rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains if ssl-proxy

Do I need to add it to the frontend or backend?
Will it break raw TLS (not HTTPS)?

Thanks

On Tue, Sep 9, 2014 at 1:25 PM, Thomas Heil <[email protected]>
wrote:

>  Hi,
>
>
> On 09.09.2014 11:43, pablo platt wrote:
>
>  I've tried both options and I'm still not getting A+.
>
>  Unfortunately, I can't ask the user what the error is.
>  If I'll run into this again, I'll try to get this info.
>
>  To reach A+ you need
>
>         rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains if ssl-proxy
> ssl-proxy means here the connection is ssl.
>
> and a cipher list like
> --
> EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
> --
>
> Together it should work.
>
> As you can see, we no longer have RC4 ciphers.
>
> cheers
> thomas
>
>
>  Thanks
>
> On Mon, Sep 8, 2014 at 9:46 AM, Jarno Huuskonen <[email protected]>
> wrote:
>
>> Hi,
>>
>> On Sun, Sep 07, pablo platt wrote:
>> > Hi,
>> >
>> > I'm using haproxy to terminate SSL and it works for most of my users.
>> > I have alphassl wildcard certificate.
>> > I'm using SSL to improve WebSockets and RTMP connections of port 443.
>> > I don't have sensitive data or e-commerce.
>> >
>> > I have one user that see a warning in Chrome and can't use my website.
>>
>> Do you know what warning chrome gives to that user ?
>>
>> > Is it possible that this warning is because an antivirus is not happy
>> > with the default ciphers or other ssl settings?
>> >
>> > When running a test https://sslcheck.globalsign.com/en_US I'm getting:
>> > Sessions may be vulnerable to BEAST attack
>> > Server has not enabled HTTP Strict-Transport-Security
>> > Server has SSL v3 enabled
>> > Server is using RC4-based ciphersuites which have known vulnerabilities
>> > Server configuration does not meet FIPS guidelines
>> > Server does not have OCSP stapling configured
>> > Server has not yet upgraded to a Extended Validation certificate
>> > Server does not have SPDY enabled
>> >
>> > I found one suggestion:
>> > bind 10.0.0.9:443 name https ssl crt /path/to/domain.pem ciphers RC4:HIGH:!aNULL:!MD5
>> >
>> > http://blog.haproxy.com/2013/01/21/mitigating-the-ssl-beast-attack-using-the-aloha-load-balancer-haproxy/
>> >
>> > And another:
>> > bind 0.0.0.0:443 ssl crt /etc/cert.pem nosslv3 prefer-server-ciphers ciphers RC4-SHA:AES128-SHA:AES256-SHA
>> >
>> > Both gives me other warnings.
>>
>> What other warnings ? (Does haproxy give you warnings/errors or client
>> browsers) ?
>>
>> Perhaps you could try ciphersuite from:
>> https://wiki.mozilla.org/Security/Server_Side_TLS
>>
>> for example in global:
>> ssl-default-bind-ciphers ...
>>
>> or on bind:
>> bind 0.0.0.0:443 ssl crt /path/to/crt ciphers ...
>>
>> To enable ocsp stapling see haproxy config:
>> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt
>>
>> http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#9.2-set%20ssl%20ocsp-response
>>
>> -Jarno
>>
>> --
>> Jarno Huuskonen
>>
>
>
>
> --
> Thomas Heil
> -
> Email: [email protected]
> Tel:   0176 / 44555622
> --
>
>
>
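An added example, not taken from any message in this thread, showing how the pieces discussed above (the `ssl-proxy` ACL that `rspadd` relies on, a non-RC4 cipher list, SSLv3 disabled, and the `.ocsp` file HAProxy 1.5 reads for stapling) fit into one HAProxy 1.5 configuration. The certificate path, the backend, the `https-in` frontend name and the specific cipher list are assumptions for illustration; the thread's own cipher list or the Mozilla wiki's recommendation can be dropped in instead.

```haproxy
global
    # Default cipher list for every "bind ... ssl" line (HAProxy 1.5+).
    # Illustrative forward-secrecy-first list (assumption); substitute the
    # current recommendation from https://wiki.mozilla.org/Security/Server_Side_TLS
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:!aNULL:!eNULL:!MD5:!RC4:!3DES
    # DHE suites above get a 2048-bit group instead of the 1024-bit default
    tune.ssl.default-dh-param 2048

defaults
    mode http
    timeout connect 5s
    timeout client  50s
    timeout server  50s
    # Keeps WebSocket connections open after the HTTP upgrade
    timeout tunnel  1h

frontend https-in
    # no-sslv3 clears the "SSL v3 enabled" finding; prefer-server-ciphers
    # makes the list above win over the client's ordering.
    # OCSP stapling: HAProxy 1.5 loads /etc/haproxy/certs/example.pem.ocsp
    # (a DER-encoded OCSP response) if that file exists next to the cert.
    bind :443 ssl crt /etc/haproxy/certs/example.pem no-sslv3 prefer-server-ciphers
    # Plain-HTTP listener on the same frontend, so the ACL below matters
    bind :80

    # The "ssl-proxy" ACL used in the thread has to be declared somewhere:
    # ssl_fc is true when the client connection was terminated by HAProxy's
    # own SSL layer (assumed definition, matching "the connection is ssl").
    acl ssl-proxy ssl_fc

    # Send HSTS only on responses that travelled over TLS; browsers ignore
    # the header on a plain-HTTP response (RFC 6797), so gating it is correct.
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains if ssl-proxy

    # rspadd rewrites HTTP responses, so it needs "mode http" (inherited
    # from defaults here). WebSocket upgrades still pass through mode http;
    # a raw-TLS, non-HTTP service would need a separate "mode tcp" listener,
    # where no response header can be added.
    default_backend app

backend app
    server app1 127.0.0.1:8080 check
```

The header is added in the section that owns the HTTP response path; a frontend (or `listen`) is the usual place because that is where the TLS termination and the `ssl_fc` fact live, and putting it in the backend would also tag responses that arrived on the plain `:80` listener unless the same ACL is repeated there.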
