From 1fd5003b61966454f39f0744bcf38dd66135384a Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 25 Feb 2018 23:23:32 +0100
Subject: TLS hack
---
src/flufigut.py | 8 ++++++++
1 file changed, 8 insertions(+)
(limited to 'src/flufigut.py')
diff --git a/src/flufigut.py b/src/flufigut.py
index 94c393d..ada1813 100755
--- a/src/flufigut.py
+++ b/src/flufigut.py
@@ -638,6 +638,14 @@ class Planet:
 hostname = "%s-%s%d" % (hostname_prefix, self.workers[worker_name]['flags']['stream'], (self.workers[worker_name]['flags']['stream-index'] + 1))
 conf = {'listen': listen, 'protocol': 'http'}
+ if not for_onion:
+ conf['protocol'] = 'http+https'
+ conf['tls'] = {'min-protocol-version': 'TLSv1', 'prefer-server-ciphers': True}
+ conf['tls']['certificate'] = '/srv/acme/fullchain'
+ conf['tls']['certificate-key'] = '/srv/acme/privkey'
+ conf['tls']['ciphers'] = ['ECDHE_RSA_WITH_AES_256_GCM_SHA384',
+ 'ECDHE_RSA_WITH_AES_256_CBC_SHA', 'RSA_WITH_AES_256_GCM_SHA384', 'RSA_WITH_AES_256_CBC_SHA']
+ conf['tls']['ecdh-curves'] = ['secp521r1', 'secp384r1', 'secp256r1']
 conf['connect'] = 'http://flumotion-worker-' + self.workers[worker_name]['name'] + ':8000'
 conf['request_header'] = [{'op': 'del', 'header': 'X-Forwarded-For'}]
 conf['response_header'] = [{'op': 'set', 'header': 'Cache-Control', 'value': 'no-cache'},
--
cgit v1.2.3
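Review bot: The TLS block added under `if not for_onion:` sets `'min-protocol-version': 'TLSv1'`, which lets clients negotiate TLS 1.0 and 1.1, and its cipher list still offers two static-RSA suites (`RSA_WITH_AES_256_GCM_SHA384`, `RSA_WITH_AES_256_CBC_SHA`) that give no forward secrecy, so recorded sessions become readable if `/srv/acme/privkey` is ever disclosed. Unless legacy players are a hard requirement, raise the floor to TLS 1.2 (presumably `'min-protocol-version': 'TLSv1.2'`; confirm the spelling the consuming proxy accepts) and trim the list to the ECDHE entries, e.g. `conf['tls']['ciphers'] = ['ECDHE_RSA_WITH_AES_256_GCM_SHA384']`. The protocol remains `'http+https'`, so plaintext is still served next to TLS; a one-line comment stating why, and moving the certificate paths and TLS policy out of the code into configuration, would make this less of a "hack" to maintain. The enclosing method of `Planet` starts and ends outside this hunk, so whether these values can be overridden elsewhere is not visible here.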