Skip to content
/ cookbook-ssl-config Public

Chef cookbook to generate recommended SSL/TLS config file for nginx/apache

License

View license
0 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

jeremyolliver/cookbook-ssl-config

BranchesTags

Repository files navigation

ssl-config-cookbook

This cookbook is aimed at making it easy to provide secure SSL/TLS settings in your webserver of choice. The recommendations are taken from Mozilla's TLS Guidelines

Disclaimer

This repository provides a centralised easy way to encapsulate recommended SSL settings, across multiple sites. It may not always be up to date with the latest best practices as new protocols are published, and vulnerabilities in existing ones are discovered. Use of this cookbook does not constitute a magical security bullet, and the author(s) expressly makes no guarantee that use of this cookbook will necessarily result in correct security settings for your server. You should use this as a starting point, and check the generated results for yourself.

It is recommended that you read Mozilla's TLS Guidelines as a more definitive guide, and more frequently updated source of information. It is also recommended that you test the strength of your server's configuration together with the generated key and certificate via a tool such as SSL Labs server test to get a better picture of the security of your specific site.

Usage

Nginx

{
  "run_list": [
    "recipe[nginx]"
    "recipe[ssl-config::nginx]"
  ]
}

And in your nginx config template:

server {
  listen 443 ssl;
  servername example.com;

  include /etc/nginx/secure-ssl.conf;

  ssl_certificate /path/to/signed_cert_plus_intermediates;
  ssl_certificate_key /path/to/private_key;

  #...
}

Apache

{
  "run_list": [
    "recipe[apache2]"
    "recipe[ssl-config::apache]"
  ]
}
<VirtualHost *:443>
  ServerName example.com
  SSLEngine on
  SSLCertificateFile      /path/to/signed_certificate
  SSLCertificateChainFile /path/to/intermediate_certificate
  SSLCertificateKeyFile   /path/to/private/key
  SSLCACertificateFile    /path/to/all_ca_certs

  include /etc/apache2/secure-ssl.conf

  #...
</VirtualHost>

Attributes

Key Type Description Default
['ssl-config']['compatibility_mode'] String Can be changed to "intermediate_compatibility" to support some older browsers "high_security"
['ssl-config']['hsts'] Boolean Ensure you know what you are doing before turning this on. Forces browsers to always use https on the given domain false
['ssl-config']['tuning']['ssl_session_timeout'] String Tunable session timeout "5m"
['ssl-config']['tuning']['ssl_session_cache'] String Tunable session cache "shared:SSL:5m"

License and Authors

Author:: Jeremy Olliver (jeremy.olliver@gmail.com) License:: Apache 2.0

About

Chef cookbook to generate recommended SSL/TLS config file for nginx/apache

Resources

Readme

License

View license
Activity

Stars

0 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

1 tags

Packages

No packages published

Languages