AWS CloudFormation: Load Balancer Custom SSL Negotiation Policy


Problem description


Trying to set up a cloudformation template with a custom SSL Negotiation policy. The cloudformation error I am getting is:

CREATE_FAILED AWS::ElasticLoadBalancing::LoadBalancer BackendELB SSLNegotiationPolicy cannot be enabled

My cloudformation template section is as follows:

    "Policies" : [
      {
        "PolicyName": "SSLNegotiationPolicy",
        "PolicyType": "SSLNegotiationPolicyType",
        "Attributes": [
            { "Name" : "Protocol-TLSv1", "Value" : "true" },
            { "Name" : "Protocol-TLSv1.1", "Value" : "true" },
            { "Name" : "Protocol-TLSv1.2", "Value" : "true" },
            { "Name" : "Protocol-SSLv2", "Value" : "false" },
            { "Name" : "Protocol-SSLv3", "Value" : "false" },
            { "Name" : "ECDHE-RSA-AES128-GCM-SHA256", "Value" : "true" },
            { "Name" : "ECDHE-ECDSA-AES128-SHA256", "Value" : "true" },
            { "Name" : "ECDHE-RSA-AES128-SHA256", "Value" : "true" },
            { "Name" : "ECDHE-ECDSA-AES128-SHA", "Value" : "true" },
            { "Name" : "ECDHE-RSA-AES128-SHA", "Value" : "true" },
            { "Name" : "DHE-RSA-AES128-SHA", "Value" : "true" },
            { "Name" : "ECDHE-ECDSA-AES256-GCM-SHA384", "Value" : "true" },
            { "Name" : "ECDHE-RSA-AES256-GCM-SHA384", "Value" : "true" },
            { "Name" : "ECDHE-ECDSA-AES256-SHA384", "Value" : "true" },
            { "Name" : "ECDHE-RSA-AES256-SHA384", "Value" : "true" },
            { "Name" : "ECDHE-RSA-AES256-SHA", "Value" : "true" },
            { "Name" : "ECDHE-ECDSA-AES256-SHA", "Value" : "true" },
            { "Name" : "AES128-GCM-SHA256", "Value" : "true" },
            { "Name" : "AES128-SHA256", "Value" : "true" },
            { "Name" : "AES128-SHA", "Value" : "true" },
            { "Name" : "AES256-GCM-SHA384", "Value" : "true" },
            { "Name" : "AES256-SHA256", "Value" : "true" },
            { "Name" : "AES256-SHA", "Value" : "true" },
            { "Name" : "DHE-DSS-AES128-SHA", "Value" : "true" },
            { "Name" : "RC4-SHA", "Value" : "false" },
            { "Name" : "ECDHE-ECDSA-RC4-SHA", "Value" : "false" }
        ],
        "InstancePorts" : [ "443" ]
      }
    ]

If I remove the InstancePorts section then the ELB creates with no errors, but the new load balancer doesn't use the policy outlined.

Any ideas?

Side question: Is it necessary to set every value of your policy to either true or false or if the cipher is not defined in the template, does it default to the value defined in the recommended SSL policy?

Recommended answer

I think you're on the right track. You can view the existing security policy contents with:

aws elb describe-load-balancer-policies

I specify everything for completeness, such as the policy below:

    "Policies" : [
      {
        "PolicyName" : "My-ELBSecurityPolicy-2014-10-DisableRC4",
        "PolicyType" : "SSLNegotiationPolicyType",
        "Attributes" : [
            { "Name": "Protocol-SSLv2", "Value": "false" }, 
            { "Name": "Protocol-TLSv1", "Value": "true" }, 
            { "Name": "Protocol-SSLv3", "Value": "false" }, 
            { "Name": "Protocol-TLSv1.1", "Value": "true" }, 
            { "Name": "Protocol-TLSv1.2", "Value": "true" }, 
            { "Name": "Server-Defined-Cipher-Order", "Value": "true" }, 
            { "Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Value": "true" }, 
            { "Name": "ECDHE-RSA-AES128-GCM-SHA256", "Value": "true" }, 
            { "Name": "ECDHE-ECDSA-AES128-SHA256", "Value": "true" }, 
            { "Name": "ECDHE-RSA-AES128-SHA256", "Value": "true" }, 
            { "Name": "ECDHE-ECDSA-AES128-SHA", "Value": "true" }, 
            { "Name": "ECDHE-RSA-AES128-SHA", "Value": "true" }, 
            { "Name": "DHE-RSA-AES128-SHA", "Value": "true" }, 
            { "Name": "ECDHE-ECDSA-AES256-GCM-SHA384", "Value": "true" }, 
            { "Name": "ECDHE-RSA-AES256-GCM-SHA384", "Value": "true" }, 
            { "Name": "ECDHE-ECDSA-AES256-SHA384", "Value": "true" }, 
            { "Name": "ECDHE-RSA-AES256-SHA384", "Value": "true" }, 
            { "Name": "ECDHE-RSA-AES256-SHA", "Value": "true" }, 
            { "Name": "ECDHE-ECDSA-AES256-SHA", "Value": "true" }, 
            { "Name": "AES128-GCM-SHA256", "Value": "true" }, 
            { "Name": "AES128-SHA256", "Value": "true" }, 
            { "Name": "AES128-SHA", "Value": "true" }, 
            { "Name": "AES256-GCM-SHA384", "Value": "true" }, 
            { "Name": "AES256-SHA256", "Value": "true" }, 
            { "Name": "AES256-SHA", "Value": "true" }, 
            { "Name": "DHE-DSS-AES128-SHA", "Value": "true" }, 
            { "Name": "CAMELLIA128-SHA", "Value": "false" }, 
            { "Name": "EDH-RSA-DES-CBC3-SHA", "Value": "false" }, 
            { "Name": "DES-CBC3-SHA", "Value": "false" }, 
            { "Name": "ECDHE-RSA-RC4-SHA", "Value": "false" }, 
            { "Name": "RC4-SHA", "Value": "false" }, 
            { "Name": "ECDHE-ECDSA-RC4-SHA", "Value": "false" }, 
            { "Name": "DHE-DSS-AES256-GCM-SHA384", "Value": "false" }, 
            { "Name": "DHE-RSA-AES256-GCM-SHA384", "Value": "false" }, 
            { "Name": "DHE-RSA-AES256-SHA256", "Value": "false" }, 
            { "Name": "DHE-DSS-AES256-SHA256", "Value": "false" }, 
            { "Name": "DHE-RSA-AES256-SHA", "Value": "false" }, 
            { "Name": "DHE-DSS-AES256-SHA", "Value": "false" }, 
            { "Name": "DHE-RSA-CAMELLIA256-SHA", "Value": "false" }, 
            { "Name": "DHE-DSS-CAMELLIA256-SHA", "Value": "false" }, 
            { "Name": "CAMELLIA256-SHA", "Value": "false" }, 
            { "Name": "EDH-DSS-DES-CBC3-SHA", "Value": "false" }, 
            { "Name": "DHE-DSS-AES128-GCM-SHA256", "Value": "false" }, 
            { "Name": "DHE-RSA-AES128-GCM-SHA256", "Value": "false" }, 
            { "Name": "DHE-RSA-AES128-SHA256", "Value": "false" }, 
            { "Name": "DHE-DSS-AES128-SHA256", "Value": "false" }, 
            { "Name": "DHE-RSA-CAMELLIA128-SHA", "Value": "false" }, 
            { "Name": "DHE-DSS-CAMELLIA128-SHA", "Value": "false" }, 
            { "Name": "ADH-AES128-GCM-SHA256", "Value": "false" }, 
            { "Name": "ADH-AES128-SHA", "Value": "false" }, 
            { "Name": "ADH-AES128-SHA256", "Value": "false" }, 
            { "Name": "ADH-AES256-GCM-SHA384", "Value": "false" }, 
            { "Name": "ADH-AES256-SHA", "Value": "false" }, 
            { "Name": "ADH-AES256-SHA256", "Value": "false" }, 
            { "Name": "ADH-CAMELLIA128-SHA", "Value": "false" }, 
            { "Name": "ADH-CAMELLIA256-SHA", "Value": "false" }, 
            { "Name": "ADH-DES-CBC3-SHA", "Value": "false" }, 
            { "Name": "ADH-DES-CBC-SHA", "Value": "false" }, 
            { "Name": "ADH-RC4-MD5", "Value": "false" }, 
            { "Name": "ADH-SEED-SHA", "Value": "false" }, 
            { "Name": "DES-CBC-SHA", "Value": "false" }, 
            { "Name": "DHE-DSS-SEED-SHA", "Value": "false" }, 
            { "Name": "DHE-RSA-SEED-SHA", "Value": "false" }, 
            { "Name": "EDH-DSS-DES-CBC-SHA", "Value": "false" }, 
            { "Name": "EDH-RSA-DES-CBC-SHA", "Value": "false" }, 
            { "Name": "IDEA-CBC-SHA", "Value": "false" }, 
            { "Name": "RC4-MD5", "Value": "false" }, 
            { "Name": "SEED-SHA", "Value": "false" }, 
            { "Name": "DES-CBC3-MD5", "Value": "false" }, 
            { "Name": "DES-CBC-MD5", "Value": "false" }, 
            { "Name": "RC2-CBC-MD5", "Value": "false" }, 
            { "Name": "PSK-AES256-CBC-SHA", "Value": "false" }, 
            { "Name": "PSK-3DES-EDE-CBC-SHA", "Value": "false" }, 
            { "Name": "KRB5-DES-CBC3-SHA", "Value": "false" }, 
            { "Name": "KRB5-DES-CBC3-MD5", "Value": "false" }, 
            { "Name": "PSK-AES128-CBC-SHA", "Value": "false" }, 
            { "Name": "PSK-RC4-SHA", "Value": "false" }, 
            { "Name": "KRB5-RC4-SHA", "Value": "false" }, 
            { "Name": "KRB5-RC4-MD5", "Value": "false" }, 
            { "Name": "KRB5-DES-CBC-SHA", "Value": "false" }, 
            { "Name": "KRB5-DES-CBC-MD5", "Value": "false" }, 
            { "Name": "EXP-EDH-RSA-DES-CBC-SHA", "Value": "false" }, 
            { "Name": "EXP-EDH-DSS-DES-CBC-SHA", "Value": "false" }, 
            { "Name": "EXP-ADH-DES-CBC-SHA", "Value": "false" }, 
            { "Name": "EXP-DES-CBC-SHA", "Value": "false" }, 
            { "Name": "EXP-RC2-CBC-MD5", "Value": "false" }, 
            { "Name": "EXP-KRB5-RC2-CBC-SHA", "Value": "false" }, 
            { "Name": "EXP-KRB5-DES-CBC-SHA", "Value": "false" }, 
            { "Name": "EXP-KRB5-RC2-CBC-MD5", "Value": "false" }, 
            { "Name": "EXP-KRB5-DES-CBC-MD5", "Value": "false" }, 
            { "Name": "EXP-ADH-RC4-MD5", "Value": "false" }, 
            { "Name": "EXP-RC4-MD5", "Value": "false" }, 
            { "Name": "EXP-KRB5-RC4-SHA", "Value": "false" }, 
            { "Name": "EXP-KRB5-RC4-MD5", "Value": "false" }
        ]
      }
    ]

You also have to reference the policy in the ELB specification itself:

    "Listeners" : [
      { "LoadBalancerPort" : "80",
        "InstancePort" : "80",
        "Protocol" : "HTTP" },
      { "LoadBalancerPort" : "443",
        "InstancePort" : "80",
        "Protocol" : "HTTPS",
        "SSLCertificateId" : "arn:aws:iam::111111111111:server-certificate/somedomain.com",
        "PolicyNames" : [ "My-ELBSecurityPolicy-2014-10-DisableRC4", "SomeOtherPolicy" ]
      }
    ],
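An added check, not from the thread, that catches the two mistakes discussed above before a stack is deployed: an SSLNegotiationPolicyType policy carrying InstancePorts (the questioner's CREATE_FAILED trigger; these are front-end policies attached through a listener's PolicyNames, while InstancePorts belongs to back-end policies), a policy that no HTTPS/SSL listener references (defined but never in effect), a listener naming a policy the template does not define, and any of the protocol or cipher options the answer disables (SSLv2, SSLv3, RC4) being switched back on. The embedded template is a constructed sample modelled on the snippets in the thread; the logical ID BackendELB and the policy names are assumptions.

```python
import json

# Constructed sample (not the thread's template verbatim): the questioner's
# policy with InstancePorts, plus listeners modelled on the answer's snippet.
TEMPLATE = json.loads("""
{"Resources": {"BackendELB": {"Type": "AWS::ElasticLoadBalancing::LoadBalancer",
  "Properties": {
    "Listeners": [
      {"LoadBalancerPort": "80", "InstancePort": "80", "Protocol": "HTTP"},
      {"LoadBalancerPort": "443", "InstancePort": "80", "Protocol": "HTTPS",
       "SSLCertificateId": "arn:aws:iam::111111111111:server-certificate/somedomain.com",
       "PolicyNames": ["SSLNegotiationPolicy", "SomeOtherPolicy"]}],
    "Policies": [
      {"PolicyName": "SSLNegotiationPolicy", "PolicyType": "SSLNegotiationPolicyType",
       "InstancePorts": ["443"],
       "Attributes": [
         {"Name": "Protocol-SSLv3", "Value": "true"},
         {"Name": "Protocol-TLSv1.2", "Value": "true"},
         {"Name": "RC4-SHA", "Value": "false"}]}]}}}}
""")

# Options the answer's policy explicitly sets to "false"; flagged if a template turns them on.
WEAK_OPTIONS = ("Protocol-SSLv2", "Protocol-SSLv3", "RC4-SHA", "RC4-MD5",
                "ECDHE-RSA-RC4-SHA", "ECDHE-ECDSA-RC4-SHA")

def lint_elb(props):
    """Return (policy_name, issue) pairs for one LoadBalancer's Properties block."""
    findings = []
    policies = {p["PolicyName"]: p for p in props.get("Policies", [])}
    referenced = set()
    for listener in props.get("Listeners", []):
        if listener.get("Protocol") in ("HTTPS", "SSL"):
            for name in listener.get("PolicyNames", []):
                referenced.add(name)
                if name not in policies:          # listener names a policy the template lacks
                    findings.append((name, "unknown-policy"))
    for name, pol in policies.items():
        if pol.get("PolicyType") != "SSLNegotiationPolicyType":
            continue
        if "InstancePorts" in pol:                # the questioner's CREATE_FAILED cause
            findings.append((name, "instance-ports-on-ssl-negotiation-policy"))
        if name not in referenced:                # defined but attached to no HTTPS/SSL listener
            findings.append((name, "unreferenced"))
        attrs = {a["Name"]: a["Value"] for a in pol.get("Attributes", [])}
        for opt in WEAK_OPTIONS:
            if attrs.get(opt) == "true":
                findings.append((name, f"weak-option:{opt}"))
    return findings
```

Run it over `TEMPLATE["Resources"]["BackendELB"]["Properties"]` and it reports the InstancePorts mistake, the undefined SomeOtherPolicy reference, and SSLv3 being enabled.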
