AWS Cloudformation:Loadbalancer自定义SSL协商策略
我正在尝试在 CloudFormation 模板中配置自定义 SSL 协商策略。CloudFormation 报告的错误是:创建失败 AWS::ElasticLoadBalancing::LoadBalancer BackendELB——无法启用 SSLNegotiationPolicy。(标签:ssl、amazon-web-services、amazon-cloudformation)我的 CloudFormation 模板相关部分如下所示:
"Policies" : [
{
"PolicyName": "SSLNegotiationPolicy",
"PolicyType": "SSLNegotiationPolicyType",
"Attributes": [
{ "Name" : "Protocol-TLSv1", "Value" : "true" },
{ "Name" : "Protocol-TLSv1.1", "Value" : "true" },
{ "Name" : "Protocol-TLSv1.2", "Value" : "true" },
{ "Name" : "Protocol-SSLv2", "Value" : "false" },
{ "Name" : "Protocol-SSLv3", "Value" : "false" },
{ "Name" : "ECDHE-RSA-AES128-GCM-SHA256", "Value" : "true" },
{ "Name" : "ECDHE-ECDSA-AES128-SHA256", "Value" : "true" },
{ "Name" : "ECDHE-RSA-AES128-SHA256", "Value" : "true" },
{ "Name" : "ECDHE-ECDSA-AES128-SHA", "Value" : "true" },
{ "Name" : "ECDHE-RSA-AES128-SHA", "Value" : "true" },
{ "Name" : "DHE-RSA-AES128-SHA", "Value" : "true" },
{ "Name" : "ECDHE-ECDSA-AES256-GCM-SHA384", "Value" : "true" },
{ "Name" : "ECDHE-RSA-AES256-GCM-SHA384", "Value" : "true" },
{ "Name" : "ECDHE-ECDSA-AES256-SHA384", "Value" : "true" },
{ "Name" : "ECDHE-RSA-AES256-SHA384", "Value" : "true" },
{ "Name" : "ECDHE-RSA-AES256-SHA", "Value" : "true" },
{ "Name" : "ECDHE-ECDSA-AES256-SHA", "Value" : "true" },
{ "Name" : "AES128-GCM-SHA256", "Value" : "true" },
{ "Name" : "AES128-SHA256", "Value" : "true" },
{ "Name" : "AES128-SHA", "Value" : "true" },
{ "Name" : "AES256-GCM-SHA384", "Value" : "true" },
{ "Name" : "AES256-SHA256", "Value" : "true" },
{ "Name" : "AES256-SHA", "Value" : "true" },
{ "Name" : "DHE-DSS-AES128-SHA", "Value" : "true" },
{ "Name" : "RC4-SHA", "Value" : "false" },
{ "Name" : "ECDHE-ECDSA-RC4-SHA", "Value" : "false" }
],
"InstancePorts" : [ "443" ]
}
]
如果我删除 InstancePorts 部分,ELB 可以无错误地创建,但新建的负载均衡器并未使用上面定义的策略。
有什么想法吗?
附带问题:是否必须把策略中的每个属性都显式设为 true 或 false?如果模板中没有定义某个密码套件,它是否会默认采用 AWS 推荐的 SSL 策略中的值?

我认为您的做法是正确的。您可以通过以下命令查看现有安全策略的内容:
aws elb describe-load-balancer-policies
为了完整起见,我显式指定了所有属性,例如下面这个策略:
"Policies" : [
{
"PolicyName" : "My-ELBSecurityPolicy-2014-10-DisableRC4",
"PolicyType" : "SSLNegotiationPolicyType",
"Attributes" : [
{ "Name": "Protocol-SSLv2", "Value": "false" },
{ "Name": "Protocol-TLSv1", "Value": "true" },
{ "Name": "Protocol-SSLv3", "Value": "false" },
{ "Name": "Protocol-TLSv1.1", "Value": "true" },
{ "Name": "Protocol-TLSv1.2", "Value": "true" },
{ "Name": "Server-Defined-Cipher-Order", "Value": "true" },
{ "Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Value": "true" },
{ "Name": "ECDHE-RSA-AES128-GCM-SHA256", "Value": "true" },
{ "Name": "ECDHE-ECDSA-AES128-SHA256", "Value": "true" },
{ "Name": "ECDHE-RSA-AES128-SHA256", "Value": "true" },
{ "Name": "ECDHE-ECDSA-AES128-SHA", "Value": "true" },
{ "Name": "ECDHE-RSA-AES128-SHA", "Value": "true" },
{ "Name": "DHE-RSA-AES128-SHA", "Value": "true" },
{ "Name": "ECDHE-ECDSA-AES256-GCM-SHA384", "Value": "true" },
{ "Name": "ECDHE-RSA-AES256-GCM-SHA384", "Value": "true" },
{ "Name": "ECDHE-ECDSA-AES256-SHA384", "Value": "true" },
{ "Name": "ECDHE-RSA-AES256-SHA384", "Value": "true" },
{ "Name": "ECDHE-RSA-AES256-SHA", "Value": "true" },
{ "Name": "ECDHE-ECDSA-AES256-SHA", "Value": "true" },
{ "Name": "AES128-GCM-SHA256", "Value": "true" },
{ "Name": "AES128-SHA256", "Value": "true" },
{ "Name": "AES128-SHA", "Value": "true" },
{ "Name": "AES256-GCM-SHA384", "Value": "true" },
{ "Name": "AES256-SHA256", "Value": "true" },
{ "Name": "AES256-SHA", "Value": "true" },
{ "Name": "DHE-DSS-AES128-SHA", "Value": "true" },
{ "Name": "CAMELLIA128-SHA", "Value": "false" },
{ "Name": "EDH-RSA-DES-CBC3-SHA", "Value": "false" },
{ "Name": "DES-CBC3-SHA", "Value": "false" },
{ "Name": "ECDHE-RSA-RC4-SHA", "Value": "false" },
{ "Name": "RC4-SHA", "Value": "false" },
{ "Name": "ECDHE-ECDSA-RC4-SHA", "Value": "false" },
{ "Name": "DHE-DSS-AES256-GCM-SHA384", "Value": "false" },
{ "Name": "DHE-RSA-AES256-GCM-SHA384", "Value": "false" },
{ "Name": "DHE-RSA-AES256-SHA256", "Value": "false" },
{ "Name": "DHE-DSS-AES256-SHA256", "Value": "false" },
{ "Name": "DHE-RSA-AES256-SHA", "Value": "false" },
{ "Name": "DHE-DSS-AES256-SHA", "Value": "false" },
{ "Name": "DHE-RSA-CAMELLIA256-SHA", "Value": "false" },
{ "Name": "DHE-DSS-CAMELLIA256-SHA", "Value": "false" },
{ "Name": "CAMELLIA256-SHA", "Value": "false" },
{ "Name": "EDH-DSS-DES-CBC3-SHA", "Value": "false" },
{ "Name": "DHE-DSS-AES128-GCM-SHA256", "Value": "false" },
{ "Name": "DHE-RSA-AES128-GCM-SHA256", "Value": "false" },
{ "Name": "DHE-RSA-AES128-SHA256", "Value": "false" },
{ "Name": "DHE-DSS-AES128-SHA256", "Value": "false" },
{ "Name": "DHE-RSA-CAMELLIA128-SHA", "Value": "false" },
{ "Name": "DHE-DSS-CAMELLIA128-SHA", "Value": "false" },
{ "Name": "ADH-AES128-GCM-SHA256", "Value": "false" },
{ "Name": "ADH-AES128-SHA", "Value": "false" },
{ "Name": "ADH-AES128-SHA256", "Value": "false" },
{ "Name": "ADH-AES256-GCM-SHA384", "Value": "false" },
{ "Name": "ADH-AES256-SHA", "Value": "false" },
{ "Name": "ADH-AES256-SHA256", "Value": "false" },
{ "Name": "ADH-CAMELLIA128-SHA", "Value": "false" },
{ "Name": "ADH-CAMELLIA256-SHA", "Value": "false" },
{ "Name": "ADH-DES-CBC3-SHA", "Value": "false" },
{ "Name": "ADH-DES-CBC-SHA", "Value": "false" },
{ "Name": "ADH-RC4-MD5", "Value": "false" },
{ "Name": "ADH-SEED-SHA", "Value": "false" },
{ "Name": "DES-CBC-SHA", "Value": "false" },
{ "Name": "DHE-DSS-SEED-SHA", "Value": "false" },
{ "Name": "DHE-RSA-SEED-SHA", "Value": "false" },
{ "Name": "EDH-DSS-DES-CBC-SHA", "Value": "false" },
{ "Name": "EDH-RSA-DES-CBC-SHA", "Value": "false" },
{ "Name": "IDEA-CBC-SHA", "Value": "false" },
{ "Name": "RC4-MD5", "Value": "false" },
{ "Name": "SEED-SHA", "Value": "false" },
{ "Name": "DES-CBC3-MD5", "Value": "false" },
{ "Name": "DES-CBC-MD5", "Value": "false" },
{ "Name": "RC2-CBC-MD5", "Value": "false" },
{ "Name": "PSK-AES256-CBC-SHA", "Value": "false" },
{ "Name": "PSK-3DES-EDE-CBC-SHA", "Value": "false" },
{ "Name": "KRB5-DES-CBC3-SHA", "Value": "false" },
{ "Name": "KRB5-DES-CBC3-MD5", "Value": "false" },
{ "Name": "PSK-AES128-CBC-SHA", "Value": "false" },
{ "Name": "PSK-RC4-SHA", "Value": "false" },
{ "Name": "KRB5-RC4-SHA", "Value": "false" },
{ "Name": "KRB5-RC4-MD5", "Value": "false" },
{ "Name": "KRB5-DES-CBC-SHA", "Value": "false" },
{ "Name": "KRB5-DES-CBC-MD5", "Value": "false" },
{ "Name": "EXP-EDH-RSA-DES-CBC-SHA", "Value": "false" },
{ "Name": "EXP-EDH-DSS-DES-CBC-SHA", "Value": "false" },
{ "Name": "EXP-ADH-DES-CBC-SHA", "Value": "false" },
{ "Name": "EXP-DES-CBC-SHA", "Value": "false" },
{ "Name": "EXP-RC2-CBC-MD5", "Value": "false" },
{ "Name": "EXP-KRB5-RC2-CBC-SHA", "Value": "false" },
{ "Name": "EXP-KRB5-DES-CBC-SHA", "Value": "false" },
{ "Name": "EXP-KRB5-RC2-CBC-MD5", "Value": "false" },
{ "Name": "EXP-KRB5-DES-CBC-MD5", "Value": "false" },
{ "Name": "EXP-ADH-RC4-MD5", "Value": "false" },
{ "Name": "EXP-RC4-MD5", "Value": "false" },
{ "Name": "EXP-KRB5-RC4-SHA", "Value": "false" },
{ "Name": "EXP-KRB5-RC4-MD5", "Value": "false" }
]
}
]
您还必须在 ELB 资源定义本身的监听器(Listeners)中引用该策略:
"Listeners" : [
{ "LoadBalancerPort" : "80",
"InstancePort" : "80",
"Protocol" : "HTTP" },
{ "LoadBalancerPort" : "443",
"InstancePort" : "80",
"Protocol" : "HTTPS",
"SSLCertificateId" : "arn:aws:iam::111111111111:server-certificate/somedomain.com",
"PolicyNames" : [ "My-ELBSecurityPolicy-2014-10-DisableRC4", "SomeOtherPolicy" ]
}
],
这解决了我的问题。我之前没有意识到必须在监听器的 PolicyNames 数组中引用策略名称。谢谢。