move elb docs to proper location Reviewed-by: OpenTelekomCloud Bot <None>
Security Policy
Scenarios
When you add HTTPS listeners, you can select desired security policies to improve service security. A security policy is a combination of TLS protocols and cipher suites.
Adding a Security Policy
- Log in to the management console.
- In the upper left corner of the page, click the icon and select the desired region and project.
- Hover over the icon in the upper left corner to display Service List and choose Network > Elastic Load Balancing.
- Locate the load balancer and click its name.
- Under Listeners, click Add Listener.
- In the Add Listener dialog, expand Advanced Settings, and select a security policy. Table 1 lists the parameters to be configured.
Table 1 Security policy parameters

Parameter | Description | TLS Version | Cipher Suite
---|---|---|---
TLS-1-0 | TLS 1.0, TLS 1.1, and TLS 1.2 and supported cipher suites (high compatibility and moderate security) | TLS 1.2, TLS 1.1, TLS 1.0 | ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-SHA:AES256-SHA
TLS-1-1 | TLS 1.1 and TLS 1.2 and supported cipher suites (moderate compatibility and moderate security) | TLS 1.2, TLS 1.1 | Same cipher suites as TLS-1-0 (see the table of differences below)
TLS-1-2 | TLS 1.2 and supported cipher suites (moderate compatibility and high security) | TLS 1.2 | Same cipher suites as TLS-1-0 (see the table of differences below)
TLS-1-2-Strict | Strict TLS 1.2 and supported cipher suites (low compatibility and ultra-high security) | TLS 1.2 | ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384
- Click OK.
Differences Between Security Policies
Security Policy | TLS-1-0 | TLS-1-1 | TLS-1-2 | TLS-1-2-Strict | TLS-1-2-FS
---|---|---|---|---|---
TLS versions | | | | |
Protocol-TLS 1.3 | - | - | - | - | √
Protocol-TLS 1.2 | √ | √ | √ | √ | √
Protocol-TLS 1.1 | √ | √ | - | - | -
Protocol-TLS 1.0 | √ | - | - | - | -
Cipher suites | | | | |
ECDHE-RSA-AES128-GCM-SHA256 | √ | √ | √ | √ | -
ECDHE-RSA-AES256-GCM-SHA384 | √ | √ | √ | √ | √
ECDHE-RSA-AES128-SHA256 | √ | √ | √ | √ | √
ECDHE-RSA-AES256-SHA384 | √ | √ | √ | √ | √
AES128-GCM-SHA256 | √ | √ | √ | √ | -
AES256-GCM-SHA384 | √ | √ | √ | √ | -
AES128-SHA256 | √ | √ | √ | √ | -
AES256-SHA256 | √ | √ | √ | √ | -
ECDHE-RSA-AES128-SHA | √ | √ | √ | - | -
ECDHE-RSA-AES256-SHA | √ | √ | √ | - | -
AES128-SHA | √ | √ | √ | - | -
AES256-SHA | √ | √ | √ | - | -
ECDHE-ECDSA-AES128-GCM-SHA256 | √ | √ | √ | √ | √
ECDHE-ECDSA-AES128-SHA256 | √ | √ | √ | √ | √
ECDHE-ECDSA-AES128-SHA | √ | √ | √ | - | -
ECDHE-ECDSA-AES256-GCM-SHA384 | √ | √ | √ | √ | √
ECDHE-ECDSA-AES256-SHA384 | √ | √ | √ | √ | √
ECDHE-ECDSA-AES256-SHA | √ | √ | √ | - | -
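As an added example (not code from the Open Telekom Cloud documentation), the Python script below parses the cipher suite strings from Table 1 and derives the pattern behind the table of differences: TLS-1-2-Strict removes every suite whose record protection relies on a SHA-1 HMAC (the CBC "-SHA" suites), and the four suites that Strict still allows without forward secrecy (static RSA key transport) are among those the table shows TLS-1-2-FS no longer offers. The suite lists are copied from the page; the name classification is this example's own reading of OpenSSL suite naming (an assumption, not something the page states).

```python
# Added example, not part of the Open Telekom Cloud documentation: parse the
# OpenSSL-style cipher suite strings from Table 1 and work out what each
# security policy gives up. The suite lists are the page's; the classification
# rules are this example's own reading of OpenSSL suite names (assumption).

TLS_1_0 = (  # cipher suite string of TLS-1-0 (also used by TLS-1-1 and TLS-1-2)
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA256:AES128-SHA256:AES256-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:"
    "ECDHE-ECDSA-AES256-SHA:AES128-SHA:AES256-SHA"
)
TLS_1_2_STRICT = (  # cipher suite string of TLS-1-2-Strict
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA256:AES128-SHA256:AES256-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384"
)

def parse_suites(policy_string):
    """Split a colon-separated OpenSSL cipher list into suite names."""
    return [s for s in policy_string.split(":") if s]

def classify(suite):
    """Describe one suite name: key exchange, authentication, AEAD, hash."""
    parts = suite.split("-")
    if parts[0] == "ECDHE":          # ephemeral ECDH: forward secrecy
        kx, auth, rest = "ECDHE", parts[1], parts[2:]
    else:                            # bare name = static RSA key transport
        kx, auth, rest = "RSA", "RSA", parts
    return {"kx": kx, "auth": auth, "forward_secrecy": kx == "ECDHE",
            "aead": "GCM" in rest, "hash": rest[-1]}  # "SHA" = SHA-1 HMAC (CBC)

def dropped_by(wider, narrower):
    """Suites allowed by the wider policy but removed by the narrower one."""
    keep = set(parse_suites(narrower))
    return [s for s in parse_suites(wider) if s not in keep]

def without_forward_secrecy(policy_string):
    """Suites a policy still allows that use static RSA key transport."""
    return [s for s in parse_suites(policy_string)
            if not classify(s)["forward_secrecy"]]

if __name__ == "__main__":
    print("TLS-1-2-Strict drops:", dropped_by(TLS_1_0, TLS_1_2_STRICT))
    print("Strict keeps without PFS:", without_forward_secrecy(TLS_1_2_STRICT))
```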
Modifying a Security Policy
When you modify a security policy, ensure that the security group containing backend servers allows access from 100.125.0.0/16 and allows ICMP packets for UDP health checks. Otherwise, backend servers will be considered unhealthy, and routing will be affected.
- Log in to the management console.
- In the upper left corner of the page, click the icon and select the desired region and project.
- Hover over the icon in the upper left corner to display Service List and choose Network > Elastic Load Balancing.
- Locate the load balancer and click its name.
- Locate the listener and click the icon on the right of its name.
- On the Modify Listener page, expand Advanced Settings and modify the security policy.
- Click OK.