【Question title】: AWS Cloudformation: Loadbalancer Custom SSL Negotiation Policy
【Posted】: 2015-01-01 15:48:21
【Question】:

Trying to set up a cloudformation template with a custom SSL negotiation policy. The cloudformation error I get is:

CREATE_FAILED AWS::ElasticLoadBalancing::LoadBalancer BackendELB SSLNegotiationPolicy could not be enabled

The relevant part of my cloudformation template is as follows:

    "Policies" : [
        {
            "PolicyName": "SSLNegotiationPolicy",
            "PolicyType": "SSLNegotiationPolicyType",
            "Attributes": [
                { "Name" : "Protocol-TLSv1", "Value" : "true" },
                { "Name" : "Protocol-TLSv1.1", "Value" : "true" },
                { "Name" : "Protocol-TLSv1.2", "Value" : "true" },
                { "Name" : "Protocol-SSLv2", "Value" : "false" },
                { "Name" : "Protocol-SSLv3", "Value" : "false" },
                { "Name" : "ECDHE-RSA-AES128-GCM-SHA256", "Value" : "true" },
                { "Name" : "ECDHE-ECDSA-AES128-SHA256", "Value" : "true" },
                { "Name" : "ECDHE-RSA-AES128-SHA256", "Value" : "true" },
                { "Name" : "ECDHE-ECDSA-AES128-SHA", "Value" : "true" },
                { "Name" : "ECDHE-RSA-AES128-SHA", "Value" : "true" },
                { "Name" : "DHE-RSA-AES128-SHA", "Value" : "true" },
                { "Name" : "ECDHE-ECDSA-AES256-GCM-SHA384", "Value" : "true" },
                { "Name" : "ECDHE-RSA-AES256-GCM-SHA384", "Value" : "true" },
                { "Name" : "ECDHE-ECDSA-AES256-SHA384", "Value" : "true" },
                { "Name" : "ECDHE-RSA-AES256-SHA384", "Value" : "true" },
                { "Name" : "ECDHE-RSA-AES256-SHA", "Value" : "true" },
                { "Name" : "ECDHE-ECDSA-AES256-SHA", "Value" : "true" },
                { "Name" : "AES128-GCM-SHA256", "Value" : "true" },
                { "Name" : "AES128-SHA256", "Value" : "true" },
                { "Name" : "AES128-SHA", "Value" : "true" },
                { "Name" : "AES256-GCM-SHA384", "Value" : "true" },
                { "Name" : "AES256-SHA256", "Value" : "true" },
                { "Name" : "AES256-SHA", "Value" : "true" },
                { "Name" : "DHE-DSS-AES128-SHA", "Value" : "true" },
                { "Name" : "RC4-SHA", "Value" : "false" },
                { "Name" : "ECDHE-ECDSA-RC4-SHA", "Value" : "false" }
            ],
            "InstancePorts" : [ "443" ]
        }
    ]

If I remove the InstancePorts section, the ELB is created without errors, but the new load balancer does not use the policy outlined above.

Any ideas?

Side question: is it necessary to set every value of the policy to true or false, or, if a cipher is not defined in the template, does it default to the value defined in the recommended SSL policy?

【Question discussion】:

    Tags: ssl amazon-web-services amazon-cloudformation


    【Solution 1】:

    I think you are on the right track. You can view the contents of the existing security policies with:

    aws elb describe-load-balancer-policies
    

    For completeness, I specified everything, e.g. the following policy:

        "Policies" : [
          {
            "PolicyName" : "My-ELBSecurityPolicy-2014-10-DisableRC4",
            "PolicyType" : "SSLNegotiationPolicyType",
            "Attributes" : [
                { "Name": "Protocol-SSLv2", "Value": "false" }, 
                { "Name": "Protocol-TLSv1", "Value": "true" }, 
                { "Name": "Protocol-SSLv3", "Value": "false" }, 
                { "Name": "Protocol-TLSv1.1", "Value": "true" }, 
                { "Name": "Protocol-TLSv1.2", "Value": "true" }, 
                { "Name": "Server-Defined-Cipher-Order", "Value": "true" }, 
                { "Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Value": "true" }, 
                { "Name": "ECDHE-RSA-AES128-GCM-SHA256", "Value": "true" }, 
                { "Name": "ECDHE-ECDSA-AES128-SHA256", "Value": "true" }, 
                { "Name": "ECDHE-RSA-AES128-SHA256", "Value": "true" }, 
                { "Name": "ECDHE-ECDSA-AES128-SHA", "Value": "true" }, 
                { "Name": "ECDHE-RSA-AES128-SHA", "Value": "true" }, 
                { "Name": "DHE-RSA-AES128-SHA", "Value": "true" }, 
                { "Name": "ECDHE-ECDSA-AES256-GCM-SHA384", "Value": "true" }, 
                { "Name": "ECDHE-RSA-AES256-GCM-SHA384", "Value": "true" }, 
                { "Name": "ECDHE-ECDSA-AES256-SHA384", "Value": "true" }, 
                { "Name": "ECDHE-RSA-AES256-SHA384", "Value": "true" }, 
                { "Name": "ECDHE-RSA-AES256-SHA", "Value": "true" }, 
                { "Name": "ECDHE-ECDSA-AES256-SHA", "Value": "true" }, 
                { "Name": "AES128-GCM-SHA256", "Value": "true" }, 
                { "Name": "AES128-SHA256", "Value": "true" }, 
                { "Name": "AES128-SHA", "Value": "true" }, 
                { "Name": "AES256-GCM-SHA384", "Value": "true" }, 
                { "Name": "AES256-SHA256", "Value": "true" }, 
                { "Name": "AES256-SHA", "Value": "true" }, 
                { "Name": "DHE-DSS-AES128-SHA", "Value": "true" }, 
                { "Name": "CAMELLIA128-SHA", "Value": "false" }, 
                { "Name": "EDH-RSA-DES-CBC3-SHA", "Value": "false" }, 
                { "Name": "DES-CBC3-SHA", "Value": "false" }, 
                { "Name": "ECDHE-RSA-RC4-SHA", "Value": "false" }, 
                { "Name": "RC4-SHA", "Value": "false" }, 
                { "Name": "ECDHE-ECDSA-RC4-SHA", "Value": "false" }, 
                { "Name": "DHE-DSS-AES256-GCM-SHA384", "Value": "false" }, 
                { "Name": "DHE-RSA-AES256-GCM-SHA384", "Value": "false" }, 
                { "Name": "DHE-RSA-AES256-SHA256", "Value": "false" }, 
                { "Name": "DHE-DSS-AES256-SHA256", "Value": "false" }, 
                { "Name": "DHE-RSA-AES256-SHA", "Value": "false" }, 
                { "Name": "DHE-DSS-AES256-SHA", "Value": "false" }, 
                { "Name": "DHE-RSA-CAMELLIA256-SHA", "Value": "false" }, 
                { "Name": "DHE-DSS-CAMELLIA256-SHA", "Value": "false" }, 
                { "Name": "CAMELLIA256-SHA", "Value": "false" }, 
                { "Name": "EDH-DSS-DES-CBC3-SHA", "Value": "false" }, 
                { "Name": "DHE-DSS-AES128-GCM-SHA256", "Value": "false" }, 
                { "Name": "DHE-RSA-AES128-GCM-SHA256", "Value": "false" }, 
                { "Name": "DHE-RSA-AES128-SHA256", "Value": "false" }, 
                { "Name": "DHE-DSS-AES128-SHA256", "Value": "false" }, 
                { "Name": "DHE-RSA-CAMELLIA128-SHA", "Value": "false" }, 
                { "Name": "DHE-DSS-CAMELLIA128-SHA", "Value": "false" }, 
                { "Name": "ADH-AES128-GCM-SHA256", "Value": "false" }, 
                { "Name": "ADH-AES128-SHA", "Value": "false" }, 
                { "Name": "ADH-AES128-SHA256", "Value": "false" }, 
                { "Name": "ADH-AES256-GCM-SHA384", "Value": "false" }, 
                { "Name": "ADH-AES256-SHA", "Value": "false" }, 
                { "Name": "ADH-AES256-SHA256", "Value": "false" }, 
                { "Name": "ADH-CAMELLIA128-SHA", "Value": "false" }, 
                { "Name": "ADH-CAMELLIA256-SHA", "Value": "false" }, 
                { "Name": "ADH-DES-CBC3-SHA", "Value": "false" }, 
                { "Name": "ADH-DES-CBC-SHA", "Value": "false" }, 
                { "Name": "ADH-RC4-MD5", "Value": "false" }, 
                { "Name": "ADH-SEED-SHA", "Value": "false" }, 
                { "Name": "DES-CBC-SHA", "Value": "false" }, 
                { "Name": "DHE-DSS-SEED-SHA", "Value": "false" }, 
                { "Name": "DHE-RSA-SEED-SHA", "Value": "false" }, 
                { "Name": "EDH-DSS-DES-CBC-SHA", "Value": "false" }, 
                { "Name": "EDH-RSA-DES-CBC-SHA", "Value": "false" }, 
                { "Name": "IDEA-CBC-SHA", "Value": "false" }, 
                { "Name": "RC4-MD5", "Value": "false" }, 
                { "Name": "SEED-SHA", "Value": "false" }, 
                { "Name": "DES-CBC3-MD5", "Value": "false" }, 
                { "Name": "DES-CBC-MD5", "Value": "false" }, 
                { "Name": "RC2-CBC-MD5", "Value": "false" }, 
                { "Name": "PSK-AES256-CBC-SHA", "Value": "false" }, 
                { "Name": "PSK-3DES-EDE-CBC-SHA", "Value": "false" }, 
                { "Name": "KRB5-DES-CBC3-SHA", "Value": "false" }, 
                { "Name": "KRB5-DES-CBC3-MD5", "Value": "false" }, 
                { "Name": "PSK-AES128-CBC-SHA", "Value": "false" }, 
                { "Name": "PSK-RC4-SHA", "Value": "false" }, 
                { "Name": "KRB5-RC4-SHA", "Value": "false" }, 
                { "Name": "KRB5-RC4-MD5", "Value": "false" }, 
                { "Name": "KRB5-DES-CBC-SHA", "Value": "false" }, 
                { "Name": "KRB5-DES-CBC-MD5", "Value": "false" }, 
                { "Name": "EXP-EDH-RSA-DES-CBC-SHA", "Value": "false" }, 
                { "Name": "EXP-EDH-DSS-DES-CBC-SHA", "Value": "false" }, 
                { "Name": "EXP-ADH-DES-CBC-SHA", "Value": "false" }, 
                { "Name": "EXP-DES-CBC-SHA", "Value": "false" }, 
                { "Name": "EXP-RC2-CBC-MD5", "Value": "false" }, 
                { "Name": "EXP-KRB5-RC2-CBC-SHA", "Value": "false" }, 
                { "Name": "EXP-KRB5-DES-CBC-SHA", "Value": "false" }, 
                { "Name": "EXP-KRB5-RC2-CBC-MD5", "Value": "false" }, 
                { "Name": "EXP-KRB5-DES-CBC-MD5", "Value": "false" }, 
                { "Name": "EXP-ADH-RC4-MD5", "Value": "false" }, 
                { "Name": "EXP-RC4-MD5", "Value": "false" }, 
                { "Name": "EXP-KRB5-RC4-SHA", "Value": "false" }, 
                { "Name": "EXP-KRB5-RC4-MD5", "Value": "false" }
            ]
          }
        ]
    

    You also have to reference the policy in the ELB specification itself:

        "Listeners" : [
          { "LoadBalancerPort" : "80",
            "InstancePort" : "80",
            "Protocol" : "HTTP" },
          { "LoadBalancerPort" : "443",
            "InstancePort" : "80",
            "Protocol" : "HTTPS",
            "SSLCertificateId" : "arn:aws:iam::111111111111:server-certificate/somedomain.com",
            "PolicyNames" : [ "My-ELBSecurityPolicy-2014-10-DisableRC4", "SomeOtherPolicy" ]
          }
        ],
    

    【Discussion】:

    • This helped solve my problem. Basically did not realize that you have to reference the policy name in the PolicyNames array. Thanks.
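The point of the answer above is that a policy defined under `Policies` is inert until a listener's `PolicyNames` names it, which is exactly the silent failure mode the question describes (stack creates fine, load balancer ignores the policy). The following checker is an added example, not code from the question, the answer or AWS: it walks a CloudFormation template (a constructed in-memory sample modelled on the fragments on this page, with a placeholder certificate ARN), reports every `SSLNegotiationPolicyType` policy that no listener references, any HTTPS listener that names no policy, any `InstancePorts` set on an SSL negotiation policy (the question reports CREATE_FAILED with it present), and any attribute that enables SSLv2/SSLv3 or a cipher family the answer's policy keeps disabled (RC4, DES/3DES, export, anonymous DH, MD5-based). The function names `check_template` and `check_load_balancer` and the weak-cipher marker list are my own choices, not anything from the page.

```python
import json
import sys

# Constructed sample template modelled on the fragments in the question and answer.
# The certificate ARN is a placeholder, not a real resource.
SAMPLE_TEMPLATE = {
    "Resources": {
        "BackendELB": {
            "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
            "Properties": {
                "Listeners": [
                    {"LoadBalancerPort": "80", "InstancePort": "80", "Protocol": "HTTP"},
                    {"LoadBalancerPort": "443", "InstancePort": "80", "Protocol": "HTTPS",
                     "SSLCertificateId": "arn:aws:iam::111111111111:server-certificate/PLACEHOLDER",
                     "PolicyNames": ["SSLNegotiationPolicy"]},
                ],
                "Policies": [
                    # Referenced by the 443 listener and only strong settings enabled: no findings.
                    {"PolicyName": "SSLNegotiationPolicy",
                     "PolicyType": "SSLNegotiationPolicyType",
                     "Attributes": [
                         {"Name": "Protocol-TLSv1.2", "Value": "true"},
                         {"Name": "Protocol-SSLv3", "Value": "false"},
                         {"Name": "RC4-SHA", "Value": "false"},
                         {"Name": "ECDHE-RSA-AES128-GCM-SHA256", "Value": "true"},
                     ]},
                    # Constructed bad policy: unreferenced, carries InstancePorts, enables SSLv3 and RC4-MD5.
                    {"PolicyName": "UnreferencedPolicy",
                     "PolicyType": "SSLNegotiationPolicyType",
                     "InstancePorts": ["443"],
                     "Attributes": [
                         {"Name": "Protocol-SSLv3", "Value": "true"},
                         {"Name": "RC4-MD5", "Value": "true"},
                     ]},
                ],
            },
        }
    }
}

ELB_TYPE = "AWS::ElasticLoadBalancing::LoadBalancer"
INSECURE_PROTOCOLS = {"Protocol-SSLv2", "Protocol-SSLv3"}
# Substrings identifying cipher families the answer's policy sets to "false".
WEAK_CIPHER_MARKERS = ("RC4", "DES", "EXP-", "ADH-", "MD5", "NULL")


def enabled_attributes(policy):
    """Names of attributes whose Value is the string "true"."""
    return {a["Name"] for a in policy.get("Attributes", [])
            if str(a.get("Value", "")).lower() == "true"}


def check_load_balancer(props):
    """Return a list of human-readable findings for one load balancer's Properties."""
    findings = []
    listeners = props.get("Listeners", [])
    referenced = set()
    for listener in listeners:
        referenced.update(listener.get("PolicyNames", []))

    for policy in props.get("Policies", []):
        if policy.get("PolicyType") != "SSLNegotiationPolicyType":
            continue
        name = policy["PolicyName"]
        if name not in referenced:
            findings.append(f"{name}: not referenced by any listener's PolicyNames, so it is never applied")
        if "InstancePorts" in policy:
            findings.append(f"{name}: InstancePorts set on an SSL negotiation policy (question reports CREATE_FAILED)")
        on = enabled_attributes(policy)
        for proto in sorted(on & INSECURE_PROTOCOLS):
            findings.append(f"{name}: {proto} is enabled")
        for attr in sorted(on):
            if attr.startswith("Protocol-") or attr == "Server-Defined-Cipher-Order":
                continue
            if any(marker in attr for marker in WEAK_CIPHER_MARKERS):
                findings.append(f"{name}: weak cipher {attr} is enabled")

    for listener in listeners:
        if listener.get("Protocol") in ("HTTPS", "SSL") and not listener.get("PolicyNames"):
            findings.append(f"listener {listener.get('LoadBalancerPort')}: TLS listener names no policy, default ELB policy applies")
    return findings


def check_template(template):
    """Map each classic ELB logical id in the template to its findings."""
    return {logical_id: check_load_balancer(res.get("Properties", {}))
            for logical_id, res in template.get("Resources", {}).items()
            if res.get("Type") == ELB_TYPE}


if __name__ == "__main__":
    # Usage: python check_elb_policy.py [template.json]; with no argument the sample is checked.
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for logical_id, findings in check_template(template).items():
        print(f"{logical_id}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  - {f}")
```

Run against the constructed sample, the well-formed `SSLNegotiationPolicy` produces nothing, while `UnreferencedPolicy` yields four findings: unreferenced, `InstancePorts` present, SSLv3 enabled, and RC4-MD5 enabled. Point it at a real template with the JSON file as the argument to catch the "defined but never named in PolicyNames" mistake before the stack is created.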