HAProxy ALOHA Documentation 13.5

Advanced TLS Options

The table below lists other arguments that you can add to a bind line when configuring TLS offloading.

Argument

Description

ciphers

Sets the list of TLS encryption ciphers to use, separated by colons, in order of preference. Fallback algorithms go at the end of the list. HAProxy ALOHA will choose the first cipher that the client also supports.

Use this argument only for SSL and TLS versions up to TLS version 1.2. For TLS version 1.3 and newer, use ciphersuites.

Sets the list of preferred ciphers.

frontend ft_myapp
  mode http
  bind :443 ssl crt default ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256...

ciphersuites

Sets the list of TLS encryption ciphers to use, separated by colons, in order of preference. Fallback algorithms go at the end of the list. HAProxy ALOHA will choose the first cipher that the client also supports.

Use this argument for TLS version 1.3 and newer. For older versions of SSL and TLS, use ciphers instead.

Sets the list of preferred ciphers.

frontend ft_myapp
  mode http
  bind :443 ssl crt default ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384...

ssl-max-ver

Sets the maximum version of SSL or TLS to use. Clients will not be able to use versions newer than that.

Values:

  • SSLv3

  • TLSv1.0

  • TLSv1.1

  • TLSv1.2

  • TLSv1.3

Enforce TLS version 1.2 as the newest accepted version.

frontend ft_myapp
  mode http
  bind :443 ssl crt default ssl-max-ver TLSv1.2

ssl-min-ver

Sets the minimum version of SSL or TLS to use. Clients will not be able to use versions older than that.

Values:

  • SSLv3

  • TLSv1.0

  • TLSv1.1

  • TLSv1.2

  • TLSv1.3

Enforce TLS version 1.2 as the oldest accepted version.

frontend ft_myapp
  mode http
  bind :443 ssl crt default ssl-min-ver TLSv1.2
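
The following check is an added example, not part of the ALOHA documentation: a small Python script that reads bind lines and flags cipher names placed under the wrong argument, a minimum version below a chosen floor, and a maximum version older than the minimum. The function names, the TLSv1.2 floor and the sample configuration are assumptions made for the illustration.

```python
import re

# Versions in ascending order, as listed for ssl-min-ver and ssl-max-ver.
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Assumption: TLS 1.3 suites use "TLS_..." names (as in the ciphersuites
# example); everything else is treated as a name for the ciphers argument.
TLS13_NAME = re.compile(r"^TLS_[A-Z0-9_]+$")
KEYS = ("ciphers", "ciphersuites", "ssl-min-ver", "ssl-max-ver")

def lint_bind(line, floor="TLSv1.2"):
    """Return findings for one bind line; floor is a local policy choice."""
    tokens = line.split()
    if tokens[:1] != ["bind"] or "ssl" not in tokens:
        return []
    opts = {k: v for k, v in zip(tokens, tokens[1:]) if k in KEYS}
    out = []
    for name in filter(None, opts.get("ciphers", "").split(":")):
        if TLS13_NAME.match(name):
            out.append(f"ciphers: {name} is a TLS 1.3 suite, use ciphersuites")
    for name in filter(None, opts.get("ciphersuites", "").split(":")):
        if not TLS13_NAME.match(name):
            out.append(f"ciphersuites: {name} is not a TLS 1.3 suite, use ciphers")
    lo, hi = opts.get("ssl-min-ver"), opts.get("ssl-max-ver")
    for key, val in (("ssl-min-ver", lo), ("ssl-max-ver", hi)):
        if val is not None and val not in VERSIONS:
            return out + [f"{key}: unknown value {val}"]
    if lo and VERSIONS.index(lo) < VERSIONS.index(floor):
        out.append(f"ssl-min-ver {lo} is older than the {floor} floor")
    if lo and hi and VERSIONS.index(hi) < VERSIONS.index(lo):
        out.append(f"ssl-max-ver {hi} is older than ssl-min-ver {lo}")
    return out

def lint_config(text):
    """Return (line_number, finding) pairs for every bind line in text."""
    return [(n, f) for n, line in enumerate(text.splitlines(), 1)
            for f in lint_bind(line)]

# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
frontend ft_myapp
  mode http
  bind :443 ssl crt default ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
  bind :8443 ssl crt default ssl-min-ver TLSv1.0 ssl-max-ver TLSv1.3
  bind :9443 ssl crt default ssl-min-ver TLSv1.3 ssl-max-ver TLSv1.2
  bind :10443 ssl crt default ssl-min-ver TLSv1.2 ciphersuites TLS_AES_128_GCM_SHA256
"""

if __name__ == "__main__":
    for lineno, finding in lint_config(SAMPLE):
        print(f"line {lineno}: {finding}")
```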
