ssl - Recommended TLS ciphers for Traefik
Question
I am looking for a recommended SSL/TLS configuration for Traefik. I have started with minVersion = "VersionTLS12"
to avoid the weaker old protocol versions, and looked up the cipher suites supported by Go. Cross-checking against the SSLLabs recommendations, I arrived at the following order (the order matters):
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
]
[Update] I later cross-checked against Mozilla's SSL Config Generator, dropped the SHA-1 suites and used the suggested order:
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
]
Does that make sense? I want to avoid weak ciphers, but include as many strong ciphers as possible for compatibility.
Answer
You can use this page to generate your traefik configuration: https://ssl-config.mozilla.org/#server=traefik&server-version=1.7.12&config=intermediate
# generated 2019-07-17, https://ssl-config.mozilla.org/#server=traefik&server-version=1.7.12&config=intermediate
defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
]
[[entryPoints.https.tls.certificates]]
certFile = "/path/to/signed_cert_plus_intermediates"
keyFile = "/path/to/private_key"
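As an added check (my own example, not code from the question, the answer or the Mozilla generator), the Go program below audits a Traefik cipherSuites list against the suites that Go's crypto/tls package, which Traefik builds on, actually implements. It takes the generated list above as constructed input; crypto/tls has never implemented the finite-field TLS_DHE_* suites, so those two entries can never be negotiated, and the older ChaCha20 spelling from the question is accepted as an alias.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// knownSuites maps every cipher-suite name crypto/tls implements on this toolchain to its metadata.
func knownSuites() map[string]*tls.CipherSuite {
	m := map[string]*tls.CipherSuite{}
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		m[cs.Name] = cs
	}
	// Go 1.14 renamed the ChaCha20 suites with a _SHA256 suffix; the old constants still alias the same IDs.
	m["TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"] = m[tls.CipherSuiteName(tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305)]
	m["TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"] = m[tls.CipherSuiteName(tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305)]
	return m
}

// Audit returns a verdict for each configured cipher-suite name.
func Audit(names []string) map[string]string {
	known, out := knownSuites(), map[string]string{}
	for _, n := range names {
		switch cs, ok := known[n]; {
		case !ok: // crypto/tls has never implemented DHE, so the TLS_DHE_* entries end up here
			out[n] = "unknown to crypto/tls, will never be negotiated"
		case cs.Insecure:
			out[n] = "flagged insecure by crypto/tls"
		case strings.Contains(n, "_CBC_"):
			out[n] = "CBC suite, keep only for legacy clients"
		default:
			out[n] = "ok"
		}
	}
	return out
}

var generatedSuites = []string{ // constructed input: the cipherSuites list from the generated config above
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
	"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
}

func main() {
	for n, verdict := range Audit(generatedSuites) {
		fmt.Printf("%-48s %s\n", n, verdict)
	}
}
```

Which CBC suites crypto/tls marks insecure depends on the Go version Traefik was built with, so run this with the same toolchain as your Traefik binary.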