Google App Engine Node.js TLS 1.2


Question

Our application is hosted on Google App Engine Node.js (Flexible Environment). We are now under review in a security inspection and are failing on the issue that Google App Engine supports TLS versions 1.0 and 1.1.

Is there a way to enforce the use of only TLS 1.2? And also block ciphers that are below 128 bit?

Recommended answer

So I also came up against this problem... and found that GCP weren't that helpful. They'll helpfully restrict at a domain level if a support ticket is put forward, which resolves the security concern, but you'll still get false positives which need explaining at every penetration test (the GAE shared IPs accept other versions of TLS for other domains).

For a nice clean solution, use Cloudflare for your DNS. They essentially act as a middleman/web application firewall. Amongst other things (free certificates, WAF, DDoS mitigation, CDN, HTTPS force, HSTS, etc.), you're able to set the minimum TLS version as you wish. Mine is now minimum TLS 1.2, supporting TLS 1.3 if the browser accepts it. I've also essentially only got ports 80/443 on GAE connected to Cloudflare, with no public access at all, as all traffic goes through Cloudflare first. Pretty neat - zero ports open to the public and a fully operational website! The pen test guys just scratched their heads and packed up.

Oh...and FYI - it's free for this level of configuration. Happy security testing ;-)
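
To confirm the minimum TLS version your own domain actually enforces after a change like the one described above, here is an added example (not part of the original answer) that attempts one handshake per protocol version and flags anything below TLS 1.2. The function names, the 5-second timeout and the file name in the usage comment are assumptions; the host is whatever you pass on the command line.

```javascript
// Added example: check which TLS versions a host accepts against a TLS 1.2+ policy.
// Usage: node tls-audit.js <your-host> [port]   (no host is hardcoded)
const VERSIONS = ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'];
const ALLOWED = new Set(['TLSv1.2', 'TLSv1.3']); // policy asked for in the question

// Attempt one handshake pinned to exactly one protocol version.
async function probe(host, port, version) {
  // Dynamic import so the file works as CommonJS or as an ES module.
  const tls = await import('node:tls');
  return new Promise((resolve) => {
    const socket = tls.connect({
      host,
      port,
      servername: host, // SNI: shared front-end IPs answer per domain, so name yours
      minVersion: version,
      maxVersion: version,
      // OpenSSL 3 will not offer TLS 1.0/1.1 at its default security level, which
      // would make them look rejected; lower the level for this probe only.
      ciphers: 'DEFAULT@SECLEVEL=0',
      rejectUnauthorized: false, // auditing the protocol, not the certificate
    });
    const done = (accepted, detail) => {
      socket.destroy();
      resolve({ version, accepted, detail });
    };
    socket.setTimeout(5000, () => done(false, 'timeout'));
    socket.once('secureConnect', () => done(true, socket.getCipher().name));
    socket.on('error', (err) => done(false, err.code || err.message));
  });
}

// Pure policy check: accepted versions that the policy does not allow.
function policyViolations(results, allowed = ALLOWED) {
  return results.filter((r) => r.accepted && !allowed.has(r.version)).map((r) => r.version);
}

async function audit(host, port = 443) {
  const results = [];
  for (const v of VERSIONS) results.push(await probe(host, port, v));
  return { results, violations: policyViolations(results) };
}

if (process.argv[2]) {
  audit(process.argv[2], Number(process.argv[3] || 443)).then(({ results, violations }) => {
    for (const r of results) console.log(r.version, r.accepted ? 'accepted' : 'rejected', r.detail);
    if (violations.length) process.exitCode = 1; // non-zero exit for CI use
  });
}
```

For accepted versions the detail column is the negotiated cipher suite name, which helps with the question's second point about weak ciphers.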
