Hello, we merged all necessary SSL-related parameters; this leads to A+ without HSTS errors:

1) Use secure ciphers

    bind .... no-sslv3 ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:+RC4:RC4

2) Mark all cookies as secure if sent over SSL

    rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if { ssl_fc }

3) Add the HSTS header with a 1 year max-age

    rspadd Strict-Transport-Security:\ max-age=31536000 if { ssl_fc }

Some non-SSL, security-related ones:

4) Add HTTPS headers to backends

    reqadd X-Forwarded-Proto:\ https if { ssl_fc }
    reqadd X-Proto:\ SSL if { ssl_fc }

5) Methods

    acl methods_strict method HEAD GET PUT POST UPGRADE
    acl methods_avoid method TRACE CONNECT
    acl hosts_methods-ext.edss hdr(host) SOME_SITES_WITH_EXTENDED_METHODS
    http-request allow if !hosts_methods-ext.edss methods_strict
    http-request allow if hosts_methods-ext.edss !methods_avoid

---
Best regards,
Eugene Istomin

On Wednesday, September 10, 2014 09:00:48 AM Thomas Heil wrote:

Hi,

On 09.09.2014 15:08, pablo platt wrote:
> rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains if ssl-proxy
>
> Do I need to add it to the frontend or backend?

So it's a response; better do it in the backend, but it will work in the frontend too.

> Will it break raw TLS (not HTTPS)?

I am not sure what you are asking. Try it and check it via ssllabs?

> Thanks

cheers
thomas

On Tue, Sep 9, 2014 at 1:25 PM, Thomas Heil <h...@terminal-consulting.de> wrote:

Hi,

On 09.09.2014 11:43, pablo platt wrote:
> I've tried both options and I'm still not getting A+.
> Unfortunately, I can't ask the user what the error is. If I run into this again, I'll try to get this info.

To reach A+ you need

    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains if ssl-proxy

ssl-proxy means here the connection is ssl.

and a cipher list like

--
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
--

Together it should work. As you can see, we no longer have RC4 ciphers.

cheers
thomas

> Thanks

On Mon, Sep 8, 2014 at 9:46 AM, Jarno Huuskonen <jarno.huusko...@uef.fi> wrote:

Hi,

On Sun, Sep 07, pablo platt wrote:
> Hi,
>
> I'm using haproxy to terminate SSL and it works for most of my users.
> I have an alphassl wildcard certificate.
> I'm using SSL to improve WebSockets and RTMP connections on port 443.
> I don't have sensitive data or e-commerce.
>
> I have one user that sees a warning in Chrome and can't use my website.

Do you know what warning chrome gives to that user?

> Is it possible that the warning is because an antivirus is not happy
> with the default ciphers or other ssl settings?
>
> When running a test https://sslcheck.globalsign.com/en_US I'm getting:
> Sessions may be vulnerable to BEAST attack
> Server has not enabled HTTP Strict-Transport-Security
> Server has SSL v3 enabled
> Server is using RC4-based ciphersuites which have known vulnerabilities
> Server configuration does not meet FIPS guidelines
> Server does not have OCSP stapling configured
> Server has not yet upgraded to a Extended Validation certificate
> Server does not have SPDY enabled
>
> I found one suggestion:
> bind 10.0.0.9:443 name https ssl crt /path/to/domain.pem ciphers RC4:HIGH:!aNULL:!MD5
> http://blog.haproxy.com/2013/01/21/mitigating-the-ssl-beast-attack-using-the-aloha-load-balancer-haproxy/
>
> And another:
> bind 0.0.0.0:443 ssl crt /etc/cert.pem nosslv3 prefer-server-ciphers ciphers RC4-SHA:AES128-SHA:AES256-SHA
>
> Both give me other warnings.

What other warnings? (Does haproxy give you warnings/errors, or client browsers?)

Perhaps you could try a ciphersuite from:
https://wiki.mozilla.org/Security/Server_Side_TLS

for example in global:
    ssl-default-bind-ciphers ...
or on bind:
    bind 0.0.0.0:443 ssl crt /path/to/crt ciphers ...

To enable ocsp stapling see haproxy config:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#9.2-set%20ssl%20ocsp-response

-Jarno

--
Jarno Huuskonen
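An added example, written for this thread and not taken from any of the posters, that turns rules 2 and 3 above into a local check on a constructed HTTP response: it reports an HSTS max-age below the 31536000 used in the thread, a missing includeSubDomains, and any Set-Cookie sent without the Secure flag. The cookie rewrite here is deliberately idempotent; the rsprep regex quoted above matches every Set-Cookie line and would append a second Secure to a cookie the backend already flagged.

```python
HSTS_MIN_AGE = 31536000  # one year, the max-age value used in the thread

def secure_cookie(set_cookie):
    """Effect of rule 2 (rsprep ... Secure), but idempotent: a cookie that
    already carries Secure is returned unchanged."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")]
    if "secure" in attrs:
        return set_cookie
    return set_cookie + "; Secure"

def parse_hsts(value):
    """Return (max_age, include_subdomains) from an HSTS header value."""
    max_age, subdomains = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip().isdigit():
            max_age = int(arg)
        elif name.lower() == "includesubdomains":
            subdomains = True
    return max_age, subdomains

def audit_response(raw):
    """Findings for a raw HTTP response that was served over TLS."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = []
    for line in head.split("\r\n")[1:]:        # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    findings = []
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append("missing Strict-Transport-Security header")
    else:
        max_age, subdomains = parse_hsts(hsts[0])
        if max_age is None or max_age < HSTS_MIN_AGE:
            findings.append("HSTS max-age below %d" % HSTS_MIN_AGE)
        if not subdomains:
            findings.append("HSTS without includeSubDomains")
    for n, v in headers:
        if n == "set-cookie" and secure_cookie(v) != v:
            findings.append("cookie without Secure flag: " + v.split("=")[0])
    return findings

# Constructed sample response, not a capture from the thread.
SAMPLE = (b"HTTP/1.1 200 OK\r\n"
          b"Strict-Transport-Security: max-age=3600\r\n"
          b"Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
          b"Set-Cookie: lang=en; Path=/; Secure\r\n"
          b"Content-Length: 0\r\n\r\n")
```

Running audit_response(SAMPLE) returns three findings: the short max-age, the missing includeSubDomains, and the session cookie without Secure; the lang cookie, already flagged, is left alone.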