The BEAST attack on SSL isn’t new, but we have not yet published an article explaining how to mitigate it with ALOHA or HAProxy.
First of all, to mitigate this attack, you must use the load balancer as the SSL endpoint. Then append the following parameter to your HAProxy SSL frontend:

  • For the ALOHA Load-Balancer:

bind 10.0.0.9:443 name https ssl crt domain ciphers RC4:HIGH:!aNULL:!MD5

  • For HAProxy OpenSource:

bind 10.0.0.9:443 name https ssl crt /path/to/domain.pem ciphers RC4:HIGH:!aNULL:!MD5

As you may have understood, the most important part is the ciphers RC4:HIGH:!aNULL:!MD5 directive, which forces the cipher used during the connection and forces it to be strong enough to resist the attack.
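To see what this directive actually selects on a given machine, the following added example (not code from the original article) pulls the ciphers argument out of the article's bind line and expands it with the local OpenSSL through Python's ssl module. The function names and report fields are assumptions of this example; on OpenSSL builds compiled without RC4, the RC4 keyword matches nothing and only the HIGH suites remain.

```python
import re
import ssl

# The HAProxy OpenSource bind line from the article.
BIND_LINE = ("bind 10.0.0.9:443 name https ssl crt /path/to/domain.pem "
             "ciphers RC4:HIGH:!aNULL:!MD5")


def cipher_string(bind_line):
    """Return the argument of the `ciphers` keyword on a bind line, or None."""
    words = bind_line.split()
    if "ciphers" in words[:-1]:
        return words[words.index("ciphers") + 1]
    return None


def expand(cipher_str):
    """Expand an OpenSSL cipher string with the local OpenSSL, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_str)  # raises ssl.SSLError if nothing matches
    suites = []
    for c in ctx.get_ciphers():
        # The description looks like "NAME TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD"
        f = dict(re.findall(r"(Kx|Au|Enc|Mac)=(\S+)", c["description"]))
        suites.append({"name": c["name"], "protocol": c["protocol"],
                       "enc": f.get("Enc", ""), "mac": f.get("Mac", ""),
                       "auth": f.get("Au", "")})
    return suites


def audit(bind_line):
    """Report what the bind line's cipher string selects on this OpenSSL build."""
    cs = cipher_string(bind_line)
    if cs is None:
        return {"cipher_string": None, "suites": [], "rc4": [], "cbc": []}
    suites = expand(cs)
    rc4 = [s["name"] for s in suites if s["enc"].startswith("RC4")]
    # With aNULL excluded and only RC4/HIGH selected, every suite that is neither
    # AEAD nor RC4 is a CBC-mode block cipher, the mode BEAST concerns in TLS 1.0.
    cbc = [s["name"] for s in suites
           if s["mac"] != "AEAD" and not s["enc"].startswith("RC4")]
    return {"cipher_string": cs, "suites": suites, "rc4": rc4, "cbc": cbc}


if __name__ == "__main__":
    report = audit(BIND_LINE)
    print("cipher string:", report["cipher_string"])
    print("RC4 suites available in this build:", report["rc4"] or "none")
    print("CBC suites still offered:", len(report["cbc"]))
```

An empty RC4 list means the server built against this OpenSSL cannot prefer RC4 at all, so the CBC count shows what clients limited to TLS 1.0 would negotiate instead.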
