I'm rewriting a complex HAProxy config file and would like to be sure how
ssl-default-bind-options and bind options work together.

I would like to configure safe options by default, but still allow
less-safe protocols on some frontends. I'm puzzled by the "force-X"
documentation (does it really "force" the protocol or just allow it? What if I
use several force-X options all together?) and want to be sure of the

Here is what I would like to do:
frontend foo: supports TLS 1.2 and TLS 1.3
frontend foo-unsecure: supports everything from SSLv3 to TLS 1.3
frontend foo-unsecure2: supports TLS 1.1 to TLS 1.3

And here is how I would write it down:

# Default (safe) config:
ssl-default-bind-options no-sslv3 no-tls10 no-tls11

frontend foo
    bind ssl

frontend foo-unsecure
    bind ssl force-sslv3 force-tls10 force-tls11

frontend foo-unsecure2
    bind ssl force-tls11

I don't want to use 'ssl-min-ver' or 'ssl-max-ver' because the config file
is auto-generated from a database, and it would make the code more

Thank you for your feedback.

