Re: tcpdump and Haproxy SSL Offloading

Lukas Tribus Sun, 05 Jun 2016 03:20:08 -0700

Hi,


Am 05.06.2016 um 02:19 schrieb Igor Cicimov:


> In haproxy.cfg I used these cipher I found recommended:
> ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM

I would not recommend this. Check [1] and [2] for some uptodaterecommendations.

Yes, removing ECDHE-RSA-AES256-SHA will force the server to use thenon-FS RC4 cipher.

Regarding the 408 problem, please have a look at the http-ignore-probesoption [3].




Regards,

Lukas



[1] https://wiki.mozilla.org/Security/Server_Side_TLS

[2]https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.6&openssl=1.0.2&hsts=no&profile=intermediate[3]http://cbonte.github.io/haproxy-dconv/configuration-1.6.html#4-option%20http-ignore-probes

Re: tcpdump and Haproxy SSL Offloading

Reply via email to