From: Jason Stephenson
Date: Mon, 22 Feb 2021 17:50:23 +0000 (-0500)
Subject: Update example proxy configuration TLS settings
X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=54d9bed7177e3bfbf8fd64397993b7897ef6fe8e;p=working%2FOpenSRF.git

Update example proxy configuration TLS settings

Modernize the TLS settings in the example haproxy and nginx proxy configuraiton files based on recommendations from https://ssl-config.mozilla.org/.

NB: These configurations will prevent the XUL staff client from working. They may also block some users with obsolete browsers on obsolete operating systems.

Signed-off-by: Jason Stephenson
Signed-off-by: blake
---
diff --git a/examples/haproxy/osrf-ws-http-proxy b/examples/haproxy/osrf-ws-http-proxy
index 1db4cd6..7ffcbc0 100644
--- a/examples/haproxy/osrf-ws-http-proxy
+++ b/examples/haproxy/osrf-ws-http-proxy
@@ -1,3 +1,16 @@
+# TLS settings updated 2021-02-22
+# https://ssl-config.mozilla.org/#server=haproxy&version=1.8.8&config=intermediate&openssl=1.1.1d&guideline=5.6
+global
+ # intermediate configuration
+ ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+ ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+ # openssl dhparam -out /etc/apache2/ssl/dhparam.pem 2048
+ ssl-dh-param-file /etc/apache2/ssl/dhparam.pem
+
 listen web
 bind 0.0.0.0:80
 mode http
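Review bot: The `ssl-dh-param-file /etc/apache2/ssl/dhparam.pem` line in the new `global` section points into an Apache directory that a host running only haproxy is unlikely to have, and as far as I know haproxy treats an unreadable DH parameter file as a fatal configuration error rather than falling back, so the example will refuse to start until the operator creates that file. The DHE-RSA suites in the two new cipher lists are the only reason the file is needed, so the comment should say so, e.g. `# Needed for the DHE-RSA suites above; haproxy will not start if this file is missing or unreadable by the haproxy user`, and a path under haproxy's own configuration directory would be less surprising in an haproxy example. The Mozilla page cited on the line above recommends, as I recall, the published ffdhe2048 group rather than freshly generated parameters; either is acceptable, but the comment could state which one the example expects. The TLS-terminating `bind ... ssl crt` line these defaults apply to is outside the hunk (only the plain-HTTP port 80 bind is visible), so I cannot confirm the defaults are actually exercised.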
diff --git a/examples/nginx/osrf-ws-http-proxy b/examples/nginx/osrf-ws-http-proxy
index e539013..b5eadfd 100644
--- a/examples/nginx/osrf-ws-http-proxy
+++ b/examples/nginx/osrf-ws-http-proxy
@@ -40,10 +40,11 @@ server {
 ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:50m;
 ssl_session_tickets off;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- # Intermediate ciphers config / updated 2018-07-11
- ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
- ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ # Intermediate ciphers config / updated 2021-02-22
+ # See https://ssl-config.mozilla.org/#server=nginx&version=1.14.0&config=intermediate&openssl=1.1.1d&guideline=5.6
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
 # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
 add_header Strict-Transport-Security max-age=15768000;
 # OCSP Stapling
---
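Review bot: The new `ssl_ciphers` list keeps DHE-RSA-AES128-GCM-SHA256 and DHE-RSA-AES256-GCM-SHA384, but no `ssl_dhparam` directive is visible in this hunk; per the nginx documentation, when `ssl_dhparam` is unset no DH parameters are loaded and DHE ciphers are simply never negotiated, so those two entries are inert unless the directive is set elsewhere in the `server` block, which lies outside the hunk. The haproxy half of this commit does add a DH parameter file, so the two examples are inconsistent on this point. Either add `ssl_dhparam /path/to/dhparam.pem;` (placeholder path) next to `ssl_ciphers`, as the Mozilla intermediate template does, or drop the two DHE entries and note in the updated comment that only ECDHE key exchange is offered. It would also help to say in that comment that `ssl_prefer_server_ciphers off` is deliberate (the referenced guideline lets the client choose among an all-AEAD list), since the previous value was `on` and a reader may be tempted to revert it.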