Disable TLS1.0 on Nginx

To disable TLS 1.0, add the following line to nginx's configuration (in the http block, so it applies to every server, or in each server block that has a listen ... ssl) and restart nginx. It makes nginx accept only TLS 1.1 and 1.2. Without it, the nginx releases this post was written against default to TLSv1 TLSv1.1 TLSv1.2, so TLS 1.0 stays enabled (nginx 1.23.4 and later changed the default to TLSv1.2 TLSv1.3). TLS 1.1 has since been deprecated together with TLS 1.0 (RFC 8996), so if your clients allow it, list only TLSv1.2 and TLSv1.3 in the directive; TLSv1.3 needs nginx built against OpenSSL 1.1.1 or newer.

ssl_protocols TLSv1.1 TLSv1.2;

If you installed the SSL certificate with certbot from Let's Encrypt, certbot adds an include of the file below to your server block, and that file carries its own ssl_protocols directive. A directive inside the server block (or a file included there) overrides one set at the http level, so the certbot line wins over anything you put in nginx.conf. Remove TLSv1 from that line and restart nginx. Older certbot releases listed TLSv1 TLSv1.1 TLSv1.2 there; current ones ship TLSv1.2 TLSv1.3. Certbot manages this file, so re-check it after certbot upgrades.

/etc/letsencrypt/options-ssl-nginx.conf

If TLS 1.0 is still offered after that, search the whole nginx configuration tree for any other ssl_protocols directive (note that a plain search for TLSv1 also matches TLSv1.1 and TLSv1.2, so read the hits rather than counting them):

grep -ri "TLSv1" /etc/nginx

On Ubuntu the main config file is /etc/nginx/nginx.conf, which includes the per-site files from /etc/nginx/sites-enabled (symlinks to sites-available). The default site's server block is usually at

/etc/nginx/sites-available/default

To restart nginx on Ubuntu:

sudo service nginx restart
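The steps above amount to: find every live ssl_protocols directive (including certbot's), drop the weak versions, syntax-check, restart. Below is an added example (not from the original post) that does the first two steps as a script and can be re-run as a check afterwards. It only looks at the tokens of uncommented ssl_protocols directives, so it does not trip over TLSv1.2 or commented-out lines the way a bare grep for TLSv1 does. The directory tree it audits is constructed in a temp dir to stand in for /etc/nginx and /etc/letsencrypt; it assumes GNU find, sed and awk.

```shell
#!/bin/sh
# Added example (not from the original post): audit an nginx configuration tree
# for ssl_protocols directives that still enable SSLv3, TLS 1.0 or TLS 1.1, and
# rewrite them. Looks at any *.conf file or anything under sites-enabled, so
# certbot's options-ssl-nginx.conf is covered when the audit is pointed at /etc.
# Assumes GNU find/sed/awk. Multi-line directives are not handled.

# audit_ssl_protocols DIR
# Prints "file:line: <weak protocols>" for each offending directive.
# Returns 0 when the tree is clean, 1 when something weak is still enabled.
audit_ssl_protocols() {
    hits=$(find "$1" -type f \( -name '*.conf' -o -path '*/sites-enabled/*' \) \
        -exec awk '
            /^[ \t]*ssl_protocols[ \t]/ {
                sub(/#.*/, "")                       # drop trailing comment
                sub(/^[ \t]*ssl_protocols/, "")      # drop the directive name
                sub(/;.*/, "")                       # keep only the token list
                n = split($0, tok, /[ \t]+/)
                weak = ""
                for (i = 1; i <= n; i++)
                    if (tok[i] == "SSLv2" || tok[i] == "SSLv3" ||
                        tok[i] == "TLSv1" || tok[i] == "TLSv1.1")
                        weak = weak " " tok[i]
                if (weak != "") print FILENAME ":" FNR ":" weak
            }' {} +)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# harden_ssl_protocols FILE
# Rewrites every live ssl_protocols directive in FILE to "TLSv1.2 TLSv1.3",
# keeping indentation and trailing comments. Drop TLSv1.3 if nginx is built
# against OpenSSL older than 1.1.1.
harden_ssl_protocols() {
    sed -i -E 's/^([[:space:]]*)ssl_protocols[[:space:]][^;]*;/\1ssl_protocols TLSv1.2 TLSv1.3;/' "$1"
}

# Constructed sample tree standing in for /etc/nginx and /etc/letsencrypt.
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/nginx/sites-enabled" "$SAMPLE/letsencrypt"
cat > "$SAMPLE/nginx/nginx.conf" <<'EOF'
http {
    ssl_protocols TLSv1.2 TLSv1.3;          # already hardened at http level
    include /etc/nginx/sites-enabled/*;
}
EOF
cat > "$SAMPLE/nginx/sites-enabled/default" <<'EOF'
server {
    listen 443 ssl;
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  commented out: must be ignored
    ssl_protocols TLSv1.1 TLSv1.2;          # server level overrides http level
    include /etc/letsencrypt/options-ssl-nginx.conf;
}
EOF
cat > "$SAMPLE/letsencrypt/options-ssl-nginx.conf" <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers off;
EOF

if audit_ssl_protocols "$SAMPLE"; then
    echo "clean: no SSLv3 / TLS 1.0 / TLS 1.1 enabled"
else
    echo "weak protocols found; run harden_ssl_protocols on each file, then: nginx -t && service nginx restart"
fi
```

Run it against the real tree with audit_ssl_protocols /etc, then harden the files it lists. After editing, sudo nginx -t validates the syntax and sudo nginx -T dumps the fully merged configuration, which is the quickest way to see which ssl_protocols line actually applies to a given server block.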

To check which TLS versions a server actually offers, scan port 443 with nmap's ssl-enum-ciphers script (the IP address can be replaced with a domain name; 203.0.113.10 below is a placeholder):

nmap -sV --script ssl-enum-ciphers -p 443 203.0.113.10

To install nmap if it is not yet installed:

sudo apt-get install nmap

SSL Labs (https://www.ssllabs.com/ssltest/analyze.html) also reports the TLS versions a publicly reachable server supports.
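To turn the scan into a repeatable check, here is an added example (not from the original post) with two helpers: one parses the output of the nmap command above and lists the protocol versions ssl-enum-ciphers found, so a script can fail when TLSv1.0 is still there; the other tries one openssl s_client handshake per version against a live host. The nmap output embedded below is constructed, not a real scan, and the openssl probe needs network access, so only the parser is exercised here. The probe assumes an OpenSSL build that still has the -tls1 and -tls1_1 options; OpenSSL 3 also refuses to offer TLS 1.0/1.1 from the client side at the default security level, which is why the cipher string lowers it.

```shell
#!/bin/sh
# Added example (not from the original post): confirm which TLS versions a
# server offers, from nmap ssl-enum-ciphers output or with openssl s_client.

# offered_versions_from_nmap < nmap-output
# ssl-enum-ciphers prints one heading per version it could negotiate, e.g.
# "|   TLSv1.0:"; cipher lines are indented further and end in a grade.
# Prints one version per line.
offered_versions_from_nmap() {
    sed -n -E 's/^\|[ ]+((SSLv3|TLSv1\.[0-3])):[ ]*$/\1/p'
}

# offers_tls10 < nmap-output  -> exit 0 if TLSv1.0 is listed, 1 otherwise
offers_tls10() {
    offered_versions_from_nmap | grep -qx 'TLSv1.0'
}

# probe_tls_versions HOST [PORT]
# One handshake per version. A successful handshake prints "New, <proto>,
# Cipher is <name>"; a failed one prints "New, (NONE), Cipher is (NONE)".
# Needs network access; an OpenSSL without -tls1_3 reports that version refused.
probe_tls_versions() {
    host=$1; port=${2:-443}
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        if printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
                -cipher 'DEFAULT:@SECLEVEL=0' "-$v" 2>/dev/null \
           | grep -qE '^New, [^,]+, Cipher is [^(]'; then
            echo "$v offered"
        else
            echo "$v refused"
        fi
    done
}

# Constructed sample of ssl-enum-ciphers output for a server that still
# offers TLS 1.0 (not a real scan).
SAMPLE_NMAP='PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http nginx
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|_  least strength: A'

echo "versions offered in the sample scan:"
printf '%s\n' "$SAMPLE_NMAP" | offered_versions_from_nmap
if printf '%s\n' "$SAMPLE_NMAP" | offers_tls10; then
    echo "TLSv1.0 is still offered"
else
    echo "TLSv1.0 is disabled"
fi
# Against a real host: nmap -sV --script ssl-enum-ciphers -p 443 HOST | offers_tls10
#                      probe_tls_versions HOST
```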

A server block in the nginx config file will look like this (the placeholder paths and server_name must be replaced with your own):

server {
  listen 80;                       # plain HTTP
  server_name YOUR_SERVER_EXTERNAL_IP_ADDRESS_or_YOUR_DOMAIN_NAME;
  listen 443 ssl;                  # HTTPS on the same server block
  ssl_certificate /etc/nginx/ssl/nginx.crt;
  ssl_certificate_key /etc/nginx/ssl/nginx.key;
  ssl_protocols TLSv1.1 TLSv1.2;   # TLS 1.0 disabled; use TLSv1.2 TLSv1.3 if TLS 1.1 can go too
  location / {
    # reverse proxy to the local app, passing WebSocket upgrades through
    proxy_pass "http://127.0.0.1:8080";
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_cache_bypass $http_upgrade;
  }
}

Check out this post for step-by-step instructions on setting up a simple nginx server with HTTP and HTTPS as a reverse proxy for a simple Node.js app.
