Environment
VMware
Red Hat Enterprise Linux release 8.8 (Ootpa)
d103da8
Issue details
After meza deploy monolith, the haproxy configuration does not meet NASA specs.
Edit /etc/haproxy/haproxy.cfg and update settings based on NASA-SPEC-2650 for TLS.
Set ciphers:
ssl-default-bind-ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-SEED-SHA:!DHE-RSA-CAMELLIA128-SHA
Set protocols:
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
Comment out port 80 (the whole frontend, not just its header line, otherwise the bind/reqadd/default_backend lines are left dangling outside any section):
#frontend www-http
#    bind *:80
#    reqadd X-Forwarded-Proto:\ http
#    default_backend www-backend
Set HSTS max-age to one year:
http-response set-header Strict-Transport-Security max-age=31557600;\ includeSubDomains;\ preload;
Each administrator should copy their server's certificate, unencrypted certificate key, and CA chain into /etc/haproxy/certs/meza.pem
Ex. cat server.crt server.key ca-bundle.crt > meza.pem
Also, update template so that future deployments retain the settings:
/opt/meza/src/roles/haproxy/templates/haproxy.cfg.j2
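The settings requested above are easy to get subtly wrong by hand (an extra option dropped, only the frontend line commented, a short HSTS max-age). The following checker is an added example, not code from the meza project: it parses an haproxy.cfg and reports where it falls short of the four requirements in this issue (TLS 1.2 floor, no weak cipher selectors, no plaintext listener on port 80, HSTS of at least one year with includeSubDomains). The two sample configurations embedded below are constructed for the example; `audit_haproxy_cfg`, `hsts_findings` and the finding strings are this example's own names. The cipher check is a keyword heuristic on the OpenSSL cipher string; the authoritative test is `openssl ciphers -v '<string>'` on the host.

```python
"""Audit an haproxy.cfg against the TLS settings requested in this issue (added example)."""
import re

ONE_YEAR = 31536000            # seconds; HSTS preload lists require at least this
REQUIRED_BIND_OPTIONS = {"no-sslv3", "no-tlsv10", "no-tlsv11"}
# OpenSSL cipher-string keywords / cipher-name prefixes that must never be selected positively.
WEAK_SELECTORS = {"RC4", "3DES", "DES", "MD5", "NULL", "aNULL", "eNULL",
                  "EXP", "EXPORT", "LOW", "PSK", "SRP", "DSS", "SEED", "IDEA"}
SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b")


def parse_sections(text):
    """Return [(section header, [directive lines])]; '#' starts a comment in haproxy.cfg."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue                      # blank or fully commented-out line
        if SECTION_RE.match(line):
            current = (line, [])
            sections.append(current)
        elif current is not None:
            current[1].append(line)
    return sections


def hsts_findings(value):
    """Check an HSTS header value; '\\ ' is how haproxy.cfg escapes a space in a value."""
    found = []
    directives = [d.strip().lower() for d in value.replace("\\", "").split(";") if d.strip()]
    max_age = next((d for d in directives if d.startswith("max-age=")), None)
    if max_age is None or not max_age[8:].isdigit():
        found.append("hsts: missing or malformed max-age")
    elif int(max_age[8:]) < ONE_YEAR:
        found.append("hsts: max-age %s is shorter than one year" % max_age[8:])
    if "includesubdomains" not in directives:
        found.append("hsts: includeSubDomains not set")
    return found


def audit_haproxy_cfg(text):
    """Return a list of human-readable findings; an empty list means the config passes."""
    findings = []
    saw_ciphers = saw_options = saw_hsts = False
    for header, lines in parse_sections(text):
        for line in lines:
            words = line.split()
            key = words[0]
            if key == "ssl-default-bind-options":
                saw_options = True
                # Either the three no-* flags or ssl-min-ver TLSv1.2 (HAProxy >= 1.8) gives the floor.
                i = words.index("ssl-min-ver") if "ssl-min-ver" in words else -1
                floor_ok = REQUIRED_BIND_OPTIONS <= set(words[1:]) or (
                    0 < i < len(words) - 1 and words[i + 1] in ("TLSv1.2", "TLSv1.3"))
                if not floor_ok:
                    findings.append("global: ssl-default-bind-options does not disable SSLv3/TLS1.0/TLS1.1")
            elif key == "ssl-default-bind-ciphers":
                saw_ciphers = True
                for selector in words[1].split(":"):
                    if selector.startswith(("!", "-")):
                        continue          # exclusions are what we want to see
                    # 'EECDH+aRSA+AESGCM' -> keywords; 'RC4-SHA' -> cipher-name prefix 'RC4'
                    if any(part.split("-")[0] in WEAK_SELECTORS for part in selector.split("+")):
                        findings.append("ciphers: weak selector %r enabled" % selector)
            elif key == "bind":
                addr = words[1]
                if addr.rsplit(":", 1)[-1] == "80" and "ssl" not in words[2:]:
                    findings.append("%s: plaintext listener %s" % (header, addr))
            elif key == "http-response" and len(words) > 3 and words[1] == "set-header" \
                    and words[2].lower() == "strict-transport-security":
                saw_hsts = True
                findings.extend(hsts_findings(" ".join(words[3:])))
    if not saw_options:
        findings.append("global: ssl-default-bind-options missing (SSLv3/TLS1.0/TLS1.1 still allowed)")
    if not saw_ciphers:
        findings.append("global: ssl-default-bind-ciphers missing (OpenSSL defaults in use)")
    if not saw_hsts:
        findings.append("hsts: no Strict-Transport-Security header set")
    return findings


# Constructed sample: roughly what a fresh deploy leaves behind (weak settings on purpose).
DEFAULT_CFG = """\
global
    log /dev/log local0
    ssl-default-bind-ciphers ECDHE+AESGCM:DHE+AESGCM:RC4-SHA:!aNULL
    ssl-default-bind-options no-sslv3

defaults
    mode http

frontend www-http
    bind *:80
    reqadd X-Forwarded-Proto:\\ http
    default_backend www-backend

frontend www-https
    bind *:443 ssl crt /etc/haproxy/certs/meza.pem
    http-response set-header Strict-Transport-Security max-age=86400
    default_backend www-backend

backend www-backend
    server app 127.0.0.1:8080 check
"""

# Constructed sample with the settings from this issue applied (cipher list abbreviated).
HARDENED_CFG = """\
global
    log /dev/log local0
    ssl-default-bind-ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!RC4
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

defaults
    mode http

#frontend www-http
#    bind *:80
#    reqadd X-Forwarded-Proto:\\ http
#    default_backend www-backend

frontend www-https
    bind *:443 ssl crt /etc/haproxy/certs/meza.pem
    http-response set-header Strict-Transport-Security max-age=31557600;\\ includeSubDomains;\\ preload;
    default_backend www-backend

backend www-backend
    server app 127.0.0.1:8080 check
"""

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_haproxy_cfg(cfg) or ["no findings"])
```

Run it against `/etc/haproxy/haproxy.cfg` (read the file and pass its contents to `audit_haproxy_cfg`) after editing, then `haproxy -c -f /etc/haproxy/haproxy.cfg` for a syntax check before reloading. Because meza.pem carries the unencrypted private key, keep it owned by root with mode 0600; the checker does not look at file permissions.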
The ciphers will be added to the haproxy template directly, and port 80 will be conditional on a public.yml setting, which we will update the deploy script to solicit from the user if it doesn't already exist in public.yml.
NASA-SPEC-2650_v4.0_TLS.pdf