Skip to content
GitLab
Explore
Sign in
Primary navigation
Search or go to…
Project
Haproxy
Manage
Activity
Members
Labels
Plan
Issues
3
Issue boards
Milestones
Wiki
Code
Merge requests
0
Repository
Branches
Commits
Tags
Repository graph
Compare revisions
Snippets
Build
Pipelines
Jobs
Pipeline schedules
Artifacts
Deploy
Releases
Model registry
Operate
Environments
Monitor
Incidents
Analyze
Value stream analytics
Contributor analytics
CI/CD analytics
Repository analytics
Model experiments
Help
Help
Support
GitLab documentation
Compare GitLab plans
Community forum
Contribute to GitLab
Provide feedback
Keyboard shortcuts
?
Snippets
Groups
Projects
Show more breadcrumbs
libre.sh
compose
Haproxy
Commits
ed06c43d
Commit
ed06c43d
authored
6 years ago
by
Pierre Ozoux
Browse files
Options
Downloads
Patches
Plain Diff
Revert "hardening SSL + HEADER (#10)"
This reverts commit
f418e811
. # Conflicts: # templates/haproxy.cfg.tmpl
parent
36b9e9e9
No related branches found
Branches containing commit
No related tags found
Tags containing commit
No related merge requests found
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
templates/haproxy.cfg.tmpl
+4
-13
4 additions, 13 deletions
templates/haproxy.cfg.tmpl
with
4 additions
and
13 deletions
templates/haproxy.cfg.tmpl
+
4
−
13
View file @
ed06c43d
...
@@ -3,8 +3,7 @@ global
...
@@ -3,8 +3,7 @@ global
log /dev/log local0 notice
log /dev/log local0 notice
maxconn 4096
maxconn 4096
tune.ssl.default-dh-param 2048
tune.ssl.default-dh-param 2048
ssl-default-bind-options no-sslv3 no-tls-tickets force-tlsv12
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
defaults
defaults
log global
log global
...
@@ -26,23 +25,15 @@ frontend http-in
...
@@ -26,23 +25,15 @@ frontend http-in
{{ range $host, $container := groupBy $ "Env.AUTOCONFIG_HOST" }}
{{ range $host, $container := groupBy $ "Env.AUTOCONFIG_HOST" }}
redirect location https://{{ $host }}/mail/config-v1.1.xml code 301 if { hdr_beg(host) -i autoconfig }
redirect location https://{{ $host }}/mail/config-v1.1.xml code 301 if { hdr_beg(host) -i autoconfig }
{{end}}
{{end}}
redirect scheme https code 301
if ! { ssl_fc }
redirect scheme https code 301
frontend https-in
frontend https-in
mode http
mode http
bind *:443 ssl crt /etc/haproxy/certs
alpn h2,http/1.1
bind *:443 ssl
no-sslv3
crt /etc/haproxy/certs
reqadd X-Forwarded-Proto:\ https
reqadd X-Forwarded-Proto:\ https
rspadd Strict-Transport-Security:\ max-age=15768000
rspidel Server
rspidel Server
rspidel X-Powered-By
rspidel X-Powered-By
rspidel X-Frame-Options
rspidel X-XSS-Protection
rspidel X-Frame-Options
rspidel X-Content-Type-Options
rspadd X-Frame-Options:\ SAMEORIGIN # OR DENY
rspadd X-XSS-Protection:\ 1;\ mode=block
rspadd X-Content-Type-Options:\ nosniff
rspadd Strict-Transport-Security:\ max-age=15768000
rspadd Referrer-Policy:\ no-referrer-when-downgrade
use_backend letsencrypt-web if { path_beg /.well-known/acme }
use_backend letsencrypt-web if { path_beg /.well-known/acme }
{{ range $host, $containers := groupBy $ "Env.LIBRESH_WEBHOOK_HOST" }}
{{ range $host, $containers := groupBy $ "Env.LIBRESH_WEBHOOK_HOST" }}
...
...
This diff is collapsed.
Click to expand it.
Preview
0%
Loading
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Save comment
Cancel
Please
register
or
sign in
to comment