author | April King <april@mozilla.com> | 2020-01-29 11:17:17 +0300 |
---|---|---|
committer | April King <april@mozilla.com> | 2020-01-29 11:17:17 +0300 |
commit | fd14d6f2d9a577778ca04b8389cd411cbc15345f (patch) | |
tree | 5ab684a17716685c43813bd0b8ef2eb65c7f9490 | |
parent | db755cb5c8ce08af19673d8addbfef1d689954dc (diff) |
Add better comments to top of configs, shorten URL
-rwxr-xr-x | src/js/constants.js | 2 | ||||
-rwxr-xr-x | src/js/index.js | 18 | ||||
-rw-r--r-- | src/js/state.js | 23 | ||||
-rwxr-xr-x | src/templates/index.ejs | 4 | ||||
-rw-r--r-- | src/templates/partials/apache.hbs | 6 | ||||
-rw-r--r-- | src/templates/partials/caddy.hbs | 3 | ||||
-rw-r--r-- | src/templates/partials/dovecot.hbs | 3 | ||||
-rw-r--r-- | src/templates/partials/exim.hbs | 3 | ||||
-rw-r--r-- | src/templates/partials/golang.hbs | 3 | ||||
-rw-r--r-- | src/templates/partials/haproxy.hbs | 3 | ||||
-rw-r--r-- | src/templates/partials/lighttpd.hbs | 3 | ||||
-rw-r--r-- | src/templates/partials/mysql.hbs | 3 | ||||
-rw-r--r-- | src/templates/partials/nginx.hbs | 3 | ||||
-rw-r--r-- | src/templates/partials/oraclehttp.hbs | 5 | ||||
-rw-r--r-- | src/templates/partials/postfix.hbs | 3 | ||||
-rw-r--r-- | src/templates/partials/postgresql.hbs | 3 | ||||
-rw-r--r-- | src/templates/partials/proftpd.hbs | 3 | ||||
-rw-r--r-- | src/templates/partials/tomcat.hbs | 3 | ||||
-rw-r--r-- | src/templates/partials/traefik.hbs | 3 |
19 files changed, 65 insertions, 32 deletions
diff --git a/src/js/constants.js b/src/js/constants.js index 2371b0f..fe5bb29 100755 --- a/src/js/constants.js +++ b/src/js/constants.js @@ -7,5 +7,5 @@ module.exports = { mobileHeader: "SSL Config Generator", title: "Mozilla SSL Configuration Generator", url: "https://ssl-config.mozilla.org", - validHashKeys: ["server", "server-version", "openssl-version", "config", "hsts", "ocsp"], + validHashKeys: ["server", "version", "server-version", "openssl", "openssl-version", "config", "hsts", "ocsp"], }; diff --git a/src/js/index.js b/src/js/index.js index 23393b4..ae8e6d8 100755 --- a/src/js/index.js +++ b/src/js/index.js @@ -44,7 +44,7 @@ const render = async () => { const _state = await state(); // enable and disable the appropriate fields - $('#server-version').toggleClass('text-disabled', _state.output.hasVersions === false); + $('#version').toggleClass('text-disabled', _state.output.hasVersions === false); $('#openssl-version').toggleClass('text-disabled', _state.output.usesOpenssl === false); $('#hsts').prop('disabled', _state.output.supportsHsts === false); $('#ocsp').prop('disabled', _state.output.supportsOcspStapling === false); 
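Review bot: `validHashKeys` now lists both the legacy `server-version`/`openssl-version` keys and the new `version`/`openssl` ones, but the `guideline` key that state.js starts writing into the fragment in this same commit is not listed; if this array is the allow-list the parameter loop in index.js checks against (that loop body is outside the hunk), `guideline` is silently dropped on load. That is acceptable for a version stamp, but it should be stated so nobody "fixes" it later, e.g. `// "guideline" is written to the fragment for reference only and is intentionally not accepted here`. Keeping the legacy keys in the list is only necessary if the loop itself maps them; index.js copies them to the new names before the loop runs, so consider whether they can be dropped here instead.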
@@ -81,9 +81,17 @@ $().ready(() => { const params = new URLSearchParams(window.location.hash.substr(1)); - // set the default server version, if we're loading and have "server" but not "server-version" - if (params.get('server') !== null && params.get('server-version') === null) { - $('#server-version').val(configs[params.get('server')].latestVersion); + // some parameters have been renamed from the old SSL Configuration Generator + if (params.get('server-version') !== null) { + params.set('version', params.get('server-version')); + } + if (params.get('openssl-version') !== null) { + params.set('openssl', params.get('openssl-version')); + } + + // set the default server version, if we're loading and have "server" but not "version" + if (params.get('server') !== null && params.get('version') === null) { + $('#version').val(configs[params.get('server')].latestVersion); } for (let entry of params.entries()) { @@ -124,7 +132,7 @@ $().ready(() => { $('.form-server').on('change', async () => { gHaveSettingsChanged = true; const _state = await state(); - $('#server-version').val(_state.output.latestVersion); + $('#version').val(_state.output.latestVersion); render(); }); diff --git a/src/js/state.js b/src/js/state.js index 80868e0..ba7d74a 100644 --- a/src/js/state.js +++ b/src/js/state.js 
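Review bot: `configs[params.get('server')].latestVersion` indexes `configs` with a value taken straight from the URL fragment, so a share link with an unknown or mistyped `server` (or a prototype key such as `constructor`) throws a TypeError here and aborts the rest of the ready handler before the parameter loop runs. Guard the lookup with an own-property check: `const server = params.get('server');` / `if (server !== null && Object.prototype.hasOwnProperty.call(configs, server) && params.get('version') === null) {`. Two smaller points on the compatibility shim: `params.set('version', ...)` lets a legacy `server-version` override a `version` that is also present in the same link, which is probably the wrong precedence, and the legacy keys remain in `params`, so the loop that follows (its body is outside the hunk) still sees them; `params.delete('server-version')` and `params.delete('openssl-version')` after the copy addresses both.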
@@ -12,18 +12,26 @@ export default async function () { const url = new URL(document.location); // generate the fragment - let fragment = `server=${server}&server-version=${form['server-version'].value}`; + let fragment = `server=${server}&version=${form['version'].value}`; fragment += configs[server].supportsConfigs !== false ? `&config=${config}` : ''; - fragment += configs[server].usesOpenssl !== false && form['openssl-version'].value !== configs['openssl'].latestVersion ? `&openssl-version=${form['openssl-version'].value}` : ''; + fragment += configs[server].usesOpenssl !== false ? `&openssl=${form['openssl'].value}` : ''; fragment += configs[server].supportsHsts !== false && !form['hsts'].checked ? `&hsts=false` : ''; fragment += configs[server].supportsOcspStapling !== false && !form['ocsp'].checked ? `&ocsp=false` : ''; + fragment += `&guideline=${sstls.version}`; + + // generate the header + const date = new Date().toISOString().substr(0, 10); + let header = `generated ${date}, Mozilla Guideline v${sstls.version}, ${configs[server].name} ${form['version'].value}`; + header += configs[server].usesOpenssl !== false ? `, OpenSSL ${form['openssl'].value}` : ''; + header += `, ${form['config'].value} configuration`; + header += configs[server].supportsHsts !== false && !form['hsts'].checked ? `, no HSTS` : ''; + header += configs[server].supportsOcspStapling !== false && !form['ocsp'].checked ? 
`, no OCSP` : ''; - const date = new Date(); const link = `${url.origin}${url.pathname}#${fragment}`; // we need to remove TLS 1.3 from the supported protocols if the software is too old let protocols = ssc.tls_versions; - if (minver(configs[server].tls13, form['server-version'].value) === false || minver(configs['openssl'].tls13, form['openssl-version'].value) === false) { + if (minver(configs[server].tls13, form['version'].value) === false || minver(configs['openssl'].tls13, form['openssl'].value) === false) { protocols = protocols.filter(ciphers => ciphers !== 'TLSv1.3'); } @@ -39,19 +47,20 @@ export default async function () { config: form['config'].value, hsts: form['hsts'].checked && configs[server].supportsHsts !== false, ocsp: form['ocsp'].checked && configs[server].supportsOcspStapling !== false, - opensslVersion: form['openssl-version'].value, + opensslVersion: form['openssl'].value, server, serverName: document.querySelector(`label[for=server-${server}]`).innerText, - serverVersion: form['server-version'].value, + serverVersion: form['version'].value, }, output: { ciphers, cipherSuites: ssc.ciphersuites, - date: date.toISOString().substr(0, 10), + date, dhCommand: ssc.dh_param_size >= 2048 ? `curl ${url.origin}/ffdhe${ssc.dh_param_size}.txt` : `openssl dhparam ${ssc.dh_param_size}`, dhParamSize: ssc.dh_param_size, fragment, hasVersions: configs[server].hasVersions !== false, + header, hstsMaxAge: ssc.hsts_min_age, latestVersion: configs[server].latestVersion, link, diff --git a/src/templates/index.ejs b/src/templates/index.ejs index 256ed6a..765c26f 100755 --- a/src/templates/index.ejs +++ b/src/templates/index.ejs 
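Review bot: The fragment is still assembled by string concatenation of raw form values — `version=${form['version'].value}` and the new `&openssl=${form['openssl'].value}` — so a typed version containing `&`, `=` or `#` corrupts the fragment that index.js later parses with URLSearchParams, and the same unencoded text flows into `link`, which every partial emits with the unescaped triple-stash `{{{output.link}}}`. Because those values can also arrive from a crafted share link, this is a text-injection path into the generated output; whether it is reachable as DOM XSS depends on how index.js inserts the rendered template (not visible here), but encoding at the source removes the question either way. Build the fragment with URLSearchParams, which mirrors the parser on the load side; `header` carries the same raw values and at minimum needs the `{{`/`{{{` choice in the templates made consistently. This function starts before the hunk (`export default async function ()`), so the `form`, `server`, `config` and `sstls` bindings it uses are not visible here.
```javascript
// generate the fragment; URLSearchParams encodes each value so a typed '&', '=' or '#' cannot break the share link
const params = new URLSearchParams({ server, version: form['version'].value });
if (configs[server].supportsConfigs !== false) params.set('config', config);
if (configs[server].usesOpenssl !== false) params.set('openssl', form['openssl'].value);
if (configs[server].supportsHsts !== false && !form['hsts'].checked) params.set('hsts', 'false');
if (configs[server].supportsOcspStapling !== false && !form['ocsp'].checked) params.set('ocsp', 'false');
params.set('guideline', sstls.version);
const fragment = params.toString();
// … unchanged: header, link, TLS 1.3 protocol filtering …
```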
@@ -90,13 +90,13 @@ <div class="input-group-prepend"> <span class="input-group-text">Server Version</span> </div> - <input type="text" class="form-control" aria-label="Server Version" aria-described="server-version" id="server-version" value="<%= htmlWebpackPlugin.options.configs.nginx.latestVersion %>"> + <input type="text" class="form-control" aria-label="Server Version" aria-described="version" id="version" value="<%= htmlWebpackPlugin.options.configs.nginx.latestVersion %>"> </div> <div class="input-group mt-2"> <div class="input-group-prepend"> <span class="input-group-text">OpenSSL Version</span> </div> - <input type="text" class="form-control" aria-label="Server Version" aria-described="openssl-version" id="openssl-version" value="<%= htmlWebpackPlugin.options.configs.openssl.latestVersion %>"> + <input type="text" class="form-control" aria-label="OpenSSL Version" aria-described="openssl" id="openssl" value="<%= htmlWebpackPlugin.options.configs.openssl.latestVersion %>"> </div> <h5 class="mt-3">Miscellaneous</h5> diff --git a/src/templates/partials/apache.hbs b/src/templates/partials/apache.hbs index ba2faa5..df77256 100644 --- a/src/templates/partials/apache.hbs +++ b/src/templates/partials/apache.hbs @@ -1,5 +1,7 @@ -# generated {{output.date}}, {{{output.link}}} -# requires mod_ssl{{#if form.hsts}}{{#if form.ocsp}}, mod_socache_shmcb{{/if}}, mod_rewrite, and mod_headers{{else if form.ocsp}} and mod_socache_shmcb{{/if}} +# {{output.header}} +# {{{output.link}}} + +# this configuration requires mod_ssl{{#if form.hsts}}{{#if form.ocsp}}, mod_socache_shmcb{{/if}}, mod_rewrite, and mod_headers{{else if form.ocsp}} and mod_socache_shmcb{{/if}} {{#if form.hsts}} <VirtualHost *:80> RewriteEngine On diff --git a/src/templates/partials/caddy.hbs b/src/templates/partials/caddy.hbs index 05a6bf8..ed3c5d0 100644 --- a/src/templates/partials/caddy.hbs +++ b/src/templates/partials/caddy.hbs 
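Review bot: `aria-described="version"` and `aria-described="openssl"` on the two renamed inputs are not, as far as I know, defined ARIA attributes; the attribute is `aria-describedby`, and it takes the id of the element that describes the input (here the "Server Version" / "OpenSSL Version" span), not the input's own id. The rename carries the pre-existing typo forward, so either give the prepended spans ids and point `aria-describedby` at them, or drop the attribute since `aria-label` already names the field. The surrounding form markup starts before the hunk.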
@@ -1,4 +1,5 @@ -# generated {{output.date}}, {{{output.link}}} +# {{output.header}} +# {{{output.link}}} {{#unless (includes "old" form.config)}} # note that Caddy automatically configures safe TLS settings {{/unless}} diff --git a/src/templates/partials/dovecot.hbs b/src/templates/partials/dovecot.hbs index 2c610ea..a0f4eb1 100644 --- a/src/templates/partials/dovecot.hbs +++ b/src/templates/partials/dovecot.hbs @@ -1,4 +1,5 @@ -# {{output.date}}, {{{output.link}}} +# {{output.header}} +# {{{output.link}}} ssl = required ssl_cert = </path/to/signed_cert_plus_intermediates diff --git a/src/templates/partials/exim.hbs b/src/templates/partials/exim.hbs index db7141a..a9e22c7 100644 --- a/src/templates/partials/exim.hbs +++ b/src/templates/partials/exim.hbs @@ -1,4 +1,5 @@ -# {{output.date}}, {{{output.link}}} +# {{output.header}} +# {{{output.link}}} tls_advertise_hosts = * tls_certificate = /path/to/signed_cert_plus_intermediates tls_privatekey = /path/to/private_key diff --git a/src/templates/partials/golang.hbs b/src/templates/partials/golang.hbs index 4afc275..6613206 100644 --- a/src/templates/partials/golang.hbs +++ b/src/templates/partials/golang.hbs @@ -1,4 +1,5 @@ -// generated {{output.date}}, {{{output.link}}} +// {{output.header}} +// {{{output.link}}} package main import ( diff --git a/src/templates/partials/haproxy.hbs b/src/templates/partials/haproxy.hbs index 74928cc..2a325ee 100644 --- a/src/templates/partials/haproxy.hbs +++ b/src/templates/partials/haproxy.hbs @@ -1,4 +1,5 @@ -# generated {{output.date}}, {{{output.link}}} +# {{output.header}} +# {{{output.link}}} {{!Only version 1.5.0 and newer support TLS}} {{#if (minver "1.5.0" form.serverVersion)}} global diff --git a/src/templates/partials/lighttpd.hbs b/src/templates/partials/lighttpd.hbs index fc16c6e..204696f 100644 --- a/src/templates/partials/lighttpd.hbs +++ b/src/templates/partials/lighttpd.hbs 
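Review bot: The two new header lines are escaped differently: `{{output.header}}` is HTML-escaped by Handlebars while `{{{output.link}}}` is emitted raw, and both carry the user-typed version strings that state.js concatenates without encoding. Whichever sink the rendered text ends up in, one of the two is wrong for a version containing a quote, `&` or `=`: as plain text, the header line would show entities such as `&#x27;` or `&#x3D;` inside a config comment; as HTML, the raw link line is the injection point. Pick one escaping mode for both lines and encode the fragment where it is built rather than relying on the template to make it safe. The same pattern repeats in every partial changed in this commit.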
@@ -1,4 +1,5 @@ -# generated {{output.date}}, {{{output.link}}} +# {{output.header}} +# {{{output.link}}} {{#if form.hsts}} $SERVER["socket"] == ":80" { $HTTP["host"] =~ ".*" { diff --git a/src/templates/partials/mysql.hbs b/src/templates/partials/mysql.hbs index 9c66de3..0d43e66 100644 --- a/src/templates/partials/mysql.hbs +++ b/src/templates/partials/mysql.hbs @@ -1,4 +1,5 @@ -# {{output.date}}, {{{output.link}}} +# {{output.header}} +# {{{output.link}}} [mysqld] require_secure_transport = on ssl-cert = /path/to/signed_cert_plus_intermediates.pem diff --git a/src/templates/partials/nginx.hbs b/src/templates/partials/nginx.hbs index 8e9ccfd..c7f84f0 100644 --- a/src/templates/partials/nginx.hbs +++ b/src/templates/partials/nginx.hbs @@ -1,4 +1,5 @@ -# generated {{output.date}}, {{{output.link}}} +# {{output.header}} +# {{{output.link}}} {{#if form.hsts}} server { listen 80 default_server; diff --git a/src/templates/partials/oraclehttp.hbs b/src/templates/partials/oraclehttp.hbs index 87f72ee..e3420aa 100644 --- a/src/templates/partials/oraclehttp.hbs +++ b/src/templates/partials/oraclehttp.hbs @@ -1,4 +1,5 @@ -# {{output.date}}, {{{output.link}}} +# {{output.header}} +# {{{output.link}}} {{#if form.hsts}} <VirtualHost *:80> RewriteEngine On @@ -16,7 +17,7 @@ {{/if}} </VirtualHost> -# {{form.config}} configuration, tweak to your needs +# {{form.config}} configuration SSLProtocol All {{#unless (includes "TLSv1" output.protocols)}}-TLSv1{{/unless}}{{#unless (includes "TLSv1.1" output.protocols)}} -TLSv1.1{{/unless}} SSLCipherSuite {{{join output.ciphers ":"}}} SSLHonorCipherOrder on diff --git a/src/templates/partials/postfix.hbs b/src/templates/partials/postfix.hbs index ea79791..bbd1c86 100644 --- a/src/templates/partials/postfix.hbs +++ b/src/templates/partials/postfix.hbs @@ -1,4 +1,5 @@ -# {{output.date}}, {{{output.link}}} +# {{output.header}} +# {{{output.link}}} smtpd_use_tls = yes smtpd_tls_security_level = may 
diff --git a/src/templates/partials/postgresql.hbs b/src/templates/partials/postgresql.hbs index f22ab4c..aedb718 100644 --- a/src/templates/partials/postgresql.hbs +++ b/src/templates/partials/postgresql.hbs @@ -1,4 +1,5 @@ -# {{output.date}}, {{{output.link}}} +# {{output.header}} +# {{{output.link}}} ssl = on ssl_cert_file = '/path/to/signed_cert_plus_intermediates' diff --git a/src/templates/partials/proftpd.hbs b/src/templates/partials/proftpd.hbs index d71f32c..91d10e1 100644 --- a/src/templates/partials/proftpd.hbs +++ b/src/templates/partials/proftpd.hbs @@ -1,4 +1,5 @@ -# generated {{output.date}}, {{{output.link}}} +# {{output.header}} +# {{{output.link}}} TLSEngine on TLSRequired on diff --git a/src/templates/partials/tomcat.hbs b/src/templates/partials/tomcat.hbs index 4ce4558..18f65ce 100644 --- a/src/templates/partials/tomcat.hbs +++ b/src/templates/partials/tomcat.hbs @@ -1,4 +1,5 @@ -# generated {{output.date}}, {{{output.link}}} +# {{output.header}} +# {{{output.link}}} {{#if form.hsts}} <Connector port="80" diff --git a/src/templates/partials/traefik.hbs b/src/templates/partials/traefik.hbs index a3ea025..e993550 100644 --- a/src/templates/partials/traefik.hbs +++ b/src/templates/partials/traefik.hbs @@ -1,4 +1,5 @@ -# generated {{output.date}}, {{{output.link}}} +# {{output.header}} +# {{{output.link}}} {{#if (minver "2.0.0" form.serverVersion)}} {{! traefik 2.0 has a very different configuration style }} [http.routers] |
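Review bot: In tomcat.hbs the header is written as `# {{output.header}}` / `# {{{output.link}}}`, but the body that follows is XML for server.xml (`<Connector port="80"`), where `#` is not a comment syntax; pasting the snippet as-is fails to parse unless the two lines are stripped first. Unless the header is meant for on-screen display only, use an XML comment, `<!-- {{output.header}} -->` / `<!-- {{{output.link}}} -->`, bearing in mind that `--` is not allowed inside an XML comment, which a user-supplied version string could in principle contain. The other partials on this line use `#` comments in formats that accept them.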