Improve SSL Labs Rating by tweaking TLS configs #4

Closed
opened 2020-09-29 22:59:01 +00:00 by 3wordchant · 1 comment
Owner

From autonomic-cooperative/traefik.autonomic.zone#3:

@kawaiipunk:

Currently our SSL Labs certs are only getting a B:

https://www.ssllabs.com/ssltest/analyze.html?d=autonomic.zone&hideResults=on
https://www.ssllabs.com/ssltest/analyze.html?d=git.autonomic.zone&hideResults=on

The two main issues are:

This server does not support Forward Secrecy with the reference browsers. Grade capped to B.
This server supports TLS 1.0 and TLS 1.1. Grade capped to B.

We should add config options for improved security. Here are the Traefik docs. I feel like that page is missing details though.

We may need to look at other documentation. There are numerous blogposts.

Mozilla has some good guides too.

This is probably what we want to be going by:
https://ssl-config.mozilla.org/#server=traefik&version=2.1.2&config=modern&guideline=5.6

Or intermediate to ensure compat with older clients:
https://ssl-config.mozilla.org/#server=traefik&version=2.1.2&config=intermediate&guideline=5.6

decentral1se self-assigned this 2020-10-23 14:06:05 +00:00
Owner

OK, achieved via https://git.autonomic.zone/coop-cloud/traefik/pulls/8.

Each app that wants to get the A+ rating needs to add the following labels to their `compose.yml` configuration so as to hook into Traefik's magic SSL configuration:

```
- "traefik.http.routers.traefik.tls.options=default@file"
- "traefik.http.routers.traefik.middlewares=security@file"
```

I have enabled that for https://autonomic.zone now.

I'm gonna close this off and add some follow up tickets.
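For readers wiring this up elsewhere, here is a sketch of a Traefik v2 file-provider dynamic configuration that labels such as `default@file` and `security@file` could resolve to. It is an added example, not the contents of the linked pull request. It assumes an ECDHE-only cipher list in the spirit of the Mozilla intermediate profile linked in the issue, and assumes the `security` middleware sets HSTS.

```yaml
# Dynamic configuration loaded by Traefik's file provider (assumed layout,
# not taken from coop-cloud/traefik). Names "default" and "security" match
# the labels quoted above; everything else is illustrative.
tls:
  options:
    default:
      # Refuse TLS 1.0 and TLS 1.1, which SSL Labs caps at grade B.
      minVersion: VersionTLS12
      # Only ECDHE key exchange with AEAD ciphers, so every TLS 1.2
      # handshake has forward secrecy. This list applies to TLS 1.2 only;
      # TLS 1.3 suites are fixed by the Go TLS stack and are all
      # forward-secret.
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      # Reject handshakes whose SNI does not match a configured certificate.
      sniStrict: true

http:
  middlewares:
    security:
      headers:
        # HSTS with a long max-age (one year here, a constructed value).
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        forceSTSHeader: true
        # Common hardening headers, optional for the TLS grade itself.
        contentTypeNosniff: true
        frameDeny: true
```

After reloading, re-running the SSL Labs test from the issue shows whether the TLS 1.0/1.1 and Forward Secrecy caps are gone for routers that carry both labels.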

Reference: coop-cloud/traefik#4