Open bren-doyle opened 3 years ago
Would this work?
    backend https_be
    default-server ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256
    server 10.255.2.5 10.255.2.5:443 ssl
    server 10.255.2.6 10.255.2.6:443 ssl
Could further simplify to:
    backend https_be
    default-server ssl ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256
    server 10.255.2.5 10.255.2.5:443
    server 10.255.2.6 10.255.2.6:443
On the frontend, the bind line takes a similar ciphers directive.
For the backend, yes, as already suggested in: https://discourse.haproxy.org/t/per-backend-cipher-suites/6346/2
No solution for the frontend though, so this does make sense.
Yes, that works for a hand-edited file, but when using the Data Plane API it does not work for ciphers (seems like a bug), so this is ignored: "default_server": {"ciphers": "ECDHE-RSA-AES128-GCM-SHA256"}
@bren-doyle this is a bug in the Data Plane API, we can track it here: https://github.com/haproxytech/dataplaneapi/issues/180
By the way, 'ssl-max-ver' and 'ssl-min-ver' are also ignored.
What should haproxy do differently? Which functionality do you think we should add?
I'd like to configure a list of ciphers on a per-backend basis, i.e. to be able to use ssl-default-server-ciphers in each backend section rather than having to use ciphers on each server line. I don't want to use ssl-default-server-ciphers in the global section as each backend can have a different set of ciphers. Here is an edited example from one of my configs:

    backend https_be
    server 10.255.2.5 10.255.2.5:443 ssl ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256
    server 10.255.2.6 10.255.2.6:443 ssl ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256

What I'd like to be able to do, and would be much cleaner, is:

    backend https_be
    option ssl-default-server-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256
    server 10.255.2.5 10.255.2.5:443 ssl
    server 10.255.2.6 10.255.2.6:443 ssl

But haproxy does not seem to support this. I don't know why; it would be a useful thing to do AND make config files easier to read.
What are you trying to do?
See above
Output of haproxy -vv and uname -a
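The thread settles on `default-server ssl ciphers ...` inside each backend as the per-backend mechanism: `default-server` keywords apply to every `server` line that follows it in the same section, and a keyword repeated on a `server` line overrides the default. The script below is an added example, not code from the haproxy or dataplaneapi projects. It resolves the settings each `server` line actually ends up with under that rule and then audits them for the things most often forgotten on the backend side: certificate verification (`verify` / `ca-file`), a minimum TLS version (`ssl-min-ver`, settable per backend the same way as `ciphers`, and also reported above as ignored by the Data Plane API), and the fact that `ciphers` only governs TLS 1.2 and below while TLS 1.3 suites are controlled by `ciphersuites`. The sample config, hostnames and CA path are constructed; the script deliberately does not model the `defaults` section or the global `ssl-default-server-*` settings, and the set of keywords it knows take an argument is a partial list (assumptions, noted in the code).

```python
"""Resolve the TLS settings each HAProxy backend server actually gets.

Added example, not haproxy or dataplaneapi project code.  Rule implemented:
'default-server' keywords apply to the 'server' lines that follow it in the
same backend/listen section; a keyword repeated on a 'server' line wins.
Assumptions: the 'defaults' section and global ssl-default-server-* settings
are not modelled; only keywords in VALUE_KEYWORDS take an argument.
"""
import shlex

# Server keywords that take exactly one argument.  Any other token is treated
# as a bare flag (e.g. 'ssl', 'check').  Partial list (assumption), enough
# for the sample below, not the full HAProxy server-line grammar.
VALUE_KEYWORDS = {
    "ciphers", "ciphersuites", "ssl-min-ver", "ssl-max-ver",
    "verify", "ca-file", "sni", "alpn", "weight", "maxconn",
}

# Constructed sample config: the first backend sets everything via
# default-server with one per-server override; the second shows a server
# line that relies on defaults and switches verification off.
SAMPLE_CONFIG = """
backend https_be
    default-server ssl ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256 ssl-min-ver TLSv1.2 verify required ca-file /etc/haproxy/backend-ca.pem
    server 10.255.2.5 10.255.2.5:443
    server 10.255.2.6 10.255.2.6:443 ciphers ECDHE-RSA-AES256-GCM-SHA384  # override

backend legacy_be
    server old1 10.255.3.1:443 ssl verify none
"""


def parse_keywords(tokens):
    """Turn ['ssl', 'ciphers', 'X', 'verify', 'none'] into a settings dict."""
    settings = {}
    i = 0
    while i < len(tokens):
        kw = tokens[i]
        if kw in VALUE_KEYWORDS:
            if i + 1 >= len(tokens):
                raise ValueError(f"keyword {kw!r} requires an argument")
            settings[kw] = tokens[i + 1]
            i += 2
        else:
            settings[kw] = True          # bare flag such as 'ssl'
            i += 1
    return settings


def effective_server_settings(config_text):
    """Return {backend: {server_name: effective settings}} (insertion ordered)."""
    backends = {}
    section = None          # (kind, name) of the section being read
    defaults = {}           # default-server settings of that section
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        tokens = shlex.split(line)
        head = tokens[0]
        if head in ("global", "defaults", "frontend", "backend", "listen"):
            section = (head, tokens[1] if len(tokens) > 1 else None)
            defaults = {}   # default-server does not carry across sections
            if head in ("backend", "listen"):
                backends[section[1]] = {}
            continue
        if section is None or section[0] not in ("backend", "listen"):
            continue
        if head == "default-server":
            defaults.update(parse_keywords(tokens[1:]))
        elif head == "server":
            name, addr = tokens[1], tokens[2]
            merged = dict(defaults)
            merged.update(parse_keywords(tokens[3:]))   # server line wins
            merged["address"] = addr
            backends[section[1]][name] = merged
    return backends


def audit(backends):
    """Return (severity, 'backend/server', message) findings for TLS servers."""
    findings = []
    for backend, servers in backends.items():
        for name, s in servers.items():
            if not s.get("ssl"):
                continue            # plain TCP to the backend, nothing to check
            where = f"{backend}/{name}"
            if s.get("verify", "required") == "none":     # 'required' is HAProxy's default
                findings.append(("WARN", where, "server certificate not verified (verify none)"))
            elif "ca-file" not in s:
                findings.append(("WARN", where, "verify required but no ca-file configured"))
            if "ssl-min-ver" not in s:
                findings.append(("WARN", where, "no ssl-min-ver on this server line"))
            if "ciphers" not in s:
                findings.append(("INFO", where, "no per-server ciphers; global/library default applies"))
            elif "ciphersuites" not in s:
                findings.append(("INFO", where, "ciphers covers TLS<=1.2 only; set ciphersuites for TLS 1.3"))
    return findings


if __name__ == "__main__":
    resolved = effective_server_settings(SAMPLE_CONFIG)
    for backend, servers in resolved.items():
        for name, s in servers.items():
            print(backend, name, s.get("ciphers"), s.get("ssl-min-ver"), s.get("verify"))
    for sev, where, msg in audit(resolved):
        print(f"{sev} {where}: {msg}")
```

Run against a real config, the resolver shows whether a `default-server` line really reached every server (a `server` line placed above it in the section does not inherit it), and the audit is a quick way to spot a backend that talks TLS to an origin it never authenticates. It is a static check only; confirm the live result with `haproxy -c -f <file>` and a test connection.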