In Nginx revers proxy unable to disable TLS1

Maxim Dounin mdounin at
Mon Dec 10 15:03:52 UTC 2018


On Sun, Dec 09, 2018 at 11:56:33PM -0500, blason wrote:

> Do you mean I need to mention in each and every reverse proxy stanza or in
> default config?

You have to configure ssl_protocols in the default server for the 
listening socket in question.

As previously suggested, most simple solution would be to 
configure ssl_protocols in the http{} block in nginx.conf.

> Is this right?
> [root at xxxxxx conf.d]# vi default.conf
> server {
>     listen       80 default_server;
>     #server_name  "";
>     server_name  _;
>         return 444;
> ssl_protocols TLSv1.2;
>     #charset koi8-r;
>     #access_log  /var/log/nginx/log/host.access.log  main;
>     location / {
>         root   /usr/share/nginx/html;
>         index  index.html index.htm;
>     }

No.  The server{} block in question is default for the port 80, 
which is plain HTTP, and does not use SSL.  Note

>     listen       80 default_server;

is the only listening socket in this server block.

You need to configure ssl_protocols in the server{} block which is 
the default for HTTPS listening socket, usually on port 443.

Maxim Dounin

More information about the nginx mailing list