mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-11 22:15:14 +00:00
655e26af24
This new keyword matches an dotted version mapped into an integer. It permits to match an SSL message protocol version just as if it was an integer, so that it is easy to map ranges, like this : acl obsolete_ssl req_ssl_ver lt 3 acl correct_ssl req_ssl_ver 3.0-3.1 acl invalid_ssl req_ssl_ver gt 3.1 Both SSLv2 hello messages and SSLv3 messages are supported. The test tries to be strict enough to avoid being easily fooled. In particular, it waits for as many bytes as announced in the message header if this header looks valid (bound to the buffer size). The same decoder will be usable with minor changes to check the response messages.
38 lines
1.2 KiB
INI
38 lines
1.2 KiB
INI
# This is a test configuration. It listens on port 8443, waits for an incoming
|
|
# connection, and applies the following rules :
|
|
# - if the address is in the white list, then accept it and forward the
|
|
# connection to the server (local port 443)
|
|
# - if the address is in the black list, then immediately drop it
|
|
# - otherwise, wait up to 3 seconds for valid SSL data to come in. If those
|
|
# data are identified as SSL, the connection is immediately accepted, and
|
|
# if they are definitely identified as non-SSL, the connection is rejected,
|
|
# which will happen upon timeout if they still don't match SSL.
|
|
|
|
listen block-non-ssl
|
|
log 127.0.0.1:514 local0
|
|
option tcplog
|
|
|
|
mode tcp
|
|
bind :8443
|
|
timeout client 6s
|
|
timeout server 6s
|
|
timeout connect 6s
|
|
|
|
tcp-request inspect-delay 4s
|
|
|
|
acl white_list src 127.0.0.2
|
|
acl black_list src 127.0.0.3
|
|
|
|
# note: SSLv2 is not used anymore, SSLv3.1 is TLSv1.
|
|
acl obsolete_ssl req_ssl_ver lt 3
|
|
acl correct_ssl req_ssl_ver 3.0-3.1
|
|
acl invalid_ssl req_ssl_ver gt 3.1
|
|
|
|
tcp-request content accept if white_list
|
|
tcp-request content reject if black_list
|
|
tcp-request content reject if !correct_ssl
|
|
|
|
balance roundrobin
|
|
server srv1 127.0.0.1:443
|
|
|