capistrano-unicorn-nginx 3.4.0 → 4.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b5914ce5a8fa29d660ca4ed8002d0bd1ca7ab7f6
-  data.tar.gz: 85dd5c4b635c5f9ce402a6649e20a79832b0688e
+  metadata.gz: a37970a3480eb781d0d40b6792d9627e50b24714
+  data.tar.gz: 0f5787d26ca17a85ac5c79b46b89d6520e8982a5
 SHA512:
-  metadata.gz: f22e4b399e997f4fa8b813a23e1ebade0ea889fcfd74602022c1c4c8bf963b6a0c767d26dfb1983be9c6fbdbec4caa176ad3d4e22dd7cb87ff982f809585424e
-  data.tar.gz: 9ece26bc3dce9f5ab4dc19f6845eba4532c1302c7871224278046a8e1026ab98db0339065987bc6efd13fdfea30cc973607a983346937a4b09afb7b6e18842f2
+  metadata.gz: 4652fe755d073511d294dadf8afd41c6064cbe96a1d5beb338a122c7dee89f61654e442b48cbb5663c20d7a6253369177096659b8dc83e42c7ce0685796577fc
+  data.tar.gz: 6400973df6b4490ad2968455106bf71a3cce73c9b28c68df5966c03f574f1ea87bb196410d0d3a1f16846354ec3196800abd296439bb6b66687228b2805619b9

data/CHANGELOG.md

@@ -2,12 +2,15 @@
 
 ### master
 
+### v4.0.0, 2016-03-29
+- Improves SSL security and performance. Breaking changes with 3.4.0. Please
+  read README.md
+
 ### v3.4.0, 2015-09-17
 - Allow customizing paths for SSL certificate and key
 - Use sudo to restart services
 - Remove whitespace in template ERB files
 
-
 ### v3.3.3, 2015-05-05
 - add `unicorn_env` option for passing environmental variables to unicorn (@rhomeister)
 

data/README.md

@@ -1,5 +1,13 @@
 # Capistrano::UnicornNginx
 
+> IMPORTANT NOTE. When upgrading to 4.0.0, please ensure you have
+> generated a new 2048 bits Diffie-Hellman group. Run the following command 
+> on your server before installing this gem:
+>
+> `openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048` 
+>
+> See <https://weakdh.org/sysadmin.html> for more details.
+
 Capistrano tasks for automatic and sensible unicorn + nginx configuraion.
 
 Goals of this plugin:

data/lib/capistrano/tasks/nginx.rake

@@ -24,6 +24,7 @@ namespace :load do
     set :nginx_ssl_cert_local_path, -> { ask(:nginx_ssl_cert_local_path, 'Local path to ssl certificate: ') }
     set :nginx_ssl_cert_key_local_path, -> { ask(:nginx_ssl_cert_key_local_path, 'Local path to ssl certificate key: ') }
     set :nginx_fail_timeout, 0 # see http://nginx.org/en/docs/http/ngx_http_upstream_module.html#fail_timeout
+    set :nginx_read_timeout, nil
 
     set :linked_dirs, fetch(:linked_dirs, []).push('log')
   end
@@ -34,6 +35,7 @@ namespace :nginx do
   task :defaults do
     on roles :web do
       set :nginx_server_name, fetch(:nginx_server_name, host.to_s)
+      set :nginx_server_port, fetch(:nginx_server_port, 80)
     end
   end
 

data/lib/capistrano/unicorn_nginx/version.rb

@@ -1,5 +1,5 @@
 module Capistrano
   module UnicornNginx
-    VERSION = "3.4.0"
+    VERSION = "4.0.0"
   end
 end

data/lib/generators/capistrano/unicorn_nginx/templates/_default_server_directive.erb

@@ -9,16 +9,30 @@ server {
 <% if fetch(:nginx_use_ssl) -%>
     <% if fetch(:nginx_use_spdy) -%>
     listen <%= ssl_port %> spdy;
-    <% else %>
+    <% else -%>
     listen <%= ssl_port %>;
-    <% end %>
+    <% end -%>
     ssl on;
     ssl_certificate <%= nginx_ssl_cert_file %>;
     ssl_certificate_key <%= nginx_ssl_cert_key_file %>;
+
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
 <% else -%>
-    listen 80;
+    listen <%= fetch(:nginx_server_port) %>;
 <% end -%>
 
+  server_tokens off;
+
+  add_header X-Content-Type-Options nosniff;
+
 <% if fetch(:nginx_use_ssl) && nginx_pass_ssl_client_cert -%>
     ssl_verify_client optional_no_ca;
 <% end -%>
@@ -37,6 +51,9 @@ server {
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header Host $http_host;
         proxy_redirect off;
+        <% if fetch(:nginx_read_timeout) -%>
+        proxy_read_timeout <%= fetch(:nginx_read_timeout) %>;
+        <% end -%>
         <% if fetch(:nginx_use_ssl) -%>
         proxy_set_header X-Forwarded-Proto https;
         <% end -%>

data/lib/generators/capistrano/unicorn_nginx/templates/nginx_conf.erb

@@ -10,7 +10,7 @@ upstream unicorn_<%= fetch(:nginx_config_name) %> {
 
 <% if fetch(:nginx_use_ssl) -%>
 server {
-  listen 80;
+  listen <%= fetch(:nginx_server_port) %>;
   server_name <%= fetch(:nginx_server_name) %>;
   rewrite ^(.*) https://$host$1 permanent;
 }

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: capistrano-unicorn-nginx
 version: !ruby/object:Gem::Version
-  version: 3.4.0
+  version: 4.0.0
 platform: ruby
 authors:
 - Ruben Stranders
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-09-17 00:00:00.000000000 Z
+date: 2016-03-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: capistrano
@@ -107,7 +107,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.5
+rubygems_version: 2.2.2
 signing_key: 
 specification_version: 4
 summary: Capistrano tasks for automatic and sensible unicorn + nginx configuraion.