DOC: Document the new tls-ticket-keys bind keyword

Signed-off-by: Nenad Merdanovic <nmerdan@anine.io>
This commit is contained in:
Nenad Merdanovic 2015-02-27 19:56:50 +01:00 committed by Willy Tarreau
parent 05552d4b98
commit 188ad3e9a2
1 changed files with 12 additions and 0 deletions


@ -8969,6 +8969,18 @@ tfo
need to build HAProxy with USE_TFO=1 if your libc doesn't define
TCP_FASTOPEN.
tls-ticket-keys <keyfile>
Sets the TLS ticket keys file to load the keys from. The keys need to be 48
bytes long, encoded with base64 (ex. openssl rand -base64 48). Number of keys
is specified by the TLS_TICKETS_NO build option (default 3) and at least as
many keys need to be present in the file. Last TLS_TICKETS_NO keys will be
used for decryption and the penultimate one for encryption. This enables easy
key rotation by just appending new key to the file and reloading the process.
Keys must be periodically rotated (ex. every 12h) or Perfect Forward Secrecy
is compromised. It is also a good idea to keep the keys off any permanent
storage such as hard drives (hint: use tmpfs and don't swap those files).
Lifetime hint can be changed using tune.ssl.timeout.
transparent
Is an optional keyword which is supported only on certain Linux kernels. It
indicates that the addresses will be bound even if they do not belong to the
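Review bot: the new tls-ticket-keys paragraph does not say what happens when the file contains fewer than TLS_TICKETS_NO keys, although it states "at least as many keys need to be present in the file"; please document whether the process refuses to start or falls back to non-ticket resumption, since an unnoticed fallback after a reload changes resumption behaviour without any visible error. The ordering sentence "Last TLS_TICKETS_NO keys will be used for decryption and the penultimate one for encryption" also deserves one more sentence making explicit that the newest key is the one appended last and that the key before it is the one used for encryption, so an operator rotating keys knows which entry is currently issuing tickets. Minor wording: "by just appending new key" should read "by just appending a new key", and "ex." is better written "e.g." in both places.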