ssl config

omaralsoudanii · Sep 12, 2021 · 6d3500b · 6d3500b
1 parent 6f0419e
commit 6d3500b
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 5 deletions.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -50,8 +50,12 @@ services:
       - mk-docker
     container_name: mk-haproxy
     restart: unless-stopped
+    volumes:
+      - /etc/ssl/jenkins/ecc.pem:/etc/haproxy/ssl/ecc.pem:ro
+      - /etc/ssl/jenkins/dhparam-2048.pem:/etc/haproxy/ssl/dhparam-2048.pem:ro
     ports:
       - 80:80
+      - 443:443
     networks:
       - mk_ci_proxy
 

diff --git a/haproxy/haproxy.cfg b/haproxy/haproxy.cfg
@@ -13,6 +13,24 @@ maxconn 5000
 # Distribute the health checks with a bit of randomness
 spread-checks 5
 
+# SSL
+# Mozilla intermediate configuration
+ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
+ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
+
+# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
+ssl-dh-param-file /etc/haproxy/ssl/dhparam-2048.pem
+
+# cache SSL performance https://www.haproxy.com/documentation/aloha/12-0/traffic-management/lb-layer7/tls/
+tune.ssl.cachesize 100000
+tune.ssl.lifetime 1800
+tune.ssl.maxrecord 1460
+
 # Global default values
 defaults
 
@@ -44,10 +62,11 @@ option tcp-smart-accept
 option clitcpka
 bind :80 name httpv4 tfo
 bind :::80 name httpv6 v6only tfo
-
+bind :443 name httpsv4 tfo ssl crt /etc/haproxy/ssl/ecc.pem alpn h2,http/1.1  
+bind :::443 name httpsv6 tfo v6only ssl crt /etc/haproxy/ssl/ecc.pem alpn h2,http/1.1 
 # ACL
 acl failed_request status 400 401 403 404 405 408 429 500 503
-acl acl_jenkins_fqdn hdr(host) -i localhost
+acl acl_jenkins_fqdn hdr(host) -i ci.jawabstg.com
 
 # log err
 http-response set-log-level err if failed_request
@@ -57,8 +76,8 @@ http-request capture req.hdr(User-Agent) len 70
 capture response header Content-length len 9
 
 # Redirects
-
-http-request redirect code 301 location http://%[req.hdr(Host)]%[capture.req.uri] if !acl_jenkins_fqdn 
+http-request redirect scheme https code 301 unless { ssl_fc }
+http-request redirect code 301 location https://%[req.hdr(Host)]%[capture.req.uri] if !acl_jenkins_fqdn 
 
 #Headers 
 http-request set-header X-Forwarded-Host %[req.hdr(Host)]
@@ -79,5 +98,5 @@ backend jenkins_ci
 option tcp-smart-connect
 option srvtcpka
 http-send-name-header Host
-option httpchk GET /login HTTP/1.1\r\nHost:\ localhost
+option httpchk GET /login HTTP/1.1\r\nHost:\ ci.jawabstg.com
 server srv mk-jenkins:8080 check inter 5s rise 2 fall 10