From: Rigel Kent
Date: Sat, 2 Jun 2018 11:41:38 +0000 (+0200)
Subject: (docker) making security settings of traefik on par with nginx
X-Git-Tag: v1.0.0-beta.8~55
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=1dd59831f80ff4d49f3b60c8c3b2aabfb1512eeb;p=oweals%2Fpeertube.git

(docker) making security settings of traefik on par with nginx
---

diff --git a/support/docker/production/config/traefik.toml b/support/docker/production/config/traefik.toml
index 775a26515..882c95548 100644
--- a/support/docker/production/config/traefik.toml
+++ b/support/docker/production/config/traefik.toml
@@ -7,6 +7,29 @@ defaultEntryPoints = ["http", "https"]
 [entryPoints.https]
 address = ":443"
 [entryPoints.https.tls]
+ MinVersion = "VersionTLS12"
+ CurvePreferences = [
+ "CurveP521",
+ "CurveP384",
+ "CurveP256"
+ ]
+ PreferServerCipherSuites = true
+ CipherSuites = [
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+ "TLS_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_RSA_WITH_AES_256_CBC_SHA"
+ ]
+ FrameDeny = false # here we don't want to deny frames since we have an embed
+ STSIncludeSubdomains = true
+ STSSeconds = 315360000
+ STSPreload = true
+ ContentTypeNosniff = true
+ BrowserXssFilter = true
+
 # Enable ACME (Let's Encrypt): automatic SSL.
 [acme]
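Review bot: The six header options at the end of the added block (`FrameDeny`, `STSIncludeSubdomains`, `STSSeconds`, `STSPreload`, `ContentTypeNosniff`, `BrowserXssFilter`) sit inside `[entryPoints.https.tls]`, which configures the TLS handshake rather than response headers, so they are probably ignored without any error. Assuming this is Traefik 1.x, as the `[entryPoints]`/`[acme]` layout suggests, they belong to the per-frontend headers settings (for a Docker backend, labels such as `traefik.frontend.headers.STSSeconds=315360000`), and it is worth confirming with `curl -sI https://<your-host>/` that `Strict-Transport-Security` and `X-Content-Type-Options` are actually sent. Once they do take effect, `STSPreload = true` combined with `STSIncludeSubdomains = true` and a ten-year `STSSeconds` is a heavy default for a template that self-hosters copy as is, because it commits the whole domain and every subdomain to HTTPS and is slow to undo; I would ship `STSPreload = false` with a comment marking preload as opt-in. In `CipherSuites`, the two `TLS_RSA_WITH_*` entries use static RSA key exchange without forward secrecy and could be dropped unless a known legacy client needs them, and the only ECDSA suite is the ChaCha20 one, so adding `"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"` and `"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"` would cover deployments with an ECDSA certificate. The `[acme]` table that follows the added block continues outside the hunk.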