Advanced TLS Options
Below we list other arguments that you can add to a bind line when configuring TLS offloading.
Set encryption ciphers for TLS 1.2 and older
Use the ciphers argument to set the list of TLS encryption ciphers to use, separated by colons, in order of preference. Fallback algorithms go at the end of the list. HAProxy ALOHA will choose the first cipher that the client also supports.
Use this argument only for SSL and TLS versions up to TLS version 1.2. For TLS version 1.3 and newer, use ciphersuites.
Sets the list of preferred ciphers.
frontend ft_myapp
mode http
bind :443 ssl crt default ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
Set encryption ciphers for TLS 1.3 and newer
Use the ciphersuites argument to set the list of TLS encryption ciphers to use, separated by colons, in order of preference. Fallback algorithms go at the end of the list. HAProxy ALOHA will choose the first cipher that the client also supports.
Use this argument for TLS version 1.3 and newer. For older versions of SSL and TLS, use ciphers instead.
Sets the list of preferred ciphers.
frontend ft_myapp
mode http
bind :443 ssl crt default ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
Set the maximum allowed SSL or TLS version
Use the ssl-max-ver argument to set the maximum version of SSL or TLS to use. Clients will not be able to use versions newer than that.
Values:
SSLv3
TLSv1.0
TLSv1.1
TLSv1.2
TLSv1.3
Enforce TLS version 1.2 as the newest accepted version.
frontend ft_myapp
mode http
bind :443 ssl crt default ssl-max-ver TLSv1.2
Set the minimum allowed SSL or TLS version
Use the ssl-min-ver argument to set the minimum version of SSL or TLS to use. Clients will not be able to use versions older than that.
Values:
SSLv3
TLSv1.0
TLSv1.1
TLSv1.2
TLSv1.3
Enforce TLS version 1.2 as the oldest accepted version.
frontend ft_myapp
mode http
bind :443 ssl crt default ssl-min-ver TLSv1.2
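As an added example, not part of this documentation or of HAProxy ALOHA's own tooling, the following Python script lints the four arguments described above on the bind lines of a configuration snippet. It checks that ssl-min-ver and ssl-max-ver use the version names listed above and that the minimum is not newer than the maximum, flags a minimum below TLSv1.2, checks that TLS 1.3 suite names (the TLS_ prefix) sit in ciphersuites rather than ciphers and vice versa, and flags a few legacy algorithm names in the ciphers list. The function names, the short legacy-name list and the sample configuration are constructed for this example; only the keyword and version names come from the page.

```python
"""Lint TLS arguments on HAProxy 'bind' lines (added example, not HAProxy ALOHA code)."""
import shlex

# Version names exactly as accepted by ssl-min-ver / ssl-max-ver, oldest first.
TLS_VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Name components that mark legacy or broken algorithms in a TLS <= 1.2
# cipher name. Constructed, deliberately short list; not exhaustive.
LEGACY_PARTS = {"NULL", "aNULL", "eNULL", "EXPORT", "EXP", "RC4", "DES", "3DES", "MD5"}

# The four bind keywords this lint understands (from the page).
TLS_KEYWORDS = {"ciphers", "ciphersuites", "ssl-min-ver", "ssl-max-ver"}


def parse_bind_tls_args(bind_line):
    """Return {keyword: value} for the four TLS keywords on one 'bind' line.

    Other bind keywords (ssl, crt, ...) are skipped. Raises ValueError on a
    keyword with no value or on a line that is not a bind line.
    """
    tokens = shlex.split(bind_line)
    if not tokens or tokens[0] != "bind":
        raise ValueError("not a bind line: %r" % bind_line)
    args = {}
    i = 1
    while i < len(tokens):
        if tokens[i] in TLS_KEYWORDS:
            if i + 1 >= len(tokens):
                raise ValueError("%s needs a value" % tokens[i])
            args[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return args


def lint_bind_tls(bind_line):
    """Return a list of findings for one bind line; an empty list means nothing was flagged."""
    findings = []
    args = parse_bind_tls_args(bind_line)
    min_ver = args.get("ssl-min-ver")
    max_ver = args.get("ssl-max-ver")

    # 1. Version names must be ones HAProxy knows.
    for key, val in (("ssl-min-ver", min_ver), ("ssl-max-ver", max_ver)):
        if val is not None and val not in TLS_VERSIONS:
            findings.append("%s: unknown version %r" % (key, val))

    # 2. The minimum must not be newer than the maximum, and a minimum
    #    below TLSv1.2 admits protocol versions with known weaknesses.
    if min_ver in TLS_VERSIONS and max_ver in TLS_VERSIONS:
        if TLS_VERSIONS.index(min_ver) > TLS_VERSIONS.index(max_ver):
            findings.append("ssl-min-ver is newer than ssl-max-ver; no version can be negotiated")
    if min_ver in TLS_VERSIONS and TLS_VERSIONS.index(min_ver) < TLS_VERSIONS.index("TLSv1.2"):
        findings.append("ssl-min-ver %s allows protocol versions older than TLSv1.2" % min_ver)

    # 3. TLS 1.3 suites are named TLS_*; they belong in 'ciphersuites' only,
    #    and TLS <= 1.2 names belong in 'ciphers' only.
    for name in filter(None, args.get("ciphers", "").split(":")):
        if name.startswith("!"):
            continue  # an exclusion such as !aNULL removes ciphers; nothing to flag
        if name.startswith("TLS_"):
            findings.append("ciphers: %s is a TLS 1.3 suite; put it in ciphersuites" % name)
        elif LEGACY_PARTS.intersection(name.split("-")):
            findings.append("ciphers: %s uses a legacy algorithm" % name)
    for name in filter(None, args.get("ciphersuites", "").split(":")):
        if not name.startswith("TLS_"):
            findings.append("ciphersuites: %s is not a TLS 1.3 suite name; put it in ciphers" % name)
    return findings


def lint_config(text):
    """Lint every bind line in a config snippet; returns {line_number: findings}."""
    results = {}
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("bind "):
            findings = lint_bind_tls(line)
            if findings:
                results[n] = findings
    return results


# Constructed sample: the frontend from the page plus one deliberately weak bind line.
SAMPLE_CONFIG = """\
frontend ft_myapp
    mode http
    bind :443 ssl crt default ssl-min-ver TLSv1.2 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    bind :8443 ssl crt default ssl-min-ver TLSv1.0 ciphers ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:TLS_AES_128_GCM_SHA256
"""

if __name__ == "__main__":
    for line_no, findings in lint_config(SAMPLE_CONFIG).items():
        for finding in findings:
            print("line %d: %s" % (line_no, finding))
```

Run it against a saved configuration and it reports only the bind lines that need attention; the first bind line above, which follows the page's guidance, produces no findings, while the second is flagged for its old minimum version, its RC4 cipher and the TLS 1.3 suite placed in the wrong list. The lint does not expand OpenSSL cipher-string keywords such as HIGH, so a list written with those is only partially checked.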