obey the ssl recomendations

from https://mozilla.github.io/server-side-tls/ssl-config-generator/ This will requires: Oldest compatible clients : Firefox 27, Chrome 22, IE 11, Opera 14, Safari 7, Android 4.4, Java 8
2015-04-22 12:35:27 +00:00 · 2015-04-22 12:35:27 +00:00 · 35b2a9f5f0
commit 35b2a9f5f0
parent 5158a87570
1 changed files with 25 additions and 7 deletions
--- a/files/fedora-cloud/haproxy.cfg
+++ b/files/fedora-cloud/haproxy.cfg
@ -35,6 +35,10 @@ global
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

+    tune.ssl.default-dh-param 1024
+    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+
+
 #---------------------------------------------------------------------
 # common defaults that all the 'listen' and 'backend' sections will
 # use if not designated in their block
@ -62,32 +66,46 @@ defaults
 #frontend keystone_admin *:35357
 #  default_backend keystone_admin
 frontend neutron
-  bind 0.0.0.0:9696 ssl crt /etc/haproxy/fed-cloud09.combined
+  bind 0.0.0.0:9696 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined
  default_backend neutron
+  # HSTS (15768000 seconds = 6 months)
+  rspadd  Strict-Transport-Security:\ max-age=15768000

 frontend cinder
-  bind 0.0.0.0:8776 ssl crt /etc/haproxy/fed-cloud09.combined
+  bind 0.0.0.0:8776 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined
  default_backend cinder
+  # HSTS (15768000 seconds = 6 months)
+  rspadd  Strict-Transport-Security:\ max-age=15768000

 frontend swift
-  bind 0.0.0.0:8080 ssl crt /etc/haproxy/fed-cloud09.combined
+  bind 0.0.0.0:8080 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined
  default_backend swift
+  # HSTS (15768000 seconds = 6 months)
+  rspadd  Strict-Transport-Security:\ max-age=15768000

 frontend nova
-  bind 0.0.0.0:8774 ssl crt /etc/haproxy/fed-cloud09.combined
+  bind 0.0.0.0:8774 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined
  default_backend nova
+  # HSTS (15768000 seconds = 6 months)
+  rspadd  Strict-Transport-Security:\ max-age=15768000

 frontend ceilometer
-  bind 0.0.0.0:8777 ssl crt /etc/haproxy/fed-cloud09.combined
+  bind 0.0.0.0:8777 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined
  default_backend ceilometer
+  # HSTS (15768000 seconds = 6 months)
+  rspadd  Strict-Transport-Security:\ max-age=15768000

 frontend ec2
-  bind 0.0.0.0:8773 ssl crt /etc/haproxy/fed-cloud09.combined
+  bind 0.0.0.0:8773 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined
  default_backend ec2
+  # HSTS (15768000 seconds = 6 months)
+  rspadd  Strict-Transport-Security:\ max-age=15768000

 frontend glance
-  bind 0.0.0.0:9292 ssl crt /etc/haproxy/fed-cloud09.combined
+  bind 0.0.0.0:9292 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined
  default_backend glance
+  # HSTS (15768000 seconds = 6 months)
+  rspadd  Strict-Transport-Security:\ max-age=15768000

 backend neutron
  server neutron 127.0.0.1:8696 check