Allow specifying haproxy SSL Cipher list #4587

Merged
merged 1 commit into from
Jun 28, 2017
57 changes: 47 additions & 10 deletions architecture/core_concepts/routes.adoc
Expand Up @@ -125,6 +125,14 @@ WebSocket traffic uses the same route conventions and supports the same TLS
termination types as other traffic.
====

For a secure connection to be established a cipher common to the client and sever
must be nogotiated. As time goes on new more secure
link:https://wiki.mozilla.org/Security/Server_Side_TLS[ciphers] become available and
are integrated into client software. As older clients become obsolete, the older less
secure ciphers can be dropped. The router by default, supports a broad range of commonly
available clients. The router can be configured to use a selected set of xref:ciphers[ciphers]
that support desired clients and don't include the less secure ciphers.

[[routes-template-routers]]

=== Template Routers
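Review bot: the new paragraph has two spelling errors that will ship in the rendered docs: "sever" should be "server" and "nogotiated" should be "negotiated". The comma in "The router by default, supports a broad range" also sits in the wrong place; "By default, the router supports a broad range of commonly available clients" reads cleanly. Since this is the first place the cipher configuration is mentioned, it would help to state the default profile name (`intermediate`) here rather than only in the table further down, and "new more secure ciphers" wants a comma ("new, more secure ciphers").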
Expand Down Expand Up @@ -287,14 +295,9 @@ will "linger" around for that period. xref:time-units[(TimeUnits)]
|`*ROUTER_ALLOW_WILDCARD_ROUTES*`| | When set to `true` or `TRUE`, any routes with a wildcard policy of `Subdomain` that pass the router admission checks will be serviced by the HAProxy router.
|`*ROUTER_DISABLE_NAMESPACE_OWNERSHIP_CHECK*` | | Set to `true` to relax the namespace ownership policy.
|`*ROUTER_STRICT_SNI*` | | xref:strict-sni[strict-sni]
|`*ROUTER_CIPHERS*` | intermediate | Specify the set of xref:ciphers[ciphers] supported by bind.
|===

[[time-units]]
*TimeUnits* are represented by a number followed by the unit: `us`
*(microseconds), `ms` (milliseconds, default), `s` (seconds), `m` (minutes), `h`
*(hours), `d` (days). The regular expression is:
[1-9][0-9]*(us\|ms\|s\|m\|h\|d)

[NOTE]
====
If you want to run multiple routers on the same machine, you must change the
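Review bot: the `ROUTER_CIPHERS` description "Specify the set of ciphers supported by bind" is opaque to readers who do not know HAProxy's `bind` keyword, and it does not say what values are accepted. Suggest "Specify the cipher list applied to the HAProxy `bind` lines: `modern`, `intermediate`, `old`, or a colon-separated list of OpenSSL cipher names", which matches what the new Router Cipher Suite section says. Removing the TimeUnits block from directly under the table is fine as long as the `xref:time-units[(TimeUnits)]` links in the table still resolve to the relocated anchor.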
Expand All @@ -303,6 +306,13 @@ ports that the router is listening on, `ROUTER_SERVICE_SNI_PORT` and
they are unique on the machine. These ports will not be exposed externally.
====

[[time-units]]
== Timeouts
*TimeUnits* are represented by a number followed by the unit:
`us` (microseconds), `ms` (milliseconds, default), `s` (seconds), `m` (minutes), `h`
(hours), `d` (days).
The regular expression is: [1-9][0-9]*(us\|ms\|s\|m\|h\|d)

[[strict-sni]]
== HAProxy Strict SNI

Expand All @@ -324,6 +334,33 @@ $ oc adm router --strict-sni

This sets `ROUTER_STRICT_SNI=true`.

[[ciphers]]
== Router Cipher Suite

Each client, e.g., Chrome 30, Java8, includes a suite of ciphers that it can use to securely connect with the router.
The router must have at least one of the ciphers for the connection to complete. The
link:https://wiki.mozilla.org/Security/Server_Side_TLS[Security/Server Side TLS] reference guide provides
three reference profiles that support various clients.

.Router Cipher Profiles
[cols="2,6", options="header"]
|===
|Profile | Oldest compatible client
|modern| Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, Java 8
|intermediate|Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7
|old|Windows XP IE6, Java 6
|===

The router defaults to the "intermediate" profile. A different profile may be selected when the router is created
by using the --ciphers option, or after the router is created by changing the `ROUTER_CIPHERS` environment variable.
The values are: modern, intermediate, or old. Alternatively, a set of ":" separated ciphers may be provided. The ciphers
must be from the set displayed by:

----
openssl ciphers
----


[[route-hostnames]]

== Route Host Names
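Review bot: the section tells the reader which options exist but shows no command, unlike the Strict SNI section just above which shows `$ oc adm router --strict-sni`. Add the equivalent pair here, e.g. `$ oc adm router --ciphers=modern` at creation time (assuming the option takes the profile name as its value) and `$ oc set env dc/myrouter ROUTER_CIPHERS=modern` afterwards, using the `dc/myrouter` convention already used for `ROUTER_DENIED_DOMAINS` further down. Two points a security-conscious reader will want documented: first, `openssl ciphers` run on an administrator's workstation lists that machine's OpenSSL build, not the one the router image links against, so the text should say to run it inside the router pod (for example via `oc rsh`) and should state what happens when a name in a custom colon-separated list is not recognized; second, a custom list replaces the chosen profile entirely, so the admin becomes responsible for excluding weak suites, and the doc should say whether selecting `modern`/`intermediate`/`old` also constrains the TLS protocol version or only the cipher list. Minor: "Java8" should be "Java 8", `--ciphers` should be monospaced like `ROUTER_CIPHERS`, the "Oldest compatible client" lists will drift from the Mozilla guide over time so noting which revision of the guide they were taken from would help, and there is a stray double blank line before `[[route-hostnames]]`.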
Expand Down Expand Up @@ -968,7 +1005,7 @@ For example, to deny the `[{asterisk}.]open.header.test`, `[{asterisk}.]openshif
`[{asterisk}.]block.it` routes for the `myrouter` route:

----
$ oadm router myrouter ...
$ oc adm router myrouter ...
$ oc set env dc/myrouter ROUTER_DENIED_DOMAINS="open.header.test, openshift.org, block.it"
----

Expand All @@ -994,7 +1031,7 @@ $ oc expose service/<name> --hostname="api.openshift.org"
Alternatively, to block any routes where the host name is _not_ set to `[{asterisk}.]stickshift.org` or `[{asterisk}.]kates.net`:

----
$ oadm router myrouter ...
$ oc adm router myrouter ...
$ oc set env dc/myrouter ROUTER_ALLOWED_DOMAINS="stickshift.org, kates.net"
----

Expand All @@ -1020,7 +1057,7 @@ $ oc expose service/<name> --hostname="www.deny.it"
To implement both scenarios, run:

----
$ oadm router adrouter ...
$ oc adm router adrouter ...
$ oc env dc/adrouter ROUTER_ALLOWED_DOMAINS="openshift.org, kates.net" \
ROUTER_DENIED_DOMAINS="ops.openshift.org, metrics.kates.net"
----
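Review bot: `oc env dc/adrouter` is the older command form, while the other examples in this file (and this PR's own intent of replacing `oadm` with `oc adm`) use `oc set env`; since this hunk is already touching the block, change it to `oc set env dc/adrouter ROUTER_ALLOWED_DOMAINS="openshift.org, kates.net" \` so all three examples are consistent.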
Expand Down Expand Up @@ -1114,7 +1151,7 @@ This feature can be set during router creation or by setting an environment
variable in the router's deployment configuration.

----
$ oadm router ... --disable-namespace-ownership-check=true
$ oc adm router ... --disable-namespace-ownership-check=true
----

----