On 2013-08-20 18:06, Vincent Bernat wrote:
> ❦ 20 August 2013 23:37 CEST, Erwin Schliske <[email protected]> :
>> is it possible to use SSL with PFS (Perfect Forward Secrecy) in
>> HAProxy 1.5?
> Yes. There is nothing to do. It works out of the box. If you modify
> default ciphers, just ensure that they contain the appropriate DHE or
> ECDH ciphers. You can check this with `openssl ciphers`.
For example:
  frontend ft_test
    mode http
    bind 0.0.0.0:443 ssl crt /etc/ssl/private/<concat cert + privkey> ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
    # Enable this if you want HSTS (recommended, but be careful)
    # rspadd Strict-Transport-Security:\ max-age=31536000
---
Julien Vehent
(307) 363-2101
http://jve.linuxwall.info
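The reply above says to verify a custom cipher string with `openssl ciphers`. The script below is an added example, not part of either message: it parses the verbose `openssl ciphers -v` listing and reports every suite whose key exchange is static (Kx neither ECDH nor DH), which is exactly the set that does not provide forward secrecy. The embedded SAMPLE is a constructed excerpt of that listing for a few suites from the cipher string in the reply, not output captured from a real host; `non_pfs_ciphers` and `check_cipher_string` are names chosen here. Note that the check covers key exchange only: a suite such as ECDHE-RSA-RC4-SHA passes it while still relying on RC4, and the non-ephemeral tail of the string (AES256-GCM-SHA384, AES128-GCM-SHA256, RC4-SHA, HIGH) is what this script is meant to surface.

```shell
#!/bin/sh
# Added example: flag suites in an `openssl ciphers -v` listing that lack
# forward secrecy. Format per line: NAME PROTO Kx=... Au=... Enc=... Mac=...

# Constructed sample of `openssl ciphers -v` output (not captured from a
# real system); it mixes ephemeral (ECDH/DH) and static (RSA) key exchange.
SAMPLE='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1'

# non_pfs_ciphers: read a verbose cipher listing on stdin and print, one per
# line, the names of suites whose Kx field is neither ECDH nor DH.
non_pfs_ciphers() {
    awk '{
        kx = ""
        for (i = 2; i <= NF; i++) if ($i ~ /^Kx=/) kx = substr($i, 4)
        if (kx != "ECDH" && kx != "DH") print $1
    }'
}

# check_cipher_string: live check of a cipher string with the local openssl,
# as the reply suggests. Returns 1 (and lists offenders) if any suite in the
# expanded string lacks forward secrecy, 0 otherwise.
check_cipher_string() {
    offenders=$(openssl ciphers -v "$1" | non_pfs_ciphers)
    if [ -n "$offenders" ]; then
        echo "Suites without forward secrecy:"
        echo "$offenders"
        return 1
    fi
    echo "All suites use ephemeral (EC)DH key exchange."
    return 0
}

# Offline demonstration on the constructed sample: prints the two RSA-Kx suites.
printf '%s\n' "$SAMPLE" | non_pfs_ciphers
```

To check the string from the configuration on a real host, call `check_cipher_string 'ECDHE-RSA-AES256-GCM-SHA384:...:!PSK'` with the full value; a non-zero exit means at least one suite in the expansion (including anything pulled in by the HIGH alias) negotiates a static RSA key exchange and must be removed or ordered after the ephemeral suites.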