From: Andy Witter
Date: Wed, 30 Aug 2017 17:51:54 +0000 (-0400)
Subject: Copy dhparams.pem for CA cert or generate it for self signed cert.
X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=874a5bc9b700aaedafc1402dcbc9d6a39d681853;p=contrib%2Fpines%2Fgenasys.git
Copy dhparams.pem for CA cert or generate it for self signed cert.
---
diff --git a/GenaSYS.sh b/GenaSYS.sh
index dfe79cf..bd5cd39 100755
--- a/GenaSYS.sh
+++ b/GenaSYS.sh
@@ -25,8 +25,8 @@ PURPOSE_="Generate config files needed for Evergreen-ILS Cluster"
 SYNOPSIS_="$NAME_"
 REQUIRES_="standard GNU commands, apt, dpkg"
- VERSION_="1.79"
- DATE_="2010-11-23; last update: 2017-06-20"
+ VERSION_="1.80"
+ DATE_="2010-11-23; last update: 2017-08-30"
 AUTHOR_="Andy Witter "
 URL_="http://evergreen-ils.org"
 CATEGORY_="devel"
@@ -431,6 +431,7 @@ Generate_SSL_Cert () { ### Generate SSL Certificate.
 openssl req -new -x509 -days 365 -nodes -out server.crt -keyout server.key -subj "/CN=$CLUSTERDOMAINNAME"
 echo;echo;echo "Certificate for $CLUSTERDOMAINNAME"
 openssl x509 -in server.crt -text -noout
+ openssl dhparam -out dhparams.pem 2048
 sleep 2
 cd "${WD}"
 else
@@ -439,6 +440,7 @@ Generate_SSL_Cert () { ### Generate SSL Certificate.
 openssl req -new -x509 -days 365 -nodes -out server.crt -keyout server.key -subj "/CN=$CLUSTERDOMAINNAME"
 echo;echo;echo "Certificate for $CLUSTERDOMAINNAME"
 openssl x509 -in server.crt -text -noout
+ openssl dhparam -out dhparams.pem 2048
 sleep 2
 cd "${WD}"
 fi
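Review bot: The new `openssl dhparam -out dhparams.pem 2048` line in the @@ -431 hunk (and its twin in the @@ -439 hunk) runs unchecked, so a failed or interrupted generation leaves no dhparams.pem and the script carries on to `sleep 2` as if it had succeeded; the brick copy later in this commit only runs when the file exists, and the nginx template now references `/etc/apache2/ssl/dhparams.pem` unconditionally, so the failure would surface only when nginx rejects its config on the brick. I would guard it, e.g. `openssl dhparam -out dhparams.pem 2048 || { echo "dhparam generation failed" >&2; exit 1; }` (or `return 1` if the caller checks the function's status), and print a one-line notice beforehand, since 2048-bit parameter generation can take a noticeable time on the operator's machine. The line is identical in both branches of the if/else, so it could also be hoisted to just after the `fi` instead of being duplicated. Generate_SSL_Cert's body extends beyond both hunks.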
@@ -1909,7 +1911,9 @@ for BRICK in $(seq $BRICKCOUNT) fi eval cp -f $TEMPLATEDIR/eg_fstab_head ${OUTDIR}/\$BRICKHOSTNAME${BRICK}/\$BRICKHOSTNAME${BRICK}-head/etc eval cp -f ${CERT_DIR}/server.* ${OUTDIR}/\$BRICKHOSTNAME${BRICK}/\$BRICKHOSTNAME${BRICK}-head/etc/apache2/ssl + [ -e "${CERT_DIR}/ca.crt" ] && eval cp -f "${CERT_DIR}/ca.crt" ${OUTDIR}/\$BRICKHOSTNAME${BRICK}/\$BRICKHOSTNAME${BRICK}-head/etc/apache2/ssl + [ -e "${CERT_DIR}/dhparams.pem" ] && eval cp -f "${CERT_DIR}/dhparams.pem" ${OUTDIR}/\$BRICKHOSTNAME${BRICK}/\$BRICKHOSTNAME${BRICK}-head/etc/apache2/ssl [ -e "${CUSTOMDIR}/zips.txt" ] && eval cp -f "${CUSTOMDIR}/zips.txt" ${OUTDIR}/\$BRICKHOSTNAME${BRICK}/\$BRICKHOSTNAME${BRICK}-head/openils/var/data/zips.txt eval cp -f $TEMPLATEDIR/opensrf_core.xml ${OUTDIR}/\$BRICKHOSTNAME${BRICK}/\$BRICKHOSTNAME${BRICK}-head/openils/conf eval sed -i "s^UTILITY01_IP^$UTILITY01_IP^g" ${OUTDIR}/$(eval echo \$BRICKHOSTNAME${BRICK})/$(eval echo \$BRICKHOSTNAME${BRICK})-head/etc/eg_fstab_head 
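Review bot: The added `[ -e "${CERT_DIR}/dhparams.pem" ] && eval cp -f ...` guard (here and again in the @@ -2069 hunk) silently skips the copy when the file is absent, while the nginx template added in this same commit references `ssl_dhparam /etc/apache2/ssl/dhparams.pem;` unconditionally, so a CA-signed deployment where the operator did not place dhparams.pem in CERT_DIR yields a brick whose nginx config fails to load. Since the commit message says the file is copied rather than generated in the CA-cert case, I would at least fail loudly before the copy: `[ -e "${CERT_DIR}/dhparams.pem" ] || { echo "ERROR: ${CERT_DIR}/dhparams.pem not found; nginx ssl_dhparam requires it" >&2; exit 1; }`, or generate it at that point as the self-signed path does. Both new lines also follow the surrounding `eval cp` pattern with an unquoted `${OUTDIR}/...` destination; that is pre-existing, but `eval` re-parses the expanded path, so a quoted destination would be the safer form for the new lines. The enclosing `for BRICK` loop starts and ends outside the hunk.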
@@ -2069,6 +2073,7 @@ for BRICK in $(seq $BRICKCOUNT) eval cp -f $TEMPLATEDIR/eg_fstab_head ${OUTDIR}/\$BRICKHOSTNAME${BRICK}/\$BRICKHOSTNAME${BRICK}-head/etc eval cp -f ${CERT_DIR}/server.* ${OUTDIR}/\$BRICKHOSTNAME${BRICK}/\$BRICKHOSTNAME${BRICK}-head/etc/apache2/ssl [ -e "${CERT_DIR}/ca.crt" ] && eval cp -f "${CERT_DIR}/ca.crt" ${OUTDIR}/\$BRICKHOSTNAME${BRICK}/\$BRICKHOSTNAME${BRICK}-head/etc/apache2/ssl + [ -e "${CERT_DIR}/dhparams.pem" ] && eval cp -f "${CERT_DIR}/dhparams.pem" ${OUTDIR}/\$BRICKHOSTNAME${BRICK}/\$BRICKHOSTNAME${BRICK}-head/etc/apache2/ssl [ -e "${CUSTOMDIR}/zips.txt" ] && eval cp -f "${CUSTOMDIR}/zips.txt" ${OUTDIR}/\$BRICKHOSTNAME${BRICK}/\$BRICKHOSTNAME${BRICK}-head/openils/var/data/zips.txt eval sed -i "s^UTILITY01_IP^$UTILITY01_IP^g" ${OUTDIR}/$(eval echo \$BRICKHOSTNAME${BRICK})/$(eval echo \$BRICKHOSTNAME${BRICK})-head/etc/eg_fstab_head eval sed -i "s^UTILITY02_IP^$UTILITY02_IP^g" ${OUTDIR}/$(eval echo \$BRICKHOSTNAME${BRICK})/$(eval echo \$BRICKHOSTNAME${BRICK})-head/etc/eg_fstab_head diff --git a/templates/nginx/osrf-ws-http-proxy b/templates/nginx/osrf-ws-http-proxy index d079230..4b43ab0 100644 --- a/templates/nginx/osrf-ws-http-proxy +++ b/templates/nginx/osrf-ws-http-proxy @@ -16,6 +16,7 @@ server { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } + } server { 
@@ -25,6 +26,10 @@ server { # Use the same SSL certificate as Apache. ssl_certificate /etc/apache2/ssl/server.crt; ssl_certificate_key /etc/apache2/ssl/server.key; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # omit SSLv3 because of POODLE + ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; + ssl_prefer_server_ciphers on; + ssl_dhparam /etc/apache2/ssl/dhparams.pem; location / { proxy_pass https://localhost:7443;
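Review bot: The new `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` line still enables TLS 1.0 and 1.1, and the cipher string explicitly admits `DES-CBC3-SHA` (3DES) and the `CAMELLIA` family; note that the trailing `!DES` excludes only single-DES suites, not 3DES, so a 64-bit-block cipher remains negotiable for clients that prefer it (the SWEET32 class of weakness). Unless legacy clients are known to need them, I would change the protocol line to `ssl_protocols TLSv1.2;` and drop `:DES-CBC3-SHA` and `:CAMELLIA` from the list (or append `:!3DES`), keeping the ECDHE/DHE AES-GCM suites that `ssl_prefer_server_ciphers on` will favour anyway. The list appears to be an older Mozilla "intermediate"-style profile; if so, regenerating it from the upstream generator is easier to keep current than maintaining it inline. The `ssl_dhparam` directive also assumes dhparams.pem was actually delivered to the brick, which the script only does when the file exists in CERT_DIR. The `server {` block continues outside the hunk.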