Islandora-Devops / isle-site-template

Template for building and customising your institution's Islandora installation.
MIT License

created traefik tls file for prod and block tls 1.0 and 1.1 #40

Closed joshdentremont closed 1 month ago

joshdentremont commented 1 month ago

Adds a second tls.yml file for production sites so that prod and dev can have separate options.

Also sets the minimum TLS version for production to 1.2 in order to block TLS 1.0 and 1.1 on production sites.

To test this, there should be no change to dev sites, but spinning up a production site with this PR should cause TLS 1.0 and 1.1 to be disabled. You can test it using something like https://www.ssllabs.com/ssltest/index.html

joshdentremont commented 1 month ago

Looks like Traefik automatically blocks TLS 1.0 and 1.1 in newer versions, but this might still be worth merging for anyone who wants to be able to edit other Traefik options in production.

We could also use this to specify the cipher suites for increased security, which may be worth setting as a default.

joshdentremont commented 1 month ago

Also specifying the cipher suites used. I based this on a scan using SSL Labs.

The last two ciphers show as weak, but were needed for supporting older versions of Safari and IE.

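An added example, not code from this PR or from the isle-site-template repository: a small Go check for the `minVersion` and `cipherSuites` values placed in a Traefik TLS options file before deploying it. It assumes Traefik's suite names are the Go `crypto/tls` constant names; the function names and the sample values are constructed for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Verdict is the result for one entry of a Traefik cipherSuites list.
type Verdict string
const (
	OK        Verdict = "ok"
	Insecure  Verdict = "insecure"     // listed in tls.InsecureCipherSuites()
	TLS13Only Verdict = "tls1.3-only"  // Go does not let TLS 1.3 suites be configured
	Unknown   Verdict = "unknown-name" // typo or an OpenSSL-style name
)

// Classify looks a suite name up in the crypto/tls tables.
func Classify(name string) Verdict {
	for _, s := range tls.InsecureCipherSuites() {
		if s.Name == name {
			return Insecure
		}
	}
	for _, s := range tls.CipherSuites() {
		if s.Name != name {
			continue
		}
		for _, v := range s.SupportedVersions {
			if v == tls.VersionTLS12 {
				return OK
			}
		}
		return TLS13Only
	}
	return Unknown
}

// MinVersionBlocksLegacy reports whether a minVersion value refuses TLS 1.0 and 1.1.
func MinVersionBlocksLegacy(v string) bool {
	return v == "VersionTLS12" || v == "VersionTLS13"
}

func main() {
	// Constructed sample values, not the list from the PR.
	fmt.Println("minVersion ok:", MinVersionBlocksLegacy("VersionTLS12"))
	for _, n := range []string{"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_AES_128_GCM_SHA256"} {
		fmt.Printf("%-45s %s\n", n, Classify(n))
	}
}
```

Go's insecure list is narrower than the "weak" rating SSL Labs gives to CBC suites, so a clean result here complements an external scan rather than replacing it.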