haproxy tls1.0 至 tls1.3 代理

Question 1

使用 HAProxy，您可以为绑定和服务器在全局部分，它看起来可能像这样：

global
    # modern bind configuration, Only TLS1.3 enabled.
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets

或者

global   
   # old configuration for the server side, only sslv3 and below are disabled, tls1.0,tls1.2 and tls1.3 are all enabled.
   ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tls-tickets
    # you may also add the below:
    ssl-server-verify                none

我希望这对你有用。HAProxy 非常灵活，可以满足你的需求。 参考：https://ssl-config.mozilla.org/#server=haproxy

Answer

使用 HAProxy，您可以为绑定和服务器在全局部分，它看起来可能像这样：

global
    # modern bind configuration, Only TLS1.3 enabled.
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets

或者

global   
   # old configuration for the server side, only sslv3 and below are disabled, tls1.0,tls1.2 and tls1.3 are all enabled.
   ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tls-tickets
    # you may also add the below:
    ssl-server-verify                none

我希望这对你有用。HAProxy 非常灵活，可以满足你的需求。 参考：https://ssl-config.mozilla.org/#server=haproxy

Question 2

我遇到了完全相同的问题，互联网上没有解决方案，但两天后我终于使用 HAProxy 找到了解决方案（也许它可以帮助某些人）。

我的情况：流量 -> myfakehost.com (监听 TLS1.0) -> myhost.com (监听 TLS1.2)。

/etc/haproxy/haproxy.cfg：

frontend old_maps
  bind *:443 ssl crt /etc/haproxy/mycertificate.pem force-tlsv10
  mode tcp
  default_backend new_maps

backend new_maps
  mode http
  balance roundrobin
  option forwardfor
  http-request set-header Host myhost.com
  server mymaps myhost.com:443 ssl check verify none

正如您所看到的，我遇到了一些证书问题，我需要使用set-header选项将原始 URL 更改为新 URL。

注意：mycertificate.pem在我的例子中需要有（私钥、服务器证书、中间证书、根证书）并且myfakehost.com是localhost/etc/hosts

调试工具：

 curl -v https://myfakehost.com
 openssl s_client -showcerts -connect myfakehost.com:443

Answer