Inheritance issues with ssl_protocols and ssl_ciphers...

November 12, 2022 05:24AM
Hello guys,

I enabled ssl_reject_handshake in the first 443 server segment of nginx.conf to prevent someone from scanning the IP to detect the certificate.

```
server {
    # Default (catch-all) server for 443: no server_name and no certificate.
    # ssl_reject_handshake makes nginx refuse any handshake that lands here
    # instead of in a named server, so scanning the bare IP yields no cert.
    listen 443 ssl reuseport;
    listen [::]:443 ssl;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    ssl_dhparam /root/dhparam;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers TLSv1.2:!ADH:!RSA:!PSK:!SHA256:!SHA384;

    ssl_early_data on;

    ssl_reject_handshake on;
}
```

I then placed the real server configuration file under the conf.d folder.

```
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;
    root /usr/share/nginx/html;

    # Two certificate chains of different key types (ECDSA and RSA);
    # nginx offers whichever one the client can negotiate.
    ssl_certificate /acme.sh/example.com_ecc/fullchain.cer;
    ssl_certificate_key /acme.sh/example.com_ecc/example.com.key;

    ssl_certificate /acme.sh/example.com/fullchain.cer;
    ssl_certificate_key /acme.sh/example.com/example.com.key;

    ssl_stapling on;
    resolver 8.8.8.8 1.1.1.1 valid=300s;
    ssl_stapling_verify on;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    ssl_dhparam /root/dhparam;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers TLSv1.2:!ADH:!RSA:!PSK:!SHA256:!SHA384;

    ssl_early_data on;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options sameorigin always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;
    add_header X-Content-Type-Options nosniff always;
    add_header Permissions-Policy "accelerometer=(), autoplay=(), camera=(), clipboard-write=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), interest-cohort=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), sync-xhr=(), usb=()" always;
    add_header Content-Security-Policy "default-src 'self' blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-src 'self';" always;
    # Tell the upstream whether the request arrived as 0-RTT data so it can
    # reject replayable requests itself.
    proxy_set_header Early-Data $ssl_early_data;

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Never serve dotfiles (.git, .env, .htaccess, ...).
    location ~ /\. {
        deny all;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico|avif|webp)$ {
        log_not_found off;
    }
}
```

Then I found a problem: if I turn off TLS 1.2 on the first 443 server segment and only use TLS 1.3, then the other servers are also TLS 1.3 only.

It seems that ssl_ciphers, ssl_dhparam, ssl_early_data, ssl_protocols, ssl_session_cache, and ssl_session_timeout all have inheritance.

Is this normal?

Best regards,
wordlesswind
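The symptom described in the post can be measured from outside rather than inferred from the config. The following is an added example, not the poster's code and not part of nginx: a small Python probe that attempts a handshake pinned to exactly one TLS version, once without SNI (which lands in the catch-all server) and once per hostname (which lands in the matching named server), and reports which versions each server accepts. The host, port and SNI names are command-line assumptions; example.com is only a placeholder, and certificate trust is deliberately not checked because the point is protocol selection, not the chain.

```python
"""Probe which TLS versions an nginx endpoint negotiates, with and without SNI.

Added example; not the poster's configuration or code. Assumes the target is
reachable on HOST:PORT and that the named server answers to the SNI you pass.
"""
import socket
import ssl
import sys

# One probe per protocol version: pin min == max so the ClientHello offers
# exactly that version and the outcome says whether the server allows it.
VERSIONS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe(host, port, sni, version, timeout=5.0):
    """Handshake offering only `version`, sending SNI `sni` (None = no SNI).

    Returns the negotiated protocol name on success, or "error:<reason>".
    With ssl_reject_handshake on the catch-all server, a no-SNI or
    unknown-SNI ClientHello is answered with a TLS alert, which shows up
    here as an error string instead of a negotiated version.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # measuring protocol selection, not trust
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return tls.version()
    except ssl.SSLError as exc:
        return "error:" + (exc.reason or str(exc))
    except OSError as exc:  # refused, timed out, unreachable
        return "error:" + str(exc)


def protocol_matrix(host, port, snis):
    """Probe every (SNI, version) pair; `snis` may include None for 'no SNI'."""
    return {
        sni: {name: probe(host, port, sni, ver) for name, ver in VERSIONS.items()}
        for sni in snis
    }


def accepted_versions(results):
    """Versions that completed a handshake, from one row of the matrix."""
    return sorted(
        name for name, outcome in results.items() if not outcome.startswith("error:")
    )


def same_policy(matrix, sni_a, sni_b):
    """True when two server blocks accept exactly the same protocol versions.

    This is the check for the symptom in the post: restrict the catch-all
    server to TLSv1.3 and see whether the named server has also become
    TLSv1.3-only.
    """
    return accepted_versions(matrix[sni_a]) == accepted_versions(matrix[sni_b])


def main(argv):
    if len(argv) < 3:
        print("usage: probe.py HOST PORT [SNI ...]  (no SNI given = probe without SNI only)")
        return 2
    host, port = argv[1], int(argv[2])
    snis = [None] + argv[3:]
    matrix = protocol_matrix(host, port, snis)
    for sni, results in matrix.items():
        label = sni or "<no SNI>"
        for name, outcome in results.items():
            print(f"{label:30} {name:8} {outcome}")
        accepted = ", ".join(accepted_versions(results)) or "nothing"
        print(f"{label:30} accepts: {accepted}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python probe.py 203.0.113.10 443 example.com` against the reloaded configuration; the no-SNI row should show errors (the catch-all rejects the handshake) and the example.com row should list exactly the versions that server block is meant to accept. If changing ssl_protocols in the catch-all block changes the example.com row, the protocol restriction is being applied before the SNI-selected server is consulted.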
Thread:

Subject                                                        Author         Posted
Inheritance issues with ssl_protocols and ssl_ciphers...       wordlesswind   November 12, 2022 05:24AM
Re: Inheritance issues with ssl_protocols and ssl_ciphers...   Maxim Dounin   November 12, 2022 06:38AM