authorChristian Pointner <equinox@spreadspace.org>2018-02-25 23:23:32 +0100
committerChristian Pointner <equinox@spreadspace.org>2018-02-25 23:23:32 +0100
commit1fd5003b61966454f39f0744bcf38dd66135384a (patch)
tree427896b335c17122ecf7dbada23318d4c4144c14 /src
parentadded hack for acmetool handling (diff)
TLS hack
Diffstat (limited to 'src')
-rwxr-xr-xsrc/flufigut.py8
1 files changed, 8 insertions, 0 deletions
diff --git a/src/flufigut.py b/src/flufigut.py
index 94c393d..ada1813 100755
--- a/src/flufigut.py
+++ b/src/flufigut.py
@@ -638,6 +638,14 @@ class Planet:
hostname = "%s-%s%d" % (hostname_prefix, self.workers[worker_name]['flags']['stream'], (self.workers[worker_name]['flags']['stream-index'] + 1))
conf = {'listen': listen, 'protocol': 'http'}
+ if not for_onion:
+ conf['protocol'] = 'http+https'
+ conf['tls'] = {'min-protocol-version': 'TLSv1', 'prefer-server-ciphers': True}
+ conf['tls']['certificate'] = '/srv/acme/fullchain'
+ conf['tls']['certificate-key'] = '/srv/acme/privkey'
+ conf['tls']['ciphers'] = ['ECDHE_RSA_WITH_AES_256_GCM_SHA384',
+ 'ECDHE_RSA_WITH_AES_256_CBC_SHA', 'RSA_WITH_AES_256_GCM_SHA384', 'RSA_WITH_AES_256_CBC_SHA']
+ conf['tls']['ecdh-curves'] = ['secp521r1', 'secp384r1', 'secp256r1']
conf['connect'] = 'http://flumotion-worker-' + self.workers[worker_name]['name'] + ':8000'
conf['request_header'] = [{'op': 'del', 'header': 'X-Forwarded-For'}]
conf['response_header'] = [{'op': 'set', 'header': 'Cache-Control', 'value': 'no-cache'},
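Review bot: The TLS block added under `if not for_onion:` sets `'min-protocol-version': 'TLSv1'`, so the generated listener still accepts TLS 1.0 and 1.1. The cipher list also includes two static-RSA suites (`RSA_WITH_AES_256_GCM_SHA384`, `RSA_WITH_AES_256_CBC_SHA`) that give no forward secrecy, and two CBC-SHA suites. Unless a known legacy client needs them, I would keep only the ECDHE/GCM suite, `conf['tls']['ciphers'] = ['ECDHE_RSA_WITH_AES_256_GCM_SHA384']`, and raise the minimum to the TLS 1.2 value the consuming proxy accepts (presumably `'TLSv1.2'`; confirm against its config schema). `'http+https'` presumably keeps the plaintext listener active too, so a short comment saying whether that is intended would help. The enclosing method starts and ends outside the hunk.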