Configuring Transport Layer Security (TLS)
You configure TLS settings in HAProxy Enterprise in three places: the global section (defaults for every listener and server), the bind line of a frontend (the client-facing side), and the server line of a backend (the connection HAProxy opens to the application server).
Define TLS settings in the Global Section
| Directive | Description |
|---|---|
| `ssl-default-bind-ciphers` | A string describing the list of cipher suite algorithms that HAProxy accepts from clients. It applies to all `bind` lines with SSL enabled that do not set their own `ciphers`. Note: Mozilla maintains recommended TLS configurations (modern, intermediate and old/backward-compatible cipher lists) at https://wiki.mozilla.org/Security/Server_Side_TLS; copy the one that suits your needs. |
| `ssl-default-bind-options` | SSL/TLS options (for example `no-sslv3`) to apply to all `bind` lines with SSL enabled. |
| `ssl-default-server-ciphers` | A string describing the list of cipher suite algorithms HAProxy offers when connecting to servers. It applies to all `server` lines where SSL is enabled. Note: the same Mozilla recommendations apply; copy the list that suits your needs. |
| `ssl-default-server-options` | SSL/TLS options to apply to all `server` lines where SSL is enabled. |
| `ssl-server-verify` | Default behavior for TLS certificate verification on the server side: `none` (the certificate presented by the server is not checked) or `required` (the certificate must validate against the server's `ca-file`, otherwise the connection is aborted). A `verify` keyword on a `server` line overrides this default. |
| `tune.ssl.cachesize` | Sets the size (number of sessions) of the global SSL/TLS session cache. |
| `tune.ssl.lifetime` | Sets the lifetime, in seconds, of an SSL/TLS session in the cache. |
| `tune.ssl.maxrecord` | Sets the maximum amount of application data sent in a single TLS record. The client cannot start deciphering a record until it has received it in full, so reducing this value (for example to fit one TCP segment) may improve application response time on the client side. |
| `tune.ssl.default-dh-param` | Sets the maximum size, in bits, of the Diffie-Hellman parameters used to generate the ephemeral/temporary Diffie-Hellman key when using DHE key exchange. |
Define bind directives on the frontend
The following directives are valid only if the `bind` line also carries the `ssl` keyword:
| Directive | Description |
|---|---|
| `alpn` | Enables the TLS ALPN extension and advertises the listed protocols to clients (for example `http/1.1,http/1.0`). |
| `ca-file` | Designates the CA certificate (or bundle) used to validate the certificates presented by clients. |
| `ca-ignore-err` | Sets a list of TLS error IDs to ignore when verifying the client certificate chain at depth > 0 (the issuing CAs). By default no errors are ignored; when `all` is specified, all errors at that depth are ignored. Note: the TLS handshake is aborted when an error that is not in the list occurs. |
| `ciphers` | A string describing the list of cipher suite algorithms accepted on this listener. Note: Mozilla maintains recommended TLS configurations (modern, intermediate and old/backward-compatible cipher lists) at https://wiki.mozilla.org/Security/Server_Side_TLS; copy the one that suits your needs. |
| `crl-file` | Designates a PEM (Privacy Enhanced Mail) file from which HAProxy loads a certificate revocation list. The list is used when verifying client certificates. |
| `crt` | Designates the PEM file containing the certificate and its associated private key. Intermediate and root certificates may be included in the same file as well. |
| `crt-ignore-err` | Sets a list of TLS error IDs to ignore during verification at depth 0 (the client certificate itself). Note: the TLS handshake is aborted when an error that is not in the list occurs. |
| `crt-list` | Designates a file containing a list of PEM certificate files, each with an optional list of SNI filters. Each line in the file is the path of a PEM file, optionally followed by the SNI names (wildcards allowed) for which that certificate is served. |
| `force-sslv3` | Enforces the use of SSL protocol version SSLv3. Note: not recommended on the Internet because of the POODLE vulnerability: https://poodle.io/ |
| `force-tlsv10` | Enforces the use of TLS protocol version 1.0. |
| `force-tlsv11` | Enforces the use of TLS protocol version 1.1. |
| `force-tlsv12` | Enforces the use of TLS protocol version 1.2. |
| `no-sslv3` | Disables support of the SSLv3 protocol. |
| `no-tls-tickets` | Disables support of TLS session tickets, used to resume TLS sessions with compatible clients. |
| `no-tlsv10` | Disables support of the TLS 1.0 protocol. |
| `no-tlsv11` | Disables support of the TLS 1.1 protocol. |
| `no-tlsv12` | Disables support of the TLS 1.2 protocol. |
| `ssl` | Enables a TLS/SSL endpoint on this listener in order to encrypt/decrypt the traffic. |
| `strict-sni` | The SSL/TLS negotiation is allowed only if the client sends an SNI that matches a certificate loaded by HAProxy. The default certificate is not served in this case. |
| `verify` | Sets HAProxy's behavior regarding the client certificate: `none` (no client certificate is requested), `optional` (a certificate is requested, the connection is still accepted if the client presents none, but a presented certificate must validate), or `required` (the client must present a certificate that validates against `ca-file`, otherwise the handshake is aborted). |
Define server directive settings on the backend
| Directive | Description |
|---|---|
| `ca-file` | Designates the CA certificate (or bundle) used to validate the certificates presented by servers. |
| `ciphers` | A string describing the list of cipher suite algorithms offered when connecting to the servers. Note: Mozilla maintains recommended TLS configurations (modern, intermediate and old/backward-compatible cipher lists) at https://wiki.mozilla.org/Security/Server_Side_TLS; copy the one that suits your needs. |
| `crl-file` | Designates a PEM file from which HAProxy loads a certificate revocation list. The list is used when verifying the certificates presented by servers. |
| `crt` | Designates the PEM file containing a client certificate and its associated private key. HAProxy presents it if the server asks for a client certificate. |
| `force-sslv3` | Enforces the use of SSL protocol version SSLv3. Note: not recommended on the Internet because of the POODLE vulnerability: https://poodle.io/ |
| `force-tlsv10` | Enforces the use of TLS protocol version 1.0. |
| `force-tlsv11` | Enforces the use of TLS protocol version 1.1. |
| `force-tlsv12` | Enforces the use of TLS protocol version 1.2. |
| `no-sslv3` | Disables support of the SSLv3 protocol. |
| `no-tls-tickets` | Disables support of TLS session tickets, used to resume TLS sessions with compatible servers. |
| `no-tlsv10` | Disables support of the TLS 1.0 protocol. |
| `no-tlsv11` | Disables support of the TLS 1.1 protocol. |
| `no-tlsv12` | Disables support of the TLS 1.2 protocol. |
| `sni` | Evaluates the sample fetch expression and uses the result as the string sent in the SNI TLS extension to the server. |
| `ssl` | Opens a TLS/SSL socket when connecting to this server in order to encrypt/decrypt the traffic. |
| `verify` | Sets HAProxy's behavior regarding the certificate presented by the server: `none` (the certificate is not checked) or `required` (the certificate is validated and the connection is aborted on failure). Note: the server certificate is validated using the server's `ca-file` (and `crl-file`, if set). When `verify` is absent, the global `ssl-server-verify` setting applies. |
| `verifyhost` | Sets a host name to check against the server certificate (its subject and subject alternative names). Note: this only applies when `verify` is set to `required`. |
Example TLS Configurations
Define Global Settings
The following are examples of settings available in the global section.
Disable SSLv3 on every SSL-enabled bind line (use ssl-default-server-options for the server side):
global
ssl-default-bind-options no-sslv3
Set a default cipher list to use (this list keeps CBC and SHA-1 suites for old clients; take Mozilla's intermediate or modern list when client compatibility allows):
global
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
Disable validation of certificates presented by servers (for example because they are self-signed). This also removes any protection against an impersonated server on the path to the backend; prefer keeping verification enabled and pointing ca-file at the self-signed certificate or its issuing CA:
global
ssl-server-verify none
Force validation of certificates presented by servers:
global
ssl-server-verify required
Increase the TLS session cache size and lifetime so that returning clients resume sessions instead of performing a full handshake (and its key exchange) each time:
global
tune.ssl.cachesize 100000
tune.ssl.lifetime 600
Set up a TLS record to match a TCP segment size to improve client side rendering of content:
global
tune.ssl.maxrecord 1460
Define Listener (frontend) Settings
The following are examples of settings available for the listener:
Enable SSL processing on a bind line:
frontend f_myapp
bind 10.0.0.1:443 ssl crt mycrt
Announce supported protocols using the TLS ALPN extension (NPN is the older mechanism that ALPN superseded; prefer ALPN):
frontend f_myapp
bind 10.0.0.1:443 ssl crt mycrt alpn http/1.1,http/1.0
or, with NPN:
frontend f_myapp
bind 10.0.0.1:443 ssl crt mycrt npn http/1.1,http/1.0
Enable SSL processing on a bind line and make client certificate mandatory for the connection:
frontend f_myapp
bind 10.0.0.1:443 ssl crt mycrt ca-file ./ca.crt verify required
Load multiple certificates over a single IP:
frontend f_myapp
bind 10.0.0.1:443 ssl crt star.mydomain.com crt www.mydomain.net
Note
The first one is used by default when the client does not send any SNI, or the SNI sent does not match any loaded certificate.
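The following listener configuration is an added example for this page; it is not taken from the ALOHA documentation or from HAProxy's own examples. It combines the bind keywords described above: certificate selection by SNI from a crt-list file with strict-sni, protocol advertisement with alpn, legacy protocol versions disabled on the bind line, and mandatory client certificates checked against an internal CA and its CRL. All paths, host names, the address, the CA and the header names are assumptions for illustration.

```haproxy
# Added example (not from the ALOHA page). Paths, names and the address are assumed.
#
# /etc/haproxy/certs/certs.list (assumed path) holds one PEM bundle (certificate,
# chain and private key) per line, each optionally followed by the SNI names it
# serves. The first line is the default certificate; with strict-sni below it is
# only served when the client actually sends a matching SNI.
#   /etc/haproxy/certs/www.mydomain.com.pem      www.mydomain.com
#   /etc/haproxy/certs/star.mydomain.net.pem     *.mydomain.net !internal.mydomain.net
#   /etc/haproxy/certs/internal.mydomain.net.pem internal.mydomain.net

frontend f_myapp
    mode http
    # One listener, several certificates chosen by SNI; a client that sends no SNI
    # or an unknown one is refused instead of receiving the default certificate.
    # The client must present a certificate issued by the internal CA that is not
    # listed in the CRL; SSLv3/TLS 1.0/1.1 and ticket resumption are disabled here.
    bind 10.0.0.1:443 ssl crt-list /etc/haproxy/certs/certs.list strict-sni alpn http/1.1,http/1.0 ca-file /etc/haproxy/certs/clients-ca.pem crl-file /etc/haproxy/certs/clients.crl verify required no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    # Pass the verified client identity to the application (header names are
    # assumptions; the application must trust them only from this proxy).
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
    http-request set-header X-SSL-Client-Serial %[ssl_c_serial,hex]

    default_backend b_myapp
```

Reloading after a CRL update is required for revocations to take effect, because crl-file is read at startup; keep the CRL's next-update date short enough that a stale file is noticed.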
Define Server Settings
The following are examples of settings available for the server:
Do not check the validity of the server certificate (dangerous: any host on the path can impersonate the server):
backend b_myapp
# ...
server app1 10.0.0.1:443 ssl verify none
Use a company's internal CA to check the server certificate; see also the ssl-server-verify global option to force validation for all servers by default.
backend b_myapp
# ...
server app1 10.0.0.1:443 ssl verify required ca-file /etc/haproxy/myca.pem
Use a client certificate to connect to a server; see also the ssl-server-verify global option to force validation for all servers by default.
backend b_myapp
# ...
server app1 10.0.0.1:443 ssl verify required ca-file /etc/haproxy/myca.pem crt /etc/haproxy/client.pem
Use the Host header as SNI when opening a TLS connection to a server (header names are matched case-insensitively, so req.hdr(host) is equivalent). On its own, sni only tells the server which certificate to present; it does not check the name, so pair it with verify required and verifyhost when the backend must be authenticated:
backend b_myapp
mode http
# ...
server app1 10.0.0.1:443 ssl sni req.hdr(Host)
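The configuration below is an added example for this page, not code from the ALOHA documentation or from HAProxy. It puts the global defaults and the server keywords from the tables above together and sets the page's "self-signed certificate" workaround (verify none) beside the corrected form, which keeps verification enabled by trusting exactly that certificate and checking the host name. The cipher strings use the same syntax as the page's example but are shorter and stricter. CA files, paths, host names and addresses are assumptions for illustration.

```haproxy
# Added example (not from the ALOHA page). Paths, names and addresses are assumed.

global
    # Defaults for every SSL-enabled bind and server line that does not set its
    # own options: no SSLv3, no TLS 1.0/1.1, no ticket resumption on listeners.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11
    # Forward-secret AEAD suites only (stricter than the page's long list).
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!eNULL:!MD5
    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    # Fail closed: a server certificate that does not validate aborts the connection
    # unless a server line explicitly says otherwise.
    ssl-server-verify required
    tune.ssl.default-dh-param 2048
    tune.ssl.cachesize 100000
    tune.ssl.lifetime 600

backend b_app1_weak
    mode http
    # The page's workaround for a self-signed server certificate: verification is
    # switched off, so any host able to intercept traffic to 10.0.0.1 can pose as
    # app1. Kept here only as the "before" state.
    server app1 10.0.0.1:443 ssl verify none

backend b_app1_hardened
    mode http
    # Same self-signed server: trust exactly that certificate by using it as the
    # CA file (a self-signed certificate is its own issuer), and check that the
    # name in it is the one expected, instead of disabling verification.
    server app1 10.0.0.1:443 ssl verify required ca-file /etc/haproxy/certs/app1-selfsigned.pem verifyhost app1.internal.mydomain.net

backend b_app2_internal_ca
    mode http
    # Server certificates issued by the company CA: pin the CA and honour its CRL,
    # send the SNI the certificate was issued for (a fixed string here rather than
    # the client's Host header), check the host name, and present a client
    # certificate if the server requests one.
    server app2 10.0.0.2:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem crl-file /etc/haproxy/certs/internal.crl sni str(app2.internal.mydomain.net) verifyhost app2.internal.mydomain.net crt /etc/haproxy/certs/haproxy-client.pem
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; a missing CA or PEM file, or a verifyhost value that does not match the server certificate, shows up as a hard error at that stage or as handshake failures in the logs rather than as silently unauthenticated connections.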