
I have a single frontend, but multiple backends. I'm upgrading security on some backends, and as a part of that, I want to only allow TLS 1.2 or higher when getting requests to those specific backends. There are still customers using the other backends, so I don't want to disrupt them right now.

I have a config, similar to the one below. I've tried to set "ssl-min-ver" in the backend, I've also tried to add "no-ssl3 no-tls10 no-tls11" options to the backend, but that is apparently invalid.

So my question is, how do I make it so that when backend "api-test" is used, a minimum TLS version of 1.2 is required, while the two other backends are unaffected?

Here is the config I'm referring to:

frontend frontend_ssl
    bind *:443 ssl crt /certificate.[somename].com.pem crt /etc/haproxy/certificates/

    acl is_api_[somename]_com hdr(host) -i api.[somename].com
    acl is_api_[somename]_test hdr(host) -i test-api.[somename].com

    use_backend api_prod if is_api_[somename]_com
    use_backend api_test if is_api_[somename]_test
    
    default_backend app_iis_http_4430

backend app_iis_http_4430
    server dk1h1iis 10.10.1.1:4430 check port 4430
    server dk1h2iis 10.10.1.2:4430 check port 4430

backend api_prod
    server dk1h1docker_prod 10.10.1.1:855 check port 855
    server dk1h2docker_prod 10.10.1.2:855 check port 855

backend api_test
    server dk1h1docker_test 10.10.1.1:856 check port 856
    server dk1h2docker_test 10.10.1.2:856 check port 856

EDIT: I've tried the options mentioned in the documentation here: https://cdn.haproxy.com/documentation/hapee/1-8r2/traffic-management/tls/#define-server-directive-settings-on-the-backend

So my api-test backend now looks like this:

backend api_test
    server dk1h1docker_test 10.10.1.1:856 no-sslv3 no-tlsv10 no-tlsv11 check port 856
    server dk1h2docker_test 10.10.1.2:856 no-sslv3 no-tlsv10 no-tlsv11 check port 856

It didn't help though. I can still reach the servers with TLS 1.0.

Talkar
  • Are you sure you are reaching the backend servers via TLS1.0? Because the haproxy frontend isn't configured to limit the version, so you are proxied between 1.0 and 1.2: client => haproxy (1.0), haproxy => backend (1.2)? – Fredrik Feb 09 '21 at 15:53
  • Related to what you said Fredrik, I found the issue. When the frontend is reached, there is no SSL from the frontend to the backends, which is why I can't limit the connections to the backend to specific TLS/SSL versions. – Talkar Feb 10 '21 at 07:54

1 Answer

The problem with what I was trying to achieve, with the configuration I had, was that the traffic between the frontends and backends has no SSL/TLS, so it isn't possible to restrict it to any version.

Instead I now check in the frontend, using ACLs, and reject HTTP requests that use deprecated versions.

acl is_api_test hdr(host) -i test-api.[somename].com
acl is_ssl_version_deprecated ssl_fc_protocol SSLv3 TLSv1 TLSv1.1

http-request reject if is_api_test is_ssl_version_deprecated
Talkar
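The frontend-side approach from the answer, written out as a complete frontend as an added example (not from the question or the answer). It assumes HAProxy 2.x, a constructed hostname test-api.example.com with its certificate under a constructed path, and a crt-list file whose contents are shown in the comments; the crt-list line is what moves the TLS 1.2 floor into the handshake itself, so a TLS 1.0 client for that hostname is refused before any HTTP request is read, while the ssl_fc_protocol ACL from the answer stays as a request-level backstop.

```haproxy
# Added example, not the original poster's configuration.
# Assumed crt-list file /etc/haproxy/crt-list.txt (constructed path):
#
#   /etc/haproxy/certificates/test-api.example.com.pem [ssl-min-ver TLSv1.2] test-api.example.com
#   /etc/haproxy/certificates/api.example.com.pem api.example.com
#
# Each line is "<cert> [ssl options] <SNI filter...>": the options in brackets
# apply only when that certificate is selected by SNI, so only clients asking
# for test-api.example.com get the TLS 1.2 floor. Clients that send no SNI
# receive the first (default) certificate and its settings.

frontend frontend_ssl
    bind *:443 ssl crt-list /etc/haproxy/crt-list.txt

    acl is_api_prod hdr(host) -i api.example.com
    acl is_api_test hdr(host) -i test-api.example.com

    # Request-level check from the answer: ssl_fc_protocol is the version the
    # client actually negotiated on the frontend connection (exact string match).
    acl is_ssl_version_deprecated ssl_fc_protocol -m str SSLv3 TLSv1 TLSv1.1
    http-request reject if is_api_test is_ssl_version_deprecated

    # Record the negotiated version (%sslv) and cipher (%sslc) so that
    # remaining TLS 1.0/1.1 clients on the other hostnames can be found in logs
    # before those backends are tightened as well.
    log-format "%ci:%cp [%t] %ft %b %ST %sslv %sslc %{+Q}r"

    use_backend api_prod if is_api_prod
    use_backend api_test if is_api_test
    default_backend app_iis_http_4430
```

Note that the reject rule only runs after a handshake has already completed with the deprecated version; the crt-list option is what prevents that handshake in the first place.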