Skip to content
Snippets Groups Projects
Commit ed06c43d authored by Pierre Ozoux's avatar Pierre Ozoux
Browse files

Revert "hardening SSL + HEADER (#10)" 

This reverts commit f418e811.

# Conflicts:
#	templates/haproxy.cfg.tmpl
parent 36b9e9e9
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
templates/haproxy.cfg.tmpl
+ 4
13
View file @ ed06c43d
...@@ -3,8 +3,7 @@ global ...@@ -3,8 +3,7 @@ global
log /dev/log local0 notice log /dev/log local0 notice
maxconn 4096 maxconn 4096
tune.ssl.default-dh-param 2048 tune.ssl.default-dh-param 2048
ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12 ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
defaults defaults
log global log global
...@@ -26,23 +25,15 @@ frontend http-in ...@@ -26,23 +25,15 @@ frontend http-in
{{ range $host, $container := groupBy $ "Env.AUTOCONFIG_HOST" }} {{ range $host, $container := groupBy $ "Env.AUTOCONFIG_HOST" }}
redirect location https://{{ $host }}/mail/config-v1.1.xml code 301 if { hdr_beg(host) -i autoconfig } redirect location https://{{ $host }}/mail/config-v1.1.xml code 301 if { hdr_beg(host) -i autoconfig }
{{end}} {{end}}
redirect scheme https code 301 if ! { ssl_fc } redirect scheme https code 301
frontend https-in frontend https-in
mode http mode http
bind *:443 ssl crt /etc/haproxy/certs alpn h2,http/1.1 bind *:443 ssl no-sslv3 crt /etc/haproxy/certs
reqadd X-Forwarded-Proto:\ https reqadd X-Forwarded-Proto:\ https
rspadd Strict-Transport-Security:\ max-age=15768000
rspidel Server rspidel Server
rspidel X-Powered-By rspidel X-Powered-By
rspidel X-Frame-Options
rspidel X-XSS-Protection
rspidel X-Frame-Options
rspidel X-Content-Type-Options
rspadd X-Frame-Options:\ SAMEORIGIN # OR DENY
rspadd X-XSS-Protection:\ 1;\ mode=block
rspadd X-Content-Type-Options:\ nosniff
rspadd Strict-Transport-Security:\ max-age=15768000
rspadd Referrer-Policy:\ no-referrer-when-downgrade
use_backend letsencrypt-web if { path_beg /.well-known/acme } use_backend letsencrypt-web if { path_beg /.well-known/acme }
{{ range $host, $containers := groupBy $ "Env.LIBRESH_WEBHOOK_HOST" }} {{ range $host, $containers := groupBy $ "Env.LIBRESH_WEBHOOK_HOST" }}
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment