Discussion:
In Nginx reverse proxy unable to disable TLS1
blason
2018-12-01 06:02:19 UTC
Permalink
Hi Team,

I have deployed nginx in reverse proxy mode and am trying to disable TLS1
and 1.1 in the configuration file, but somehow they still show when the site is scanned
by SSL Labs.

Any idea why?

nginx version: nginx/1.10.1

ssl_prefer_server_ciphers On;
ssl_protocols TLSv1.2;
ssl_ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;
ssl_dhparam /etc/ssl/stest.pem;

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,282222,282222#msg-282222
Maxim Dounin
2018-12-03 14:13:31 UTC
Permalink
Hello!
Post by blason
Hi Team,
I have deployed nginx in reverse proxy mode and am trying to disable TLS1
and 1.1 in the configuration file, but somehow they still show when the site is scanned
by SSL Labs.
Any idea why?
nginx version: nginx/1.10.1
ssl_prefer_server_ciphers On;
ssl_protocols TLSv1.2;
ssl_ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;
ssl_dhparam /etc/ssl/stest.pem;
Make sure you change ssl_protocols in the right context. It is
not possible to change enabled SSL protocols in an SNI-based
virtual server, so you have to define the "ssl_protocols"
directive in the default server for the listening socket. The
simplest solution would be to define "ssl_protocols" in the "http"
context, so it will be used for all servers.
--
Maxim Dounin
http://mdounin.ru/
blason
2018-12-10 04:56:33 UTC
Permalink
Hello,

Do you mean I need to mention it in each and every reverse proxy stanza, or in
the default config?

Is this right?

[***@xxxxxx conf.d]# vi default.conf
server {
    listen 80 default_server;
    #server_name "";
    server_name _;
    return 444;
    ssl_protocols TLSv1.2;

    #charset koi8-r;
    #access_log /var/log/nginx/log/host.access.log main;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,282222,282316#msg-282316
Maxim Dounin
2018-12-10 15:03:52 UTC
Permalink
Hello!
Post by blason
Do you mean I need to mention it in each and every reverse proxy stanza, or in
the default config?
You have to configure ssl_protocols in the default server for the
listening socket in question.

As previously suggested, the simplest solution would be to
configure ssl_protocols in the http{} block in nginx.conf.
Post by blason
Is this right?
server {
    listen 80 default_server;
    #server_name "";
    server_name _;
    return 444;
    ssl_protocols TLSv1.2;
    #charset koi8-r;
    #access_log /var/log/nginx/log/host.access.log main;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
No. The server{} block in question is the default for port 80,
which is plain HTTP and does not use SSL. Note that
Post by blason
listen 80 default_server;
is the only listening socket in this server block.

You need to configure ssl_protocols in the server{} block which is
the default for the HTTPS listening socket, usually on port 443.
--
Maxim Dounin
http://mdounin.ru/
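The two replies above say where ssl_protocols has to live for it to take effect. The following is an added example, not configuration from the thread or from the nginx project, showing the layout that produces the symptom the original poster saw (TLS 1.0/1.1 still offered despite ssl_protocols TLSv1.2 in the proxied vhost) next to the corrected layout. Hostnames, certificate paths, the ssl_dhparam path and the upstream name app_backend are placeholders.

```nginx
# ---------------------------------------------------------------------
# BEFORE (reproduces the symptom). Contents of /etc/nginx/conf.d/*.conf
# with nothing about ssl_protocols in nginx.conf's http{} block.
# ---------------------------------------------------------------------

# No server{} on :443 declares default_server, so nginx uses the first
# one it sees as the default for that socket. The TLS version is
# negotiated on this server's settings before SNI is consulted, and in
# nginx 1.10 the built-in default is "TLSv1 TLSv1.1 TLSv1.2".
server {
    listen 443 ssl;
    server_name other.example.com;          # placeholder
    ssl_certificate     /etc/ssl/other.crt; # placeholder
    ssl_certificate_key /etc/ssl/other.key; # placeholder
    # no ssl_protocols here -> TLS 1.0 and 1.1 stay enabled for the socket
}

# SNI-selected virtual server for the reverse proxy. Its ssl_protocols
# line is what the poster tried; it cannot restrict the protocol set of
# the listening socket, so SSL Labs still reports TLS 1.0/1.1.
server {
    listen 443 ssl;
    server_name app.example.com;            # placeholder
    ssl_certificate     /etc/ssl/app.crt;   # placeholder
    ssl_certificate_key /etc/ssl/app.key;   # placeholder
    ssl_protocols TLSv1.2;                  # has no effect on negotiation
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/stest.pem;         # placeholder
    location / {
        proxy_pass http://app_backend;      # placeholder upstream
    }
}

# ---------------------------------------------------------------------
# AFTER (fixed). Put the protocol restriction where every :443 default
# server inherits it: the http{} block of /etc/nginx/nginx.conf.
# ---------------------------------------------------------------------
http {
    # Inherited by every server{}, including whichever one is the
    # default for each ssl listening socket. This is the single place
    # that needs to be correct.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;
    ssl_dhparam /etc/ssl/stest.pem;         # placeholder

    # Optional but explicit: a catch-all default server for :443 so the
    # socket-level settings do not depend on file ordering in conf.d.
    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_certificate     /etc/ssl/default.crt; # placeholder
        ssl_certificate_key /etc/ssl/default.key; # placeholder
        return 444;
    }

    include /etc/nginx/conf.d/*.conf;       # the vhosts above, minus their
                                            # now-redundant ssl_protocols lines
}
```

After `nginx -t` and a reload, check the socket rather than trusting the vhost file: `openssl s_client -connect app.example.com:443 -servername app.example.com -tls1_1` must now fail the handshake, and the same command with `-tls1_2` must succeed. If `-tls1_1` still connects, the server{} that is default for that listen socket is not inheriting ssl_protocols TLSv1.2, which is exactly the port-80-vs-443 mistake corrected in the reply above. Note that a default server for port 80, as in the poster's default.conf, never affects TLS at all.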