|
|
@@ -247,10 +247,18 @@ included because the following browsers will stop working when it is removed: Ch
|
|
|
IE < 11, Safari < 7, iOS < 5, Android Browser < 5.
|
|
|
|
|
|
If you don't require backward compatibility, you can use the [Mozilla modern profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility)
|
|
|
-profile instead by including the environment variable `MODERN_SSL=true` to your container.
|
|
|
+profile instead by including the environment variable `SSL_POLICY=Mozilla-Modern` to your container.
|
|
|
This profile is compatible with clients back to Firefox 27, Chrome 30, IE 11 on Windows 7,
|
|
|
Edge, Opera 17, Safari 9, Android 5.0, and Java 8.
|
|
|
|
|
|
+Other policies available through the `SSL_POLICY` environment variable are [`Mozilla-Old`](https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility)
|
|
|
+and the [AWS ELB Security Policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html)
|
|
|
+`AWS-TLS-1-2-2017-01`, `AWS-TLS-1-1-2017-01`, `AWS-2016-08`, `AWS-2015-05`, `AWS-2015-03` and `AWS-2015-02`.
|
|
|
+
|
|
|
+Note that the `Mozilla-Old` policy should use a 1024 bits DH key for compatibility but this container generates
|
|
|
+a 2048 bits key. The [Diffie-Hellman Groups](#diffie-hellman-groups) section details different methods of bypassing
|
|
|
+this, either globally or per virtual-host.
|
|
|
+
|
|
|
The default behavior for the proxy when port 80 and 443 are exposed is as follows:
|
|
|
|
|
|
* If a container has a usable cert, port 80 will redirect to 443 for that container so that HTTPS
|
Nicolas Duchon