Hello,
I'm rewriting a complex HAProxy config file and would like to be sure how
ssl-default-bind-options and bind options work together.

I would like to configure safe options by default, but still allow
less-safe protocols on some frontends. I'm puzzled by the "force-X"
documentation (does it really "force" the protocol or just allow it? What if I
use several force-X options all together?) and want to be sure of the
behaviour.

Here is what I would like to do:
frontend foo: supports TLS 1.2 and TLS 1.3
frontend foo-unsecure: supports everything from SSLv3 to TLS 1.3
frontend foo-unsecure2: supports TLS 1.1 to TLS 1.3

And here is how I would write it down:

# Default (safe) config: disable SSLv3, TLS 1.0 and TLS 1.1 on every bind
# (HAProxy keyword spelling is no-tlsv10 / no-tlsv11, not no-tls10 / no-tls11)
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

# 'ssl' on a bind line needs a certificate; the crt path below is a placeholder
# Intent: TLS 1.2 and TLS 1.3 only (inherits the defaults unchanged)
frontend foo
    bind 127.0.0.1:8080 ssl crt /path/to/cert.pem

# Intent: everything from SSLv3 to TLS 1.3
frontend foo-unsecure
    bind 127.0.0.1:1234 ssl crt /path/to/cert.pem force-sslv3 force-tlsv10 force-tlsv11

# Intent: TLS 1.1 to TLS 1.3
frontend foo-unsecure2
    bind 127.0.0.1:4321 ssl crt /path/to/cert.pem force-tlsv11


I don't want to use 'ssl-min-ver' or 'ssl-max-ver' because the config file
is auto-generated from a database, and it would make the code more
difficult.

Thank you for your feedback.

Olivier
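Whatever the force-X semantics turn out to be, the reliable way to settle the question is to probe each frontend and see which versions it actually negotiates. The script below is an added example, not part of Olivier's message or of HAProxy; it assumes openssl(1) is in PATH and uses the three 127.0.0.1 ports from the config above as placeholders.

```shell
#!/bin/sh
# Empirically check which protocol versions each HAProxy frontend accepts,
# so the combined effect of ssl-default-bind-options and per-bind options
# is verified rather than inferred from the documentation.
# Assumes: openssl(1) in PATH, HAProxy listening on the ports from the config.

# probe HOST PORT VER
#   VER is an openssl s_client version flag name: ssl3 tls1 tls1_1 tls1_2 tls1_3
#   returns 0 = accepted, 1 = rejected, 2 = this openssl build cannot speak VER
probe() {
    # "-VER" pins the client to exactly one version; </dev/null closes the
    # session right after the handshake so the probe does not block.
    if out=$(openssl s_client -connect "$1:$2" "-$3" </dev/null 2>&1); then
        rc=0
    else
        rc=$?
    fi
    case $out in
        *"nknown option"*)     return 2 ;;  # e.g. -ssl3 on a build without SSLv3
        *"Cipher is (NONE)"*)  return 1 ;;  # handshake refused by the server
    esac
    [ "$rc" -eq 0 ] && return 0
    return 1
}

# matrix HOST PORT -> one "VER accept|reject|unsupported-by-client" line per version
matrix() {
    for ver in ssl3 tls1 tls1_1 tls1_2 tls1_3; do
        rc=0
        probe "$1" "$2" "$ver" || rc=$?
        case $rc in
            0) echo "$ver accept" ;;
            1) echo "$ver reject" ;;
            *) echo "$ver unsupported-by-client" ;;
        esac
    done
}

# Expected for the intent described in the message:
#   8080 (foo):           ssl3 tls1 tls1_1 reject; tls1_2 tls1_3 accept
#   1234 (foo-unsecure):  everything accept (where the client build allows it)
#   4321 (foo-unsecure2): ssl3 tls1 reject; tls1_1 tls1_2 tls1_3 accept
for port in 8080 1234 4321; do
    echo "== 127.0.0.1:$port"
    matrix 127.0.0.1 "$port"
done
```

Any row that differs from the expected table shows where the bind-level options did not combine with the defaults the way the config intended.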
