HAProxy SSLv3 제외하기

Tech Note 정보: 제끼나 님이 작성하신 글입니다.; 카테고리: [ Miscellaneous ]; 게시됨: 11 December 2020; 작성됨: 02 December 2020; 최종 변경: 11 December 2020; 조회수: 25775

haproxy.cfg 환경 설정 파일에 다음 옵션을 추가하면 됩니다.

ssl-default-bind-options no-sslv3
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

아래는 https://ssl-config.mozilla.org/ 사이트에서 제너레이트한 HAProxy 1.5 의 설정 파일 샘플입니다. :)

# generated 2020-12-10, Mozilla Guideline v5.6, HAProxy 1.5, OpenSSL 1.0.1e, intermediate configuration
# https://ssl-config.mozilla.org/#server=haproxy&version=1.5&config=intermediate&openssl=1.0.1e&guideline=5.6
global
    # intermediate configuration
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    tune.ssl.default-dh-param 2048

frontend ft_test
    mode    http
    bind    :443 ssl crt /path/to/< cert+privkey+intermediate>
    bind    :80
    redirect scheme https code 301 if !{ ssl_fc }

    # HSTS (63072000 seconds)
    http-response set-header Strict-Transport-Security max-age=63072000

ID 생성

HAProxy SSLv3 제외하기

sarc.logo

Docker 가상 환경 구축 입문 (by snowball)

MySQL & MariaDB (by kimdubi)

Tech Note

Tech Note 인기 Tags

게시판

메시지함

Sponsor