[Qa-jenkins-scm] [jenkins.debian.net] 01/02: apache: more random bits (should also improve the SSL rating)

Mattia Rizzolo mattia at debian.org
Fri Apr 6 17:29:20 UTC 2018


This is an automated email from the git hooks/post-receive script.

mattia pushed a commit to branch master
in repository jenkins.debian.net.

commit 1c7093787f7302d192ba9356307c5852cdd4890c
Author: Mattia Rizzolo <mattia at debian.org>
Date:   Fri Apr 6 18:57:34 2018 +0200

    apache: more random bits (should also improve the SSL rating)
    
    Signed-off-by: Mattia Rizzolo <mattia at debian.org>
---
 .../sites-available/jenkins.debian.net.conf        | 34 ++++++++--------------
 hosts/jenkins/etc/cron.daily/jenkins               |  8 -----
 2 files changed, 12 insertions(+), 30 deletions(-)

diff --git a/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net.conf b/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net.conf
index 4f62c9c..629738e 100644
--- a/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net.conf
+++ b/hosts/jenkins/etc/apache2/sites-available/jenkins.debian.net.conf
@@ -10,6 +10,9 @@
 	SSLEngine on
 	SSLCertificateKeyFile /etc/apache2/ssl/$name.key
 	SSLCertificateFile /etc/apache2/ssl/$name.pem
+	SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5
+	SSLHonorCipherOrder on
+	Header always add Strict-Transport-Security "max-age=15552000"
 </Macro>
 
 <Macro common-directives $name>
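Review bot: The added `SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5` never excludes 3DES, so on OpenSSL builds where `HIGH` still contains the 3DES suites (releases before 1.1.0, as far as I know) those 64-bit-block ciphers remain negotiable; appending `:!3DES` makes the intent independent of the library version. No `SSLProtocol` line is visible in this macro, so the protocol floor is inherited from elsewhere; if it is not set globally, stating it here (for example `SSLProtocol all -SSLv3`) would keep the TLS policy in one place. I would also write `Header always set Strict-Transport-Security "max-age=15552000"` rather than `add`, so a response cannot end up with two HSTS headers if another config layer emits one. The macro starts above this hunk, so directives earlier in it are not visible here.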
@@ -44,9 +47,6 @@
 	RewriteEngine on
 	ProxyRequests Off
 
-	# HSTS
-	Header always add Strict-Transport-Security "max-age=15552000"
-
 	ErrorLog ${APACHE_LOG_DIR}/error.log
 	# Possible values include: debug, info, notice, warn, error, crit,
 	# alert, emerg.
@@ -70,15 +70,6 @@ Use https-redirect www.reproducible-builds.org
 	Alias /userContent /var/lib/jenkins/userContent
 	Alias /robots.txt /var/lib/jenkins/userContent/robots.txt
 
-	# allow certain params only from alioth (token is used to trigger builds)
-	# this is git.d.o which is really moszumanska.d.o
-	# etc/cron.daily/jenkins checks for changes in this IP address, so root will be notified and can adopt this...
-	RewriteCond %{REMOTE_ADDR} !5\.153\.231\.21
-	# This is a path used, for example, by the credential plugin
-	Rewritecond %{REQUEST_URI} !^/descriptorByName/
-	RewriteCond %{QUERY_STRING} token
-	RewriteRule ^ - [F]
-
 	# a bunch of redirects to point people to https://reproducible.debian.net
 	RewriteCond %{REQUEST_URI} ^/userContent/reproducible.html$ [or]
 	RewriteCond %{REQUEST_URI} ^/userContent/reproducible.json$ [or]
@@ -128,26 +119,18 @@ Use https-redirect www.reproducible-builds.org
 
 
 <VirtualHost *:443>
-	Use common-directives reproducible.debian.net
-	Use common-directives-ssl reproducible.debian.net
-
-	# just redirect everything to the new hostname
-	Redirect permanent / https://tests.reproducible-builds.org/
-</VirtualHost>
-
-<VirtualHost *:443>
 	Use common-directives tests.reproducible-builds.org
 	Use common-directives-ssl reproducible.debian.net
 
 	DocumentRoot /var/lib/jenkins/userContent/reproducible
 	AddDefaultCharset utf-8
 
+	Include reproduciblemap.conf
+
 	<Directory /var/lib/jenkins/userContent/reproducible/debian/artifacts>
 		HeaderName .HEADER.html
 	</Directory>
 
-	Include reproduciblemap.conf
-
 	# for watching service logfiles
 	ScriptAlias /cgi-bin /srv/jenkins/bin/cgi-bin
 	<Directory "/srv/jenkins/bin/cgi-bin">
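Review bot: The `tests.reproducible-builds.org` vhost keeps `Use common-directives-ssl reproducible.debian.net`, and with the reproducible.debian.net vhost no longer sitting directly above it that name mismatch is easy to read as a mistake. If the macro resolves to `/etc/apache2/ssl/$name.key` and `$name.pem`, as the first hunk suggests, a comment such as `# the reproducible.debian.net certificate also covers tests.reproducible-builds.org` (to be confirmed against the certificate's SANs) would document the choice. The vhost body continues past the end of this hunk.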
@@ -187,6 +170,7 @@ Use https-redirect www.reproducible-builds.org
 	</Directory>
 </VirtualHost>
 
+
 <VirtualHost *:443>
 	Use common-directives www.reproducible-builds.org
 	Use common-directives-ssl reproducible-builds.org
@@ -194,4 +178,10 @@ Use https-redirect www.reproducible-builds.org
 	# just redirect everything to non-www
 	Redirect permanent / https://reproducible-builds.org/
 </VirtualHost>
+<VirtualHost *:443>
+	Use common-directives reproducible.debian.net
+	Use common-directives-ssl reproducible.debian.net
 
+	# just redirect everything to the new hostname
+	Redirect permanent / https://tests.reproducible-builds.org/
+</VirtualHost>
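Review bot: The re-added `reproducible.debian.net` vhost opens directly after the preceding `</VirtualHost>` with no separating blank line, while an earlier hunk in this commit adds a second blank line before another vhost; one empty line before `<VirtualHost *:443>` would keep the file consistent. Because this host sends HSTS through the ssl macro, the existing comment could be extended to `# legacy hostname: redirect only; keep its certificate valid while browsers still hold the HSTS entry`, so the vhost is not dropped or left with an expired certificate by accident.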
diff --git a/hosts/jenkins/etc/cron.daily/jenkins b/hosts/jenkins/etc/cron.daily/jenkins
deleted file mode 100755
index 47e52f9..0000000
--- a/hosts/jenkins/etc/cron.daily/jenkins
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/sh
-
-# this is needed as this IP address has to be hardcoded in /etc/apache2/sites-available/jenkins.debian.net
-
-if [ "$(host git.debian.org|head -1)" != "git.debian.org has address 5.153.231.21" ] ; then
-	echo "IP address of git.debian.org has changed, please update etc/apache2/sites-available/jenkins.debian.net and etc/cron.daily/jenkins in jenkins.debian.net.git"
-	host git.debian.org
-fi

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/qa/jenkins.debian.net.git


