Inheritance issues with ssl_protocols and ssl_ciphers...
wordlesswind
nginx-forum at forum.nginx.org
Sat Nov 12 10:24:36 UTC 2022

Hello guys,
I enabled ssl_reject_handshake in the first 443 server segment of nginx.conf
to prevent someone from scanning the IP to detect the certificate.
```
server {
    listen   443 ssl reuseport;
    listen   [::]:443 ssl;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  1d;
    ssl_dhparam          /root/dhparam;
    ssl_protocols        TLSv1.2 TLSv1.3;
    ssl_ciphers          TLSv1.2:!ADH:!RSA:!PSK:!SHA256:!SHA384;
    ssl_early_data       on;
    ssl_reject_handshake  on;
}
```
I then placed the real server configuration file under the conf.d folder.
```
server {
    listen   443 ssl http2;
    listen   [::]:443 ssl http2;
    server_name  example.com;
    root     /usr/share/nginx/html;
    ssl_certificate      /acme.sh/example.com_ecc/fullchain.cer;
    ssl_certificate_key  /acme.sh/example.com_ecc/example.com.key;
    ssl_certificate      /acme.sh/example.com/fullchain.cer;
    ssl_certificate_key  /acme.sh/example.com/example.com.key;
    ssl_stapling         on;
    resolver             8.8.8.8 1.1.1.1 valid=300s;
    ssl_stapling_verify  on;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  1d;
    ssl_dhparam          /root/dhparam;
    ssl_protocols        TLSv1.2 TLSv1.3;
    ssl_ciphers          TLSv1.2:!ADH:!RSA:!PSK:!SHA256:!SHA384;
    ssl_early_data       on;
    add_header  Strict-Transport-Security "max-age=63072000;
includeSubDomains; preload" always;
    add_header  X-Frame-Options sameorigin always;
    add_header  Referrer-Policy strict-origin-when-cross-origin always;
    add_header  X-Content-Type-Options nosniff always;
    add_header  Permissions-Policy "accelerometer=(), autoplay=(),
camera=(), clipboard-write=(), fullscreen=(), geolocation=(), gyroscope=(),
hid=(), interest-cohort=(), magnetometer=(), microphone=(), payment=(),
publickey-credentials-get=(), screen-wake-lock=(), serial=(), sync-xhr=(),
usb=()" always;
    add_header  Content-Security-Policy "default-src 'self' blob: data:
https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline'
'unsafe-eval'; frame-src 'self';" always;
    proxy_set_header Early-Data $ssl_early_data;
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
 
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location ~ /\. {
        deny all;
    }
 
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|avif|webp)$ {
        log_not_found off;
    }
}
```
Then I found a problem: if I turn off TLS 1.2 on the first 443 server
segment and only use TLS 1.3, then the other servers are also TLS 1.3 only.
It seems that ssl_ciphers, ssl_dhparam, ssl_early_data, ssl_protocols,
ssl_session_cache, and ssl_session_timeout all have inheritance.
Is this normal?
Best regards,
wordlesswind
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,295733,295733#msg-295733
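A way to confirm from the outside which TLS version each server name really negotiates, as an added example that is not part of the original post: it drives `openssl s_client` with `-servername` and a pinned version flag and parses the `New, <proto>, Cipher is <suite>` line, so a name that answers `(NONE)` for `-tls1_2` is only reachable over TLS 1.3 whatever its own `ssl_protocols` says. The host names and the two s_client fragments used for the offline check are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): observe the negotiated TLS
# version per SNI name instead of inferring it from the config.
# Assumes openssl(1) whose s_client accepts -servername, -tls1_2 and -tls1_3.

# Extract the negotiated protocol from an `openssl s_client` transcript.
# Prints "TLSv1.2" / "TLSv1.3" on success, "(NONE)" when the handshake was
# refused (e.g. ssl_reject_handshake or an unsupported version), or
# "unknown" when no session summary line is present at all.
negotiated_protocol() {
    proto=$(printf '%s\n' "$1" | sed -n 's/^New, \([^,]*\), Cipher is .*/\1/p' | head -n 1)
    printf '%s\n' "${proto:-unknown}"
}

# Connect to $1 (host:port) with SNI name $2 and version flag $3, report result.
probe() {
    out=$(openssl s_client -connect "$1" -servername "$2" "$3" </dev/null 2>&1) || true
    negotiated_protocol "$out"
}

# One line per (name, version) pair, e.g. "example.com -tls1_2 (NONE)".
# Usage: probe_report HOST:PORT NAME...
probe_report() {
    target=$1; shift
    for name in "$@"; do
        for flag in -tls1_2 -tls1_3; do
            printf '%s %s %s\n' "$name" "$flag" "$(probe "$target" "$name" "$flag")"
        done
    done
}

# Constructed s_client fragments (not real captures) to exercise the parser offline.
SAMPLE_TLS13='---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit'
SAMPLE_REJECTED='---
no peer certificate available
---
New, (NONE), Cipher is (NONE)'

# Only probe a live server when a target and at least one name are given.
if [ "$#" -gt 1 ]; then
    probe_report "$@"
fi
```

Run it as `sh probe.sh 203.0.113.10:443 example.com` (constructed address) against your own host; a name that reports `(NONE)` for `-tls1_2` but `TLSv1.3` for `-tls1_3` reproduces the behaviour described in the post.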