[建议] 添加最低tls版本选项

[cangkuai]

背景与遇到的问题

目前tls版本默认允许使用1.0和1.1这两个明确已经被弃用的tls版本，其实几乎所有设备都支持1.2版本了，而且有些设备明明支持1.2但是不禁止他真的会使用1.0（比如安卓4）

建议的解决方案

添加最低tls版本选项

[Lorna0]

duplicate:

• https://github.com/chaitin/SafeLine/issues/355

默认提供还是因为 1.0、1.1 的兼容性更强。而且禁用导致老旧设备无法访问网站时，网站管理员并不太容易判断出来是因为 tls 协议的问题，很容易以为雷池有问题。

短期内需要的话，可以直接在后台修改 nginx.conf ，删除 tls 1.0、1.1 。参考官网文档：自定义站点 nginx conf

[Lvshujun0918]

这种方法似乎没有持久化的可能，略显繁琐

[Lorna0]

这种方法似乎没有持久化的可能，略显繁琐

官网文档的自定义 nginx conf 方法都是持久化的。如果没有持久化，可能是故障。方便的话可以在交流群里提供一下信息，我们排查一下

[Lvshujun0918]

收到，我再试一下

[cangkuai]

resources/nginx/proxy_params这个文件也没看到改的地方呀

set $host_fixed $http_host;
if ($http_host = "") {
    set $host_fixed "default";
}

proxy_set_header Host $host_fixed;
#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-Proto $scheme;

proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_hide_header X-Powered-By;

[yrluke]

resources/nginx/proxy_params这个文件也没看到改的地方呀

set $host_fixed $http_host;
if ($http_host = "") {
    set $host_fixed "default";
}

proxy_set_header Host $host_fixed;
#proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-Proto $scheme;

proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_hide_header X-Powered-By;

不是这个文件，是nginx.conf

[Lvshujun0918]

##
    # SSL Settings
    ##

    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    #ssl_prefer_server_ciphers on;
    #ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

我对nginx.conf进行了如上修改，并使用reload重载，并未生效。不过似乎是重载的问题，我进容器执行nginx -t和nginx -s reload，均提示错误 @yrluke

[yrluke]

##
    # SSL Settings
    ##

    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    #ssl_prefer_server_ciphers on;
    #ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

我对nginx.conf进行了如上修改，并使用reload重载，并未生效。不过似乎是重载的问题，我进容器执行nginx -t和nginx -s reload，均提示错误 @yrluke

帮你google了一下 https://groups.google.com/g/openresty/c/RXRSJqUD4Ac

[Lvshujun0918]

但是似乎还是没有给出解决方案

---- 回复的原邮件 ---- | 发件人 | @.> | | 发送日期 | 2024年04月03日 15:54 | | 收件人 | chaitin/SafeLine @.> | | 抄送人 | 吕舒君 @.>, Comment @.> | | 主题 | Re: [chaitin/SafeLine] [建议] 添加最低tls版本选项 (Issue #788) |

# SSL Settings
##

#ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
#ssl_prefer_server_ciphers on;
#ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;

我对nginx.conf进行了如上修改，并使用reload重载，并未生效。不过似乎是重载的问题，我进容器执行nginx -t和nginx -s reload，均提示错误 @yrluke

帮你google了一下 https://groups.google.com/g/openresty/c/RXRSJqUD4Ac

— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you commented.Message ID: @.***>

[Lvshujun0918]

调整后已正常，上面的配置可直接使用

[cangkuai]

我目前是在雷池外面又套了一层nginx用于tls设置，雷池和外层nginx走http通讯

[Lvshujun0918]

不需要的其实，nginx.conf直接改即可

[cangkuai]

主要是我怕直接改的话下次更新直接更炸了

[Lvshujun0918]

不会啊，没问题的，再不放心留个原始nginx.conf的备份足够了

[xbingW]

最新版 6.9.0 已支持配置