
Update doc with SSL_POLICY values

Nicolas Duchon 7 years ago
Parent
Current commit
35f092ca30
1 file changed, 9 insertions and 1 deletion

+ 9 - 1
README.md

@@ -247,10 +247,18 @@ included because the following browsers will stop working when it is removed: Ch
 IE < 11, Safari < 7, iOS < 5, Android Browser < 5.
 IE < 11, Safari < 7, iOS < 5, Android Browser < 5.
 
 
 If you don't require backward compatibility, you can use the [Mozilla modern profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility)
 If you don't require backward compatibility, you can use the [Mozilla modern profile](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility)
-profile instead by including the environment variable `MODERN_SSL=true` to your container.
+profile instead by including the environment variable `SSL_POLICY=Mozilla-Modern` to your container.
 This profile is compatible with clients back to Firefox 27, Chrome 30, IE 11 on Windows 7,
 This profile is compatible with clients back to Firefox 27, Chrome 30, IE 11 on Windows 7,
 Edge, Opera 17, Safari 9, Android 5.0, and Java 8.
 Edge, Opera 17, Safari 9, Android 5.0, and Java 8.
 
 
+Other policies available through the `SSL_POLICY` environment variable are [`Mozilla-Old`](https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility)
+and the [AWS ELB Security Policies](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html)
+`AWS-TLS-1-2-2017-01`, `AWS-TLS-1-1-2017-01`, `AWS-2016-08`, `AWS-2015-05`, `AWS-2015-03` and `AWS-2015-02`.
+
+Note that the `Mozilla-Old` policy should use a 1024 bits DH key for compatibility but this container generates
+a 2048 bits key. The [Diffie-Hellman Groups](#diffie-hellman-groups) section details different methods of bypassing
+this, either globally or per virtual-host.
+
 The default behavior for the proxy when port 80 and 443 are exposed is as follows:
 The default behavior for the proxy when port 80 and 443 are exposed is as follows:
 
 
 * If a container has a usable cert, port 80 will redirect to 443 for that container so that HTTPS
 * If a container has a usable cert, port 80 will redirect to 443 for that container so that HTTPS
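Review bot: The line that replaces `MODERN_SSL=true` with `SSL_POLICY=Mozilla-Modern` drops the old variable from the README without saying whether it is still honoured, so a deployment that sets `MODERN_SSL=true` cannot tell from the doc whether it keeps the modern profile or falls back to the default; add a sentence stating that `MODERN_SSL` is deprecated or removed and that `SSL_POLICY=Mozilla-Modern` is its equivalent. In the new `Mozilla-Old` paragraph, "different methods of bypassing this" is ambiguous, since "this" could mean the 2048-bit key or the compatibility requirement; something like "methods of supplying your own DH parameters" says what the linked section does, and the note should make clear that the generated 2048-bit parameters stay in effect unless the operator replaces them. The list of accepted values also omits the name of the default policy, so readers cannot set it explicitly; list it alongside `Mozilla-Modern` and `Mozilla-Old`. Minor wording: "1024 bits DH key" and "2048 bits key" read better as "1024-bit" and "2048-bit".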