Added template prototype for endusers using TLS 1.2 & 1.3, multiple domains or Let's Encrypt. #263
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,19 @@ | ||
| tls: | ||
| # For TLS 1.2+ and multiple domains and ssls | ||
| # options: | ||
| # default: | ||
| # minVersion: VersionTLS12 | ||
| # maxVersion: VersionTLS13 | ||
| # cipherSuites: | ||
| # # TLS 1.0 - 1.2 cipher suites | ||
| # - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | ||
| # - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ||
| # - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | ||
| # - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ||
| # - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 | ||
| # - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 | ||
| # # only used for multiple domains and ssls | ||
| # #sniStrict: true | ||
| stores: | ||
| default: | ||
| defaultCertificate: | ||
|
|
@@ -7,3 +22,15 @@ tls: | |
| certificates: | ||
| - certFile: /etc/ssl/traefik/cert.pem | ||
| keyFile: /etc/ssl/traefik/privkey.pem | ||
| # Uncomment and edit accordingly for remote certs - commercial prod & staging example. | ||
|
There was a problem hiding this comment. I think these are good, so people know this is all they need to change, but probably should put a note that they need to be put into the There was a problem hiding this comment. Though, I wonder if this could be set via an environmental variable in There was a problem hiding this comment. Good call @misilot I updated the comment to direct folks to put files there. |
||
| #- certFile: /etc/ssl/traefik/commercial_wildcard.crt | ||
| # keyFile: /etc/ssl/traefik/commercial_wildcard.key | ||
| # Uncomment and update docker-compose traefik labels accordingly with the resolver name e.g. myresolver | ||
|
There was a problem hiding this comment. So, we already have https://github.com/Islandora-Devops/isle-dc/blob/development/docker-compose.acme.yml that can be turned on and off via the This is in reference to the There was a problem hiding this comment. I can remove if that is the call. |
||
| # certificatesResolvers: | ||
| # myresolver: | ||
| # acme: | ||
| # email: your_email.com | ||
| # storage: acme.json | ||
| # httpChallenge: | ||
| # # used during the challenge | ||
| # entryPoint: http | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@DonRichards I would think we would want to use these as the default options for isle-dc, to encourage best practices.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I believe so.... assuming that this won't break existing sites... Also, this would validate any local security audits for TLS. TLS 1.0 was being phased out as early as 2018 and as of last year, no one really supports 1.0 or 1.1 anymore. I think we should drop any reference to 1.0 and imply that 1.2+ is all that should be referenced. Microsoft stopped supporting both across all platforms from I can see.