RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-04-11 03:31:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

DOC: add missing SSL options for servers and listeners

Browse Source
This commit is contained in:
Willy Tarreau 2012-09-10 09:01:23 +02:00
parent 69845dfcf3
commit a0ee1d05f3
1 changed files with 81 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
doc/configuration.txt
View File

@ -1488,6 +1488,12 @@ bind [<address>]:<port_range> [, ...] transparent
bind [<address>]:<port_range> [, ...] id <id> bind [<address>]:<port_range> [, ...] id <id>
bind [<address>]:<port_range> [, ...] name <name> bind [<address>]:<port_range> [, ...] name <name>
bind [<address>]:<port_range> [, ...] defer-accept bind [<address>]:<port_range> [, ...] defer-accept
bind [<address>]:<port_range> [, ...] ssl
bind [<address>]:<port_range> [, ...] crt <cert>
bind [<address>]:<port_range> [, ...] ciphers <ciphers>
bind [<address>]:<port_range> [, ...] nosslv3
bind [<address>]:<port_range> [, ...] notlsv1
bind [<address>]:<port_range> [, ...] prefer-server-ciphers
bind /<path> [, ...] bind /<path> [, ...]
bind /<path> [, ...] mode <mode> bind /<path> [, ...] mode <mode>
bind /<path> [, ...] [ user <user> | uid <uid> ] bind /<path> [, ...] [ user <user> | uid <uid> ]
@ -1611,6 +1617,31 @@ bind /<path> [, ...] [ group <user> | gid <gid> ]
"unix-bind" statement. Note that some platforms simply ignore "unix-bind" statement. Note that some platforms simply ignore
this. this.
<cert> designates a PEM file from which to load both a certificate
and the assocaited private key. This file can be build by
concatenating both PEM files into one. If a directory name is
used instead of a PEM file, then all files found in that
directory will be loaded. This directive may be specified
multiple times in order to load certificates from multiple
files or directories. The certificates will be presented to
clients who provide a valid TLS Server Name Indication field
matching one of their CN or alt subjects. Wildcards are
supported, where a wildcard character '*' is used instead of
the first hostname component (eg: *.example.org matches
www.example.org but not www.sub.example.org). If no SNI is
provided by the client or if the SSL library does not support
TLS extensions, or if the client provides and SNI which does
not match any certificate, then the first loaded certificate
will be presented. This means that when loading certificates
from a directory, it is highly recommended to load the
default one first as a file. Note that the same cert may be
loaded multiple times without side effects.
<ciphers> is the string describing the list of cipher algorithms that
is negociated during the SSL/TLS handshake. The format of the
string is defined in "man 1 ciphers", and can be for instance
"AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH".
transparent is an optional keyword which is supported only on certain transparent is an optional keyword which is supported only on certain
Linux kernels. It indicates that the addresses will be bound Linux kernels. It indicates that the addresses will be bound
even if they do not belong to the local machine. Any packet even if they do not belong to the local machine. Any packet
@ -1649,6 +1680,24 @@ bind /<path> [, ...] [ group <user> | gid <gid> ]
X-Forwarded-For mechanism which is not always reliable and X-Forwarded-For mechanism which is not always reliable and
not even always usable. not even always usable.
ssl enables SSL deciphering on connections instanciated from this
listener. A certificate is necessary (see "crt" above). All
contents in the buffers will be in clear text, so that ACLs
and HTTP processing will only have access to deciphered
contents.
nosslv3 disables support for SSLv3 when SSL is supported. Note that
SSLv2 is disabled in the code and cannot be enabled using any
configuration option.
notlsv1 disables support for TLSv1 when SSL is supported. Note that
SSLv2 is disabled in the code and cannot be enabled using any
configuration option.
prefer-server-ciphers
tells the SSL/TLS layer that our set of cipher algorithms is
preferred over the client's ones.
It is possible to specify a list of address:port combinations delimited by It is possible to specify a list of address:port combinations delimited by
commas. The frontend will then listen on all of these addresses. There is no commas. The frontend will then listen on all of these addresses. There is no
fixed limit to the number of addresses and ports which can be listened on in fixed limit to the number of addresses and ports which can be listened on in
@ -1661,6 +1710,10 @@ bind /<path> [, ...] [ group <user> | gid <gid> ]
bind 10.0.0.1:10080,10.0.0.1:10443 bind 10.0.0.1:10080,10.0.0.1:10443
bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy bind /var/run/ssl-frontend.sock user root mode 600 accept-proxy
listen http_https_proxy
bind :80
bind :443 ssl crt /etc/haproxy/site.pem prefer-server-ciphers
See also : "source", "option forwardfor", "unix-bind" and the PROXY protocol See also : "source", "option forwardfor", "unix-bind" and the PROXY protocol
documentation. documentation.
@ -6867,6 +6920,16 @@ check
Supported in default-server: No Supported in default-server: No
ciphers <ciphers>
This option sets the string describing the list of cipher algorithms that is
is negociated during the SSL/TLS handshake with the server. The format of the
string is defined in "man 1 ciphers". When SSL is used to communicate with
servers on the local network, it is common to see a weaker set of algorithms
than what is used over the internet. Doing so reduces CPU usage on both the
server and haproxy while still keeping it compatible with deployed software.
Some algorithms such as RC4-SHA1 are reasonably cheap. If no security at all
is needed and just connectivity, using DES can be appropriate.
cookie <value> cookie <value>
The "cookie" parameter sets the cookie value assigned to the server to The "cookie" parameter sets the cookie value assigned to the server to
<value>. This value will be checked in incoming requests, and the first <value>. This value will be checked in incoming requests, and the first
@ -6976,6 +7039,17 @@ minconn <minconn>
Supported in default-server: Yes Supported in default-server: Yes
nosslv3
This option disables support for SSLv3 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option.
notlsv1
This option disables support for TLSv1 when SSL is used to communicate with
the server. Note that SSLv2 is disabled in the code and cannot be enabled
using any configuration option. TLSv1 is more expensive than SSLv3 so it
often makes sense to disable it when communicating with local servers.
non-stick non-stick
Never add connections allocated to this sever to a stick-table. Never add connections allocated to this sever to a stick-table.
This may be used in conjunction with backup to ensure that This may be used in conjunction with backup to ensure that
@ -7131,6 +7205,13 @@ source <addr>[:<pl>[-<ph>]] [interface <name>] ...
Supported in default-server: No Supported in default-server: No
ssl
This option enables SSL ciphering on outgoing connections to the server. At
the moment, server certificates are not checked, so this is prone to man in
the middle attacks. The real intended use is to permit SSL communication
with software which cannot work in other modes over networks that would
otherwise be considered safe enough for clear text communications.
track [<proxy>/]<server> track [<proxy>/]<server>
This option enables ability to set the current state of the server by This option enables ability to set the current state of the server by
tracking another one. Only a server with checks enabled can be tracked tracking another one. Only a server with checks enabled can be tracked