Skip to content
This repository has been archived by the owner on Dec 16, 2024. It is now read-only.

Improve TLS config #913

Closed
wants to merge 3 commits into from
Closed

Improve TLS config #913

wants to merge 3 commits into from

Conversation

Darkspirit
Copy link

@Darkspirit Darkspirit commented Nov 7, 2018
edited
Loading

#906 (comment)

Problem:
https://www.hardenize.com/report/build.servo.org#www_tls
https://www.ssllabs.com/ssltest/analyze.html?d=build.servo.org&hideResults=on

An nginx restart is needed: service nginx restart
You can test with nginx -t before restarting.

This change is Reviewable

@Darkspirit
Copy link
Author

r? @jdm

@jdm
Copy link
Member

jdm commented Nov 8, 2018

One thing to be aware of - I changed a webhook target for servo/servo from http://build.servo.org:9010 to https://build.servo.org:9010 and it broke everything.

@jdm
Copy link
Member

jdm commented Nov 8, 2018

That's for

saltfs/buildbot/master/files/buildbot-github-listener.conf

Line 1 in 9003650

exec /usr/local/bin/github_buildbot.py -p 9010 -m localhost:9001 --auth=change:{{ pillar['buildbot']['credentials']['change-pass'] }} --secret={{ pillar['buildbot']['credentials']['gh-hook-secret'] }} -l {{ common.servo_home }}/buildbot/master/github-listener.log
.

@Darkspirit
Copy link
Author

One thing to be aware of - I changed a webhook target for servo/servo from http://build.servo.org:9010 to https://build.servo.org:9010 and it broke everything.

Oh dear. Of course, there is no starttls on an http port.
I created another commit to introduce https://build.servo.org/github-buildbot/.
Is this folder name okay or should we change it?

In the future, when all those plaintext services are behind nginx, they can be changed to only listen on 127.0.0.1. For github_buildbot.py it would be

@Darkspirit
Copy link
Author

@jdm Should further changes be made, e.g. would you like to have a different name for the github_buildbot.py webhook, or is this ready to be merged? Thanks

@bors-servo
Copy link
Contributor

☔ The latest upstream changes (presumably #935) made this pull request unmergeable. Please resolve the merge conflicts.

@Darkspirit Darkspirit closed this Feb 6, 2019
@Darkspirit Darkspirit deleted the https_buildbot branch February 6, 2019 22:07
This was referenced Jul 31, 2019
Open
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees

@jdm jdm

Labels
S-awaiting-review S-needs-rebase
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Darkspirit @jdm @bors-servo @highfive