capistrano-fiftyfive 0.19.0 → 0.20.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: af395799f454e43548f4178ab79587ad4276f2be
-  data.tar.gz: a297ed433f6b58783b1e8dcd28e2d65f024d6ba2
+  metadata.gz: d48d43572e397d2e9c282fb3f155340a9aca4c08
+  data.tar.gz: c53839c52e731da714afe54411aade3b146d2e1e
 SHA512:
-  metadata.gz: 27f2eea48feaacf5f573e4eae795a091827e5bd3fc4a25abfaca281ca46a7ef43e84b77d29cf2ceaf04be4c86c1c070492f93627afcd64d078c1554384430caf
-  data.tar.gz: 13a5935b343753306a143189bae548032b1857d17565b898a9495fa75903b5a477615cc61a3b5c05e9b4997e4dc0afafe50212c9c3ad90666f70fc5097161c61
+  metadata.gz: 52c834f13c387babac019f179d9e463c793f67930d14d77d9230359944edfdfadb268a2a6519749c8a4cea86bea6e7395813fbc0b994dc6c5b8e9bd9d3536e06
+  data.tar.gz: a337b7a7950df9a4415d9012426c3df16e6b86d4db7ebe663c20d8e0e8e037cacc2a1b9eab0c418a6f194078b971e431ced6b097bacf14c9e3d519db96194721

data/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 * Your contribution here!
 
+## 0.20.0 (2015-05-29)
+
+* Increase SSL/TLS security of the generated nginx configuration by following the suggestions of [weakdh.org](https://weakdh.org/sysadmin.html).
+
 ## 0.19.0 (2015-04-10)
 
 * Add `--retry=3` to bundle install options. This will help prevent deployment failures in case that a gem initially fails to download during the `bundle install` step.

data/README.md

@@ -43,7 +43,7 @@ Add these gems to the development group of your Rails application's Gemfile:
     group :development do
       gem 'capistrano-bundler', :require => false
       gem 'capistrano-rails', :require => false
-      gem 'capistrano', '~> 3.3.5', :require => false
+      gem 'capistrano', '~> 3.4.0', :require => false
       gem 'capistrano-fiftyfive' :require => false
     end
 

data/lib/capistrano/fiftyfive/templates/nginx_unicorn.erb

@@ -50,6 +50,7 @@ upstream unicorn_<%= application_basename %> {
         ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:RSA+3DES:!ADH:!AECDH:!MD5;
         ssl_prefer_server_ciphers on;
         ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+        ssl_dhparam /etc/ssl/dhparams.pem;
         ssl_certificate /etc/ssl/<%= application_basename %>.crt;
         ssl_certificate_key /etc/ssl/<%= application_basename %>.key;
 

data/lib/capistrano/fiftyfive/version.rb

@@ -1,5 +1,5 @@
 module Capistrano
   module Fiftyfive
-    VERSION = "0.19.0"
+    VERSION = "0.20.0"
   end
 end

data/lib/capistrano/tasks/ssl.rake

@@ -1,4 +1,5 @@
 fiftyfive_recipe :ssl do
+  during :provision, "generate_dh"
   during :provision, "generate_self_signed_crt"
 end
 
@@ -16,6 +17,16 @@ namespace :fiftyfive do
       _copy_to_all_web_servers(%w(.key .csr .crt))
     end
 
+    desc "Generate unique DH group"
+    task :generate_dh do
+      privileged_on roles(:web) do
+        unless test("sudo [ -f /etc/ssl/dhparams.pem ]")
+          execute :sudo, "openssl dhparam -out /etc/ssl/dhparams.pem 2048"
+          execute :sudo, "chmod 600 /etc/ssl/dhparams.pem"
+        end
+      end
+    end
+
     def _run_ssl_script(opt="")
       privileged_on primary(:web) do
         files_exist = %w(.key .csr .crt).any? do |ext|

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: capistrano-fiftyfive
 version: !ruby/object:Gem::Version
-  version: 0.19.0
+  version: 0.20.0
 platform: ruby
 authors:
 - Matt Brictson
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-04-10 00:00:00.000000000 Z
+date: 2015-05-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: capistrano
@@ -141,7 +141,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.6
+rubygems_version: 2.4.7
 signing_key: 
 specification_version: 4
 summary: Additional Capistrano 3 recipes