Increasing HAProxy's SSL Security

Mon 23 May 2016

I run an HAProxy load balancer in front of the Apache server that hosts this website, and I wanted to see how secure its SSL/TLS configuration was. I went to the Qualys SSL Labs Server Test and, to my disappointment, I did not do well: my server got a C.

(Screenshot: SSL Labs report showing a C rating)

I had left HAProxy's default SSL configuration in place when I set it up, and several of those defaults are considered insecure today. Specifically, the server was losing points for still offering SSLv3 (broken by the POODLE attack in 2014) and for accepting weak cipher suites: with no cipher list configured, HAProxy simply uses OpenSSL's default list, which at the time still included RC4.

After some Google searching I found this guide, which provided a solid HAProxy configuration (the cipher list is Mozilla's "intermediate" compatibility list of that era). In the global section I added the following:

global
   # DHE parameter size; without this HAProxy falls back to 1024-bit DH and warns about it at startup
   tune.ssl.default-dh-param 2048

   # drop SSLv3 (POODLE) and TLS session tickets (a long-lived ticket key undermines forward secrecy)
   ssl-default-bind-options no-sslv3 no-tls-tickets
   # forward-secret ECDHE/DHE AEAD suites first, legacy static-RSA and 3DES suites last, then the exclusions
   ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

After reloading the HAProxy service I ran the test again and, voila, an A rating. (An A+ additionally requires an HSTS header with a long max-age, which is an Apache or HAProxy response-header change rather than a cipher change.)

(Screenshot: SSL Labs report showing an A rating)

It should be noted that this configuration breaks compatibility with some very crusty browsers. If your visitors are still using Internet Explorer 6, tell them to upgrade. Bear in mind as well that this post is from 2016: the list deliberately keeps DES-CBC3-SHA and the non-forward-secret AES suites at the tail for old clients, and current versions of the SSL Labs test penalize 3DES and TLS 1.0/1.1 support (HAProxy's no-tlsv10 and no-tlsv11 bind options turn the latter off), so rerun the test against your own server rather than copying the list blindly.
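As an added example (not code from the original post or from HAProxy), the following Python script audits an OpenSSL cipher string offline, the way you would review it before reloading HAProxy: it splits the ssl-default-bind-ciphers value into named suites, keyword aliases and exclusion rules, then flags the suites a scanner marks down (no forward secrecy, 3DES, RC4, MD5, non-AEAD) and checks that the essential exclusions are present. The STRICT_CIPHERS list it compares against is an assumed forward-secrecy-only list written for this example, not a recommendation from the post.

```python
"""Offline audit of an OpenSSL-style cipher string of the kind HAProxy takes
in ssl-default-bind-ciphers.  Added example for this post; it is not part of
the original article and does not contact any server."""
import re

# Cipher string copied from the HAProxy global section above.
HAPROXY_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:"
    "!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)

# Stricter forward-secrecy-only list used for comparison.  This is an assumed
# example list written for this script, not a recommendation from the post.
STRICT_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK"
)

# Exclusions every list should carry.  Note that OpenSSL's DES keyword means
# single DES only, so !DES does not touch DES-CBC3-SHA; triple DES needs !3DES
# or must simply be left out of the list.
REQUIRED_KILL_RULES = {"!aNULL", "!eNULL", "!EXPORT", "!RC4", "!MD5"}

# An explicitly named suite ends in its MAC or AEAD tag; keyword aliases such
# as AES, CAMELLIA or kEDH+AESGCM do not, and kill rules start with "!".
SUITE_RE = re.compile(r"^[A-Z0-9-]+-(SHA384|SHA256|SHA|MD5|POLY1305)$")


def tokenize(cipher_string):
    """Split the colon-separated OpenSSL cipher string into its tokens."""
    return [t for t in cipher_string.split(":") if t]


def explicit_suites(cipher_string):
    """Return only the individually named suites, in configured preference order."""
    return [t for t in tokenize(cipher_string) if "+" not in t and SUITE_RE.match(t)]


def audit(cipher_string):
    """Classify each explicitly enabled suite and report what a scanner would flag."""
    report = {
        "no_forward_secrecy": [],  # static RSA key exchange: a key leak decrypts recorded traffic
        "three_des": [],           # 64-bit block cipher (Sweet32)
        "rc4": [],
        "md5": [],
        "non_aead": [],            # CBC or stream suites using MAC-then-encrypt
        "missing_kill_rules": sorted(REQUIRED_KILL_RULES - set(tokenize(cipher_string))),
    }
    for suite in explicit_suites(cipher_string):
        if not suite.startswith(("ECDHE-", "DHE-", "EDH-")):
            report["no_forward_secrecy"].append(suite)
        if "DES-CBC3" in suite:
            report["three_des"].append(suite)
        if "RC4" in suite:
            report["rc4"].append(suite)
        if suite.endswith("-MD5"):
            report["md5"].append(suite)
        if "-GCM-" not in suite and not suite.endswith("-POLY1305"):
            report["non_aead"].append(suite)
    return report


def is_clean(report):
    """True when nothing in the report would cost points on a modern scan."""
    return not any(report.values())


if __name__ == "__main__":
    for label, ciphers in (("post's list", HAPROXY_CIPHERS), ("strict list", STRICT_CIPHERS)):
        rep = audit(ciphers)
        print(f"{label}: {len(explicit_suites(ciphers))} named suites, clean={is_clean(rep)}")
        for finding, suites in rep.items():
            if suites:
                print(f"  {finding}: {', '.join(suites)}")
```

Run against the list from the post it reports DES-CBC3-SHA plus the six static-RSA AES suites at the tail under no_forward_secrecy, and every CBC suite under non_aead, while the exclusion rules come back complete. Those flagged suites are exactly the compatibility concession for old clients mentioned above, and the first things to drop once your visitors no longer need them; the strict list comes back clean.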