author | Pedro Alvarez <palvarez89@gmail.com> | 2015-12-20 04:38:22 +0100 |
---|---|---|
committer | Baserock Gerrit <gerrit@baserock.org> | 2016-01-13 10:58:21 +0000 |
commit | 4b358e2a50e9a6942344ce21328ac74765356e2b (patch) | |
tree | 6078998f06292ed2010e48342e91cd720601bb06 /baserock_frontend | |
parent | 9575e78e0fd265cfeccde57ba3498032ea41fdc3 (diff) | |
download | infrastructure-4b358e2a50e9a6942344ce21328ac74765356e2b.tar.gz |
baserock_frontend: Improve SSL configuration
Change-Id: I7456188e00ede88056c9bfd74a8cbdd8f0980bac
Diffstat (limited to 'baserock_frontend')
-rw-r--r-- | baserock_frontend/haproxy.cfg | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/baserock_frontend/haproxy.cfg b/baserock_frontend/haproxy.cfg
index e434c029..0ab58574 100644
--- a/baserock_frontend/haproxy.cfg
+++ b/baserock_frontend/haproxy.cfg
@@ -18,6 +18,8 @@ global
 # the default.
 tune.ssl.default-dh-param 2048
+ ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+
 defaults
 mode http
 timeout connect 5000ms
@@ -38,7 +40,7 @@ frontend https-in
 # This means we only need to have the certificate in one place, and the
 # configuration of the other instances is simpler. It does mean that we
 # need to avoid having any insecure machines in the cloud.
- bind *:443 ssl crt /etc/pki/tls/private/baserock.pem
+ bind *:443 ssl no-sslv3 crt /etc/pki/tls/private/baserock.pem
 reqadd X-Forwarded-Proto:\ https
 # Rules below here implement the URL-based forwarding to the |
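Review bot: The new `ssl-default-bind-ciphers` line carries no comment saying what the string is meant to admit or refuse, unlike the `tune.ssl.default-dh-param` setting directly above it. As written it allows only AES-GCM and AES-256 suites with ephemeral (EC)DH key exchange, so a client that can offer only AES-128-CBC, 3DES or plain RSA key exchange will fail the handshake; that looks intentional but should be stated for whoever next debugs a connection failure. I would add a comment above the line such as `# Forward-secret AES-GCM / AES-256 suites only; clients without these are refused.` The `global` section starts outside the hunk.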
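Review bot: `no-sslv3` is set on this one `bind` line only, so any other `ssl` listener in the file (none is visible in this hunk) would still accept SSLv3. Since the commit already adds a global cipher default, the protocol floor could sit beside it as `ssl-default-bind-options no-sslv3` in `global`, provided the deployed HAProxy version supports that keyword. The cipher list does not make the option redundant, because the `AES256+EECDH` and `AES256+EDH` entries include CBC suites that an SSLv3 handshake can negotiate. The `https-in` frontend continues outside the hunk.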