Merge pull request #690 from dtomcej/disable-tls10
Selectable TLS Versions
This commit is contained in:
commit
067f13b61c
4 changed files with 73 additions and 5 deletions
|
@ -177,10 +177,33 @@ type Redirect struct {
|
||||||
|
|
||||||
// TLS configures TLS for an entry point
|
// TLS configures TLS for an entry point
|
||||||
type TLS struct {
|
type TLS struct {
|
||||||
|
MinVersion string
|
||||||
|
CipherSuites []string
|
||||||
Certificates Certificates
|
Certificates Certificates
|
||||||
ClientCAFiles []string
|
ClientCAFiles []string
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Map of allowed TLS minimum versions
|
||||||
|
var minVersion = map[string]uint16{
|
||||||
|
`VersionTLS10`: tls.VersionTLS10,
|
||||||
|
`VersionTLS11`: tls.VersionTLS11,
|
||||||
|
`VersionTLS12`: tls.VersionTLS12,
|
||||||
|
}
|
||||||
|
|
||||||
|
// Map of TLS CipherSuites from crypto/tls
|
||||||
|
var cipherSuites = map[string]uint16{
|
||||||
|
`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`: tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||||
|
`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`: tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`: tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
|
||||||
|
`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`: tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
|
||||||
|
`TLS_RSA_WITH_AES_128_GCM_SHA256`: tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
|
||||||
|
`TLS_RSA_WITH_AES_256_GCM_SHA384`: tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
|
||||||
|
`TLS_RSA_WITH_AES_128_CBC_SHA`: tls.TLS_RSA_WITH_AES_128_CBC_SHA,
|
||||||
|
`TLS_RSA_WITH_AES_256_CBC_SHA`: tls.TLS_RSA_WITH_AES_256_CBC_SHA,
|
||||||
|
`TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`: tls.TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||||
|
`TLS_RSA_WITH_3DES_EDE_CBC_SHA`: tls.TLS_RSA_WITH_3DES_EDE_CBC_SHA,
|
||||||
|
}
|
||||||
|
|
||||||
// Certificates defines traefik certificates type
|
// Certificates defines traefik certificates type
|
||||||
// Certs and Keys could be either a file path, or the file content itself
|
// Certs and Keys could be either a file path, or the file content itself
|
||||||
type Certificates []Certificate
|
type Certificates []Certificate
|
||||||
|
|
14
docs/toml.md
14
docs/toml.md
|
@ -183,6 +183,20 @@ Supported filters:
|
||||||
# address = ":80"
|
# address = ":80"
|
||||||
# [entryPoints.http.auth.basic]
|
# [entryPoints.http.auth.basic]
|
||||||
# users = ["test:traefik:a2688e031edb4be6a3797f3882655c05 ", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
|
# users = ["test:traefik:a2688e031edb4be6a3797f3882655c05 ", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
|
||||||
|
#
|
||||||
|
# To specify an https entrypoint with a minimum TLS version, and specifying an array of cipher suites (from crypto/tls):
|
||||||
|
# [entryPoints]
|
||||||
|
# [entryPoints.https]
|
||||||
|
# address = ":443"
|
||||||
|
# [entryPoints.https.tls]
|
||||||
|
# MinVersion = "VersionTLS12"
|
||||||
|
# CipherSuites = ["TLS_RSA_WITH_AES_256_GCM_SHA384"]
|
||||||
|
# [[entryPoints.https.tls.certificates]]
|
||||||
|
# CertFile = "integration/fixtures/https/snitest.com.cert"
|
||||||
|
# KeyFile = "integration/fixtures/https/snitest.com.key"
|
||||||
|
# [[entryPoints.https.tls.certificates]]
|
||||||
|
# CertFile = "integration/fixtures/https/snitest.org.cert"
|
||||||
|
# KeyFile = "integration/fixtures/https/snitest.org.key"
|
||||||
|
|
||||||
[entryPoints]
|
[entryPoints]
|
||||||
[entryPoints.http]
|
[entryPoints.http]
|
||||||
|
|
18
server.go
18
server.go
|
@ -387,6 +387,24 @@ func (server *Server) createTLSConfig(entryPointName string, tlsOption *TLS, rou
|
||||||
// BuildNameToCertificate parses the CommonName and SubjectAlternateName fields
|
// BuildNameToCertificate parses the CommonName and SubjectAlternateName fields
|
||||||
// in each certificate and populates the config.NameToCertificate map.
|
// in each certificate and populates the config.NameToCertificate map.
|
||||||
config.BuildNameToCertificate()
|
config.BuildNameToCertificate()
|
||||||
|
//Set the minimum TLS version if set in the config TOML
|
||||||
|
if minConst, exists := minVersion[server.globalConfiguration.EntryPoints[entryPointName].TLS.MinVersion]; exists {
|
||||||
|
config.PreferServerCipherSuites = true
|
||||||
|
config.MinVersion = minConst
|
||||||
|
}
|
||||||
|
//Set the list of CipherSuites if set in the config TOML
|
||||||
|
if server.globalConfiguration.EntryPoints[entryPointName].TLS.CipherSuites != nil {
|
||||||
|
//if our list of CipherSuites is defined in the entrypoint config, we can re-initilize the suites list as empty
|
||||||
|
config.CipherSuites = make([]uint16, 0)
|
||||||
|
for _, cipher := range server.globalConfiguration.EntryPoints[entryPointName].TLS.CipherSuites {
|
||||||
|
if cipherConst, exists := cipherSuites[cipher]; exists {
|
||||||
|
config.CipherSuites = append(config.CipherSuites, cipherConst)
|
||||||
|
} else {
|
||||||
|
//CipherSuite listed in the toml does not exist in our listed
|
||||||
|
return nil, errors.New("Invalid CipherSuite: " + cipher)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
return config, nil
|
return config, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -204,7 +204,20 @@
|
||||||
# address = ":80"
|
# address = ":80"
|
||||||
# [entryPoints.http.auth.basic]
|
# [entryPoints.http.auth.basic]
|
||||||
# users = ["test:traefik:a2688e031edb4be6a3797f3882655c05 ", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
|
# users = ["test:traefik:a2688e031edb4be6a3797f3882655c05 ", "test2:traefik:518845800f9e2bfb1f1f740ec24f074e"]
|
||||||
|
#
|
||||||
|
# To specify an https entrypoint with a minimum TLS version, and specifying an array of cipher suites (from crypto/tls):
|
||||||
|
# [entryPoints]
|
||||||
|
# [entryPoints.https]
|
||||||
|
# address = ":443"
|
||||||
|
# [entryPoints.https.tls]
|
||||||
|
# MinVersion = "VersionTLS12"
|
||||||
|
# CipherSuites = ["TLS_RSA_WITH_AES_256_GCM_SHA384"]
|
||||||
|
# [[entryPoints.https.tls.certificates]]
|
||||||
|
# CertFile = "integration/fixtures/https/snitest.com.cert"
|
||||||
|
# KeyFile = "integration/fixtures/https/snitest.com.key"
|
||||||
|
# [[entryPoints.https.tls.certificates]]
|
||||||
|
# CertFile = "integration/fixtures/https/snitest.org.cert"
|
||||||
|
# KeyFile = "integration/fixtures/https/snitest.org.key"
|
||||||
|
|
||||||
# Enable retry sending request if network error
|
# Enable retry sending request if network error
|
||||||
#
|
#
|
||||||
|
|
Loading…
Add table
Reference in a new issue