2014-11-05

AWS CloudFormation: load balancer custom SSL negotiation policy

I'm trying to set up a CloudFormation template with a custom SSL negotiation policy. The CloudFormation error I get is:

CREATE_FAILED AWS::ElasticLoadBalancing:: Unable to enable load balancer BackendELB SSLNegotiationPolicy

The relevant part of my CloudFormation template is as follows:

"Policies" : [ 
       { 
        "PolicyName": "SSLNegotiationPolicy", 
        "PolicyType": "SSLNegotiationPolicyType", 
        "Attributes": [ 
         { "Name" : "Protocol-TLSv1", "Value" : "true" }, 
         { "Name" : "Protocol-TLSv1.1", "Value" : "true" }, 
         { "Name" : "Protocol-TLSv1.2", "Value" : "true" }, 
         { "Name" : "Protocol-SSLv2", "Value" : "false" }, 
         { "Name" : "Protocol-SSLv3", "Value" : "false" }, 
         { "Name" : "ECDHE-RSA-AES128-GCM-SHA256", "Value" : "true" }, 
         { "Name" : "ECDHE-ECDSA-AES128-SHA256", "Value" : "true" }, 
         { "Name" : "ECDHE-RSA-AES128-SHA256", "Value" : "true" }, 
         { "Name" : "ECDHE-ECDSA-AES128-SHA", "Value" : "true" }, 
         { "Name" : "ECDHE-RSA-AES128-SHA", "Value" : "true" }, 
         { "Name" : "DHE-RSA-AES128-SHA", "Value" : "true" }, 
         { "Name" : "ECDHE-ECDSA-AES256-GCM-SHA384", "Value" : "true" }, 
         { "Name" : "ECDHE-RSA-AES256-GCM-SHA384", "Value" : "true" }, 
         { "Name" : "ECDHE-ECDSA-AES256-SHA384", "Value" : "true" }, 
         { "Name" : "ECDHE-RSA-AES256-SHA384", "Value" : "true" }, 
         { "Name" : "ECDHE-RSA-AES256-SHA", "Value" : "true" }, 
         { "Name" : "ECDHE-ECDSA-AES256-SHA", "Value" : "true" }, 
         { "Name" : "AES128-GCM-SHA256", "Value" : "true" }, 
         { "Name" : "AES128-SHA256", "Value" : "true" }, 
         { "Name" : "AES128-SHA", "Value" : "true" }, 
         { "Name" : "AES256-GCM-SHA384", "Value" : "true" }, 
         { "Name" : "AES256-SHA256", "Value" : "true" }, 
         { "Name" : "AES256-SHA", "Value" : "true" }, 
         { "Name" : "DHE-DSS-AES128-SHA", "Value" : "true" }, 
         { "Name" : "RC4-SHA", "Value" : "false" }, 
         { "Name" : "ECDHE-ECDSA-RC4-SHA", "Value" : "false" } 
        ], 
        "InstancePorts" : [ "443" ] 
       } 
      ] 

If I remove the InstancePorts section, the ELB is created without error, but the new load balancer doesn't use the policy outlined above.

Any ideas?

Side question: do I need to set every value in the policy to true or false, or, if a cipher isn't defined in the template, does it default to the value defined in the recommended SSL policy?

Answer

I think you're on the right track.

aws elb describe-load-balancer-policies 

For completeness I specify all of them, like the policy below:

"Policies" : [ 
     { 
     "PolicyName" : "My-ELBSecurityPolicy-2014-10-DisableRC4", 
     "PolicyType" : "SSLNegotiationPolicyType", 
     "Attributes" : [ 
      { "Name": "Protocol-SSLv2", "Value": "false" }, 
      { "Name": "Protocol-TLSv1", "Value": "true" }, 
      { "Name": "Protocol-SSLv3", "Value": "false" }, 
      { "Name": "Protocol-TLSv1.1", "Value": "true" }, 
      { "Name": "Protocol-TLSv1.2", "Value": "true" }, 
      { "Name": "Server-Defined-Cipher-Order", "Value": "true" }, 
      { "Name": "ECDHE-ECDSA-AES128-GCM-SHA256", "Value": "true" }, 
      { "Name": "ECDHE-RSA-AES128-GCM-SHA256", "Value": "true" }, 
      { "Name": "ECDHE-ECDSA-AES128-SHA256", "Value": "true" }, 
      { "Name": "ECDHE-RSA-AES128-SHA256", "Value": "true" }, 
      { "Name": "ECDHE-ECDSA-AES128-SHA", "Value": "true" }, 
      { "Name": "ECDHE-RSA-AES128-SHA", "Value": "true" }, 
      { "Name": "DHE-RSA-AES128-SHA", "Value": "true" }, 
      { "Name": "ECDHE-ECDSA-AES256-GCM-SHA384", "Value": "true" }, 
      { "Name": "ECDHE-RSA-AES256-GCM-SHA384", "Value": "true" }, 
      { "Name": "ECDHE-ECDSA-AES256-SHA384", "Value": "true" }, 
      { "Name": "ECDHE-RSA-AES256-SHA384", "Value": "true" }, 
      { "Name": "ECDHE-RSA-AES256-SHA", "Value": "true" }, 
      { "Name": "ECDHE-ECDSA-AES256-SHA", "Value": "true" }, 
      { "Name": "AES128-GCM-SHA256", "Value": "true" }, 
      { "Name": "AES128-SHA256", "Value": "true" }, 
      { "Name": "AES128-SHA", "Value": "true" }, 
      { "Name": "AES256-GCM-SHA384", "Value": "true" }, 
      { "Name": "AES256-SHA256", "Value": "true" }, 
      { "Name": "AES256-SHA", "Value": "true" }, 
      { "Name": "DHE-DSS-AES128-SHA", "Value": "true" }, 
      { "Name": "CAMELLIA128-SHA", "Value": "false" }, 
      { "Name": "EDH-RSA-DES-CBC3-SHA", "Value": "false" }, 
      { "Name": "DES-CBC3-SHA", "Value": "false" }, 
      { "Name": "ECDHE-RSA-RC4-SHA", "Value": "false" }, 
      { "Name": "RC4-SHA", "Value": "false" }, 
      { "Name": "ECDHE-ECDSA-RC4-SHA", "Value": "false" }, 
      { "Name": "DHE-DSS-AES256-GCM-SHA384", "Value": "false" }, 
      { "Name": "DHE-RSA-AES256-GCM-SHA384", "Value": "false" }, 
      { "Name": "DHE-RSA-AES256-SHA256", "Value": "false" }, 
      { "Name": "DHE-DSS-AES256-SHA256", "Value": "false" }, 
      { "Name": "DHE-RSA-AES256-SHA", "Value": "false" }, 
      { "Name": "DHE-DSS-AES256-SHA", "Value": "false" }, 
      { "Name": "DHE-RSA-CAMELLIA256-SHA", "Value": "false" }, 
      { "Name": "DHE-DSS-CAMELLIA256-SHA", "Value": "false" }, 
      { "Name": "CAMELLIA256-SHA", "Value": "false" }, 
      { "Name": "EDH-DSS-DES-CBC3-SHA", "Value": "false" }, 
      { "Name": "DHE-DSS-AES128-GCM-SHA256", "Value": "false" }, 
      { "Name": "DHE-RSA-AES128-GCM-SHA256", "Value": "false" }, 
      { "Name": "DHE-RSA-AES128-SHA256", "Value": "false" }, 
      { "Name": "DHE-DSS-AES128-SHA256", "Value": "false" }, 
      { "Name": "DHE-RSA-CAMELLIA128-SHA", "Value": "false" }, 
      { "Name": "DHE-DSS-CAMELLIA128-SHA", "Value": "false" }, 
      { "Name": "ADH-AES128-GCM-SHA256", "Value": "false" }, 
      { "Name": "ADH-AES128-SHA", "Value": "false" }, 
      { "Name": "ADH-AES128-SHA256", "Value": "false" }, 
      { "Name": "ADH-AES256-GCM-SHA384", "Value": "false" }, 
      { "Name": "ADH-AES256-SHA", "Value": "false" }, 
      { "Name": "ADH-AES256-SHA256", "Value": "false" }, 
      { "Name": "ADH-CAMELLIA128-SHA", "Value": "false" }, 
      { "Name": "ADH-CAMELLIA256-SHA", "Value": "false" }, 
      { "Name": "ADH-DES-CBC3-SHA", "Value": "false" }, 
      { "Name": "ADH-DES-CBC-SHA", "Value": "false" }, 
      { "Name": "ADH-RC4-MD5", "Value": "false" }, 
      { "Name": "ADH-SEED-SHA", "Value": "false" }, 
      { "Name": "DES-CBC-SHA", "Value": "false" }, 
      { "Name": "DHE-DSS-SEED-SHA", "Value": "false" }, 
      { "Name": "DHE-RSA-SEED-SHA", "Value": "false" }, 
      { "Name": "EDH-DSS-DES-CBC-SHA", "Value": "false" }, 
      { "Name": "EDH-RSA-DES-CBC-SHA", "Value": "false" }, 
      { "Name": "IDEA-CBC-SHA", "Value": "false" }, 
      { "Name": "RC4-MD5", "Value": "false" }, 
      { "Name": "SEED-SHA", "Value": "false" }, 
      { "Name": "DES-CBC3-MD5", "Value": "false" }, 
      { "Name": "DES-CBC-MD5", "Value": "false" }, 
      { "Name": "RC2-CBC-MD5", "Value": "false" }, 
      { "Name": "PSK-AES256-CBC-SHA", "Value": "false" }, 
      { "Name": "PSK-3DES-EDE-CBC-SHA", "Value": "false" }, 
      { "Name": "KRB5-DES-CBC3-SHA", "Value": "false" }, 
      { "Name": "KRB5-DES-CBC3-MD5", "Value": "false" }, 
      { "Name": "PSK-AES128-CBC-SHA", "Value": "false" }, 
      { "Name": "PSK-RC4-SHA", "Value": "false" }, 
      { "Name": "KRB5-RC4-SHA", "Value": "false" }, 
      { "Name": "KRB5-RC4-MD5", "Value": "false" }, 
      { "Name": "KRB5-DES-CBC-SHA", "Value": "false" }, 
      { "Name": "KRB5-DES-CBC-MD5", "Value": "false" }, 
      { "Name": "EXP-EDH-RSA-DES-CBC-SHA", "Value": "false" }, 
      { "Name": "EXP-EDH-DSS-DES-CBC-SHA", "Value": "false" }, 
      { "Name": "EXP-ADH-DES-CBC-SHA", "Value": "false" }, 
      { "Name": "EXP-DES-CBC-SHA", "Value": "false" }, 
      { "Name": "EXP-RC2-CBC-MD5", "Value": "false" }, 
      { "Name": "EXP-KRB5-RC2-CBC-SHA", "Value": "false" }, 
      { "Name": "EXP-KRB5-DES-CBC-SHA", "Value": "false" }, 
      { "Name": "EXP-KRB5-RC2-CBC-MD5", "Value": "false" }, 
      { "Name": "EXP-KRB5-DES-CBC-MD5", "Value": "false" }, 
      { "Name": "EXP-ADH-RC4-MD5", "Value": "false" }, 
      { "Name": "EXP-RC4-MD5", "Value": "false" }, 
      { "Name": "EXP-KRB5-RC4-SHA", "Value": "false" }, 
      { "Name": "EXP-KRB5-RC4-MD5", "Value": "false" } 
     ] 
     } 
    ] 

You can also reference the policy from the ELB listener definition itself (the describe-load-balancer-policies command above shows what an existing security policy contains):

"Listeners" : [ 
     { "LoadBalancerPort" : "80", 
     "InstancePort" : "80", 
     "Protocol" : "HTTP" }, 
     { "LoadBalancerPort" : "443", 
     "InstancePort" : "80", 
     "Protocol" : "HTTPS", 
     "SSLCertificateId" : "arn:aws:iam::111111111111:server-certificate/somedomain.com", 
     "PolicyNames" : [ "My-ELBSecurityPolicy-2014-10-DisableRC4", "SomeOtherPolicy" ] 
     } 
    ], 
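As an added example, not part of the question or answer: a small Python checker for the two points this thread makes (an SSL negotiation policy only takes effect when an HTTPS listener lists it in PolicyNames, and InstancePorts on such a policy makes the stack fail), plus a check that SSLv2/SSLv3 are not enabled. The template fragment is constructed and the finding wording is my own.

```python
import json

# Constructed sample (not from the page): an ELB resource reproducing the question's
# two problems: InstancePorts on an SSL negotiation policy, and a policy that no
# HTTPS listener references via PolicyNames.
SAMPLE_ELB = json.loads("""
{
  "Properties": {
    "Listeners": [
      {"LoadBalancerPort": "80", "InstancePort": "80", "Protocol": "HTTP"},
      {"LoadBalancerPort": "443", "InstancePort": "80", "Protocol": "HTTPS",
       "SSLCertificateId": "arn:aws:iam::111111111111:server-certificate/example",
       "PolicyNames": []}
    ],
    "Policies": [
      {"PolicyName": "SSLNegotiationPolicy",
       "PolicyType": "SSLNegotiationPolicyType",
       "InstancePorts": ["443"],
       "Attributes": [
         {"Name": "Protocol-SSLv3", "Value": "true"},
         {"Name": "Protocol-TLSv1.2", "Value": "true"},
         {"Name": "RC4-SHA", "Value": "false"}
       ]}
    ]
  }
}
""")

WEAK_PROTOCOLS = {"Protocol-SSLv2", "Protocol-SSLv3"}  # must not be "true"
def audit_elb(resource):
    """Return findings for one AWS::ElasticLoadBalancing::LoadBalancer (empty = clean)."""
    props = resource["Properties"]
    findings = []
    # Only policies named in an HTTPS/SSL listener's PolicyNames take effect.
    referenced = set()
    for lst in props.get("Listeners", []):
        if lst.get("Protocol", "").upper() in ("HTTPS", "SSL"):
            referenced.update(lst.get("PolicyNames", []))
    for pol in props.get("Policies", []):
        if pol.get("PolicyType") != "SSLNegotiationPolicyType":
            continue
        name = pol["PolicyName"]
        if "InstancePorts" in pol:
            findings.append(f"{name}: InstancePorts set on an SSL negotiation policy (causes CREATE_FAILED)")
        if name not in referenced:
            findings.append(f"{name}: not in any HTTPS/SSL listener's PolicyNames, so never applied")
        for attr in pol.get("Attributes", []):
            if attr["Name"] in WEAK_PROTOCOLS and attr["Value"].lower() == "true":
                findings.append(f"{name}: {attr['Name']} is enabled")
    return findings
```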

This helped solve my problem. Basically I didn't realize you had to reference the policy name in the 'PolicyNames' array. Thanks. – tmont 2015-02-25 07:29:27