Security improvements for Kibana/Nginx #169
Conversation
|
CI failure looks like a configuration problem... This passed |
|
@jimmycuadra Thanks for the contribution! CircleCI won't build branches owned by a non-project/non-approved owner, as it could potentially expose secrets. This is expected behavior. I've pushed a branch with your changes into the main git repo, so that they will be tested appropriately. |
|
Looks like this ended up choking on a current rubocop gem issue: rubocop/rubocop#2218 I've added ff15484 and it did pass in CircleCI after that, so I'm going to manually merge, and it will include your commits. Thank you for the contribution @jimmycuadra! |
|
Thanks for merging! If you think of it, please leave a comment here when a new version is uploaded to the Supermarket so I can update my wrapper cookbook. :} |
|
@jimmycuadra No problem! I pushed 6.0.4 with your changes, so you should be all set to use Supermarket again. |
This branch includes one change and one addition related to security and Kibana's web server:
Disallow the SSLv3 protocol which is vulnerable to POODLE. Update the allowed TLS cipher suite according to current best practices.
Reference: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html.
Add a new attribute,
['elkstack']['config']['kibana']['prepare_ssl']which allows users to disable thekibana_sslrecipe if they wish to configure this themselves (including providing their own certificate and private key). The default istrue, meaning the behaivor stays as it is by default.