From 35b2a9f5f0f27e79f9005cd31076827bcd8c30cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miroslav=20Such=C3=BD?= Date: Wed, 22 Apr 2015 12:35:27 +0000 Subject: [PATCH] obey the ssl recomendations from https://mozilla.github.io/server-side-tls/ssl-config-generator/ This will requires: Oldest compatible clients : Firefox 27, Chrome 22, IE 11, Opera 14, Safari 7, Android 4.4, Java 8 --- files/fedora-cloud/haproxy.cfg | 32 +++++++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/files/fedora-cloud/haproxy.cfg b/files/fedora-cloud/haproxy.cfg index 5489f08186..cecddd4c13 100644 --- a/files/fedora-cloud/haproxy.cfg +++ b/files/fedora-cloud/haproxy.cfg @@ -35,6 +35,10 @@ global # turn on stats unix socket stats socket /var/lib/haproxy/stats + tune.ssl.default-dh-param 1024 + ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK + + #--------------------------------------------------------------------- # common defaults that all the 'listen' and 'backend' sections will # use if not designated in their block 
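Review bot: `tune.ssl.default-dh-param 1024` caps the ephemeral Diffie-Hellman group at 1024 bits while the `ssl-default-bind-ciphers` list on the next line keeps the DHE-RSA/DHE-DSS suites, so any client that settles on one of those instead of ECDHE gets a 1024-bit key exchange, below the 2048 bits generally recommended for this kind of profile; as far as I recall 1024 is also HAProxy's fallback when the directive is absent, so the line changes nothing beyond silencing the startup warning. Change it to `tune.ssl.default-dh-param 2048` (HAProxy will not exceed the server key's size, so check the key in `/etc/haproxy/fed-cloud09.combined` is at least that large), or drop the DHE suites and rely on ECDHE alone. The protocol floor is also better stated once here, `ssl-default-bind-options no-sslv3 no-tlsv10`, which applies to every `ssl` bind and makes the per-`bind` repetition in the second hunk unnecessary. A one-line comment above the cipher list naming the profile and date it was generated from, e.g. `# Mozilla server-side-tls generator, intermediate-style list, 2015-04 — regenerate periodically`, would tell the next maintainer when it is stale.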
@@ -62,32 +66,46 @@ defaults #frontend keystone_admin *:35357 # default_backend keystone_admin frontend neutron - bind 0.0.0.0:9696 ssl crt /etc/haproxy/fed-cloud09.combined + bind 0.0.0.0:9696 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined default_backend neutron + # HSTS (15768000 seconds = 6 months) + rspadd Strict-Transport-Security:\ max-age=15768000 frontend cinder - bind 0.0.0.0:8776 ssl crt /etc/haproxy/fed-cloud09.combined + bind 0.0.0.0:8776 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined default_backend cinder + # HSTS (15768000 seconds = 6 months) + rspadd Strict-Transport-Security:\ max-age=15768000 frontend swift - bind 0.0.0.0:8080 ssl crt /etc/haproxy/fed-cloud09.combined + bind 0.0.0.0:8080 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined default_backend swift + # HSTS (15768000 seconds = 6 months) + rspadd Strict-Transport-Security:\ max-age=15768000 frontend nova - bind 0.0.0.0:8774 ssl crt /etc/haproxy/fed-cloud09.combined + bind 0.0.0.0:8774 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined default_backend nova + # HSTS (15768000 seconds = 6 months) + rspadd Strict-Transport-Security:\ max-age=15768000 frontend ceilometer - bind 0.0.0.0:8777 ssl crt /etc/haproxy/fed-cloud09.combined + bind 0.0.0.0:8777 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined default_backend ceilometer + # HSTS (15768000 seconds = 6 months) + rspadd Strict-Transport-Security:\ max-age=15768000 frontend ec2 - bind 0.0.0.0:8773 ssl crt /etc/haproxy/fed-cloud09.combined + bind 0.0.0.0:8773 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined default_backend ec2 + # HSTS (15768000 seconds = 6 months) + rspadd Strict-Transport-Security:\ max-age=15768000 frontend glance - bind 0.0.0.0:9292 ssl crt /etc/haproxy/fed-cloud09.combined + bind 0.0.0.0:9292 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/fed-cloud09.combined default_backend glance + # HSTS (15768000 seconds = 6 months) + rspadd 
Strict-Transport-Security:\ max-age=15768000 backend neutron server neutron 127.0.0.1:8696 check
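Review bot: Each of the seven rewritten `bind` lines carries `no-sslv3 no-tlsv10` by hand, so the protocol floor now lives in seven places and a frontend added later (or the commented-out keystone ones, if re-enabled) can silently come up with SSLv3 and TLS 1.0 allowed; `ssl-default-bind-options no-sslv3 no-tlsv10` in the `global` section covers every `ssl` bind at once and the per-line options can then be dropped. The `rspadd Strict-Transport-Security:\ max-age=15768000` lines are only honoured in `mode http`; the `defaults` section that sets the mode for these frontends is outside the hunk, so confirm it is not `mode tcp`, otherwise HAProxy warns and the header is never sent. These ports serve OpenStack API clients rather than browsers, so HSTS is harmless but advisory here; the bind options are what actually enforce the TLS floor, and a comment saying so next to the first HSTS block would set expectations for the next reader.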