Closed RequestForCoffee closed 4 years ago
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ explains that the ciphersuites is apparently already "hardened".
Yeah, but he focuses quite a lot on backwards compatibility. Additionally, despite the author's promise to update his blog regularly, the last update was over a year ago. The ciphers at the very bottom, in the section "I only care about web browsers released in the past five years.", are more what I'd imagined:
```
global
    ssl-default-bind-options force-tlsv12 prefer-client-ciphers
    ssl-default-bind-ciphers ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM
    ssl-default-server-options force-tlsv12
    ssl-default-server-ciphers ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM
```
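The cipher strings in that HAProxy snippet are OpenSSL cipher-list syntax, so what a server actually offers depends on how the local OpenSSL expands them. The following added example (not part of the thread or the project) expands the string with Python's `ssl` module and audits each resulting suite against the stated intent (ECDHE only, no SHA-1 MAC, no CCM); it also reports non-AEAD suites separately, because `ECDH+AES256`/`ECDH+AES128` match the CBC suites with SHA-256/384 MACs and `!SHA1` does not remove those. `HARDENED` is the string from the snippet; `WEAK` is a constructed comparison string.

```python
"""Expand an OpenSSL cipher string and audit what the server would offer."""
import ssl

# The bind/server cipher string from the HAProxy snippet in the thread.
HARDENED = "ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM"
# Constructed weak comparison: RSA key exchange and CBC/SHA-1 suites.
WEAK = "AES128-SHA:ECDHE-RSA-AES128-SHA"


def expand(cipher_string):
    """Return the TLS <= 1.2 suites OpenSSL selects for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are listed regardless of the cipher string and are
    # configured separately, so they are not part of this audit.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Map each selected suite name to the list of policy problems it has.

    An empty list means the suite satisfies every check. The AEAD check is
    stricter than what the cipher string itself enforces: with HARDENED it
    flags the ECDHE CBC suites with SHA-256/SHA-384 MACs that survive !SHA1.
    """
    findings = {}
    for c in expand(cipher_string):
        problems = []
        if c["kea"] != "kx-ecdhe":
            problems.append("non-ECDHE key exchange: %s" % c["kea"])
        if c["auth"] == "auth-none":
            problems.append("anonymous (unauthenticated) suite")
        if c["digest"] == "sha1":
            problems.append("SHA-1 MAC")
        if "CCM" in c["name"]:
            problems.append("CCM mode")
        if not c["aead"]:
            problems.append("not AEAD (CBC)")
        findings[c["name"]] = problems
    return findings


if __name__ == "__main__":
    for label, s in (("HARDENED", HARDENED), ("WEAK", WEAK)):
        print("== %s ==" % label)
        for name, problems in audit(s).items():
            print("%-32s %s" % (name, ", ".join(problems) or "ok"))
```

Run it against the cipher string you intend to deploy before merging; anything other than "ok" or "not AEAD (CBC)" for `HARDENED` means the local OpenSSL interprets the string differently than expected.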
I merged this with the current master, but it gives me a PR_END_OF_FILE_ERROR. @RequestForCoffee Have you experienced this before?
Okay, I think I made a mistake during merge. Somehow the CrlDistributionPoint was renamed somewhere. @RequestForCoffee Please confirm that the current branch is semantically as it should be. a40712d resolved my issue described before.
@keyctl Yes, a40712d is semantically correct - CrlDistributionPoint is now constant (under imovies.ch) and no longer a format string. Should be good to merge?
@Miro-H do you want to take a look or should I merge this?
Relates to #35.

Summary of changes:

- `imovies.ch` and `www.imovies.ch` to every `hosts` file, pointing to the `ld` servers (internal network machines use the internal net IP range (10.0.0.*) while the clients use the public net (172.16.0.*)). This should take care of DNS-level redundancy by adding multiple entries if multiple `ld` servers are present.
- `imovies.ch` and `www.imovies.ch` to the SAN fields of the TLS certificates
- `ld` servers to perform TCP-layer load balancing across `web` servers with sticky sessions and health checking

Remaining work:

- `aslld01` and `aslld02`+ so that in the event of a load balancer going down, the associated sessions are not interrupted