101 Commits (a6f7418f19315a1298097d0ba9542f73644ab119)

Author SHA1 Message Date
Raymond Yee 34b9df63ff Merge branch 'master' into dj16 2016-05-09 17:45:41 -07:00
Raymond Yee c0afa2cc95 fix output log for prod.conf: switch from logrotate to cronolog 2016-05-09 14:52:46 -07:00
Raymond Yee 1699c8af7d add dump_db_prod.sh 2016-05-09 14:32:58 -07:00
Raymond Yee 8211e5d3af first pass at getting vagrant/ansible working for prod 2016-05-09 14:11:49 -07:00
Raymond Yee a1c1b3a80e Merge branch 'master' into dj16 2016-05-07 16:06:31 -07:00
Raymond Yee 93ae8bca12 move from logrotate to cronolog 2016-05-02 15:58:20 -07:00
Raymond Yee b35e09a263 upgrades in celery related modules to deal with upgrade to Python 2.7.11, etc
ALLOWED_HOSTS setting needed now
upgrade wsgi file (just in case)
2016-04-11 15:38:49 -07:00
eric 60bc236ab4 init mimetypes 2016-03-25 14:13:39 -04:00
Raymond Yee eb0f51f1b7 make apache config 2.2 and 2.4 compatible 2015-07-03 11:06:54 -07:00
Raymond Yee e04ad9e915 changes to make things work for trusty64 on localvm 2015-07-03 11:06:54 -07:00
Raymond Yee cb55b83090 using xip.io to map a test server URL.
specifically 192.168.33.10.xip.io
2015-07-03 11:06:54 -07:00
Raymond Yee 56a5c17f1c trying localvm.test as a test domain 2015-07-03 11:06:54 -07:00
Raymond Yee 55ec76d283 forgot localvm.wsgi
fix apache config file to hopefully do redirect correctly -- hardcoding localvm as a name for the address for localvm vm.
2015-07-03 11:06:54 -07:00
Raymond Yee 7d76df7007 first pass at localvm 2015-07-03 11:06:54 -07:00
Raymond Yee db3c790bcb next iteration on getting just running 2015-05-16 13:30:09 -07:00
Raymond Yee 8f3051ffd3 get rid of public keys for Andromeda, Ed, and Jason 2015-05-16 13:30:09 -07:00
Raymond Yee 764da41d36 fix problem in crontab for please 2015-05-08 15:13:24 -07:00
Raymond Yee ee156ba061 add an entry in the crontab to create necessary celerybeat stuff on reboot 2015-05-08 15:01:38 -07:00
Raymond Yee cb0c647d1a * making progress on building please.unglue.it
* updating requirements_versioned.pip to handle Pyzotero
2015-05-04 10:51:12 -07:00
Raymond Yee 486e474fc3 Set the SSL configuration to that generated by
https://mozilla.github.io/server-side-tls/ssl-config-generator/
intermediate mode
2015.03.04   (with Apache v 2.2.22 and OpenSSL 1.0.1 and HSTS enabled)
2015-03-11 10:10:48 -07:00
Raymond Yee 949f22415b a modern configuration from https://mozilla.github.io/server-side-tls/ssl-config-generator/ 2015-03-10 16:07:15 -07:00
Raymond Yee cdb84dfffa Working conclusion: use the configuration:
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on
2015-03-10 15:48:02 -07:00
Raymond Yee 2e274b4e2b config without RC4
://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
2015-03-05 12:30:47 -08:00
Raymond Yee 8506df2480 need "" around ciphers 2015-03-05 12:26:40 -08:00
Raymond Yee 2685940069 ooops typo 2015-03-05 12:25:34 -08:00
Raymond Yee c9a0fc8ee7 tweak from the article
SSLCipherSuite EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4
2015-03-05 12:24:20 -08:00
Raymond Yee bcc1abed00 Now let's try https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy 2015-03-05 12:15:12 -08:00
Raymond Yee 25b8749206 Let's see what using the old configuration to be more compatible with old browsers does for the ssl test 2015-03-05 12:07:30 -08:00
Raymond Yee 9477ae66f2 first config try didn't up our score....now trying config generated by mozilla 2015-03-04 11:35:25 -08:00
Raymond Yee 5c64cfac38 testing SSL configuration to try to disallow RC4 and enable forward secrecy 2015-03-04 10:53:54 -08:00
Raymond Yee c911a0f945 redirect all for prod 2015-01-08 14:08:18 -08:00
Raymond Yee a77bae1cd6 restore prod to current state 2015-01-08 11:14:12 -08:00
eric b6e17b6fcf Merge branch 'master' into ssl_redirect 2015-01-08 13:11:18 -05:00
Raymond Yee 8a5c86d718 I had a bug in the crontab for just all this time.... 2014-12-20 18:22:20 -05:00
Raymond Yee c04a858905 configure production for redirecting everything to tls too. 2014-12-12 13:52:56 -08:00
Raymond Yee 22c917eb65 let's try redirecting everything 2014-12-12 13:47:25 -08:00
Raymond Yee 2764d337ae need to include --upgrade flag to pip install (doh) 2014-10-16 15:18:06 -07:00
Raymond Yee 685e827e44 Turning off SSL v2 and SSL v3 from Apache to patch against POODLE vulnerability: http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566 2014-10-15 14:56:59 -07:00
Raymond Yee 629527e3e0 the commands to link the celery config files belong in the startup 2014-10-10 17:28:59 -07:00
Raymond Yee 9be8d2b3a7 just was not configured properly for celery 2014-10-10 17:00:28 -07:00
Raymond Yee 957d3f2c88 Fix SSL conf on production too 2014-05-23 18:15:54 -07:00
Raymond Yee 91250d937b it seems key issue is lack of
ServerName just.unglue.it:443
2014-05-23 17:57:40 -07:00
Raymond Yee af016cc0fb adding to apache conf:
SSLProtocol all -SSLv2 +TLSv1
2014-05-23 17:25:40 -07:00
Raymond Yee 1867964938 need a LF at end for crontab 2014-05-05 17:46:15 -07:00
Raymond Yee 918d295509 set the SHELL, PATH in crontab for just/please 2014-05-05 17:04:27 -07:00
eric 2892a22824 change terminology from "donation" to "gift" 2013-12-13 15:15:35 -05:00
Raymond Yee 7f35d0b74d /opt/regluit/ENV/bin/django-admin.py emit_notices --settings=regluit.settings.please ->
/opt/regluit/ENV/bin/django-admin.py emit_notices --settings=regluit.settings.just
2013-11-11 17:58:19 -08:00
Raymond Yee c253fd3909 update-just should also do a pip install 2013-02-11 10:54:37 -08:00
Raymond Yee fe45fdc2ab update which SSLCertificateChainFile being used by unglue.it 2013-01-07 21:11:39 -05:00
Raymond Yee 4fa7ea75ba update just.conf to move from just.unglueit.com -> just.unglue.it and for using a different CA 2013-01-07 20:53:43 -05:00