Vault--;Update TLS ciphers

ingress/Traefik2.x/helmchartconfig-traefik.yaml

@@ -77,14 +77,15 @@ spec:
                     - secp521r1
                     - secp384r1
                   cipherSuites:
-                    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-                    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
-                    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
-                    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-                    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
                     - TLS_AES_128_GCM_SHA256
                     - TLS_AES_256_GCM_SHA384
                     - TLS_CHACHA20_POLY1305_SHA256
+                    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+                    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+                    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+                    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+                    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+                    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
                     - TLS_FALLBACK_SCSV
       - apiVersion: bitnami.com/v1alpha1
         kind: SealedSecret
@@ -109,9 +110,9 @@ spec:
           - websecure
         matchRule: Host(`ingress.spamasaurus.com`)
         middlewares:
-          # - name: 2fa-authentication@file
+          - name: 2fa-authentication@file
           - name: security-headers@file
-          - name: compression@file
+          # - name: compression@file
     logs:
       general:
         level: DEBUG
@@ -125,6 +126,8 @@ spec:
         redirectTo:
           port: websecure
       websecure:
+        forwardedHeaders:
+          insecure: true
         tls:
           options: defaults@file
           certResolver: default