Preface
Our company's recent vulnerability scan flagged a Secure Sockets Layer (SSL) finding: an SSL public key smaller than 1024 bits. When the server's ephemeral Diffie-Hellman public key for SSL/TLS is 1024 bits or less, there is a risk that the plaintext of the connection can be recovered.
Generate a 2048-bit dhparam file
```shell
openssl dhparam -out dhparam.pem 2048
```
Create the Secret
```shell
kubectl create secret generic dhparam --from-file=dhparam.pem -n nginx-ingress
```
Edit the nginx-ingress-controller ConfigMap
Set ssl-dh-param: [namespace]/[secretName]
```yaml
apiVersion: v1
data:
  enable-vts-status: "false"
  ssl-ciphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  ssl-dh-param: nginx-ingress/dhparam
  ssl-protocols: TLSv1 TLSv1.1 TLSv1.2
kind: ConfigMap
metadata:
  labels:
    app: nginx-ingress
    chart: nginx-ingress-1.6.11
    component: controller
    heritage: Tiller
    release: public-porter
  name: public-porter-nginx-ingress-controller
  namespace: nginx-ingress
```
Restart nginx-ingress-controller
```shell
kubectl delete -n nginx-ingress pod public-porter-nginx-ingress-controller-57676dcd55-2tf5t
```
Check that the configuration took effect
```shell
kubectl exec -it public-porter-nginx-ingress-controller-57676dcd55-vqgr5 -n nginx-ingress -- grep "dh" nginx.conf
```
Problems
- Error reading Secret xx from local store
This error is usually caused by creating the file as a ConfigMap; the ssl-dh-param parameter only accepts a Secret.
- nginx.conf has no ssl_dhparam directive
This is usually because the file is not named dhparam.pem. When generating it, you must run openssl dhparam -out dhparam.pem 2048 so that the file name is exactly dhparam.pem.
- The answers to the problems above can actually be found in the nginx-ingress source code:
```go
sslDHParam := ""
```
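As an added example (not part of the original post, and not ingress-nginx code), a stdlib-only Python pre-check for the two failure modes listed above: it parses a PEM dhparam file (SEQUENCE { INTEGER p, INTEGER g }) to measure the prime p, and lints a Secret manifest for kind: Secret and the exact data key dhparam.pem. The sample prime and the manifest builder are constructed for the demonstration and are assumptions; in practice feed it the output of `kubectl get secret dhparam -n nginx-ingress -o json`.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def _der(tag, body):  # encode one DER tag/length/value; long-form length when body >= 128 bytes
    n, nb = len(body), (len(body).bit_length() + 7) // 8
    ln = bytes([n]) if n < 128 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + ln + body

def make_dhparam_pem(p, g=2):
    """PEM 'DH PARAMETERS' is SEQUENCE { INTEGER p, INTEGER g }, the layout openssl dhparam writes."""
    ints = [v.to_bytes((v.bit_length() + 8) // 8, "big") for v in (p, g)]  # spare byte keeps INTEGER positive
    b64 = base64.b64encode(_der(0x30, b"".join(_der(0x02, b) for b in ints))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"

def _read_tlv(buf, pos):  # decode one DER tag/length/value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nb = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem):
    """Bit length of the prime p in a PEM dhparam file, which is what the scanner measures."""
    if not (m := PEM_RE.search(pem)):
        raise ValueError("no DH PARAMETERS block in input")
    tag, seq, _ = _read_tlv(base64.b64decode("".join(m.group(1).split())), 0)
    ptag, p, _ = _read_tlv(seq, 0)
    if tag != 0x30 or ptag != 0x02:
        raise ValueError("unexpected ASN.1 structure")
    return int.from_bytes(p, "big").bit_length()

def check_dhparam_secret(obj, min_bits=2048):
    """Lint a manifest dict the way ingress-nginx's ssl-dh-param consumes it."""
    problems = []
    if obj.get("kind") != "Secret":
        problems.append(f"kind is {obj.get('kind')!r}: ssl-dh-param only reads a Secret, not a ConfigMap")
    if "dhparam.pem" not in (obj.get("data") or {}):
        return problems + ["no data key named dhparam.pem: the controller looks for exactly that name"]
    bits = dh_prime_bits(base64.b64decode(obj["data"]["dhparam.pem"]).decode())
    if bits < min_bits:
        problems.append(f"DH prime is {bits} bits; at least {min_bits} required")
    return problems

SAMPLE_P_2048 = (1 << 2047) + 1  # constructed: right size, NOT a real safe prime (only size is checked)
def sample_secret(key="dhparam.pem", p=SAMPLE_P_2048, kind="Secret"):  # mimics kubectl create secret --from-file
    return {"apiVersion": "v1", "kind": kind, "metadata": {"name": "dhparam", "namespace": "nginx-ingress"},
            "data": {key: base64.b64encode(make_dhparam_pem(p).encode()).decode()}}
```

Run check_dhparam_secret on the JSON of the live Secret before restarting the controller; an empty list means the file will be picked up and satisfies the 2048-bit requirement.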
- Author: ChuLinx
- Link: http://yoursite.com/2019/11/30/kubernetes_nginx_ingress配置ssl_dhparam/
- Copyright: Unless otherwise stated, all articles on this blog are released under the MIT license. Please credit the source when reposting!