Aptible PaaS logoDocs
Search
⌘K
Docs
Product
AppsDatabasesPlatformSecurity & Compliance
PricingCustomersCompany
Install CLI
Log In
Getting Started
Starter Templates
Deploy an Example App
Is my App a good fit for Aptible?
Core Concepts
Apps
Deploying Apps
Connecting to Apps
App Endpoints
HTTP(S) Endpoints
ALB vs. ELB Endpoints
Health Checks
HTTP Request Headers
HTTPS Protocols
HTTPS Redirect
Maintenance Page
Endpoint Logs
TLS Endpoints
TCP Endpoints
Default Domain
Custom Domain
Custom Certificate
Managed TLS
IP Filtering
Ephemeral SSH Sessions
Outbound IP Addresses
Managing Apps
Databases
Platform Internals
Scaling
Logs
Metrics
Security & Compliance
Network Integrations
Billing & Payments
Reference
Aptible CLI
Aptible Terraform
Aptible Roadmap
Aptible Metadata Variables
Feature Support Matrix
Division of Responsibility
How-to Guides
App Guides
Database Guides
Metrics & Monitoring Guides
Logging Guides
Best Practices Guides
Business Continuity Guides
Security & Compliance Guides
Account & General Guides
Troubleshooting
Aptible Support
Common Errors & Issues

HTTPS Protocols

Aptible offer a few ways to configure the protocols used by your HTTP(S) Endpoints for HTTPS termination through a set of Configuration variables. These are the same variables as can be defined for TLS Endpoints. If set once on the application, they will apply to all TLS and HTTPS endpoints for that application.

SSL_PROTOCOLS_OVERRIDE: Control SSL / TLS Protocols

The SSL_PROTOCOLS_OVERRIDE variable lets you customize the SSL Protocols allowed on your Endpoint.

Available protocols depend on your Endpoint platform:

  • For ALB Endpoints: you can choose from these 6 combinations:
    • TLSv1 TLSv1.1 TLSv1.2 (default)
    • TLSv1 TLSv1.1 TLSv1.2 PFS
    • TLSv1.1 TLSv1.2
    • TLSv1.1 TLSv1.2 PFS
    • TLSv1.2
    • TLSv1.2 PFS
📘 Adding PFS modifies your Endpoint's ciphersuites to only support those that offer perfect-forward secrecy.
📘 The format for ALBs and ELBs is effectively identical: the only difference is the supported protocols. This means that if you have both ELB Endpoints and ALB Endpoints on a given app, or if you're upgrading from ELB to ALB, things will work as expected as long as you use protocols supported by ALBs, which are stricter.

SSL_CIPHERS_OVERRIDE: Control ciphers

📘 Note
This variable is only available on Legacy ELB endpoints.
On ALB Endpoints, you normally don't need to customize the ciphers available.

This variable lets you customize the SSL Ciphers used by your Endpoint.

The format is a string accepted by Nginx for its ssl_ciphers directive.

Pay very close attention to the required format, as here again a bad variable will prevent the proxies from starting.

DISABLE_WEAK_CIPHER_SUITES: an opinionated policy for ELBs

📘 This variable is only available on Legacy ELB endpoints. On ALB Endpoints, weak ciphers are disabled by default, so that setting has no effect.

Setting this variable to true (it has to be the exact string true) causes your Endpoint to stop accepting traffic over the SSLv3 protocol or using the RC4 cipher.

We strongly recommend setting this variable to true on all ELB Endpoints nowadays. Or, better, yet, upgrade to ALB Endpoints, where that's the default.

Examples

Set SSL_PROTOCOLS_OVERRIDE

aptible config:set --app "$APP_HANDLE" \
        "SSL_PROTOCOLS_OVERRIDE=TLSv1.1 TLSv1.2"

Set DISABLE_WEAK_CIPHER_SUITES

# Note: the value to enable DISABLE_WEAK_CIPHER_SUITES is the string "true"
# Setting it to e.g. "1" won't work.
aptible config:set --app "$APP_HANDLE" \
        DISABLE_WEAK_CIPHER_SUITES=true
HTTPS Protocols
Aptible logo
Product
Resources
Support
Company
548 Market St #75826 San Francisco, CA 94104
© 2023. All rights reserved. Privacy Policy