Google App Engine Node.js TLS 1.2


Problem description

Our application is hosted on Google App Engine Node.js (Flexible Environment). We are now under review of security inspection and failing on the issue that Google App Engine supports TLS 1.0 and 1.1 versions.

Is there a way to enforce the use of only TLS 1.2? And also block ciphers that are below 128 bit?

Recommended answer

So I also came up against this problem... and found that GCP weren't that helpful. They'll helpfully restrict at a domain level if a support ticket is put forward... which resolves the security concern... but you'll still get false positives which need explaining at every penetration test (the GAE shared IPs accept other versions of TLS for other domains).

For a nice clean solution; use Cloudflare for your DNS. They essentially act as a middleman/web application firewall. Amongst other things (free certificates, WAF, DDoS mitigation, CDN, HTTPS force, HSTS etc etc etc), you're able to set the minimum TLS version as you wish. Mine is now minimum TLS 1.2, supporting TLS 1.3 if the browser accepts it. I've also essentially only got port 80/443 on GAE connected to Cloudflare, with no public access at all, as all traffic goes through Cloudflare first. Pretty neat - zero ports open to the public and a fully operational website! The pen test guys just scratched their heads and packed up.

Oh...and FYI - it's free for this level of configuration. Happy security testing ;-)
