fabiolb / fabio

Consul Load-Balancing made simple
https://fabiolb.net
MIT License

Restricting TLS versions #859

Closed onuryurdupak closed 2 years ago

onuryurdupak commented 2 years ago

Binary Version: 1.5.8

I am running Fabio with: fabio -cfg fabio.properties

Contents of the fabio.properties are:

tlsmin=tls11
tlsmax=tls11
proxy.cs=cs=int;type=path;cert=/etc/fabio/ssl
proxy.addr=172.16.15.10:443;cs=int
proxy.maxconn=-1
registry.consul.addr=127.0.0.1:8500
registry.consul.tagprefix=urlprefix-

I was expecting that this would restrict TLS to version 1.1 only. But curl'ing the address in verbose mode shows that the SSL handshake can be done with version 1.3 too. Am I making an error in the tlsmin, tlsmax definitions or missing something else?

onuryurdupak commented 2 years ago

Seems like we had another LB in front of Fabio which handled SSL termination.
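
One way to check which TLS versions an endpoint really accepts, as an added example that is not part of the original thread or of Fabio's code: the probe offers exactly one protocol version per handshake and records which ones succeed. The local `httptest` listener pinned to TLS 1.1 is constructed to stand in for the listener in the question, and `probe` and `startPinned` are hypothetical names.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http/httptest"
	"time"
)

// versions lists every protocol version crypto/tls can offer, oldest first.
var versions = []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13}

// probe offers exactly one TLS version per handshake and returns the names of
// the versions the endpoint at addr completed a handshake with.
func probe(addr string) []string {
	var accepted []string
	for _, v := range versions {
		cfg := &tls.Config{
			MinVersion:         v,
			MaxVersion:         v,
			InsecureSkipVerify: true, // probe only: tests protocol support, not trust
		}
		d := &net.Dialer{Timeout: 3 * time.Second}
		conn, err := tls.DialWithDialer(d, "tcp", addr, cfg)
		if err != nil {
			continue // handshake rejected: this version is not accepted
		}
		accepted = append(accepted, tls.VersionName(conn.ConnectionState().Version))
		conn.Close()
	}
	return accepted
}

// startPinned starts a constructed local HTTPS listener limited to TLS 1.1,
// standing in (assumption) for a listener restricted with tlsmin/tlsmax=tls11.
func startPinned() *httptest.Server {
	srv := httptest.NewUnstartedServer(nil)
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS11, MaxVersion: tls.VersionTLS11}
	srv.StartTLS()
	return srv
}

func main() {
	srv := startPinned()
	defer srv.Close()
	fmt.Println("accepted:", probe(srv.Listener.Addr().String()))
}
```

Running `probe` once against the address clients use and once against the proxy's own listener shows which hop terminates TLS: if the two results differ, something in front of the proxy is answering the handshake.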