
Fixing the SWEET32 vulnerability in Traefik TLS/SSL [security hardening], by 筑梦之路

Tags: Vulnerability, SSL security, Fix, 筑梦之路, TLS, Hardening
Time: 2023-09-14 09:09:35

Related: Scanning for and fixing the Nginx SSL vulnerability (SWEET32), by 筑梦之路 (CSDN blog)

Related: Fixing the SWEET32 (CVE-2016-2183) vulnerability in K8S components, by 筑梦之路 (CSDN blog)

I have previously written about fixing the SWEET32 vulnerability in nginx and in the K8S components, so SWEET32 itself is not introduced again here. After looking through a number of sources, very few articles cover fixing SWEET32 in traefik, so this post shows how to fix the vulnerability in traefik and harden it.

To deploy traefik, refer to the official documentation:

https://doc.traefik.io/traefik/routing/providers/kubernetes-crd/

Deploy the SSL certificate

# A self-signed certificate is used here as an example; request a certificate for your domain in production

# Generate the CA key and the self-signed CA certificate
openssl genrsa -out ca.key 4096

# Note: replace test.com with your own domain
openssl req -x509 -new -nodes -sha512 -days 36500 \
  -subj "/C=CN/ST=SiChuan/L=ChengDu/O=Joe/OU=IT/CN=test.com" \
  -key ca.key \
  -out ca.crt

# Issue the server certificate.
# -days is ignored for a CSR (OpenSSL only honours it with -x509), so it is omitted here;
# -subj avoids the interactive prompt: replace the CN with the host name the route matches
openssl genrsa -out tls.key 2048

openssl req -new -key tls.key -out tls.csr -subj "/CN=traefik.test.com"

openssl x509 -req -in tls.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out tls.crt -days 36500

# Put it into k8s. The file names become the secret keys tls.crt / tls.key, which is
# what Traefik reads; `kubectl create secret tls ssl-cert --cert=tls.crt --key=tls.key -n default`
# produces the equivalent secret with the kubernetes.io/tls type
kubectl create secret generic ssl-cert --from-file=tls.crt --from-file=tls.key -n default

Add the middleware

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-redirect-https
  namespace: default
spec:
  redirectScheme:
    scheme: https

Specify the TLSOption

This is the step that actually closes SWEET32: the explicit cipherSuites list contains no 3DES (64-bit block) suite, and minVersion keeps TLS 1.0/1.1 out of the picture. Without a cipherSuites list Traefik falls back to Go's default cipher suite list, which historically still included the 3DES suites.

apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: traefik-tls-option
  namespace: default
spec:
  minVersion: VersionTLS12
  cipherSuites:
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   # TLS 1.2
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305    # TLS 1.2
    - TLS_AES_256_GCM_SHA384                  # TLS 1.3
    - TLS_CHACHA20_POLY1305_SHA256            # TLS 1.3
  curvePreferences:
    - CurveP521
    - CurveP384
  sniStrict: true

Write the routes

# Using the traefik dashboard as an example

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`traefik.test.com`)
      kind: Rule
      services: 
        - name: api@internal
          kind: TraefikService
      middlewares:
      - name: traefik-redirect-https
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-https
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`traefik.test.com`)
    kind: Rule
    services:
    - name: api@internal
      kind: TraefikService
    middlewares:
    # assumes a Middleware of this name already exists; it is not defined in this post
    - name: traefik-auth-middleware
  tls:
    # reference the SSL certificate secret
    secretName: ssl-cert
    # reference the TLSOption
    options:
      name: traefik-tls-option
      namespace: default

Scan and verify

Scanning for SWEET32 with nmap works the same way as for nginx and the K8S components, so it is not repeated here.
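As an added example (not part of the original post), the shell script below runs the verification step offline: check_report greps an nmap ssl-enum-ciphers report for the 64-bit block cipher suites that SWEET32 applies to (3DES and IDEA) and for TLS 1.0/1.1 still being offered, which is exactly what the TLSOption above is meant to remove. The two reports embedded in the script are constructed sample text in nmap's layout, not real scan output; live_scan wraps the real `nmap --script ssl-enum-ciphers` invocation for a host and is not called here because it needs network access. The host name traefik.test.com is the one matched by the IngressRoute above.

```shell
#!/bin/sh
# Added example, not from the original post: offline check of an nmap
# ssl-enum-ciphers report for SWEET32-affected (64-bit block) cipher suites.

# Exit 0 if the report offers a 3DES or IDEA suite (64-bit block ciphers,
# the ones SWEET32 / CVE-2016-2183 applies to) or carries nmap's own
# SWEET32 warning line; exit 1 otherwise.
has_sweet32_suites() {
  grep -Eiq '3DES_EDE_CBC|IDEA_CBC|64-bit block cipher' "$1"
}

# Exit 0 if TLS 1.0 or TLS 1.1 is listed as an offered protocol version.
has_legacy_tls() {
  grep -Eq '^[|][ ]+TLSv1\.[01]:' "$1"
}

# Print a verdict; return 0 only when neither problem is present.
check_report() {
  status=0
  if has_sweet32_suites "$1"; then
    echo "FAIL: 64-bit block cipher suite still offered (SWEET32)"
    status=1
  fi
  if has_legacy_tls "$1"; then
    echo "FAIL: TLS 1.0/1.1 still offered"
    status=1
  fi
  [ "$status" -eq 0 ] && echo "PASS: no SWEET32-affected suite, TLS 1.2+ only"
  return "$status"
}

# Real scan of an entry point (needs network, so it is not run in this script):
# writes the nmap report to the given file and evaluates it.
live_scan() {
  nmap --script ssl-enum-ciphers -p 443 "$1" > "$2"
  check_report "$2"
}

# Constructed sample reports in nmap's ssl-enum-ciphers layout.
BEFORE="${TMPDIR:-/tmp}/sweet32_before.$$"
AFTER="${TMPDIR:-/tmp}/sweet32_after.$$"
trap 'rm -f "$BEFORE" "$AFTER"' EXIT

cat > "$BEFORE" <<'EOF'
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|_  least strength: C
EOF

cat > "$AFTER" <<'EOF'
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp521r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp521r1) - A
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp521r1) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp521r1) - A
|_  least strength: A
EOF

echo "before hardening:"; check_report "$BEFORE" || true
echo "after hardening:";  check_report "$AFTER"  || true
# Against a live entry point: live_scan traefik.test.com /tmp/traefik-scan.txt
```

The "before" report fails on both counts and the "after" report, which mirrors the suites and minVersion in the TLSOption, passes. Run live_scan against the websecure entry point after applying the TLSOption and the verdict should match the "after" case.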