[FEATURE REQUEST] allow enabling / disabling tls ciphers per service #1956

Closed
mmiller1 opened this issue Jan 23, 2018 · 4 comments · Fixed by #2006
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.

Comments

@mmiller1
Contributor

Is this possible currently? I don't see any mention in the docs. We run some legacy services that have many clients requiring less secure ciphers, but we would rather not enable these for services where it's not required.

Thanks

@pieterlange
Contributor

Not technically possible (inherent to the protocol), but you can run a separate nginx ingress pool using https://github.com/kubernetes/ingress-nginx#annotation-ingressclass and expose this pool on a separate Service (type: LoadBalancer).

@aledbf
Member

aledbf commented Jan 23, 2018

@mmiller1 it is not possible per service, but it is per host (server_name in nginx):
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers
This is not supported right now, but you can use the server-snippet annotation to achieve this, like this:

ingress.kubernetes.io/server-snippet: |
  ssl_ciphers "your ciphers";

Keep in mind that this will affect all the paths in the host (possibly multiple services).

@mmiller1
Contributor Author

Thanks @aledbf, this is exactly what I needed.

@aledbf aledbf added enhancement help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. labels Jan 23, 2018
@pieterlange
Contributor

Sorry, I somehow misread and thought you were trying to switch TLS protocol versions, and I was not aware nginx was able to switch ciphers per vhost!

You risk specifying invalid (per TLS/SSL version) ciphers though (so this should probably be checked by the controller if this is implemented as an annotation).
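An added example, not code from this issue or from ingress-nginx itself, of how the server-snippet approach above is applied in practice while addressing the caveat in the last comment: the legacy host is given its own Ingress object so the snippet is rendered only into that host's server block, and the cipher list stays valid for the controller-wide protocol setting (ssl_protocols is not changed in the snippet). Hostnames, secret names and service names are placeholders, and the annotation key is the one quoted above, whose prefix must match the controller version you run.

```yaml
# Constructed example: hosts, secrets and services are placeholders.
# Ingress 1: the legacy host alone, so the snippet only lands in its
# server {} block and no other host inherits the weaker cipher list.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: legacy-app
  annotations:
    # Annotation key as quoted in the issue; prefix depends on controller version.
    ingress.kubernetes.io/server-snippet: |
      ssl_prefer_server_ciphers on;
      # Ciphers only; ssl_protocols stays controller-wide, so every suite
      # listed here must be valid for those protocols (e.g. TLSv1.2).
      # Modern AEAD suites first, then the non-PFS suite the legacy
      # clients need (constructed list, not a recommendation).
      ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA";
spec:
  tls:
  - hosts:
    - legacy.example.com
    secretName: legacy-example-tls
  rules:
  - host: legacy.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: legacy-app
          servicePort: 80
---
# Ingress 2: every other host carries no snippet and keeps the
# controller's default cipher policy.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: modern-app
spec:
  tls:
  - hosts:
    - app.example.com
    secretName: app-example-tls
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: modern-app
          servicePort: 80
```

After applying, dump and test the rendered configuration with `nginx -T` inside the controller pod, and confirm the per-host result with `openssl s_client -servername legacy.example.com -connect <lb-address>:443` against each host, since a cipher that is invalid for the active protocols makes the config test fail.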
