use TLS1.2 and HSTS

2025-02-05 20:38:00 +02:00 · 2025-02-05 20:38:00 +02:00 · 3f22da7844
commit 3f22da7844
parent 6fa02ebc78
1 changed files with 16 additions and 17 deletions
--- a/config/haproxy/haproxy.cfg
+++ b/config/haproxy/haproxy.cfg
@ -5,24 +5,18 @@ global
    daemon

    tune.ssl.default-dh-param       2048
-    ssl-default-bind-options no-sslv3 no-tls-tickets
-    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+
+    ssl-default-bind-options ssl-min-ver TLSv1.2
+    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

 defaults
-    #log stdout format raw local0 debug
-    log stdout format raw local0 notice
+    log stdout format raw local0 debug
+    #log stdout format raw local0 notice
    mode http
    balance roundrobin
    maxconn 1024

-    #This breaks HTTP2
-    #option abortonclose
-    option httpclose
-    option forwardfor
-
-    retries 3
-    option redispatch
-
    timeout client  30s
    timeout connect 30s
    timeout server  30s
@ -37,6 +31,7 @@ defaults

 # PUBLIC
 frontend web
+    option tcplog
    bind :80
    bind :443 ssl crt /certificates strict-sni

@ -55,12 +50,17 @@ frontend web
    http-response set-header Access-Control-Max-Age 3628800
    http-response set-header Access-Control-Allow-Methods "GET"

-    # Router
-    # ACL to match the sni hosts
+    # max-age is mandatory. 16000000 seconds is approximately 6 months. Use a low value during testing.
+    http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
+
+    tcp-request inspect-delay 5s
+    tcp-request content accept if { req_ssl_hello_type 1 }
+
+    # ACLS
    acl is_base ssl_fc_sni -i "${BASE_URL}"
    acl is_stream ssl_fc_sni -i "stream.${BASE_URL}"

-    # Define the ACL conditions and corresponding actions
+    # Router
    use_backend backend_api if is_base
    use_backend backend_restreamer if is_stream

@ -70,5 +70,4 @@ backend backend_api

 backend backend_restreamer
    balance leastconn
-    server restreamer1 restreamer:8080 check inter 5s rise 4 fall 2
-
+    server restreamer1 restreamer:8080 check inter 5s rise 4 fall 2