Markus, thanks so much for your support. So I will upgrade my haproxy to the latest version as soon as I can, and I will apply what you told me.
Regards!

On Tue, 25 Oct 2022 at 7:49, Markus Rietzler (<[email protected]>) wrote:
>
> On 24.10.22 at 15:50, Aleksandar Lazic wrote:
> > Hi Roberto.
> >
> > On 24.10.22 03:21, Roberto Carna wrote:
> >> Dear, I have this scenario:
> >>
> >> Internet --> HAproxy Frontend --> HAproxy Backend --> Web servers
> >
> > What is the config for the frontend of the HAProxy Frontend?
> >
> > BTW.: HAProxy 1.5 isn't maintained any more since 2020-01-10
> > https://www.haproxy.org/
> >
> > You can get a more recent version from these repos.
> > https://github.com/iusrepo?q=hap&type=all&language=&sort=
> > https://github.com/DBezemer/rpm-haproxy
> >
> >> Thanks in advance, greetings!!!
> >
> > Regards
> > Alex
> >
>
> you really should upgrade haproxy.
>
> to configure ssl versions you can set global options (eg)
>
> ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
>
> in the global section. here i disallow tls v1.0 and v1.1.
> you can have a look at
>
> https://mozilla.github.io/server-side-tls/ssl-config-generator/
>
> to get a valid ssl config with ciphers etc.
>
> you have to consider two things:
>
> 1) which clients will access your haproxy (frontend). if you have old or
> legacy browsers or even some applications with (old java) this will
> affect the choice of ciphers and protocols.
>
> 2) which openssl version is installed on your server and which openssl
> version will haproxy use. Some old openssl libs don't support
> tls v1.2.... (maybe even not v1.1, if it's toooo old)
>
> markus
>
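
An added example, not part of the original thread or of HAProxy itself: a small Python audit that reports, for each SSL `bind` line in an haproxy.cfg, which legacy protocol versions are not explicitly disabled once `ssl-default-bind-options` from the global section is applied. The sample config, paths and ports are constructed; the script assumes a version is enabled unless the config disables it, that the last `ssl-min-ver` wins (a keyword only newer HAProxy releases accept), and it ignores `force-tlsv*` keywords.

```python
# Added example (not from the thread): list legacy protocol versions that an
# haproxy.cfg leaves enabled on each SSL "bind" line.
SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}
ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv3": "no-sslv3", "TLSv1.0": "no-tlsv10", "TLSv1.1": "no-tlsv11"}

# Constructed sample config; the paths and ports are assumptions.
SAMPLE_CFG = """\
global
    ssl-default-bind-options no-sslv3 no-tls-tickets

frontend www
    bind :443 ssl crt /etc/haproxy/site.pem
    bind :8443 ssl crt /etc/haproxy/site.pem no-tlsv10 no-tlsv11

frontend api
    bind :9443 ssl crt /etc/haproxy/site.pem ssl-min-ver TLSv1.2
    bind :80
"""

def still_enabled(tokens):
    """Legacy versions that the option tokens do not explicitly disable."""
    floor = 0
    for i, tok in enumerate(tokens[:-1]):
        if tok == "ssl-min-ver" and tokens[i + 1] in ORDER:
            floor = ORDER.index(tokens[i + 1])  # assumption: last occurrence wins
    return [v for v, kw in LEGACY.items()
            if kw not in tokens and ORDER.index(v) >= floor]

def audit(cfg_text):
    """Return {"<section> <address>": [legacy versions]} for each SSL bind."""
    section, defaults, binds = "", [], []
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not words:
            continue
        if words[0] in SECTIONS:
            section = " ".join(words[:2])
        elif section == "global" and words[0] == "ssl-default-bind-options":
            defaults += words[1:]
        elif words[0] == "bind" and "ssl" in words[2:]:
            binds.append((f"{section} {words[1]}", words[2:]))
    # Global defaults apply to every bind; per-bind keywords are appended.
    return {name: still_enabled(defaults + opts) for name, opts in binds}

if __name__ == "__main__":
    for name, versions in audit(SAMPLE_CFG).items():
        print(name, "->", ", ".join(versions) or "no legacy versions enabled")
```

An empty list for a bind only means the config text disables the legacy versions; what the listener really negotiates still depends on the OpenSSL build HAProxy is linked against, which `haproxy -vv` reports.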

