authorPedro Alvarez <palvarez89@gmail.com>2015-12-20 04:38:22 +0100
committerBaserock Gerrit <gerrit@baserock.org>2016-01-13 10:58:21 +0000
commit4b358e2a50e9a6942344ce21328ac74765356e2b (patch)
tree6078998f06292ed2010e48342e91cd720601bb06 /baserock_frontend
parent9575e78e0fd265cfeccde57ba3498032ea41fdc3 (diff)
downloadinfrastructure-4b358e2a50e9a6942344ce21328ac74765356e2b.tar.gz
baserock_frontend: Improve SSL configuration
Change-Id: I7456188e00ede88056c9bfd74a8cbdd8f0980bac
Diffstat (limited to 'baserock_frontend')
-rw-r--r--baserock_frontend/haproxy.cfg4
1 files changed, 3 insertions, 1 deletions
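--- a/baserock_frontend/haproxy.cfg
+++ b/baserock_frontend/haproxy.cfg
@@ -18,6 +18,8 @@ global
 # the default.
 tune.ssl.default-dh-param 2048
+ ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+
 defaults
 mode http
 timeout connect 5000ms
@@ -38,7 +40,7 @@ frontend https-in
 # This means we only need to have the certificate in one place, and the
 # configuration of the other instances is simpler. It does mean that we
 # need to avoid having any insecure machines in the cloud.
- bind *:443 ssl crt /etc/pki/tls/private/baserock.pem
+ bind *:443 ssl no-sslv3 crt /etc/pki/tls/private/baserock.pem
 reqadd X-Forwarded-Proto:\ https
 # Rules below here implement the URL-based forwarding to the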
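Review bot: The protocol restriction is applied only on the single `bind *:443` line in the second hunk, while the cipher policy in the first hunk was made global, so any bind line added later inherits the cipher list but not the SSLv3 exclusion. Setting it once next to the new global directive keeps the two halves of the policy together: `ssl-default-bind-options no-sslv3`. Note also that `AES256+EECDH:AES256+EDH` still admits the CBC/SHA1 suites for those key exchanges (only the first two groups are GCM-only), and TLS 1.0 remains enabled since only SSLv3 is turned off; whether either is acceptable depends on the clients this frontend must serve, which the commit does not state. Both the global section and the frontend https-in section continue outside their hunks, so there may be other bind lines not visible here.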