Bug 1358862 - [RFE] Modify HAProxy Preference for SSL Ciphers
Summary: [RFE] Modify HAProxy Preference for SSL Ciphers
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Phil Cameron
QA Contact: Johnny Liu
Depends On:
Reported: 2016-07-21 15:59 UTC by Steven Walter
Modified: 2016-07-25 18:48 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2016-07-25 18:48:23 UTC
Target Upstream Version:


Description Steven Walter 2016-07-21 15:59:12 UTC
1. Proposed title of this feature request
  Method to Modify HAProxy's Preference for SSL Ciphers

3. What is the nature and description of the request?

  Customer wants to set the HAProxy service's preference to RSA ciphers above the Diffie-Hellman ciphers. As some customers may have different preferences, it may be better to make it easier to modify the preference order rather than simply change the hard-coded order.

4. Why does the customer need this?
  Security audit requirements

5. How would the customer like to achieve this?
  It seems a configuration file or environment variable could be a possibility

7. Is there already an existing RFE upstream or in Red Hat bugzilla?
  Not that I can tell for this specific issue

Comment 2 Ben Bennett 2016-07-21 20:00:12 UTC
You could do this today by adding a configmap with a replacement router template:

That way you can tweak the router ciphers without rebuilding an image.

Comment 3 Steven Walter 2016-07-22 14:22:15 UTC
Hey Ben, thanks. I'm looking through the template output generated by:

docker run --rm --interactive=true --tty --entrypoint=cat \ haproxy-config.template

As per the docs (used the github doc you sent but that does not show the command to get the output to write to file)

I am not seeing where one would make this sort of specification. The closest I can guess is that one of the filepaths contains this information (like the /var/lib/haproxy/conf/ files); at the risk of asking something basic, where would one make this sort of requirement?

Comment 4 Ben Bennett 2016-07-22 14:36:26 UTC
Sorry, I'm not sure I understand the question.  Use the 'docker run' command you have to get the image, but add > /tmp/haproxy.template to save it to disk.

Then edit the file and specify the path /tmp/haproxy.template as the argument to 'oc create configmap customrouter'.  You should be able to follow the rest of the guide from that point.

Comment 5 Ben Bennett 2016-07-22 14:37:37 UTC
Phil, if there are further questions about the workflow to replace the template in a router can you work with Steven to resolve them please?

Comment 6 Steven Walter 2016-07-22 14:49:16 UTC
My question is not the flow of saving and editing the file, nor using the custom template to deploy a custom router; but rather what in the template to edit. The guide only says "Make your edits then . . ." but specifies nothing about what edits to make. Obviously an extensive HAProxy editing guide is outside the scope of our documentation; but I am having trouble determining what edits to make.

Comment 7 Phil Cameron 2016-07-22 19:16:00 UTC
Steven, the haproxy-config.template becomes haproxy-config in the router container.
oc get pods -n default
oc rsh router.....
cat haproxy.config

So you need to edit the lines in haproxy-config.template that will get you the desired order in the haproxy.config file. You may start with looking at "ssl-default-bind-ciphers"

haproxy.config is haproxy's config file so looking for haproxy configuration on the web can help out as well (google for haproxy ssl cipher). 

Is this what you are looking for?

Comment 8 Steven Walter 2016-07-22 20:02:23 UTC
Hi, yeah, I am starting to get closer to the issue. My initial confusion was that the ssl-default-bind-ciphers list does not seem to appear in the template:

  # maxconn 4096
  . . .
  stats timeout 2m

  # maxconn 4096
  . . .

But it DOES appear in the config of the built image:

  # Intermediate cipher suite (default) from
  tune.ssl.default-dh-param 2048
  ssl-default-bind-ciphers ECD...DES-CBC3-SHA

  # maxconn 4096

Now that I see them side-by-side I see how the template turns into the config file though, and will do some Google work.

I'll write a KCS about this once I get it working, since it is not immediately obvious from the template and the documentation (reasonably) doesn't get into specifics. Thanks all.
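
The workflow Ben and Phil describe in Comments 2, 4 and 7 (dump the template from the router image, change the ssl-default-bind-ciphers line, load the result as a configmap) can be scripted, and the cipher order can be checked before the router is redeployed. The script below is an added example, not code from this thread or from OpenShift. It assumes: a constructed fragment of the template's "global" section standing in for the real file; that the router image name is supplied by the caller (the thread elides it); and that the oc set volume / oc set env invocations match the 3.x custom-router documentation (older releases spell them "oc volume" and "oc env"). The ordering check is name-based: any suite whose name contains "DH" is treated as (EC)DH key exchange, everything else as RSA key exchange.

```sh
#!/bin/sh
# Added example, not code from the Bugzilla thread or from OpenShift.
# Constructed fragment of a router template's "global" section; the real
# haproxy-config.template is much longer, this is only the part being edited.
SAMPLE_TEMPLATE='global
  maxconn 20000
  daemon
  # Intermediate cipher suite (default)
  tune.ssl.default-dh-param 2048
  ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:DES-CBC3-SHA
'

# Print the cipher string currently set by ssl-default-bind-ciphers in $1.
get_ciphers() {
  sed -n 's/^[[:space:]]*ssl-default-bind-ciphers //p' "$1"
}

# Replace the ssl-default-bind-ciphers value in template file $1 with $2.
# Returns 1 when the directive is absent, so a silent no-op edit cannot be
# mistaken for a successful one (the directive is what haproxy reads as
# its server-side preference order).
set_ciphers() {
  file=$1 ciphers=$2
  grep -q '^[[:space:]]*ssl-default-bind-ciphers ' "$file" || return 1
  sed "s|^\([[:space:]]*ssl-default-bind-ciphers \).*|\1${ciphers}|" "$file" > "$file.tmp" &&
    mv "$file.tmp" "$file"
}

# Return 0 when no (EC)DH key-exchange suite precedes an RSA key-exchange
# suite in an OpenSSL-style cipher string, i.e. the order the customer asked
# for. Exclusions (!aNULL) and sort directives (@STRENGTH) are skipped.
rsa_kx_first() {
  seen_dh=0 oldifs=$IFS
  IFS=:
  for c in $1; do
    case $c in
      '!'*|@*) ;;                                  # not a suite, skip
      *DH*) seen_dh=1 ;;                           # DHE-, ECDHE-, ADH-, kEDH, ECDH+...
      *) if [ "$seen_dh" -eq 1 ]; then IFS=$oldifs; return 1; fi ;;
    esac
  done
  IFS=$oldifs
  return 0
}

# The configmap workflow from the thread as one function (assumed commands:
# image name $1 is the router image your cluster runs; the oc set volume /
# oc set env spellings are from the 3.x docs, older releases use oc volume
# and oc env). Not run by the demo below because it needs docker and oc.
deploy_custom_router() {
  image=$1 ciphers=$2 tmpl=/tmp/haproxy.template
  # --tty is deliberately omitted: a pseudo-tty turns every newline into
  # CRLF and leaves stray carriage returns in the saved template.
  docker run --rm --entrypoint=cat "$image" haproxy-config.template > "$tmpl" || return 1
  set_ciphers "$tmpl" "$ciphers" || { echo "no ssl-default-bind-ciphers in template" >&2; return 1; }
  rsa_kx_first "$ciphers" || echo "warning: a DH suite still precedes an RSA suite" >&2
  oc create configmap customrouter --from-file=haproxy-config.template="$tmpl" &&
    oc set volume dc/router --add --overwrite --name=config-volume \
      --mount-path=/var/lib/haproxy/conf/custom \
      --source='{"configMap":{"name":"customrouter"}}' &&
    oc set env dc/router TEMPLATE_FILE=/var/lib/haproxy/conf/custom/haproxy-config.template
}

# Offline demonstration on the constructed fragment: show the default order,
# rewrite it RSA-first, and confirm the check now passes.
demo() {
  t=$(mktemp) || return 1
  printf '%s' "$SAMPLE_TEMPLATE" > "$t"
  echo "before: $(get_ciphers "$t")"
  set_ciphers "$t" 'AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5'
  echo "after:  $(get_ciphers "$t")"
  rsa_kx_first "$(get_ciphers "$t")" && echo "RSA key exchange is preferred"
  rm -f "$t"
}
demo
```

The check only looks at the order of the string; whether a given suite is offered at all still depends on the OpenSSL build inside the router image, so after redeploying, confirm the live order with something like openssl s_client against the router rather than trusting the template alone.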

Comment 9 Phil Cameron 2016-07-25 17:17:21 UTC
Steve, are we at a point that we can close this?

Comment 10 Steven Walter 2016-07-25 17:59:54 UTC
Hi, sorry, yes we can close this, thanks all.
