Nginx_ingress: configuring ssl_dhparam

Preface

A recent vulnerability scan at our company flagged an SSL/TLS weakness: when the server's ephemeral Diffie-Hellman (DHE) public parameters are 1024 bits or smaller, an attacker who can break that group is able to recover the plaintext of the session (the weakness commonly known as Logjam). Note that the finding only concerns the DHE-* cipher suites; ECDHE suites negotiate a curve via ssl_ecdh_curve and do not use the DH parameter file at all. The fix below supplies a 2048-bit DH group to the nginx ingress controller.

Generate 2048-bit DH parameters (the file is not a certificate, despite the .pem extension; generation can take several minutes because OpenSSL searches for a safe prime)

openssl dhparam -out dhparam.pem 2048

Create a Secret in the ingress controller's namespace. The data key must be exactly dhparam.pem, which --from-file derives from the file's basename (use --from-file=dhparam.pem=/path/to/file if the local file is named differently)

kubectl create secret generic  dhparam --from-file=dhparam.pem  -n nginx-ingress

Edit the nginx-ingress-controller ConfigMap

Set ssl-dh-param to [namespace]/[secretName]. The ConfigMap below is the one from our cluster; note that its ssl-protocols still enables TLSv1 and TLSv1.1 and its ssl-ciphers still allows DES-CBC3-SHA, both of which the same class of scanner will report. Dropping TLSv1 and TLSv1.1 (keeping TLSv1.2, plus TLSv1.3 if the controller's OpenSSL supports it) and removing the 3DES and CAMELLIA entries is a sensible follow-up while you are editing this object.

apiVersion: v1
data:
  enable-vts-status: "false"
  ssl-ciphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  ssl-dh-param: nginx-ingress/dhparam
  ssl-protocols: TLSv1 TLSv1.1 TLSv1.2
kind: ConfigMap
metadata:
  labels:
    app: nginx-ingress
    chart: nginx-ingress-1.6.11
    component: controller
    heritage: Tiller
    release: public-porter
  name: public-porter-nginx-ingress-controller
  namespace: nginx-ingress

Restart the nginx-ingress-controller (the controller watches the ConfigMap and reloads on changes, but deleting the pod so the Deployment recreates it guarantees the DH file is written on startup)

kubectl delete -n nginx-ingress pod public-porter-nginx-ingress-controller-57676dcd55-2tf5t

Verify that the setting took effect by grepping the rendered nginx.conf inside the new controller pod (the container's working directory is /etc/nginx)

kubectl exec -n nginx-ingress public-porter-nginx-ingress-controller-57676dcd55-vqgr5 -- grep "dh" nginx.conf
	# allow custom DH file http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
	ssl_dhparam /etc/ingress-controller/ssl/nginx-ingress-dhparam.pem;
	ssl_ecdh_curve auto;

Issues

  • Error reading Secret xx from local store

This usually means the DH parameters were put into a ConfigMap instead of a Secret, or the value is not in the form namespace/secretName. The ssl-dh-param option only resolves a Secret from the controller's local store.

  • nginx.conf has no ssl_dhparam directive

This usually means the key inside the Secret is not dhparam.pem. The controller looks up that exact key in the Secret's data, so either name the file dhparam.pem before running openssl dhparam -out dhparam.pem 2048 and kubectl create secret ... --from-file=dhparam.pem, or pass --from-file=dhparam.pem=<your file>. Because the missing key only produces an empty ssl_dhparam value rather than an error, nothing is logged for this case.

  • Both behaviours are explained by the nginx-ingress controller source (excerpt, with the original comments translated):
	sslDHParam := ""
	if cfg.SSLDHParam != "" {
		secretName := cfg.SSLDHParam

		secret, err := n.store.GetSecret(secretName) // secretName is the "namespace/name" of a Secret, never a ConfigMap
		if err != nil {
			klog.Warningf("Error reading Secret %q from local store: %v", secretName, err)
		} else {
			nsSecName := strings.Replace(secretName, "/", "-", -1) // becomes the on-disk file name, e.g. nginx-ingress-dhparam.pem
			dh, ok := secret.Data["dhparam.pem"] // the data key must be exactly "dhparam.pem"
			if ok {
				pemFileName, err := ssl.AddOrUpdateDHParam(nsSecName, dh, n.fileSystem)
				if err != nil {
					klog.Warningf("Error adding or updating dhparam file %v: %v", nsSecName, err)
				} else {
					sslDHParam = pemFileName
				}
			} // no else branch: a wrong key name silently leaves sslDHParam empty
		}
	}
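As an added example (not code from this page or from the ingress-nginx project), the Go program below reimplements the lookup shown in the excerpt above against an in-memory store, so that both failure modes from the Issues section become explicit errors, and adds the check the vulnerability scanner itself performs: it parses the PEM "DH PARAMETERS" block written by openssl dhparam (an ASN.1 SEQUENCE of prime and generator) and rejects any group at or below 1024 bits. The Secret and store types, the names nginx-ingress/weak, nginx-ingress/wrongname and nginx-ingress/missing, the namespace/name format check and the makeDHParamPEM helper are assumptions constructed for this example; the primes it builds are not safe primes and serve only to exercise the size check.

```go
package main

import (
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Secret is a minimal stand-in for the Kubernetes Secret object the real
// controller reads from its local store (constructed for this example).
type Secret struct {
	Data map[string][]byte
}

// store maps "namespace/name" to a Secret, mimicking n.store.GetSecret.
type store map[string]Secret

// ErrSecretNotFound corresponds to "Error reading Secret %q from local store".
var ErrSecretNotFound = errors.New("secret not found in local store")

// ErrNoDHParamKey is the case the real controller handles silently: the Secret
// exists but has no "dhparam.pem" key, so no ssl_dhparam directive is emitted.
var ErrNoDHParamKey = errors.New(`secret has no "dhparam.pem" key`)

// dhParams is the structure openssl dhparam writes:
// DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }
type dhParams struct {
	P *big.Int
	G *big.Int
}

// resolveDHParam reproduces the controller's lookup. The ConfigMap value must be
// "<namespace>/<secretName>" (format check added here; the real code relies on
// the store to reject it), the Secret must exist, and its data key must be
// exactly "dhparam.pem". It returns the on-disk file name the controller would
// use (namespace and name joined with "-") and the PEM bytes.
func resolveDHParam(s store, cfgValue string) (fileName string, pemData []byte, err error) {
	if cfgValue == "" {
		return "", nil, errors.New("ssl-dh-param is empty")
	}
	parts := strings.Split(cfgValue, "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", nil, fmt.Errorf("ssl-dh-param %q is not namespace/secretName", cfgValue)
	}
	sec, ok := s[cfgValue]
	if !ok {
		return "", nil, fmt.Errorf("%w: %s", ErrSecretNotFound, cfgValue)
	}
	dh, ok := sec.Data["dhparam.pem"]
	if !ok {
		return "", nil, ErrNoDHParamKey
	}
	return strings.Replace(cfgValue, "/", "-", -1) + ".pem", dh, nil
}

// dhBitLength parses a PEM "DH PARAMETERS" block and returns the size of the
// prime in bits, which is the quantity the scanner measures.
func dhBitLength(pemData []byte) (int, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "DH PARAMETERS" {
		return 0, errors.New("not a PEM DH PARAMETERS block")
	}
	var p dhParams
	rest, err := asn1.Unmarshal(block.Bytes, &p)
	if err != nil {
		return 0, fmt.Errorf("bad DER: %w", err)
	}
	if len(rest) != 0 {
		return 0, errors.New("trailing data after DH parameters")
	}
	return p.P.BitLen(), nil
}

// checkDHParam resolves the Secret and enforces a minimum group size; with
// minBits=2048 anything the scanner would flag (<=1024 bits) is rejected.
func checkDHParam(s store, cfgValue string, minBits int) (fileName string, bits int, err error) {
	fileName, pemData, err := resolveDHParam(s, cfgValue)
	if err != nil {
		return "", 0, err
	}
	bits, err = dhBitLength(pemData)
	if err != nil {
		return "", 0, err
	}
	if bits < minBits {
		return "", bits, fmt.Errorf("DH prime is %d bits, below the required %d", bits, minBits)
	}
	return fileName, bits, nil
}

// makeDHParamPEM builds a "DH PARAMETERS" PEM of the requested size. The prime
// is CONSTRUCTED test data (2^(bits-1)+1, not a safe prime) and exists only to
// exercise the size check; never use it on a real server.
func makeDHParamPEM(bits int) []byte {
	p := new(big.Int).Lsh(big.NewInt(1), uint(bits-1))
	p.Add(p, big.NewInt(1))
	der, err := asn1.Marshal(dhParams{P: p, G: big.NewInt(2)})
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "DH PARAMETERS", Bytes: der})
}

func main() {
	// Constructed local store using the namespace and Secret name from this page
	// plus three deliberately broken entries.
	s := store{
		"nginx-ingress/dhparam":   {Data: map[string][]byte{"dhparam.pem": makeDHParamPEM(2048)}},
		"nginx-ingress/weak":      {Data: map[string][]byte{"dhparam.pem": makeDHParamPEM(1024)}},
		"nginx-ingress/wrongname": {Data: map[string][]byte{"dh.pem": makeDHParamPEM(2048)}},
	}
	for _, v := range []string{"nginx-ingress/dhparam", "nginx-ingress/weak", "nginx-ingress/wrongname", "nginx-ingress/missing"} {
		f, bits, err := checkDHParam(s, v, 2048)
		fmt.Printf("%-26s file=%-28q bits=%d err=%v\n", v, f, bits, err)
	}
}
```

Running it shows the healthy entry resolving to nginx-ingress-dhparam.pem at 2048 bits, the 1024-bit group rejected by size, the misnamed key failing with the "no dhparam.pem key" error that the real controller swallows, and the missing Secret producing the same "from local store" condition the controller logs.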