autonomic-cooperative/traefik.autonomic.zone
Archived
4
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Improve SSL Labs Rating by tweaking TLS configs #3

New Issue
Closed
opened 2020-09-15 10:50:37 +00:00 by kawaiipunk · 1 comment
kawaiipunk commented 2020-09-15 10:50:37 +00:00
Owner
Copy Link

Currently our SSL Labs certs are only getting a B:

https://www.ssllabs.com/ssltest/analyze.html?d=autonomic.zone&hideResults=on
https://www.ssllabs.com/ssltest/analyze.html?d=git.autonomic.zone&hideResults=on

The two main issues are:

  • This server does not support Forward Secrecy with the reference browsers. Grade capped to B. MORE INFO »
  • This server supports TLS 1.0 and TLS 1.1. Grade capped to B.

We should add config options for improved security. Here is the Traefik docs. I feel like that page is missing details though.

We may need to look at other documentation. There are numerous blogposts.

Mozilla has some good guides too.

This is probablly what we want to be going by:
https://ssl-config.mozilla.org/#server=traefik&version=2.1.2&config=modern&guideline=5.6

Or intermediate to ensure compat with older clients:
https://ssl-config.mozilla.org/#server=traefik&version=2.1.2&config=intermediate&guideline=5.6

Currently our SSL Labs certs are only getting a B: https://www.ssllabs.com/ssltest/analyze.html?d=autonomic.zone&hideResults=on https://www.ssllabs.com/ssltest/analyze.html?d=git.autonomic.zone&hideResults=on The two main issues are: - This server does not support Forward Secrecy with the reference browsers. Grade capped to B. MORE INFO » - This server supports TLS 1.0 and TLS 1.1. Grade capped to B. We should add config options for improved security. Here is the [Traefik docs](https://docs.traefik.io/https/tls/). I feel like that page is missing details though. We may need to look at [other documentation](https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices). There are [numerous blogposts](https://tferdinand.net/en/traefik-2-tls-configuration/). Mozilla has some [good guides](https://wiki.mozilla.org/Security/Server_Side_TLS) too. This is probablly what we want to be going by: https://ssl-config.mozilla.org/#server=traefik&version=2.1.2&config=modern&guideline=5.6 Or intermediate to ensure compat with older clients: https://ssl-config.mozilla.org/#server=traefik&version=2.1.2&config=intermediate&guideline=5.6
❤️ 1 🎉 1
3wordchant commented 2020-09-29 22:59:22 +00:00
Owner
Copy Link

Migrated to compose-stacks/traefik#4

Migrated to compose-stacks/traefik#4
This repo is archived. You cannot comment on issues.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
No items
No Label
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
2 Participants
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: autonomic-cooperative/traefik.autonomic.zone#3
No description provided.
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?