Hello,

we merged all necessary SSL-related parameters; this leads to A+ without HSTS errors:

1) Use secure ciphers
bind ....  no-sslv3 ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:+RC4:RC4

2) Mark all cookies as secure if sent over SSL
        rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if { ssl_fc }
        
3) Add the HSTS header with a 1 year max-age
        rspadd Strict-Transport-Security:\ max-age=31536000 if { ssl_fc }



Some non-SSL security-related settings:

4) Add HTTPS headers to backends
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }
    reqadd X-Proto:\ SSL if { ssl_fc }

5) Methods
        acl methods_strict method HEAD GET PUT POST UPGRADE
        acl methods_avoid  method TRACE CONNECT

        acl hosts_methods-ext.edss hdr(host) SOME_SITED_WITH_EXTENDED_METHODS
        
        http-request allow if !hosts_methods-ext.edss methods_strict 
        http-request allow if hosts_methods-ext.edss !methods_avoid     
---
Best regards,
Eugene Istomin


On Wednesday, September 10, 2014 09:00:48 AM Thomas Heil wrote:

Hi,

On 09.09.2014 15:08, pablo platt wrote:

rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains if ssl-proxy


Do I need to add it to the frontend or backend?

So it's a response, so better do it in the backend, but it will work in the
frontend too.
Will it break raw TLS (not HTTPS)?


I am not sure what you are asking. Try it and check it via ssllabs?


Thanks



cheers
thomas

On Tue, Sep 9, 2014 at 1:25 PM, Thomas Heil <h...@terminal-consulting.de> wrote:

Hi,


On 09.09.2014 11:43, pablo platt wrote:

I've tried both options and I'm still not getting A+.


Unfortunately, I can't ask the user what the error is.

If I'll run into this again, I'll try to get this info.

To reach A+ you need 

        rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains if ssl-proxy
ssl-proxy here means the connection is SSL.

and a cipher list like
--
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
--

Together it should work. 

As you can see, we no longer have RC4 ciphers.

cheers
thomas 



Thanks



On Mon, Sep 8, 2014 at 9:46 AM, Jarno Huuskonen <jarno.huusko...@uef.fi> wrote:

Hi,

On Sun, Sep 07, pablo platt wrote:
> Hi,
>
> I'm using haproxy to terminate SSL and it works for most of my users.
> I have alphassl wildcard certificate.
> I'm using SSL to improve WebSockets and RTMP connections on port 443.
> I don't have sensitive data or e-commerce.
>
> I have one user that sees a warning in Chrome and can't use my website.

Do you know what warning Chrome gives that user?

> Is it possible that this warning is because an antivirus is not happy
> with the default ciphers or other SSL settings?
>
> When running a test https://sslcheck.globalsign.com/en_US I'm getting:
> Sessions may be vulnerable to BEAST attack
> Server has not enabled HTTP Strict-Transport-Security
> Server has SSL v3 enabled
> Server is using RC4-based ciphersuites which have known vulnerabilities
> Server configuration does not meet FIPS guidelines
> Server does not have OCSP stapling configured
> Server has not yet upgraded to a Extended Validation certificate
> Server does not have SPDY enabled
>
> I found one suggestion:
> bind 10.0.0.9:443 name https ssl crt /path/to/domain.pem ciphers RC4:HIGH:!aNULL:!MD5
> http://blog.haproxy.com/2013/01/21/mitigating-the-ssl-beast-attack-using-the-aloha-load-balancer-haproxy/
>
> And another:
> bind 0.0.0.0:443 ssl crt /etc/cert.pem no-sslv3 prefer-server-ciphers ciphers RC4-SHA:AES128-SHA:AES256-SHA
>
> Both give me other warnings.

What other warnings? (Does haproxy give you warnings/errors, or client
browsers?)

Perhaps you could try ciphersuite from:
https://wiki.mozilla.org/Security/Server_Side_TLS

for example in global:
ssl-default-bind-ciphers ...

or on bind:
bind 0.0.0.0:443 ssl crt /path/to/crt ciphers ...

To enable ocsp stapling see haproxy config:
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-crt
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#9.2-set%20ssl%20ocsp-response

-Jarno

--
Jarno Huuskonen
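The two cipher lists posted in this thread differ only in how they end: Eugene's with `+RC4:RC4`, Thomas's with `!RC4`. In OpenSSL's cipher-string grammar (which is what HAProxy hands to OpenSSL for the `ciphers` bind keyword) `!` deletes matching suites permanently, `-` deletes them but lets a later entry add them back, and `+` only moves already-selected suites to the end of the list. So `+RC4:RC4` leaves RC4 enabled, and the bare `RC4` additionally pulls in RSA-key-exchange suites such as RC4-SHA that have no forward secrecy, while `!RC4` removes RC4 entirely, as Thomas says. The following is an added example and not code from the thread or from HAProxy: it feeds both strings, verbatim, through the OpenSSL build behind Python's `ssl` module and reports what a TLS 1.2 client could actually negotiate. The `WEAK_MARKERS` table is my own choice of suite-name substrings that cover the scanner findings quoted in the thread. Whether RC4 shows up for Eugene's list depends on whether your OpenSSL was built with RC4 at all (current default builds leave it out), which is why only Thomas's list is asserted on.

```python
# Added example; not code from the HAProxy mailing-list thread or from HAProxy.
# Evaluates the two cipher strings from the thread with the OpenSSL build
# behind Python's ssl module, which applies the same cipher-string grammar
# HAProxy passes to OpenSSL for the "ciphers" bind keyword.
import ssl

# Eugene's list, verbatim from the thread. It ends with "+RC4:RC4": "+" only
# moves already-selected RC4 suites to the end, and the bare "RC4" after it
# adds every remaining RC4 suite (including RSA-kx ones like RC4-SHA), so
# RC4 stays enabled on any OpenSSL build that still ships it.
EUGENE_CIPHERS = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:"
    "EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:"
    "EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:"
    "!EXP:!PSK:!SRP:!DSS:+RC4:RC4"
)

# Thomas's list, verbatim from the thread. It ends with "!RC4": "!" deletes
# permanently, so the earlier "EECDH+aRSA+RC4" and "RC4" entries are moot.
THOMAS_CIPHERS = (
    "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:"
    "EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:"
    "EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:"
    "!EXP:!PSK:!SRP:!DSS:!RC4"
)

# Assumed (my own) substrings of OpenSSL suite names that a scanner such as
# the one quoted in the thread flags: RC4, 3DES, MD5, export, anonymous, NULL.
WEAK_MARKERS = ("RC4", "DES-CBC3", "MD5", "EXP-", "ADH-", "AECDH-", "NULL")


def enabled_ciphers(cipher_string):
    """Suite names OpenSSL selects for cipher_string, in server preference order.

    TLS 1.3 suites are reported by get_ciphers() regardless of the string, so
    they are filtered out; what remains is what a TLS 1.2 client could
    negotiate. An empty result means OpenSSL rejected the string ("No cipher
    can be selected"), which is the error HAProxy would raise for that bind line.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_suites(cipher_string):
    """Enabled suites matching WEAK_MARKERS; an A+ configuration returns []."""
    return [
        name for name in enabled_ciphers(cipher_string)
        if any(marker in name for marker in WEAK_MARKERS)
    ]


def forward_secret_only(cipher_string):
    """True when every enabled suite uses ephemeral (EC)DH key exchange.

    OpenSSL names those suites ECDHE-* and DHE-*. A bare "RC4" entry adds
    RSA-key-exchange suites such as RC4-SHA, so this is False for Eugene's
    list on an RC4-capable build and True for Thomas's list everywhere.
    """
    names = enabled_ciphers(cipher_string)
    return bool(names) and all(n.startswith(("ECDHE-", "DHE-")) for n in names)


def report(label, cipher_string):
    names = enabled_ciphers(cipher_string)
    first = names[0] if names else "(string rejected by OpenSSL)"
    print(f"{label}: {len(names)} TLS<=1.2 suites, first: {first}")
    print(f"  weak suites    : {weak_suites(cipher_string) or 'none'}")
    print(f"  forward secrecy: {forward_secret_only(cipher_string)}")


if __name__ == "__main__":
    report("Eugene (+RC4:RC4)", EUGENE_CIPHERS)
    report("Thomas (!RC4)", THOMAS_CIPHERS)
    # A string that selects nothing is a startup error, not an empty list.
    report("RC4:!RC4", "RC4:!RC4")
```

Running the script prints the negotiable suites for each list; the same list can be obtained on the command line with `openssl ciphers -v '<string>'`, which is the quickest way to check a `ciphers` value before reloading HAProxy. Note that the cipher string governs only which suites are offered; the HSTS header, OCSP stapling and SSLv3 findings from the scan are separate settings, as the thread says.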