Disable TLS1.0 on Nginx
To disable TLS 1.0, add the following line to the nginx configuration file and restart nginx. It makes nginx accept only TLS 1.1 and 1.2; without it, nginx supports all versions of TLS: 1.0, 1.1 and 1.2.
ssl_protocols TLSv1.1 TLSv1.2;
If you installed the SSL certificate with certbot from Let's Encrypt, you will also have to remove TLSv1 from this file and restart nginx:
/etc/letsencrypt/options-ssl-nginx.conf
If TLSv1 is still offered after the above, use grep to find every place it is configured:
grep -ri "TLSv1" /etc/nginx
On Ubuntu the nginx config file is usually located at
/etc/nginx/sites-available/default
To restart nginx on Ubuntu:
sudo service nginx restart
To check which TLS versions a server supports with nmap (the IP address can be replaced with a domain name; the port must be given with -p):
nmap -sV --script ssl-enum-ciphers -p 443 123.456.78.9
To install nmap if it is not installed yet:
sudo apt-get install nmap
https://www.ssllabs.com/ssltest/analyze.html can also check the TLS versions a server supports.
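The grep step above is easy to get wrong, because a search for "TLSv1" also matches TLSv1.2. The following shell functions, an added example rather than part of the original post, audit every active ssl_protocols directive under a directory for deprecated versions and then confirm the live result with a TLS 1.0-only handshake using openssl s_client. They assume GNU grep and the openssl CLI as found on Ubuntu; the directory and host arguments are placeholders.

```shell
#!/bin/sh
# Added example: audit nginx configuration for ssl_protocols directives that still
# permit TLS 1.0 (or TLS 1.1 / SSLv3), then confirm the live result with openssl.
# Assumes GNU grep (Ubuntu) and the openssl CLI; the paths are the defaults used on this page.

# Print every active (non-commented) ssl_protocols directive under a directory as file:line:text.
list_ssl_protocols() {
    grep -rnE '^[[:space:]]*ssl_protocols[[:space:]]' "$1" 2>/dev/null || true
}

# Print only directives that still list a deprecated protocol.
# A plain grep for "TLSv1" also matches TLSv1.2, so the token is anchored by whitespace or ';'.
weak_ssl_protocols() {
    list_ssl_protocols "$1" |
        grep -E '(^|[[:space:]])(SSLv2|SSLv3|TLSv1|TLSv1\.1)([[:space:]]|;)' || true
}

# Exit status 0 when no weak directive exists, 1 otherwise (usable in CI or a post-deploy hook).
audit_ssl_protocols() {
    weak="$(weak_ssl_protocols "$1")"
    if [ -n "$weak" ]; then
        printf 'deprecated TLS versions still enabled:\n%s\n' "$weak"
        return 1
    fi
    echo "no ssl_protocols directive under $1 allows TLS 1.0/1.1"
}

# Live check (needs network): attempt a TLS 1.0-only handshake; success means the server still accepts it.
# OpenSSL 3 does not offer TLS 1.0 at its default security level, hence the SECLEVEL=0 cipher string.
tls10_still_accepted() {
    openssl s_client -connect "$1:443" -servername "$1" -tls1 \
        -cipher 'DEFAULT:@SECLEVEL=0' </dev/null >/dev/null 2>&1
}

# Typical use after editing the config and running "sudo service nginx restart":
#   audit_ssl_protocols /etc/nginx && audit_ssl_protocols /etc/letsencrypt
#   tls10_still_accepted example.com && echo "TLS 1.0 still enabled" || echo "TLS 1.0 refused"
```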
A server block in the nginx config file will look like this:
server {
    listen 80;
    server_name YOUR_SERVER_EXTERNAL_IP_ADDRESS_or_YOUR_DOMAIN_NAME;
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    # Only TLS 1.1 and 1.2 are offered; TLS 1.0 handshakes are refused.
    ssl_protocols TLSv1.1 TLSv1.2;
    location / {
        proxy_pass "http://127.0.0.1:8080";
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_cache_bypass $http_upgrade;
    }
}
Check out this post for step-by-step instructions on setting up a simple nginx server with HTTP and HTTPS as a reverse proxy for a simple Node.js app.