Nginx_ingress配置ssl_dhparam
前言
公司近期漏扫扫出安全套接层(Secure Sockets Layer, SSL)公共密钥小于1024位的安全隐患:当服务器SSL/TLS的瞬时Diffie-Hellman公共密钥小于等于1024位时,存在可以恢复明文信息的风险
生成2048位的dhparam的证书
openssl dhparam -out dhparam.pem 2048
创建secret
kubectl create secret generic dhparam --from-file=dhparam.pem -n nginx-ingress
更改nginx-ingress-controller的configMap
配置ssl-dh-param: [namespace]/[secretName]
apiVersion: v1
data:
enable-vts-status: "false"
# NOTE(review): this list still permits DES-CBC3-SHA (3DES) and CAMELLIA suites; consider pruning them the next time the TLS policy is reviewed.
ssl-ciphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
# Reference to a Secret (not a ConfigMap) in the form [namespace]/[secretName]; the PEM must be stored under the data key "dhparam.pem".
ssl-dh-param: nginx-ingress/dhparam
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only while legacy clients still require them.
ssl-protocols: TLSv1 TLSv1.1 TLSv1.2
kind: ConfigMap
metadata:
labels:
app: nginx-ingress
chart: nginx-ingress-1.6.11
component: controller
heritage: Tiller
release: public-porter
name: public-porter-nginx-ingress-controller
namespace: nginx-ingress
重启nginx-ingress-controller
kubectl delete -n nginx-ingress pod public-porter-nginx-ingress-controller-57676dcd55-2tf5t
查看配置是否生效
kubectl exec -it public-porter-nginx-ingress-controller-57676dcd55-vqgr5 -n nginx-ingress grep "dh" nginx.conf
# allow custom DH file http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
ssl_dhparam /etc/ingress-controller/ssl/nginx-ingress-dhparam.pem;
ssl_ecdh_curve auto;
问题
- Error reading Secret xx from local store
这种错误一般是因为把 dhparam 文件配置成了 ConfigMap 而不是 Secret 导致的,ssl-dh-param 参数只接受 Secret(格式为 [namespace]/[secretName])
- nginx.conf没有ssl_dhparam配置项
这个一般是因为证书文件名不是 dhparam.pem 导致的:用 --from-file 创建 Secret 时,文件名会成为 data 下的 key,而 nginx-ingress 只读取 data 中名为 dhparam.pem 的项,所以生成证书时一定要用 openssl dhparam -out dhparam.pem 2048 指定证书名字为 dhparam.pem 才行
- 关于以上问题,其实可以在 nginx-ingress 源码中找到答案
// Resolve the ssl_dhparam file from the Secret named by the ssl-dh-param
// ConfigMap key. sslDHParam stays "" unless every step below succeeds;
// only the GetSecret and AddOrUpdateDHParam failures are logged.
// (The enclosing function starts before this excerpt.)
sslDHParam := ""
if cfg.SSLDHParam != "" {
secretName := cfg.SSLDHParam
secret, err := n.store.GetSecret(secretName) // the configured value is a Secret name, not a ConfigMap
if err != nil {
klog.Warningf("Error reading Secret %q from local store: %v", secretName, err)
} else {
nsSecName := strings.Replace(secretName, "/", "-", -1) // "ns/name" -> "ns-name"; presumably the on-disk file base name
dh, ok := secret.Data["dhparam.pem"] // the PEM must be stored under the Secret data key "dhparam.pem"
if ok {
pemFileName, err := ssl.AddOrUpdateDHParam(nsSecName, dh, n.fileSystem)
if err != nil {
klog.Warningf("Error adding or updating dhparam file %v: %v", nsSecName, err)
} else {
sslDHParam = pemFileName
}
}
// NOTE(review): a Secret without a "dhparam.pem" key is skipped silently here (no log line),
// so the only visible symptom is the missing ssl_dhparam directive in nginx.conf.
}
}