From 3bb2cf9e931728f137bf756f8adfa556a476691c Mon Sep 17 00:00:00 2001
From: Quentin
Date: Fri, 7 May 2021 20:01:31 +0200
Subject: [PATCH] Allow only cipher suites recommended by Mozilla

Check https://ssl-config.mozilla.org/#server=traefik&version=1.7&config=intermediate&guideline=5.6
---
 app/traefik/config/traefik.toml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/app/traefik/config/traefik.toml b/app/traefik/config/traefik.toml
index 4a48fde..e274be8 100644
--- a/app/traefik/config/traefik.toml
+++ b/app/traefik/config/traefik.toml
@@ -14,6 +14,15 @@ defaultEntryPoints = ["http", "https"]
 address = ":443"
 compress = true
 [entryPoints.https.tls]
+ minVersion = "VersionTLS12"
+ cipherSuites = [
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+ ]

 [ping]
 entrypoint = "admin"
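Review bot: The new `minVersion` and `cipherSuites` keys carry no in-file record of where the list came from, so the Mozilla reference lives only in the commit message and the list will quietly age. I would add a comment above `minVersion`, such as `# Mozilla SSL Configuration Generator: Traefik 1.7, intermediate profile, guideline 5.6 - re-check when the guideline is revised`. The restriction is scoped to `[entryPoints.https.tls]`, whose parent table opens above the hunk. The `admin` entry point that `[ping]` refers to is also defined outside the hunk; if it terminates TLS it presumably keeps the default protocol and suite set, so please confirm whether it needs the same two keys. The ChaCha20 suites are listed ahead of AES-GCM; if this Traefik build honours server order, clients with hardware AES would negotiate ChaCha20, which is a performance choice rather than a weakness and worth a short comment if intentional.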