haproxy tls1.0 to tls1.3 proxy

Solution 1:

Using HAProxy, you may specify different ciphers for binds and servers in the global section, which could look like this:

global
    # modern bind configuration, only TLS1.3 enabled.
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets

or

global
    # old configuration for the server side, only sslv3 and below are disabled, tls1.0, tls1.2 and tls1.3 are all enabled.
    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tls-tickets
    # you may also add the below:
    ssl-server-verify none

I hope this works for you. HAProxy is very flexible to suit your needs. Reference: https://ssl-config.mozilla.org/#server=haproxy

Solution 2:

Perhaps this will help someone. If you want it to be set on a specific bind, you can do so via the following:

bind YOUR_IP:443 ssl crt /etc/ssl/private/ alpn h2,http/1.1 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!CAMELLIA@SECLEVEL=1 ssl-min-ver TLSv1.0

Note the SECLEVEL=1.

Hope it helps someone.

Solution 3:

I had exactly the same problem and there was no solution on the internet, but after 2 days I finally found a solution with HAProxy (maybe it can help someone).

My case: Traffic -> myfakehost.com (listening TLS1.0) -> myhost.com (listening TLS1.2).

/etc/haproxy/haproxy.cfg:

frontend old_maps
  bind *:443 ssl crt /etc/haproxy/mycertificate.pem force-tlsv10
  mode tcp
  default_backend new_maps

backend new_maps
  mode http
  balance roundrobin
  option forwardfor
  http-request set-header Host myhost.com
  server mymaps myhost.com:443 ssl check verify none

As you can see, I had a few problems with certificates and I needed to use the set-header option to change the original URL to the new URL.

Note: in my case mycertificate.pem needs to contain the private key, server certificate, intermediate certificate and root certificate, and myfakehost.com is an alias for localhost in /etc/hosts.

Debug tools:

curl -v https://myfakehost.com
openssl s_client -showcerts -connect myfakehost.com:443
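The three answers above each pin the accepted protocol versions with a different keyword (global no-tlsv1x options in Solution 1, a bind-level ssl-min-ver in Solution 2, force-tlsv10 in Solution 3), and it is easy to lose track of which listener still accepts TLS 1.0. The checker below is an added example, not code from any of the answers: it reads an haproxy.cfg string and reports what each ssl bind accepts, so the legacy edge is deliberate rather than accidental. It assumes the constraints combine by intersection (my reading of HAProxy's precedence; confirm with openssl s_client as in Solution 3), and SAMPLE_CFG is a constructed config, not one of the posted ones.

```python
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
NO_OPT = {"no-" + v.lower().replace(".", ""): v for v in VERSIONS}        # no-tlsv10 ...
FORCE_OPT = {"force-" + v.lower().replace(".", ""): v for v in VERSIONS}  # force-tlsv10 ...

def versions_for(tokens, base=None):
    """Versions left after applying bind keywords (or ssl-default-bind-options) to
    'base'. Assumed semantics: constraints intersect; no-* removes one version,
    ssl-min-ver/ssl-max-ver bound the range, force-* pins exactly one version."""
    enabled = list(VERSIONS if base is None else base)   # HAProxy's built-in defaults are not modelled
    lo, hi = VERSIONS[0], VERSIONS[-1]
    for i, tok in enumerate(tokens):
        if tok in FORCE_OPT:
            return [FORCE_OPT[tok]]
        if tok in NO_OPT and NO_OPT[tok] in enabled:
            enabled.remove(NO_OPT[tok])
        elif tok == "ssl-min-ver":
            lo = tokens[i + 1]                            # unknown names raise ValueError below
        elif tok == "ssl-max-ver":
            hi = tokens[i + 1]
    keep = range(VERSIONS.index(lo), VERSIONS.index(hi) + 1)
    return [v for v in enabled if VERSIONS.index(v) in keep]

def audit(cfg):
    """Map bind address -> accepted versions for every 'bind ... ssl' line in cfg."""
    base, report = None, {}
    for raw in cfg.splitlines():
        tokens = raw.split("#", 1)[0].split()             # drop comments and blank lines
        if not tokens: continue
        if tokens[0] == "ssl-default-bind-options":       # global defaults, apply to later binds
            base = versions_for(tokens[1:])
        elif tokens[0] == "bind" and "ssl" in tokens:
            report[tokens[1]] = versions_for(tokens[2:], base)
    return report

def weak_binds(cfg):
    """Binds that still accept anything older than TLSv1.2 (index 3 in VERSIONS)."""
    return {k: v for k, v in audit(cfg).items() if any(VERSIONS.index(x) < 3 for x in v)}

# Constructed sample mixing the three styles used in the answers above.
SAMPLE_CFG = """\
global
    ssl-default-bind-options no-sslv3 no-tls-tickets
frontend modern
    bind *:8443 ssl crt /etc/haproxy/site.pem no-tlsv10 no-tlsv11 no-tlsv12
frontend legacy_bind
    bind *:443 ssl crt /etc/haproxy/site.pem ssl-min-ver TLSv1.0
frontend old_maps
    bind *:444 ssl crt /etc/haproxy/mycertificate.pem force-tlsv10
"""
```

Running `weak_binds(SAMPLE_CFG)` flags `*:443` and `*:444` and leaves `*:8443` alone, which is the expected split between the legacy edge and the modern listener.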