Security Policy
Scenarios
When you add HTTPS listeners, you can select desired security policies to improve service security. A security policy is a combination of TLS protocols and cipher suites.
Adding a Security Policy
- Log in to the management console.
- In the upper left corner of the page, click
and select the desired region and project. - Hover on
in the upper left corner to display Service List and choose Network > Elastic Load Balancing. - Locate the load balancer and click its name.
- Under Listeners, click Add Listener.
- In the Add Listener dialog, expand Advanced Settings, and select a security policy. Table 1 lists the parameters to be configured.
Table 1 Security policy parametersParameter
|
Description
|
TLS Version
|
Cipher Suite
|
|---|
TLS-1-0
|
TLS 1.0, TLS 1.1, and TLS 1.2 and supported cipher suites (high compatibility and moderate security)
|
TLS 1.2
TLS 1.1
TLS 1.0
|
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-SHA:AES256-SHA
|
TLS-1-1
|
TLS 1.1 and TLS 1.2 and supported cipher suites (moderate compatibility and moderate security)
|
TLS 1.2
TLS 1.1
|
TLS-1-2
|
TLS 1.2 and supported cipher suites (moderate compatibility and high security)
|
TLS 1.2
|
TLS-1-2-Strict
|
Strict TLS 1.2 and supported cipher suites (low compatibility and ultra-high security)
|
TLS 1.2
|
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384
|
- Click OK.
Differences Between Security Policies
Table 2 Differences among the four types of security policiesSecurity Policy
|
TLS-1-0
|
TLS-1-1
|
TLS-1-2
|
TLS-1-2-Strict
|
TLS-1-2-FS
|
|---|
TLS versions
|
Protocol-TLS 1.3
|
-
|
-
|
-
|
-
|
√
|
Protocol-TLS 1.2
|
√
|
√
|
√
|
√
|
√
|
Protocol-TLS 1.1
|
√
|
√
|
-
|
-
|
-
|
Protocol-TLS 1.0
|
√
|
-
|
-
|
-
|
-
|
Cipher suites
|
EDHE-RSA-AES128-GCM-SHA256
|
√
|
√
|
√
|
√
|
-
|
ECDHE-RSA-AES256-GCM-SHA384
|
√
|
√
|
√
|
√
|
√
|
ECDHE-RSA-AES128-SHA256
|
√
|
√
|
√
|
√
|
√
|
ECDHE-RSA-AES256-SHA384
|
√
|
√
|
√
|
√
|
√
|
AES128-GCM-SHA256
|
√
|
√
|
√
|
√
|
-
|
AES256-GCM-SHA384
|
√
|
√
|
√
|
√
|
-
|
AES128-SHA256
|
√
|
√
|
√
|
√
|
-
|
AES256-SHA256
|
√
|
√
|
√
|
√
|
-
|
ECDHE-RSA-AES128-SHA
|
√
|
√
|
√
|
-
|
-
|
ECDHE-RSA-AES256-SHA
|
√
|
√
|
√
|
-
|
-
|
AES128-SHA
|
√
|
√
|
√
|
-
|
-
|
AES256-SHA
|
√
|
√
|
√
|
-
|
-
|
ECDHE-ECDSA-AES128-GCM-SHA256
|
√
|
√
|
√
|
√
|
√
|
ECDHE-ECDSA-AES128-SHA256
|
√
|
√
|
√
|
√
|
√
|
ECDHE-ECDSA-AES128-SHA
|
√
|
√
|
√
|
-
|
-
|
ECDHE-ECDSA-AES256-GCM-SHA384
|
√
|
√
|
√
|
√
|
√
|
ECDHE-ECDSA-AES256-SHA384
|
√
|
√
|
√
|
√
|
√
|
ECDHE-ECDSA-AES256-SHA
|
√
|
√
|
√
|
-
|
-
|
Modifying a Security Policy
When you modify a security policy, ensure that the security group containing backend servers allows access from 100.125.0.0/16 and allows ICMP packets for UDP health checks. Otherwise, backend servers will be considered unhealthy, and routing will be affected.
- Log in to the management console.
- In the upper left corner of the page, click and select the desired region and project.
- Hover on in the upper left corner to display Service List and choose Network > Elastic Load Balancing.
- Locate the load balancer and click its name.
- Locate the listener and click
on the right of its name. - On the Modify Listener page, expand Advanced Settings and modify the security policy.
- Click OK.
Parent topic: Advanced Features of HTTP/HTTPS Listeners