
haproxy - How to enable TLSv1.0 in the haproxy configuration

Repost. Author: 行者123. Updated: 2023-12-03 08:49:11

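We have a haproxy instance, and one of our applications supports only TLSv1.0. When it tries to connect through this haproxy, it fails with a handshake failure.

How can I enable TLSv1.0 support on this haproxy instance? Below is my haproxy.cfg: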

global
daemon

log /var/log local0 debug
maxconn 4000

ssl-default-bind-options no-sslv3
tune.ssl.default-dh-param 2048

stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3

timeout http-request 10m
timeout connect 10s
timeout client 10s
timeout server 10s

#---------------------------------------------------------------------
frontend api_passthrough

bind *:443 ssl crt /usr/local/etc/certs/ ciphers CECPQ1-RSA-AES256-GCM-SHA384:CECPQ1-RSA-CHACHA20-POLY1305-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-CCM:DHE-RSA-AES256-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES256-CCM8:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA256-SHA256:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CAMELLIA128-SHA256:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:CECPQ1-ECDSA-AES256-GCM-SHA384:CECPQ1-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-DSS-CAMELLIA128-SHA256:DHE-DSS-CAMELLIA256-SHA256
log /dev/log local0 debug
use_backend hapstats if { path_beg /stats }
default_backend api-gateway

#---------------------------------------------------------------------
backend api-gateway
http-request add-header x-amz-apigw-id xxxxxx

server vpce-1 10.xx.xx.xxx:443 check ssl verify none
server vpce-2 10.xx.xxx.xxx:443 check ssl verify none
server vpce-3 10.xx.xx.xx:443 check ssl verify none

backend hapstats
server haproxy 127.0.0.1:8888 check

listen stats
bind 127.0.0.1:8888
mode http
log global
maxconn 10
timeout client 100s
timeout server 100s
timeout connect 100s
timeout queue 100s

stats enable
stats admin if TRUE
stats hide-version
stats refresh 30s
stats show-node
stats uri /stats
stats auth admin:admin

I went through some posts that suggested adding

 ssl-default-bind-options TLSv1.0 ssl-min-ver

I have tried that, but I get an error when reloading the configuration:

unknown option 'TLSv1.0' on global statement 'ssl-default-bind-options'

Best answer

ssl-default-bind-options TLSv1.0 ssl-min-ver

The syntax is incorrect.
Reading the documentation, you can see that the correct syntax is ssl-default-bind-options ssl-min-ver TLSv1.0
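
A small checker for the keyword order discussed above, added here as an example (not code from the original post or from HAProxy): it flags a version written before `ssl-min-ver` and reports the effective minimum TLS version for each `bind`. The function names, the sample configs and the `*:8443` listener are assumptions; it goes one step beyond the answer by also showing `ssl-min-ver` set on a single `bind`, so the TLSv1.0 floor applies only to the legacy client's listener.

```python
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
VER_KEYWORDS = ("ssl-min-ver", "ssl-max-ver")

def parse_ver_options(tokens):
    """Walk option tokens; return ({keyword: version}, [errors])."""
    found, errors, i = {}, [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in VER_KEYWORDS:
            arg = tokens[i + 1] if i + 1 < len(tokens) else None
            if arg in VERSIONS:
                found[tok] = arg
                i += 2
                continue
            errors.append(f"'{tok}' needs a version argument, got {arg!r}")
        elif tok in VERSIONS:
            # A bare version is not an option: the keyword must come first.
            errors.append(f"unknown option '{tok}'; write 'ssl-min-ver {tok}'")
        i += 1
    return found, errors

def audit(cfg_text):
    """Return (errors, {bind address: effective ssl-min-ver, None if unset})."""
    default_min, errors, binds = None, [], {}
    for n, raw in enumerate(cfg_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] == "ssl-default-bind-options":
            found, errs = parse_ver_options(tokens[1:])
            default_min = found.get("ssl-min-ver", default_min)
        elif tokens[0] == "bind" and "ssl" in tokens[2:]:
            found, errs = parse_ver_options(tokens[2:])
            binds[tokens[1]] = found.get("ssl-min-ver")  # None = inherit default
        else:
            continue
        errors += [f"line {n}: {e}" for e in errs]
    # Resolve inheritance once the whole file has been read.
    return errors, {addr: v or default_min for addr, v in binds.items()}

# Constructed samples: the asker's line, the answer's fix, a per-bind scope.
ASKED = ("global\n ssl-default-bind-options TLSv1.0 ssl-min-ver\n"
         "frontend f\n bind *:443 ssl crt /c/\n")
FIXED = ASKED.replace("TLSv1.0 ssl-min-ver", "ssl-min-ver TLSv1.0")
SCOPED = ("global\n ssl-default-bind-options ssl-min-ver TLSv1.2\n"
          "frontend f\n bind *:443 ssl crt /c/\n"
          " bind *:8443 ssl crt /c/ ssl-min-ver TLSv1.0\n")

if __name__ == "__main__":
    for name, cfg in (("asked", ASKED), ("fixed", FIXED), ("scoped", SCOPED)):
        print(name, audit(cfg))
```

`ssl-min-ver` only lowers the protocol floor; the handshake still requires a suite in the bind's `ciphers` list that a TLSv1.0 client can negotiate.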

Regarding "haproxy - How to enable TLSv1.0 in the haproxy configuration", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/59991542/
