1

我们有一个 haproxy 实例,我们的一个应用程序仅支持 TLSv1.0。当它尝试通过此 haproxy 进行连接时,它会因握手失败而失败。

如何在此 haproxy 实例上启用 TLSv1.0 支持。下面是我的 haproxy.cfg

global
daemon

log         /var/log local0 debug
maxconn     4000

ssl-default-bind-options   no-sslv3
tune.ssl.default-dh-param  2048

stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
defaults
mode                    http
log                     global
option                  httplog
option                  dontlognull
option                  http-server-close
option                  forwardfor       except 127.0.0.0/8
option                  redispatch
retries                 3

timeout http-request    10m
timeout connect         10s
timeout client          10s
timeout server          10s

#---------------------------------------------------------------------
frontend api_passthrough

bind *:443 ssl crt /usr/local/etc/certs/ ciphers CECPQ1-RSA-AES256-GCM-SHA384:CECPQ1-RSA-CHACHA20-POLY1305-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-CCM:DHE-RSA-AES256-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES256-CCM8:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA256-SHA256:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CAMELLIA128-SHA256:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:CECPQ1-ECDSA-AES256-GCM-SHA384:CECPQ1-ECDSA-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DHE-DSS-CAMELLIA128-SHA256:DHE-DSS-CAMELLIA256-SHA256
log /dev/log local0 debug
use_backend hapstats if { path_beg /stats }
default_backend api-gateway

#---------------------------------------------------------------------
backend api-gateway
http-request add-header x-amz-apigw-id xxxxxx

server vpce-1 10.xx.xx.xxx:443 check ssl verify none
server vpce-2 10.xx.xxx.xxx:443 check ssl verify none
server vpce-3 10.xx.xx.xx:443 check ssl verify none

backend hapstats
server haproxy 127.0.0.1:8888 check

listen stats
bind 127.0.0.1:8888
mode http
log global
maxconn 10
timeout client 100s
timeout server 100s
timeout connect 100s
timeout queue 100s

stats enable
stats admin if TRUE
stats hide-version
stats refresh 30s
stats show-node
stats uri /stats
stats auth admin:admin

我浏览了一些建议添加的帖子

 ssl-default-bind-options TLSv1.0 ssl-min-ver

我已经尝试过了,在重新加载配置时出现错误

unknown option 'TLSv1.0' on global statement 'ssl-default-bind-options'
4

1 回答 1

3

ssl-default-bind-options TLSv1.0 ssl-min-ver

语法不正确。
阅读文档哟可以看到正确的语法是ssl-default-bind-options ssl-min-ver TLSv1.0

于 2020-02-16T15:24:04.147 回答