Configuring TLS configuration using GlobalConfig

EnRoute Technical Reference

EnRoute can be configured to fine-tune the TLS settings it presents on downstream connections (clients connecting to EnRoute). Several TLS configuration parameters can be set -

  - ALPN Protocols - the field tlsContext.alpnProtos configures the list of ALPN protocols offered to the downstream host. ALPN protocols are offered in the order they appear in this list.
  - Minimum TLS Version - the field tlsContext.minimumTlsVersion sets the minimum TLS version that will be negotiated with the downstream host.
  - Cipher Suites - the field tlsContext.cipherSuites lists the cipher suites that should be used. Only the cipher suites specified here are used.

The complete list of cipher suites against which the configuration is validated is as follows -

  - "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
  - "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
  - "ECDHE-ECDSA-AES128-GCM-SHA256"
  - "ECDHE-RSA-AES128-GCM-SHA256"
  - "ECDHE-ECDSA-AES128-SHA"
  - "ECDHE-RSA-AES128-SHA"
  - "AES128-GCM-SHA256"
  - "AES128-SHA"
  - "ECDHE-ECDSA-AES256-GCM-SHA384"
  - "ECDHE-RSA-AES256-GCM-SHA384"
  - "ECDHE-ECDSA-AES256-SHA"
  - "ECDHE-RSA-AES256-SHA"
  - "AES256-GCM-SHA384"
  - "AES256-SHA"

GlobalConfig for TLS

---
apiVersion: enroute.saaras.io/v1
kind: GlobalConfig
metadata:
  labels:
    app: web
  name: gc-globals
  namespace: default
spec:
  name: gc-globals
  type: globalconfig_globals
  config: |
    {
      "tlsContext" : {
        "alpnProtos" : ["http/1.1"],
        "minimumTlsVersion" : "1.2",
        "cipherSuites" : [
                          "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]",
                          "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]",
                          "ECDHE-ECDSA-AES128-GCM-SHA256",
                          "ECDHE-RSA-AES128-GCM-SHA256",
                          "ECDHE-ECDSA-AES128-SHA",
                          "ECDHE-RSA-AES128-SHA",
                          "ECDHE-ECDSA-AES256-GCM-SHA384",
                          "ECDHE-RSA-AES256-GCM-SHA384",
                          "ECDHE-ECDSA-AES256-SHA",
                          "ECDHE-RSA-AES256-SHA"
                        ]
      },
      "access_log_format" : "[%START_TIME%] ACCESSLOG \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" \"%UPSTREAM_HOST%\"\n"
    }
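As an added example (not part of the EnRoute documentation or code base), the following Python check validates the `tlsContext` JSON carried under a GlobalConfig's `config: |` key against the cipher suite list above, and additionally warns about settings a reviewer would flag (non-ECDHE suites, TLS 1.0/1.1 minimums, duplicate ALPN entries). The accepted set of `minimumTlsVersion` strings and the warning policy are assumptions, not EnRoute rules.

```python
import json

# Cipher suite names this page lists as the validation set for tlsContext.cipherSuites.
ALLOWED_CIPHER_SUITES = {
    "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]",
    "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA",
    "AES128-GCM-SHA256", "AES128-SHA",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA",
    "AES256-GCM-SHA384", "AES256-SHA",
}
# Assumption: version strings minimumTlsVersion accepts; the page itself only shows "1.2".
KNOWN_TLS_VERSIONS = ("1.0", "1.1", "1.2", "1.3")


def validate_tls_context(config_json: str) -> dict:
    """Check tlsContext from the JSON under a GlobalConfig's `config: |` key.
    Errors: a cipher suite outside the page's validation list, or an unrecognised
    version string. Warnings: a hypothetical hardening policy, not an EnRoute rule
    (no ECDHE => no forward secrecy; a 1.0/1.1 minimum admits deprecated versions)."""
    tls = json.loads(config_json).get("tlsContext", {})
    errors, warnings = [], []
    for suite in tls.get("cipherSuites", []):
        if suite not in ALLOWED_CIPHER_SUITES:
            errors.append(f"unknown cipher suite: {suite}")
        elif not suite.lstrip("[").startswith("ECDHE-"):
            warnings.append(f"no forward secrecy (non-ECDHE suite): {suite}")
    version = tls.get("minimumTlsVersion")
    if version not in KNOWN_TLS_VERSIONS:
        errors.append(f"unsupported minimumTlsVersion: {version!r}")
    elif version in ("1.0", "1.1"):
        warnings.append(f"minimumTlsVersion {version} permits a deprecated protocol version")
    alpn = tls.get("alpnProtos", [])
    if len(alpn) != len(set(alpn)):
        warnings.append(f"duplicate ALPN entries; the list is the offer order: {alpn}")
    return {"errors": errors, "warnings": warnings}


# Constructed sample (not the page's config): one unknown suite and one non-ECDHE suite.
SAMPLE_CONFIG = json.dumps({"tlsContext": {
    "alpnProtos": ["h2", "http/1.1"],
    "minimumTlsVersion": "1.2",
    "cipherSuites": ["[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]",
                     "AES256-SHA", "ECDHE-RSA-DES-CBC3-SHA"],
}})

if __name__ == "__main__":
    print(json.dumps(validate_tls_context(SAMPLE_CONFIG), indent=2))
```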