Traefik TLS/SSL: fixing the SWEET32 vulnerability [security hardening] (筑梦之路)
Posted 2023-09-14 09:09:35
Related posts:
Nginx SSL vulnerability (SWEET32) scanning and remediation (筑梦之路, CSDN blog)
Remediation plan for the SWEET32 vulnerability CVE-2016-2183 in K8S components (筑梦之路, CSDN blog)
I have already written about fixing the SWEET32 vulnerability for Nginx and for the K8S components, so this post does not introduce SWEET32 itself again. After looking through the available material I found very few articles on fixing SWEET32 in Traefik, so here is how to fix this vulnerability in Traefik and improve its security.
To deploy Traefik, refer to the official documentation:
https://doc.traefik.io/traefik/routing/providers/kubernetes-crd/
Deploying the SSL certificate
# This uses a self-signed certificate as an example; in production, request a certificate for your domain
# Generate the CA key and certificate
openssl genrsa -out ca.key 4096
# Note: replace test.com with your own domain
openssl req -x509 -new -nodes -sha512 -days 36500 \
  -subj "/C=CN/ST=SiChuan/L=ChengDu/O=Joe/OU=IT/CN=test.com" \
  -key ca.key \
  -out ca.crt
# Issue the server certificate
openssl genrsa -out tls.key 2048
# -subj keeps the request non-interactive; the CN should be the host the route serves (traefik.test.com below).
# Validity is set when the certificate is signed in the next step, not on the CSR.
openssl req -new -key tls.key -subj "/CN=traefik.test.com" -out tls.csr
openssl x509 -req -in tls.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out tls.crt -days 36500
# Store it in k8s (Traefik reads the tls.crt and tls.key keys from the secret; kubectl create secret tls produces the same keys)
kubectl create secret generic ssl-cert --from-file=tls.crt --from-file=tls.key -n default
Adding the middleware
# Redirects plain HTTP requests to HTTPS
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-redirect-https
  namespace: default
spec:
  redirectScheme:
    scheme: https
Specifying the TLSOption
# minVersion rejects TLS 1.0/1.1; the cipher suite list leaves out every 3DES (SWEET32) suite
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: traefik-tls-option
  namespace: default
spec:
  minVersion: VersionTLS12
  cipherSuites:
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 # TLS 1.2
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 # TLS 1.2
    - TLS_AES_256_GCM_SHA384 # TLS 1.3 (Go, which Traefik is built on, does not allow configuring TLS 1.3 suites; listed for documentation)
    - TLS_CHACHA20_POLY1305_SHA256 # TLS 1.3 (same note as above)
  curvePreferences:
    - CurveP521
    - CurveP384
  sniStrict: true
Writing the routes
# Using the Traefik dashboard as the example
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`traefik.test.com`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
      middlewares:
        - name: traefik-redirect-https
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-https
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`traefik.test.com`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
      middlewares:
        - name: traefik-auth-middleware # authentication middleware, not shown in this post
  tls:
    # reference the SSL certificate secret
    secretName: ssl-cert
    # reference the TLSOption
    options:
      name: traefik-tls-option
      namespace: default
Scanning to verify
Scanning for SWEET32 with nmap works the same way as for Nginx and the K8S components, so it is not repeated here.
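To see what the TLSOption above actually enforces, here is an added Go example (not from the original post or from Traefik) that builds the equivalent crypto/tls config, the library Traefik itself uses, and runs in-memory handshakes against it: a 3DES-only client like a SWEET32 scan and a TLS 1.0/1.1-only client are refused, while a compliant TLS 1.2 client negotiates AES-256-GCM. The function names, the self-signed certificate for traefik.test.com and the in-memory pipe are my assumptions; it covers TLS 1.2 only, since Go does not let TLS 1.3 suites be configured.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// hardenedConfig is the crypto/tls equivalent of the TLSOption above (assumed mapping). Go honours
// CipherSuites for TLS 1.2 only; the TLS 1.3 suites listed in the TLSOption are not configurable.
func hardenedConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12,
		CipherSuites:     []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305},
		CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384}}
}

// selfSigned builds a throwaway RSA certificate for traefik.test.com (constructed test data).
func selfSigned() (tls.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "traefik.test.com"},
		DNSNames: []string{"traefik.test.com"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// client builds a probing client for one version range and suite list (a SWEET32 scan offers only 3DES suites); InsecureSkipVerify only because the cert is self-signed test data.
func client(min, max uint16, suites ...uint16) *tls.Config {
	return &tls.Config{ServerName: "traefik.test.com", InsecureSkipVerify: true, MinVersion: min, MaxVersion: max, CipherSuites: suites}
}

// probe runs one handshake over an in-memory pipe against a server using srv and returns the negotiated version and cipher suite, or the error when the server refuses the client.
func probe(srv, cli *tls.Config) (uint16, uint16, error) {
	a, b := net.Pipe()
	go func() { _ = tls.Server(b, srv).Handshake(); b.Close() }() // server side; raw close avoids a blocking close_notify on the pipe
	defer a.Close()
	c := tls.Client(a, cli)
	if err := c.Handshake(); err != nil {
		return 0, 0, err
	}
	st := c.ConnectionState()
	return st.Version, st.CipherSuite, nil
}
```

The three probes map directly onto what an nmap ssl-enum-ciphers run against the hardened entry point should show: no 3DES suite, no TLS 1.0/1.1, only the listed AEAD suites.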