deflax/television
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

use TLS1.2 and HSTS

Browse source
This commit is contained in:
Daniel Krastev 2025-02-05 20:38:00 +02:00
parent 6fa02ebc78
commit 3f22da7844
1 changed files with 16 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
config/haproxy/haproxy.cfg
View file

@ -5,24 +5,18 @@ global
daemon daemon
tune.ssl.default-dh-param 2048 tune.ssl.default-dh-param 2048
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA ssl-default-bind-options ssl-min-ver TLSv1.2
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
defaults defaults
#log stdout format raw local0 debug log stdout format raw local0 debug
log stdout format raw local0 notice #log stdout format raw local0 notice
mode http mode http
balance roundrobin balance roundrobin
maxconn 1024 maxconn 1024
#This breaks HTTP2
#option abortonclose
option httpclose
option forwardfor
retries 3
option redispatch
timeout client 30s timeout client 30s
timeout connect 30s timeout connect 30s
timeout server 30s timeout server 30s
@ -37,6 +31,7 @@ defaults
# PUBLIC # PUBLIC
frontend web frontend web
option tcplog
bind :80 bind :80
bind :443 ssl crt /certificates strict-sni bind :443 ssl crt /certificates strict-sni
@ -55,12 +50,17 @@ frontend web
http-response set-header Access-Control-Max-Age 3628800 http-response set-header Access-Control-Max-Age 3628800
http-response set-header Access-Control-Allow-Methods "GET" http-response set-header Access-Control-Allow-Methods "GET"
# Router # max-age is mandatory. 16000000 seconds is approximately 6 months. Use a low value during testing.
# ACL to match the sni hosts http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
# ACLS
acl is_base ssl_fc_sni -i "${BASE_URL}" acl is_base ssl_fc_sni -i "${BASE_URL}"
acl is_stream ssl_fc_sni -i "stream.${BASE_URL}" acl is_stream ssl_fc_sni -i "stream.${BASE_URL}"
# Define the ACL conditions and corresponding actions # Router
use_backend backend_api if is_base use_backend backend_api if is_base
use_backend backend_restreamer if is_stream use_backend backend_restreamer if is_stream
@ -71,4 +71,3 @@ backend backend_api
backend backend_restreamer backend backend_restreamer
balance leastconn balance leastconn
server restreamer1 restreamer:8080 check inter 5s rise 4 fall 2 server restreamer1 restreamer:8080 check inter 5s rise 4 fall 2