Configuring TLS using GlobalConfig
EnRoute Technical Reference
EnRoute can be configured to fine-tune the TLS configuration it presents to downstream hosts. The following TLS parameters can be set:

ALPN Protocols
- the field tlsContext.alpnProtos configures the list of ALPN protocols offered to the downstream host. ALPN protocols are offered in the order in which they appear in this list.

Minimum TLS Version
- the field tlsContext.minimumTlsVersion sets the minimum TLS version that will be negotiated with the downstream host.

Cipher Suites
- the field tlsContext.cipherSuites is a list of the cipher suites that should be used. Only the cipher suites listed here are used.

The complete list of cipher suites against which the configuration is validated is as follows:
- "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]"
- "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]"
- "ECDHE-ECDSA-AES128-GCM-SHA256"
- "ECDHE-RSA-AES128-GCM-SHA256"
- "ECDHE-ECDSA-AES128-SHA"
- "ECDHE-RSA-AES128-SHA"
- "AES128-GCM-SHA256"
- "AES128-SHA"
- "ECDHE-ECDSA-AES256-GCM-SHA384"
- "ECDHE-RSA-AES256-GCM-SHA384"
- "ECDHE-ECDSA-AES256-SHA"
- "ECDHE-RSA-AES256-SHA"
- "AES256-GCM-SHA384"
- "AES256-SHA"
GlobalConfig for TLS

```yaml
---
apiVersion: enroute.saaras.io/v1
kind: GlobalConfig
metadata:
  labels:
    app: web
  name: gc-globals
  namespace: default
spec:
  name: gc-globals
  type: globalconfig_globals
  config: |
    {
      "tlsContext" : {
        "alpnProtos" : ["http/1.1"],
        "minimumTlsVersion" : "1.2",
        "cipherSuites" : [
          "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]",
          "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]",
          "ECDHE-ECDSA-AES128-GCM-SHA256",
          "ECDHE-RSA-AES128-GCM-SHA256",
          "ECDHE-ECDSA-AES128-SHA",
          "ECDHE-RSA-AES128-SHA",
          "ECDHE-ECDSA-AES256-GCM-SHA384",
          "ECDHE-RSA-AES256-GCM-SHA384",
          "ECDHE-ECDSA-AES256-SHA",
          "ECDHE-RSA-AES256-SHA"
        ]
      },
      "access_log_format" : "[%START_TIME%] ACCESSLOG \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" \"%UPSTREAM_HOST%\"\n"
    }
```
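The following Python script is an added example, not part of EnRoute or this page. It applies the checks the text describes to the JSON body of a GlobalConfig `config:` block before it is applied: every `cipherSuites` entry must appear in the validated list above, `alpnProtos` must be an ordered list of strings, and `minimumTlsVersion` must be a recognised version string. It also adds a defender-side review pass that flags entries which pass validation but weaken the posture (static-RSA suites without forward secrecy, CBC/SHA-1 suites, a minimum version below 1.2). The accepted version strings other than "1.2", the `[A|B]` equal-preference reading (Envoy/BoringSSL cipher-string syntax) and the warning heuristics are the example's own assumptions; EnRoute's real validator may differ.

```python
import json

# Cipher-suite entries EnRoute validates cipherSuites against (the list on this
# page). In Envoy/BoringSSL cipher-string syntax an entry written as [A|B] is an
# equal-preference group: both suites occupy one slot in the offered order.
ALLOWED_CIPHER_SUITES = {
    "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]",
    "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA",
    "AES128-GCM-SHA256", "AES128-SHA",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA",
    "AES256-GCM-SHA384", "AES256-SHA",
}

# Assumption: minimumTlsVersion uses the "1.2" string form shown on the page;
# the page only demonstrates "1.2", the other values are assumed here.
KNOWN_TLS_VERSIONS = ("1.0", "1.1", "1.2", "1.3")


def validate_tls_context(tls_context):
    """Return a list of errors; an empty list means every field passed validation."""
    errors = []

    alpn = tls_context.get("alpnProtos", [])
    if not isinstance(alpn, list) or not all(isinstance(p, str) for p in alpn):
        errors.append("alpnProtos must be a list of strings")
    elif len(alpn) != len(set(alpn)):
        errors.append("alpnProtos has duplicate entries (list order is offer order)")

    version = tls_context.get("minimumTlsVersion")
    if version is not None and version not in KNOWN_TLS_VERSIONS:
        errors.append(f"minimumTlsVersion {version!r} is not one of {KNOWN_TLS_VERSIONS}")

    suites = tls_context.get("cipherSuites", [])
    if not isinstance(suites, list):
        errors.append("cipherSuites must be a list")
    else:
        for suite in suites:
            if suite not in ALLOWED_CIPHER_SUITES:
                errors.append(f"cipherSuites entry {suite!r} is not in the validated list")
    return errors


def review_tls_context(tls_context):
    """Defender-side review: flag settings that validate but weaken the TLS posture."""
    warnings = []
    version = tls_context.get("minimumTlsVersion")
    if version in ("1.0", "1.1"):
        warnings.append(f"minimumTlsVersion {version} permits deprecated protocol versions")
    for entry in tls_context.get("cipherSuites", []):
        # Expand an equal-preference group so each member is reviewed.
        for name in entry.strip("[]").split("|"):
            if not name.startswith("ECDHE-"):
                warnings.append(f"{name}: static RSA key exchange, no forward secrecy")
            if name.endswith("-SHA"):
                warnings.append(f"{name}: CBC mode with SHA-1 HMAC, prefer an AEAD suite")
    return warnings


def check_config(config_text):
    """Parse the JSON body of a GlobalConfig `config:` block and report on tlsContext."""
    tls_context = json.loads(config_text).get("tlsContext", {})
    return validate_tls_context(tls_context), review_tls_context(tls_context)


# The tlsContext from the page's GlobalConfig example (access_log_format left
# out because it is unrelated to TLS).
PAGE_CONFIG = """
{
  "tlsContext": {
    "alpnProtos": ["http/1.1"],
    "minimumTlsVersion": "1.2",
    "cipherSuites": [
      "[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]",
      "[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]",
      "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
      "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA",
      "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
      "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA"
    ]
  }
}
"""

# A constructed, deliberately faulty block: duplicate ALPN entry, unknown TLS
# version string, a misspelled suite name and a suite without forward secrecy.
BAD_CONFIG = """
{"tlsContext": {"alpnProtos": ["h2", "http/1.1", "h2"], "minimumTlsVersion": "1.5",
                "cipherSuites": ["ECDHE-RSA-AES128-GCM-SHA255", "AES128-SHA"]}}
"""

if __name__ == "__main__":
    for label, text in (("page example", PAGE_CONFIG), ("constructed bad config", BAD_CONFIG)):
        errors, warnings = check_config(text)
        print(f"{label}: {len(errors)} error(s), {len(warnings)} warning(s)")
        for line in errors + warnings:
            print("  " + line)
```

Run against the page's own example the script reports no errors and four warnings, one for each CBC suite the example still offers; the constructed bad block fails validation on the duplicate ALPN entry, the unknown version string and the misspelled suite, and `AES128-SHA` is accepted but flagged twice. A validation error should block the GlobalConfig from being applied; a warning is a policy decision for the operator.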