HAProxy ALOHA Documentation 15.5

Advanced TLS Options

Below we list other arguments that you can add to a bind line when configuring TLS offloading.

Set encryption ciphers for TLS 1.2 and older

Use the ciphers argument to set the list of TLS encryption ciphers to use, separated by colons, in order of preference. Fallback algorithms go at the end of the list. HAProxy ALOHA will choose the first cipher that the client also supports.

Use this argument only for SSL and TLS versions up to TLS version 1.2. For TLS version 1.3 and newer, use ciphersuites.

Sets the list of preferred ciphers.

frontend ft_myapp
  mode http
  bind :443 ssl crt default ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305

Set encryption ciphers for TLS 1.3 and newer

Use the ciphersuites argument to set the list of TLS encryption ciphers to use, separated by colons, in order of preference. Fallback algorithms go at the end of the list. HAProxy ALOHA will choose the first cipher that the client also supports.

Use this argument for TLS version 1.3 and newer. For older versions of SSL and TLS, use ciphers instead.

Sets the list of preferred ciphers.

frontend ft_myapp
  mode http
  bind :443 ssl crt default ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

Set the maximum allowed SSL or TLS version

Use the ssl-max-ver argument to set the maximum version of SSL or TLS to use. Clients will not be able to use versions newer than that.

Values:

  • SSLv3

  • TLSv1.0

  • TLSv1.1

  • TLSv1.2

  • TLSv1.3

Enforce TLS version 1.2 as the newest accepted version.

frontend ft_myapp
  mode http
  bind :443 ssl crt default ssl-max-ver TLSv1.2

Set the minimum allowed SSL or TLS version

Use the ssl-min-ver argument to set the minimum version of SSL or TLS to use. Clients will not be able to use versions older than that.

Values:

  • SSLv3

  • TLSv1.0

  • TLSv1.1

  • TLSv1.2

  • TLSv1.3

Enforce TLS version 1.2 as the oldest accepted version.

frontend ft_myapp
  mode http
  bind :443 ssl crt default ssl-min-ver TLSv1.2

Next up

Web Application Firewall