@nigelgbanks @jefferya Would either or both of you be game to try something here, or Nigel, perhaps include this with the upcoming release?
I have been testing sites on SSL Labs and finding that, while we can get an "A" rating for the most part, it would be "nice to have" the possible A+.
One way that might be helpful is to use HSTS headers in traefik?
As an example, when using nginx, one would add a header to nginx's config or domain conf / profile:
server {
    listen 443 ssl;
    # Send HSTS on every response, including error responses ("always")
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
The challenge I believe with nginx is that ISLE doesn't listen on port 443 or use SSL in the backend (right?), so perhaps instead we could review the following for traefik?
Here are a couple of sources I've dug up so far, but I am not totally clear on how to implement them.
This is very explicit and I think is what we want.
This is helpful for review but I'm not sure if it covers everything in our setup. https://stackoverflow.com/questions/58266122/how-to-use-sts-headers-with-traefik-when-using-docker/58266123#58266123
Saving everyone a possible trip to the traefik official docs which don't seem to have anything other than a sparse Security Headers section with no explicit label
My main concern is the impact to the backend nginx / drupal service.
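As an added example (not from the ISLE project or anyone in this thread), here is how the HSTS header could be attached in Traefik v2 through a docker-compose label-based headers middleware. The service name `drupal`, the router name, the host and the entrypoint name `https` are assumptions; the middleware option names are Traefik's own. Because Traefik terminates TLS and sets the header on the client response, the plain-HTTP nginx/Drupal backend needs no change.

```yaml
# docker-compose.yml fragment (hypothetical service and router names)
services:
  drupal:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.drupal.rule=Host(`islandora.example.org`)"
      - "traefik.http.routers.drupal.entrypoints=https"
      - "traefik.http.routers.drupal.tls=true"
      # Attach the middleware defined below ("@docker" = defined via Docker labels)
      - "traefik.http.routers.drupal.middlewares=hsts-headers@docker"
      # HSTS for one year, covering subdomains. SSL Labs wants a long max-age
      # for A+; every subdomain must already be reachable over HTTPS before
      # enabling includeSubdomains, or those hosts become unreachable.
      - "traefik.http.middlewares.hsts-headers.headers.stsSeconds=31536000"
      - "traefik.http.middlewares.hsts-headers.headers.stsIncludeSubdomains=true"
      # Leave preload off until you intend to submit to the browser preload
      # list; removal from that list takes months.
      - "traefik.http.middlewares.hsts-headers.headers.stsPreload=false"
      # Only needed if TLS is terminated in front of Traefik (Traefik then sees
      # plain HTTP); with Traefik terminating TLS itself the header is sent anyway.
      # - "traefik.http.middlewares.hsts-headers.headers.forceSTSHeader=true"
```

After redeploying, confirm with `curl -sI https://islandora.example.org | grep -i strict-transport-security` that the header is present on the TLS response and absent on the plain-HTTP redirect, and test on a staging hostname first since a wrong max-age is cached by browsers for its full duration.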
Agree with Nigel. Seems related to the TLS ticket in Isle-dc (Islandora-Devops/isle-dc#263). I've done some initial testing with min TLS 1.2 and HSTS enabled (Qualys SSL Labs A+ rating). Also, I'm using image tag: issue-215-update-alpine (the PHP 8.1 etc. unreleased images). The results are promising (though Fedora, code-server & Blazegraph are outside my current test scope). I'll be doing more testing over the next week.