nginx-client-ca-bundle
@@ -96,19 +98,19 @@ spec:
secret: secret:
secretName: atst-nginx-htpasswd secretName: atst-nginx-htpasswd
items: items:
- key: htpasswd - key: htpasswd
path: .htpasswd path: .htpasswd
mode: 0640 mode: 0640
- name: tls - name: tls
secret: secret:
secretName: azure-atat-code-mil-tls secretName: azure-atat-code-mil-tls
items: items:
- key: tls.crt - key: tls.crt
path: atat.crt path: atat.crt
mode: 0644 mode: 0644
- key: tls.key - key: tls.key
path: atat.key path: atat.key
mode: 0640 mode: 0640
- name: crls-vol - name: crls-vol
persistentVolumeClaim: persistentVolumeClaim:
claimName: crls-vol-claim claimName: crls-vol-claim
@@ -116,9 +118,9 @@ spec:
configMap: configMap:
name: pgsslrootcert name: pgsslrootcert
items: items:
- key: cert - key: cert
path: pgsslrootcert.crt path: pgsslrootcert.crt
mode: 0666 mode: 0666
- name: acme - name: acme
configMap: configMap:
name: acme-challenges name: acme-challenges
@@ -128,9 +130,12 @@ spec:
name: uwsgi-config name: uwsgi-config
defaultMode: 0666 defaultMode: 0666
items: items:
- key: uwsgi.ini - key: uwsgi.ini
path: uwsgi.ini path: uwsgi.ini
mode: 0644 mode: 0644
- name: snippets
configMap:
name: nginx-snippets
--- ---
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
kind: Deployment kind: Deployment
@@ -157,19 +162,20 @@ spec:
containers: containers:
- name: atst-worker - name: atst-worker
image: $CONTAINER_IMAGE image: $CONTAINER_IMAGE
args: [ args:
"/opt/atat/atst/.venv/bin/python", [
"/opt/atat/atst/.venv/bin/celery", "/opt/atat/atst/.venv/bin/python",
"-A", "/opt/atat/atst/.venv/bin/celery",
"celery_worker.celery", "-A",
"worker", "celery_worker.celery",
"--loglevel=info" "worker",
] "--loglevel=info",
]
envFrom: envFrom:
- configMapRef: - configMapRef:
name: atst-envvars name: atst-envvars
- configMapRef: - configMapRef:
name: atst-worker-envvars name: atst-worker-envvars
volumeMounts: volumeMounts:
- name: atst-config - name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini" mountPath: "/opt/atat/atst/atst-overrides.ini"
@@ -182,16 +188,16 @@ spec:
secret: secret:
secretName: atst-config-ini secretName: atst-config-ini
items: items:
- key: override.ini - key: override.ini
path: atst-overrides.ini path: atst-overrides.ini
mode: 0644 mode: 0644
- name: pgsslrootcert - name: pgsslrootcert
configMap: configMap:
name: pgsslrootcert name: pgsslrootcert
items: items:
- key: cert - key: cert
path: pgsslrootcert.crt path: pgsslrootcert.crt
mode: 0666 mode: 0666
--- ---
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
kind: Deployment kind: Deployment
@@ -218,19 +224,20 @@ spec:
containers: containers:
- name: atst-beat - name: atst-beat
image: $CONTAINER_IMAGE image: $CONTAINER_IMAGE
args: [ args:
"/opt/atat/atst/.venv/bin/python", [
"/opt/atat/atst/.venv/bin/celery", "/opt/atat/atst/.venv/bin/python",
"-A", "/opt/atat/atst/.venv/bin/celery",
"celery_worker.celery", "-A",
"beat", "celery_worker.celery",
"--loglevel=info" "beat",
] "--loglevel=info",
]
envFrom: envFrom:
- configMapRef: - configMapRef:
name: atst-envvars name: atst-envvars
- configMapRef: - configMapRef:
name: atst-worker-envvars name: atst-worker-envvars
volumeMounts: volumeMounts:
- name: atst-config - name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini" mountPath: "/opt/atat/atst/atst-overrides.ini"
@@ -243,16 +250,16 @@ spec:
secret: secret:
secretName: atst-config-ini secretName: atst-config-ini
items: items:
- key: override.ini - key: override.ini
path: atst-overrides.ini path: atst-overrides.ini
mode: 0644 mode: 0644
- name: pgsslrootcert - name: pgsslrootcert
configMap: configMap:
name: pgsslrootcert name: pgsslrootcert
items: items:
- key: cert - key: cert
path: pgsslrootcert.crt path: pgsslrootcert.crt
mode: 0666 mode: 0666
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@@ -264,12 +271,12 @@ metadata:
spec: spec:
loadBalancerIP: 13.92.235.6 loadBalancerIP: 13.92.235.6
ports: ports:
- port: 80 - port: 80
targetPort: 8342 targetPort: 8342
name: http name: http
- port: 443 - port: 443
targetPort: 8442 targetPort: 8442
name: https name: https
selector: selector:
role: web role: web
type: LoadBalancer type: LoadBalancer
@@ -284,12 +291,12 @@ metadata:
spec: spec:
loadBalancerIP: 23.100.24.41 loadBalancerIP: 23.100.24.41
ports: ports:
- port: 80 - port: 80
targetPort: 8343 targetPort: 8343
name: http name: http
- port: 443 - port: 443
targetPort: 8443 targetPort: 8443
name: https name: https
selector: selector:
role: web role: web
type: LoadBalancer type: LoadBalancer

1
deploy/azure/kustomization.yaml
View File

@@ -11,3 +11,4 @@ resources:
- nginx-client-ca-bundle.yml - nginx-client-ca-bundle.yml
- acme-challenges.yml - acme-challenges.yml
- aadpodidentity.yml - aadpodidentity.yml
- nginx-snippets.yml

24
deploy/azure/nginx-snippets.yml Normal file
View File

@@ -0,0 +1,24 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-snippets
namespace: atat
data:
ssl.conf: |-
# Guard against HTTPS -> HTTP downgrade
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
# Set SSL protocols, ciphers, and related options
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
ssl_prefer_server_ciphers on;
ssl_ecdh_curve X25519:prime256v1:secp384r1;
ssl_dhparam /etc/ssl/dhparam.pem;
# SSL session options
ssl_session_timeout 4h;
ssl_session_cache shared:SSL:10m; # 1mb = ~4000 sessions
ssl_session_tickets off;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;