Bonjour
Après avoir galéré et cherché pendant deux jours… je me tourne vers vous.
Je rencontre actuellement un souci sur ma configuration NGINX : un de mes services ne doit être qu’en TLSv1.2. Jusque-là aucun souci, le TLSv1.2 est activé, MAIS les autres (TLSv1.1 et TLSv1) le sont aussi malgré la directive ssl_protocols TLSv1.2;
Avez-vous une idée d’où pourrait venir le problème ?
(Bien sur, je vous montre mes configurations : )
(nginx.conf)
# nginx.conf — main configuration.
# No ssl_protocols is set at the http level, so every server included from
# /sites-enabled that does not set its own falls back to nginx's built-in
# default, which on this generation of nginx still includes TLSv1 and TLSv1.1.
worker_processes auto;
pid /tmp/nginx.pid;
daemon off;
pcre_jit on;

events {
    worker_connections 2048;
    use epoll;
}

http {
    # Per-client connection and request-rate limits, keyed on the client address.
    limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
    limit_conn limit_per_ip 128;
    limit_req_zone $binary_remote_addr zone=allips:10m rate=150r/s;
    limit_req zone=allips burst=150 nodelay;

    # headers-more module: rewrites the Server response header for every response.
    more_set_headers 'Server: secret';

    include /etc/nginx/conf/mime.types;
    default_type application/octet-stream;

    access_log /var/log/nginx/access.log combined;
    # 'crit' suppresses everything below it (error, warn, notice, info), so
    # configuration warnings and TLS negotiation details are not logged; lower
    # the level temporarily when debugging protocol issues.
    error_log /var/log/nginx/error.log crit;

    fastcgi_temp_path /tmp/fastcgi 1 2;
    proxy_temp_path /tmp/proxy 1 2;
    client_body_temp_path /tmp/client_body 1 2;

    client_body_buffer_size 10K;
    # 1k header buffers are small: requests with large cookies or long URLs
    # are rejected (400/414) unless a server block raises large_client_header_buffers.
    client_header_buffer_size 1k;
    client_max_body_size 8m;
    large_client_header_buffers 2 1k;

    aio threads;
    sendfile on;

    keepalive_timeout 15;
    keepalive_disable msie6;
    keepalive_requests 100;
    tcp_nopush on;
    tcp_nodelay on;

    # Hides the version in the Server header and error pages; the header
    # itself is replaced by more_set_headers above.
    server_tokens off;

    # Response compression is enabled globally. Compressing TLS responses that
    # mix secrets with reflected input is a known side-channel risk (BREACH);
    # TLS vhosts that need protection must turn gzip/brotli off themselves.
    gzip on;
    gzip_comp_level 5;
    gzip_min_length 512;
    gzip_buffers 4 8k;
    gzip_proxied any;
    gzip_vary on;
    gzip_disable "msie6";
    gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml application/vnd.ms-fontobject font/truetype font/opentype image/svg+xml;

    # ngx_brotli module (third-party); same MIME list as gzip.
    brotli on;
    brotli_static on;
    brotli_buffers 16 8k;
    brotli_comp_level 6;
    brotli_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/x-javascript application/json application/xml application/rss+xml application/vnd.ms-fontobject font/truetype font/opentype image/svg+xml;

    # All server blocks are loaded from here. With SNI-based vhosts sharing one
    # ssl listen socket, the TLS version is negotiated before the server name is
    # known, so the protocols offered on a port are commonly governed by that
    # port's default server (the first one defined, or the one marked
    # default_server) rather than by the ssl_protocols of the vhost that is
    # eventually matched. When one vhost's ssl_protocols appears to be ignored,
    # check the other *.conf files listening on the same port.
    include /sites-enabled/*.conf;
}
# Site config for miaou.drycat.fr: plain-HTTP redirector on 8000 and the
# TLS front end on 4430, proxying to internal upstreams.

# Maps the client's Upgrade header to the Connection header sent upstream,
# so WebSocket upgrades pass through and ordinary requests get "close".
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

# Plain HTTP: serve ACME challenges via the internal proxy, redirect all else.
server {
    listen 8000;
    listen [::]:8000;
    server_name miaou.drycat.fr;

    location /.well-known/acme-challenge {
        proxy_pass http://172.20.1.17:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        include /conf.d/proxy-params.conf;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# TLS front end.
server {
    # No default_server flag: if another server block in /sites-enabled also
    # listens on 4430 and is defined earlier or marked default_server, the TLS
    # version offered to clients is negotiated with that server's settings,
    # because the version is chosen before SNI identifies this vhost. That is
    # the usual reason a per-vhost ssl_protocols seems to have no effect.
    listen 4430 ssl http2;
    listen [::]:4430 ssl http2;
    server_name miaou.drycat.fr;

    ssl_protocols TLSv1.2;
    # AES-256 with ECDHE or DHE key exchange only; no anonymous suites.
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
    # Restricts ECDHE to a single curve; clients that only offer other curves
    # cannot negotiate an ECDHE suite.
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    # Tickets remain enabled; without ssl_session_ticket_key nginx generates a
    # random ticket key at startup, so the key rotates only on restart.
    #ssl_session_tickets off;
    ssl_session_timeout 10m;

    ssl_certificate /certs/miaou.drycat.fr/fullchain.pem;
    ssl_certificate_key /certs/miaou.drycat.fr/privkey.pem;
    # Used to verify the stapled OCSP response (ssl_stapling_verify below).
    ssl_trusted_certificate /certs/miaou.drycat.fr/chain.pem;
    ssl_dhparam /certs/private/dhparam.pem;

    # https://community.letsencrypt.org/t/hpkp-best-practices-if-you-choose-to-implement/4625
    # https://tools.ietf.org/html/rfc7469#page-27
    # HSTS: 15768000 s is about six months; the preload list currently asks
    # for a max-age of at least one year, so the 'preload' token may not be
    # accepted as-is.
    add_header Strict-Transport-Security 'max-age=15768000; includeSubDomains; preload';
    # 'unsafe-inline' in script-src disables CSP's protection against injected
    # inline scripts; the policy mainly restricts external origins and framing.
    add_header Content-Security-Policy "default-src 'self' wss://miaou.drycat.fr; script-src 'self' 'unsafe-inline'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; frame-ancestors 'none';";
    #add_header Content-Security-Policy " frame-ancestors 'none'; default-src 'none'; font-src 'self' ; img-src 'self' https://i.imgur.com data:; object-src 'none'; script-src 'self'; style-src 'self'; connect-src 'self' wss://miaou.drycat.fr";
    #add_header Content-security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' data: https://miaou.drycat.fr; connect-src 'self' wss://miaou.drycat.fr";
    add_header Referrer-Policy "strict-origin-when-cross-origin";
    # HPKP is deprecated and no longer enforced by current browsers; where it
    # is enforced, a pin set that stops matching the served chain locks clients
    # out for max-age (15 days here). Note the first two pin-sha256 values are
    # identical, so only three distinct pins are actually published.
    add_header Public-Key-Pins 'pin-sha256="lMPS8h+7Jzeo3VOBAHHjjUNfamdIXTV4Uy4Sk7wB4Wk="; pin-sha256="lMPS8h+7Jzeo3VOBAHHjjUNfamdIXTV4Uy4Sk7wB4Wk="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="MM4IF1PPjXVY0afclS3viYdxl0ujhOwW3C1PZH/7R4E="; max-age=1296000; includeSubDomains';

    ssl_stapling on;
    ssl_stapling_verify on;

    keepalive_timeout 70;
    sendfile on;
    # 0 disables the request body size limit for this vhost (uploads are
    # bounded only by the upstream).
    client_max_body_size 0;
    large_client_header_buffers 4 32k;
    # Compression disabled for the TLS vhost, overriding the http-level gzip/brotli on.
    gzip off;
    brotli off;

    # ACME challenge on the TLS side. The upstream is addressed as http:// on
    # port 443 — presumably that backend speaks plaintext on 443; otherwise this
    # should be https:// or port 80 as in the 8000 server above. Confirm.
    location /.well-known/acme-challenge {
        proxy_pass http://172.20.1.17:443;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }

    # No root/alias is set here, so $uri is checked against the compiled-in
    # default root; in practice requests fall through to @proxy.
    location / {
        try_files $uri @proxy;
    }

    # Main application upstream, with WebSocket upgrade support.
    location @proxy {
        proxy_pass http://172.20.1.26:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Passes the upstream's Server header through; the http-level
        # more_set_headers still rewrites the final value sent to clients.
        proxy_pass_header Server;
        proxy_buffering off;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        tcp_nodelay on;
    }

    # Streaming API upstream (long-lived connections, buffering disabled).
    location /api/v1/streaming {
        proxy_pass http://172.20.1.27:4000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_buffering off;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        tcp_nodelay on;
    }
}
Merci d’avance