Merge pull request #3872 from dialoghq/feature/dhparam

carmstrong · carmstrong · commit a4f0bbc4a27b · 2015-06-18T00:02:53.000-07:00
feat(router): add Diffie-Hellman parameter for DHE ciphersuites
diff --git a/deisctl/config/config.go b/deisctl/config/config.go
@@ -15,7 +15,8 @@ import (
 var fileKeys = []string{
 	"/deis/platform/sshPrivateKey",
 	"/deis/router/sslCert",
-	"/deis/router/sslKey"}
+	"/deis/router/sslKey",
+	"/deis/router/sslDhparam"}
 
 // b64Keys define config keys to be base64 encoded before stored
 var b64Keys = []string{"/deis/platform/sshPrivateKey"}
diff --git a/docs/customizing_deis/router_settings.rst b/docs/customizing_deis/router_settings.rst
@@ -65,6 +65,7 @@ setting                                      description
 /deis/router/sslCert                         cluster-wide SSL certificate
 /deis/router/sslCiphers                      cluster-wide enabled SSL ciphers
 /deis/router/sslKey                          cluster-wide SSL private key
+/deis/router/sslDhparam                      cluster-wide SSL dhparam
 /deis/router/workerProcesses                 nginx number of worker processes to start (default: auto i.e. available CPU cores)
 /deis/router/proxyProtocol                   nginx PROXY protocol enabled
 /deis/router/proxyRealIpCidr                 nginx IP with CIDR used by the load balancer in front of deis-router (default: 10.0.0.0/8)
diff --git a/router/image/conf.d/dhparam.pem.toml b/router/image/conf.d/dhparam.pem.toml
@@ -0,0 +1,10 @@
+[template]
+src   = "dhparam.pem"
+dest  = "/etc/ssl/dhparam.pem"
+uid = 0
+gid = 0
+mode  = "0644"
+keys = [
+  "/deis/router",
+]
+reload_cmd = "/opt/nginx/sbin/nginx -s reload"
diff --git a/router/image/templates/deis.conf b/router/image/templates/deis.conf
@@ -6,6 +6,9 @@ listen 80{{ if exists "/deis/router/proxyProtocol" }} proxy_protocol{{ end }};
 listen 443 ssl spdy{{ if exists "/deis/router/proxyProtocol" }} proxy_protocol{{ end }};
 ssl_certificate /etc/ssl/deis.cert;
 ssl_certificate_key /etc/ssl/deis.key;
+{{ if exists "/deis/router/sslDhparam" }}
+ssl_dhparam /etc/ssl/dhparam.pem;
+{{ end }}
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 {{ if exists "/deis/router/sslCiphers" }}
 ssl_ciphers '{{ getv "/deis/router/sslCiphers" }}';
diff --git a/router/image/templates/dhparam.pem b/router/image/templates/dhparam.pem
@@ -0,0 +1 @@
+{{ getv "/deis/router/sslDhparam" }}
