Class: Ironfan::Dsl::Ec2::ElasticLoadBalancer

Inherits:
Ironfan::Dsl show all
Defined in:
lib/ironfan/dsl/ec2.rb,
lib/ironfan/headers.rb

Defined Under Namespace

Classes: HealthCheck

Constant Summary collapse

DISALLOWED_SSL_CIPHERS =

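Ciphers to disallow because they are vulnerable to the BEAST attack (see http://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack). The list also covers Protocol-SSLv2 and the anonymous (ADH-) and export-grade (EXP-) suites, which are weak independently of BEAST.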

%w[
  Protocol-SSLv2
  ADH-AES128-SHA
  ADH-AES256-SHA
  ADH-CAMELLIA128-SHA
  ADH-CAMELLIA256-SHA
  ADH-DES-CBC-SHA
  ADH-DES-CBC3-SHA
  ADH-RC4-MD5
  ADH-SEED-SHA
  DES-CBC-MD5
  DES-CBC-SHA
  DES-CBC3-MD5
  DHE-DSS-AES128-SHA
  DHE-DSS-AES256-SHA
  DHE-RSA-AES128-SHA
  DHE-RSA-AES256-SHA
  EDH-DSS-DES-CBC-SHA
  EDH-DSS-DES-CBC3-SHA
  EDH-RSA-DES-CBC-SHA
  EDH-RSA-DES-CBC3-SHA
  EXP-ADH-DES-CBC-SHA
  EXP-ADH-RC4-MD5
  EXP-DES-CBC-SHA
  EXP-EDH-DSS-DES-CBC-SHA
  EXP-EDH-RSA-DES-CBC-SHA
  EXP-KRB5-DES-CBC-MD5
  EXP-KRB5-DES-CBC-SHA
  EXP-KRB5-RC2-CBC-MD5
  EXP-KRB5-RC2-CBC-SHA
  EXP-RC2-CBC-MD5
  IDEA-CBC-SHA
  KRB5-DES-CBC-MD5
  KRB5-DES-CBC-SHA
  KRB5-DES-CBC3-MD5
  KRB5-DES-CBC3-SHA
  PSK-3DES-EDE-CBC-SHA
  PSK-AES128-CBC-SHA
  PSK-AES256-CBC-SHA
  RC2-CBC-MD5
] +
# Also disallow every RC4 cipher suite:
# http://en.wikipedia.org/wiki/Transport_Layer_Security#RC4_attacks
# NOTE(review): ADH-RC4-MD5 and EXP-ADH-RC4-MD5 already appear in the first
# list, so the concatenated array contains those two names twice.
%w[
  ADH-RC4-MD5
  EXP-ADH-RC4-MD5
  EXP-KRB5-RC4-MD5
  EXP-KRB5-RC4-SHA
  EXP-RC4-MD5
  KRB5-RC4-MD5
  KRB5-RC4-SHA
  PSK-RC4-SHA
  RC4-MD5
  RC4-SHA
]
ALLOWED_SSL_CIPHERS =

TODO: Move over to Elliptic Curve Cipher Suites (ECDHE ciphers) as soon as ELB supports them.

# Protocol versions and cipher suites that are enabled in the SSL policy.
# NOTE(review): this list enables Protocol-SSLv3 and the 3DES suite
# DES-CBC3-SHA, both of which have since been widely deprecated, and the
# remaining suites are CBC-mode as well. Re-check it against the load
# balancer security policies current at the time of use before relying on it.
%w[
  Protocol-SSLv3
  Protocol-TLSv1
  AES128-SHA
  AES256-SHA
  CAMELLIA128-SHA
  CAMELLIA256-SHA
  DES-CBC3-SHA
  DHE-DSS-CAMELLIA128-SHA
  DHE-DSS-CAMELLIA256-SHA
  DHE-DSS-SEED-SHA
  DHE-RSA-CAMELLIA128-SHA
  DHE-RSA-CAMELLIA256-SHA
  DHE-RSA-SEED-SHA
  SEED-SHA
]

Instance Attribute Summary

Attributes included from Gorillib::Resolution

#underlay

Instance Method Summary collapse

Methods inherited from Ironfan::Dsl

#_skip_fields, #skip_fields, #to_manifest

Methods included from Gorillib::Resolution

#deep_resolve, #merge_resolve, #merge_values, #read_resolved_attribute, #read_set_attribute, #read_set_or_underlay_attribute, #read_underlay_attribute, #resolve, #resolve!, #resolve_value

Methods included from CookbookRequirements

#_cookbook_reqs, #children, #cookbook_req, #cookbook_reqs, #join_req

Methods inherited from Builder

ui, #ui

Instance Method Details

#listeners_to_fog(cert_lookup) ⇒ Object



# File 'lib/ironfan/dsl/ec2.rb', line 264

# Converts every entry of +port_mappings+ into a listener hash.
#
# Each mapping is read positionally: [0] load balancer protocol, [1] load
# balancer port, [2] instance protocol, [3] instance port, [4] optional
# certificate name.
#
# @param cert_lookup [#[]] indexed with the certificate name; whatever it
#   returns is stored under 'SSLCertificateId' unchanged.
#   NOTE(review): a name missing from the lookup would presumably yield nil
#   here rather than an error -- confirm the caller validates certificates.
# @return [Array<Hash>] one listener hash per port mapping
def listeners_to_fog(cert_lookup)
  port_mappings.map do |mapping|
    listener = {
      'Protocol'         => mapping[0],
      'LoadBalancerPort' => mapping[1],
      'InstanceProtocol' => mapping[2],
      'InstancePort'     => mapping[3],
    }
    cert_name = mapping[4]
    # Mappings without a certificate name get no 'SSLCertificateId' key at all.
    next listener unless cert_name

    listener['SSLCertificateId'] = cert_lookup[cert_name]
    listener
  end
end

#map_port(load_balancer_protocol = 'HTTP', load_balancer_port = 80, internal_protocol = 'HTTP', internal_port = 80, iam_server_certificate = nil) ⇒ Object



# File 'lib/ironfan/dsl/ec2.rb', line 250

# Records one listener mapping in +port_mappings+, then drops nil entries and
# exact duplicates from the list.
#
# With no arguments the mapping is plain HTTP on port 80 on both sides and
# carries no certificate name.
#
# @param load_balancer_protocol [String] protocol the load balancer listens on
# @param load_balancer_port [Integer] port the load balancer listens on
# @param internal_protocol [String] protocol used towards the instances
# @param internal_port [Integer] port used towards the instances
# @param iam_server_certificate [String, nil] certificate name; listeners_to_fog
#   uses the fifth tuple element as the key into its cert_lookup argument
# @return [Array, nil] the result of +uniq!+, which is nil when the new
#   mapping was not a duplicate
def map_port(
  load_balancer_protocol = 'HTTP',
  load_balancer_port = 80,
  internal_protocol = 'HTTP',
  internal_port = 80,
  iam_server_certificate = nil
)
  mapping = [
    load_balancer_protocol,
    load_balancer_port,
    internal_protocol,
    internal_port,
    iam_server_certificate,
  ]
  port_mappings.push(mapping)
  port_mappings.compact!
  port_mappings.uniq!
end

#ssl_policy_to_fog ⇒ Object



# File 'lib/ironfan/dsl/ec2.rb', line 256

# Builds the SSL policy description from +allowed_ciphers+ and
# +disallowed_ciphers+.
#
# Every allowed name maps to true and every disallowed name to false; a name
# present in both lists ends up false because the disallowed pass runs last.
#
# The policy name is the MD5 hex digest of the two sorted lists, so it depends
# only on the cipher names. MD5 serves as a naming fingerprint here, not as
# a security control.
# NOTE(review): the names are joined without a separator, so two different
# lists could in principle produce the same input string; changing the format
# would presumably rename existing policies -- confirm before altering.
#
# @return [Hash] +:name+ (digest string) and +:attributes+ (cipher => boolean)
def ssl_policy_to_fog
  attributes = {}
  [[allowed_ciphers, true], [disallowed_ciphers, false]].each do |ciphers, enabled|
    ciphers.each { |cipher| attributes[cipher] = enabled }
  end

  allowed_part    = allowed_ciphers.sort.join('')
  disallowed_part = disallowed_ciphers.sort.join('')
  policy_name     = Digest::MD5.hexdigest("ALLOWED:#{allowed_part};DISALLOWED:#{disallowed_part}")

  { :name => policy_name, :attributes => attributes }
end