nginx 禁用 tls v1.0 和 v1.1 不工作
nginx disable tls v1.0 & v1.1 not working
我试图通过 nginx 在我的网络服务器上禁用 tls v1.0 和 tls v1.1,但是当我使用 tls checker 测试 tls 时,它不起作用并且仍然显示 tls v1.0 和 v1。 1 个已启用。
下面是我的nginx.conf:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
client_max_body_size 100M;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name test.mydomain.com;
return 301 https://$server_name$request_uri;
}
# Settings for a TLS enabled server.
#
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name test.mydomain.com;
include self-signed.conf;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";
root /usr/share/nginx/html/public;
index index.php index.htm index.html;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ .php$ {
try_files $uri =404;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
}
以下是 tls 检查器的结果:
任何建议都会很有帮助
我发现nginx web服务器前面有一个AWS Web Application Firewall 运行。从那里删除 TLS v1.0、v1.1 解决了这个问题。
我试图通过 nginx 在我的网络服务器上禁用 tls v1.0 和 tls v1.1,但是当我使用 tls checker 测试 tls 时,它不起作用并且仍然显示 tls v1.0 和 v1。 1 个已启用。
下面是我的nginx.conf:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
client_max_body_size 100M;
include /etc/nginx/mime.types;
default_type application/octet-stream;
include /etc/nginx/conf.d/*.conf;
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name test.mydomain.com;
return 301 https://$server_name$request_uri;
}
# Settings for a TLS enabled server.
#
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name test.mydomain.com;
include self-signed.conf;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";
root /usr/share/nginx/html/public;
index index.php index.htm index.html;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
location ~ .php$ {
try_files $uri =404;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
}
以下是 tls 检查器的结果:
任何建议都会很有帮助
我发现nginx web服务器前面有一个AWS Web Application Firewall 运行。从那里删除 TLS v1.0、v1.1 解决了这个问题。