37 changes: 16 additions & 21 deletions images/router/haproxy/conf/haproxy-config.template
Expand Up @@ -5,6 +5,8 @@
*/}}
{{- define "conf/haproxy.config" }}
{{- $workingDir := .WorkingDir }}
{{- $routerCiphers := env "ROUTER_CIPHERS" }}
{{- $routerCiphersuites := env "ROUTER_CIPHERSUITES" }}
{{- $defaultDestinationCA := .DefaultDestinationCA }}
{{- $dynamicConfigManager := .DynamicConfigManager }}
{{- $router_ip_v4_v6_mode := env "ROUTER_IP_V4_V6_MODE" "v4" }}
Expand Down Expand Up @@ -88,43 +90,36 @@ global
ssl-default-bind-options ssl-min-ver {{ env "SSL_MIN_VERSION" "TLSv1.2" }}
{{- if ne (env "SSL_MAX_VERSION" "") "" }} ssl-max-ver {{env "SSL_MAX_VERSION" }}{{ end }}

# The default cipher suite can be selected from the three sets recommended by https://wiki.mozilla.org/Security/Server_Side_TLS,
# or the user can provide one using the ROUTER_CIPHERS environment variable.
# By default when a cipher set is not provided, intermediate is used.
{{- if eq (env "ROUTER_CIPHERS" "intermediate") "modern" }}
# The default cipher suite can be selected from the three sets recommended by https://wiki.mozilla.org/Security/Server_Side_TLS,
# or the user can provide one using the ROUTER_CIPHERS environment variable.
# ROUTER_CIPHERS may be empty, in which case TLSv1.2 and earlier are not allowed.
{{- if eq $routerCiphers "modern" }}
# Modern cipher suite (no legacy browser support) from https://wiki.mozilla.org/Security/Server_Side_TLS
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
{{ else }}

{{- if eq (env "ROUTER_CIPHERS" "intermediate") "intermediate" }}
{{- else if eq $routerCiphers "intermediate" }}
# Intermediate cipher suite (default) from https://wiki.mozilla.org/Security/Server_Side_TLS
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
{{ else }}

{{- if eq (env "ROUTER_CIPHERS" "intermediate") "old" }}

{{- else if eq $routerCiphers "old" }}
# Old cipher suite (maximum compatibility but insecure) from https://wiki.mozilla.org/Security/Server_Side_TLS
tune.ssl.default-dh-param 1024
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP

{{- else }}
# user provided list of ciphers (Colon separated list as seen above)
# the env default is not used here since we can't get here with empty ROUTER_CIPHERS
{{- else }}
# User-provided list of ciphers (colon-separated list as seen above).
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers {{ env "ROUTER_CIPHERS" "ECDHE-ECDSA-CHACHA20-POLY1305" }}
{{- end }}
{{- end }}
ssl-default-bind-ciphers "{{ $routerCiphers }}"
{{- end }}
{{/*
The ssl-default-bind-ciphers option above configures ciphers for TLSv1.0,
TLSv1.1, and TLSv1.2; for TLSv1.3, cipher suites are configured using the
ssl-default-bind-ciphersuites option below.
*/}}
{{- with $ciphersuites := (env "ROUTER_CIPHERSUITES") }}
ssl-default-bind-ciphersuites {{ $ciphersuites }}
{{- end }}
# The TLSv1.3 cipher suites are configured separately
# using the ROUTER_CIPHERSUITES environment variable.
# This list may be empty, in which case TLSv1.3 is not allowed.
ssl-default-bind-ciphersuites "{{ $routerCiphersuites }}"

{{- with $captureCookie := .CaptureHTTPCookie }}
{{- if (gt $captureCookie.MaxLength 63) }}
tune.http.cookielen {{ $captureCookie.MaxLength }}
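Review bot: The new final `{{- else }}` branch and the unconditional `ssl-default-bind-ciphersuites "{{ $routerCiphersuites }}"` line render an empty quoted argument whenever ROUTER_CIPHERS or ROUTER_CIPHERSUITES is unset, while the new comments ("ROUTER_CIPHERS may be empty, in which case TLSv1.2 and earlier are not allowed" and the matching TLSv1.3 note) promise that an empty value disables that protocol version; as far as I recall HAProxy's global config parser rejects an empty argument for both directives ("expects a cipher suite as an argument"), so the likely outcome is a config-parse failure at startup rather than a disabled protocol version — worth confirming against the HAProxy version shipped in this image before relying on it. This is also a behaviour change from the removed lines, which defaulted ROUTER_CIPHERS to `intermediate` and only emitted the ciphersuites directive inside `{{- with }}` when the variable was non-empty. Unless the controller that sets these variables is known to always populate both (not visible here), I would restore the default with `{{- $routerCiphers := env "ROUTER_CIPHERS" "intermediate" }}`, wrap the ciphersuites line again in `{{- with $routerCiphersuites }} … {{- end }}`, and reword the two comments to point at SSL_MIN_VERSION (the `ssl-min-ver` line at the top of the hunk) as the supported way to turn off TLSv1.2 and earlier. Separately, because the operator-supplied value is now interpolated verbatim into a double-quoted token, a value containing `"` or `\` breaks the rendered config; whether ROUTER_CIPHERS is validated before it reaches the template is not visible in this hunk.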