haproxytech / kubernetes-ingress

HAProxy Kubernetes Ingress Controller
https://www.haproxy.com/documentation/kubernetes/
Apache License 2.0

How to enable only high-security SSL ciphers in HAProxy ingress? #659

Open agonzalezm opened 3 weeks ago

agonzalezm commented 3 weeks ago

The default HAProxy ingress install has many yellow insecure ciphers enabled. How can I enable only secure ciphers (the green ones)?


I tried this in the ingress YAML but it didn't work:

ingress.kubernetes.io/ssl-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384"

agonzalezm commented 2 weeks ago

Can anyone explain in detail how to remove these ciphers with the HAProxy ingress Helm charts installed?

fabianonunes commented 2 weeks ago

You can use the global-config-snippet option in ConfigMap to set the ciphers:

apiVersion: v1
kind: ConfigMap
metadata:
  name: haproxy-kubernetes-ingress
  namespace: default
data:
  global-config-snippet: |
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets

If you are using Helm, you can pass these options in controller.config from values.yaml:

# (...)
controller:
  config:
    global-config-snippet: |
      ssl-default-bind-ciphersuites ...
      ssl-default-bind-options ...
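
A small linter for the `global-config-snippet` discussed in this thread, added here as an example and not code from the thread or the HAProxy project. It reports which TLS versions the `no-*` options leave enabled and whether a cipher directive covers each one; the name `audit_snippet`, the TLS 1.2 variant and the strong-cipher policy are assumptions.

```python
import re

# Constructed sample inputs: the snippet from the answer above, and a variant
# (assumed for illustration) that keeps TLS 1.2 but sets no TLS 1.2 cipher list.
ANSWER_SNIPPET = """\
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets
"""
TLS12_VARIANT = """\
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
"""

VERSIONS = ["sslv3", "tlsv10", "tlsv11", "tlsv12", "tlsv13"]
# Assumed policy: forward-secret key exchange plus an AEAD cipher.
STRONG_TLS12 = re.compile(r"^(ECDHE|DHE)-.*(GCM|CHACHA20)")


def audit_snippet(snippet):
    """Return (not_disabled_versions, findings) for an HAProxy global snippet."""
    directives = {}
    for line in snippet.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            directives[parts[0]] = parts[1:]

    options = directives.get("ssl-default-bind-options", [])
    # Only the no-* options are read; ssl-min-ver/ssl-max-ver and build defaults are not modelled.
    not_disabled = [v for v in VERSIONS if "no-" + v not in options]
    findings = []

    if any(v in not_disabled for v in ("sslv3", "tlsv10", "tlsv11")):
        findings.append("legacy protocol version not disabled")
    if "tlsv12" in not_disabled:
        # ssl-default-bind-ciphers governs TLS 1.2 and below;
        # ssl-default-bind-ciphersuites only governs TLS 1.3.
        tls12 = directives.get("ssl-default-bind-ciphers")
        if not tls12:
            findings.append("TLS 1.2 enabled but ssl-default-bind-ciphers unset")
        else:
            weak = [c for c in tls12[0].split(":") if not STRONG_TLS12.match(c)]
            findings += ["weak TLS 1.2 cipher: " + c for c in weak]
    if "tlsv13" in not_disabled and "ssl-default-bind-ciphersuites" not in directives:
        findings.append("TLS 1.3 enabled but ssl-default-bind-ciphersuites unset")
    return not_disabled, findings
```

Run it over the snippet before applying the ConfigMap or Helm values; an empty findings list for `ANSWER_SNIPPET` reflects that only TLS 1.3 with its three listed suites remains.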