IoT Edge Hub can be configured to expose endpoints on an IoT Edge device so that downstream clients can connect to IoT Hub through the edge device. For improved security, customers might want to restrict the TLS versions and cipher suites supported by these edge device endpoints. Below, we describe an architecture to enable this.
We leverage a haproxy reverse proxy IoT Edge module to limit TLS versions and cipher suites supported by the external facing endpoints on the IoT Edge device. The diagram below illustrates this approach:
- Clone this repository.
- Modify `/edge-modules/edgehub-proxy/haproxy.cfg` with the desired configuration and save the file. Values to set:

  | Setting | Value |
  | --- | --- |
  | TLS | Modify the `ssl-default-bind-options` entry. Full list of options. Use `ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11` to expose only TLS v1.2. |
  | Cipher suite | Modify the `ssl-default-bind-ciphers` entry. Full list of options. |

- Build the image by running the following command:

  ```sh
  $ ./edge-modules/edgehub-proxy/build.sh -i eh-proxy -t x86_64
  ```

  To build an image for ARM, run the above command on a Linux ARM32 machine and change the `-t` switch to `armv7l`.
- Tag the image as desired and push it to the container registry used for your IoT Edge deployment.
- Remove the entire `PortBindings` section from the `HostConfig` section of IoT Edge Hub's Container Create Options.
- Add the previously built proxy module to the deployment, with the following Container Create Options:

  ```json
  {
    "HostConfig": {
      "PortBindings": {
        "443/tcp": [ { "HostPort": "443" } ],
        "5671/tcp": [ { "HostPort": "5671" } ],
        "8883/tcp": [ { "HostPort": "8883" } ]
      }
    }
  }
  ```
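Before building the image, it is worth checking that the `haproxy.cfg` you edited actually carries the two settings from the table above. The script below is an added example and not part of the edgehub-proxy repository: it reads a config, extracts the `global` TLS defaults, and reports a weak or missing `ssl-default-bind-options` / `ssl-default-bind-ciphers` line. The two `global` sections it embeds are constructed for this example, and the cipher list in the hardened one is an ECDHE/AEAD selection chosen here, not the repository's own.

```shell
#!/bin/sh
# Added example (not code from the edgehub-proxy repository): lint the global
# TLS defaults of an haproxy.cfg against the hardening described in the table
# (no SSLv3/TLS 1.0/TLS 1.1, explicit cipher list).

# Constructed: a global section that still accepts TLS 1.0 and 1.1 and leaves
# cipher selection to OpenSSL's catch-all "ALL" list.
WEAK_CFG='global
    log stdout format raw local0
    ssl-default-bind-options no-sslv3
    ssl-default-bind-ciphers ALL:!aNULL:!eNULL'

# Constructed: the hardened global section (TLS 1.2 only, AEAD suites only).
# The cipher names are standard OpenSSL names; the selection is this example's.
HARDENED_CFG='global
    log stdout format raw local0
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305'

# setting_value: print the value of keyword $1 from the config on stdin
# (first occurrence), or nothing if the keyword is absent.
setting_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}//p" | head -n 1
}

# check_tls_defaults: read an haproxy.cfg on stdin and print one finding per
# line. Prints "ok" and returns 0 when every check passes, returns 1 otherwise.
check_tls_defaults() {
    cfg=$(cat)
    opts=$(printf '%s\n' "$cfg" | setting_value ssl-default-bind-options)
    ciphers=$(printf '%s\n' "$cfg" | setting_value ssl-default-bind-ciphers)
    rc=0
    # Each legacy protocol must be switched off explicitly.
    for v in no-sslv3 no-tlsv10 no-tlsv11; do
        case " $opts " in
            *" $v "*) ;;
            *) echo "missing $v in ssl-default-bind-options"; rc=1 ;;
        esac
    done
    # A cipher list must be present and must not fall back to broad or
    # legacy selectors.
    if [ -z "$ciphers" ]; then
        echo "ssl-default-bind-ciphers not set (OpenSSL default list applies)"
        rc=1
    else
        case "$ciphers" in
            *ALL*|*DEFAULT*|*RC4*|*DES*|*MD5*)
                echo "ssl-default-bind-ciphers is not an explicit strong list: $ciphers"
                rc=1 ;;
        esac
    fi
    if [ "$rc" -eq 0 ]; then
        echo ok
    fi
    return "$rc"
}

# Usage: sh check-haproxy-tls.sh edge-modules/edgehub-proxy/haproxy.cfg
if [ "$#" -gt 0 ]; then
    check_tls_defaults < "$1"
fi
```

Run against the weak fragment the script reports the two missing `no-tlsv1x` options and the catch-all cipher list; against the hardened one it prints `ok`. Newer HAProxy releases also accept `ssl-min-ver TLSv1.2` as a bind option, which expresses the same floor without listing each legacy version, and `ssl-default-bind-ciphersuites` for the separate TLS 1.3 suite list if your build supports TLS 1.3.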
You can use the `openssl s_client` command to test the TLS versions and cipher suites exposed by the IoT Edge device (via the proxy module). Here is an example.
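As an added example that is not part of the original page or repository, the script below wraps `openssl s_client` so the check above can be repeated for every proxied port and every TLS version in one go, and parses the client output to report which handshakes the device accepts. `edge-device.example` is a placeholder hostname; the ports are the three from the `PortBindings` above, and the two captured outputs embedded at the bottom are constructed for offline testing of the parser.

```shell
#!/bin/sh
# Added example (not code from the edgehub-proxy repository): drive
# openssl s_client against each proxied endpoint, once per TLS version, and
# report which versions the device still accepts.

EDGE_HOST="${EDGE_HOST:-edge-device.example}"   # placeholder hostname
EDGE_PORTS="${EDGE_PORTS:-443 5671 8883}"       # ports from the PortBindings

# negotiated_cipher: read s_client output on stdin and print the cipher from
# its "New, <proto>, Cipher is <name>" line, or NONE if no session was set up.
negotiated_cipher() {
    c=$(sed -n 's/^New, .*Cipher is //p' | head -n 1 | tr -d '()')
    printf '%s\n' "${c:-NONE}"
}

# negotiated_protocol: print the "Protocol : ..." value from the SSL-Session
# block, or NONE. Only meaningful when negotiated_cipher is not NONE.
negotiated_protocol() {
    p=$(sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1)
    printf '%s\n' "${p:-NONE}"
}

# handshake_result: classify one s_client run (stdin) as
# "accepted <protocol> <cipher>" or "rejected".
handshake_result() {
    out=$(cat)
    c=$(printf '%s\n' "$out" | negotiated_cipher)
    if [ "$c" = "NONE" ]; then
        echo rejected
    else
        echo "accepted $(printf '%s\n' "$out" | negotiated_protocol) $c"
    fi
}

# probe_version: one handshake pinned to a single version flag (-tls1,
# -tls1_1, -tls1_2, -tls1_3). "echo |" closes stdin so s_client exits right
# after the handshake. A flag the local openssl does not know also shows up
# as "rejected", so confirm the flags with "openssl s_client -help" first.
probe_version() {
    host=$1; port=$2; flag=$3
    echo | openssl s_client -connect "$host:$port" -servername "$host" "$flag" 2>&1 \
        | handshake_result
}

# scan_endpoints: one line per port and version. With
# "no-sslv3 no-tlsv10 no-tlsv11" in haproxy.cfg, -tls1 and -tls1_1 must read
# "rejected"; -tls1_3 is accepted only if the haproxy/OpenSSL build has it.
scan_endpoints() {
    for port in $EDGE_PORTS; do
        for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
            printf '%s:%s %-8s %s\n' "$EDGE_HOST" "$port" "$flag" \
                "$(probe_version "$EDGE_HOST" "$port" "$flag")"
        done
    done
}

# Constructed (abridged) s_client output for a successful TLS 1.2 handshake,
# used to exercise the parser offline.
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

# Constructed (abridged) output for a TLS 1.0 attempt the proxy refuses.
SAMPLE_REJECTED='CONNECTED(00000003)
SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

# Usage: EDGE_HOST=my-edge-device sh tls-probe.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_endpoints
fi
```

The decision is taken from the `New, ..., Cipher is ...` line rather than the `SSL-Session` block, because on a refused handshake the client still prints a `Protocol` value there while the cipher reads `(NONE)`. To check a specific suite instead of a version, add `-cipher <name>` to the `openssl s_client` call in `probe_version` and expect `rejected` for anything not in your `ssl-default-bind-ciphers` list.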