Subject: haproxy: `haproxy.cfg` contains an outdated URL
Package: haproxy
Version: 1.8.19-1
Severity: normal
Tags: newcomer

The existing `haproxy.cfg`, from `debian/haproxy.cfg`, contains this URL:

https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy

However, it should point to this URL:

https://ssl-config.mozilla.org/#server=haproxy

Additionally, I would suggest taking the list of ciphers from:

    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

And updating to the Mozilla Intermediate profile, as you can see here:

https://ssl-config.mozilla.org/#server=haproxy&server-version=1.9.8&config=intermediate

I would also strongly suggest bundling the RFC 7919 2048-bit Diffie-Hellman parameters file in the haproxy Debian package as well.

Thanks!

April King (Mozilla)

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages haproxy depends on:
ii  adduser       3.118
ii  dpkg          1.19.7
ii  libc6         2.28-10
ii  liblua5.3-0   5.3.3-1.1
ii  libpcre2-8-0  10.32-5
ii  libssl1.1     1.1.1c-1
ii  libsystemd0   241-5
ii  lsb-base      10.2019051400
ii  zlib1g        1:1.2.11.dfsg-1

haproxy recommends no packages.

Versions of packages haproxy suggests:
pn  haproxy-doc  <none>
pn  vim-haproxy  <none>

-- Configuration Files:
/etc/haproxy/haproxy.cfg changed [not included]

-- no debconf information
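An added example, not part of the report or of the Debian package: a small audit of the TLS defaults in a `haproxy.cfg`, run over a sample constructed from the lines quoted above. The finding names and the sample layout are assumptions made for illustration; the directives `ssl-dh-param-file` and `ssl-min-ver` are HAProxy's own.

```python
# Constructed sample built from the directives and URL quoted in the report.
SAMPLE_CFG = """\
global
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
"""

OLD_URL = "mozilla.github.io/server-side-tls/ssl-config-generator"
STATIC_RSA = {"RSA", "kRSA"}                        # "RSA" is OpenSSL's alias for kRSA
FINITE_DH = {"DH", "DHE", "EDH", "kDHE", "kEDH"}    # finite-field Diffie-Hellman


def audit(cfg_text):
    """Return sorted finding names (hypothetical labels) for the TLS defaults."""
    findings, directives = set(), {}
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            if OLD_URL in line:
                findings.add("outdated-generator-url")
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives[parts[0]] = parts[1]

    # Collect the "+"-joined components of every enabled (non-negated) cipher token.
    enabled = set()
    for token in directives.get("ssl-default-bind-ciphers", "").split(":"):
        if token and token[0] not in "!-":
            enabled.update(token.split("+"))
    if enabled & STATIC_RSA:
        findings.add("static-rsa-key-exchange")      # no forward secrecy
    if enabled & FINITE_DH and "ssl-dh-param-file" not in directives:
        findings.add("dhe-without-dh-param-file")    # DHE offered, no explicit group

    options = directives.get("ssl-default-bind-options", "").split()
    old_tls_off = {"no-tlsv10", "no-tlsv11"} <= set(options)
    if not old_tls_off and "ssl-min-ver" not in options:
        findings.add("legacy-tls-versions-enabled")  # only SSLv3 is switched off
    return sorted(findings)


if __name__ == "__main__":
    for name in audit(SAMPLE_CFG):
        print(name)
```
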