From 5e151851667c976f84d4658130bc56b0bde47422 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sybren=20A=2E=20St=C3=BCvel?=
Date: Wed, 13 Dec 2017 14:00:51 +0100
Subject: [PATCH] HaProxy: Explicitly configure allowed TLS ciphers
---
 docker/docker-compose.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index 132aa33..47b39b9 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -139,6 +139,9 @@ haproxy:
 environment:
 - CERT_FOLDER=/certs/
 - TIMEOUT=connect 5s, client 5m, server 10m
+ - SSL_BIND_CIPHERS=ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
+ - SSL_BIND_OPTIONS=no-sslv3
+ - EXTRA_GLOBAL_SETTINGS=tune.ssl.default-dh-param 2048
 links:
 - blender_cloud
 # - notifserv
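Review bot: `SSL_BIND_OPTIONS=no-sslv3` disables only SSLv3, so TLS 1.0 and 1.1 stay negotiable on the haproxy bind unless the image or the HAProxy build already enforces a higher floor, which is not visible here; if no supported client needs them, `- SSL_BIND_OPTIONS=no-sslv3 no-tlsv10 no-tlsv11` closes that gap. The `SSL_BIND_CIPHERS` value still ends with `RSA+AESGCM:RSA+AES`, which permits RSA key exchange without forward secrecy, and the non-GCM entries admit CBC suites; dropping the two `RSA+` entries is worth considering once client compatibility is confirmed. A short comment above the three new entries saying where the cipher string came from and when it was last reviewed would help whoever has to tighten it next. The haproxy service definition starts and ends outside the hunk.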