Hello guys,
I enabled ssl_reject_handshake in the first 443 server segment of nginx.conf to prevent someone from scanning the IP to detect the certificate.
```
server {
    listen 443 ssl reuseport;
    listen [::]:443 ssl;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_dhparam /root/dhparam;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers TLSv1.2:!ADH:!RSA:!PSK:!SHA256:!SHA384;
    ssl_early_data on;
    ssl_reject_handshake on;
}
```
I then placed the real server configuration file under the conf.d folder.
```
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;
    root /usr/share/nginx/html;
    ssl_certificate /acme.sh/example.com_ecc/fullchain.cer;
    ssl_certificate_key /acme.sh/example.com_ecc/example.com.key;
    ssl_certificate /acme.sh/example.com/fullchain.cer;
    ssl_certificate_key /acme.sh/example.com/example.com.key;
    ssl_stapling on;
    resolver 8.8.8.8 1.1.1.1 valid=300s;
    ssl_stapling_verify on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_dhparam /root/dhparam;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers TLSv1.2:!ADH:!RSA:!PSK:!SHA256:!SHA384;
    ssl_early_data on;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options sameorigin always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;
    add_header X-Content-Type-Options nosniff always;
    add_header Permissions-Policy "accelerometer=(), autoplay=(), camera=(), clipboard-write=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), interest-cohort=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), sync-xhr=(), usb=()" always;
    add_header Content-Security-Policy "default-src 'self' blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-src 'self';" always;
    proxy_set_header Early-Data $ssl_early_data;
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location ~ /\. {
        deny all;
    }
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|avif|webp)$ {
        log_not_found off;
    }
}
```
Then I found a problem: if I turn off TLS 1.2 in the first 443 server segment and only use TLS 1.3, the other servers are also TLS 1.3 only.
It seems that ssl_ciphers, ssl_dhparam, ssl_early_data, ssl_protocols, ssl_session_cache, and ssl_session_timeout are all inherited.
Is this normal?
Best regards,
wordlesswind
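A way to confirm the behaviour described in the post, as an added example that is not part of the original message: it pins a client to exactly one TLS version and records, per server_name (sent as SNI), whether the handshake on the shared 443 socket is accepted. The host, port and server names at the bottom are placeholders to replace with your own.

```python
"""Probe which TLS versions each server_name on one nginx IP:port negotiates.

Added example, not from the original post. HOST/PORT/SERVER_NAMES are placeholders.
"""
import socket
import ssl

# Map the names nginx uses in ssl_protocols to the Python ssl enum.
VERSIONS = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}


def build_context(version_name: str) -> ssl.SSLContext:
    """Client context allowed to speak exactly one protocol version.
    Certificate verification is off on purpose: the question is whether the
    handshake is accepted at all, not whether the chain validates."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = VERSIONS[version_name]
    ctx.maximum_version = VERSIONS[version_name]
    return ctx


def probe(host: str, port: int, sni: str, version_name: str, timeout: float = 5.0) -> str:
    """Return the negotiated version string, or 'rejected: <error class>'.
    A default server with ssl_reject_handshake answers an unknown SNI with a
    TLS alert, which surfaces here as an SSLError."""
    ctx = build_context(version_name)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return tls.version()
    except (ssl.SSLError, OSError) as exc:
        return f"rejected: {type(exc).__name__}"


def missing_tls12(results: dict) -> list:
    """Server names whose TLSv1.2 probe was rejected: the symptom in the post,
    where only the default server's ssl_protocols was narrowed to TLSv1.3."""
    return sorted(sni for sni, per_version in results.items()
                  if per_version.get("TLSv1.2") != "TLSv1.2")


if __name__ == "__main__":
    HOST, PORT = "192.0.2.10", 443                      # placeholder address
    SERVER_NAMES = ["example.com", "www.example.com"]   # placeholder names
    results = {sni: {v: probe(HOST, PORT, sni, v) for v in VERSIONS} for sni in SERVER_NAMES}
    for sni, per_version in results.items():
        print(sni, per_version)
    print("server names without TLS 1.2:", missing_tls12(results))
```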