Configuration NGINX uniquement TLSv1.2 ne fonctionne pas correctement


Bonjour :)
Après avoir galéré et cherché pendant deux jours… je me tourne vers vous ^^
Je rencontre actuellement un souci sur ma configuration NGINX : un de mes services ne doit accepter que TLSv1.2. Jusque-là aucun souci, TLSv1.2 est bien activé, MAIS les autres versions (TLSv1.1 et TLSv1) le sont aussi, malgré la directive `ssl_protocols TLSv1.2;` dans le bloc `server` concerné.
Avez-vous une idée d'où pourrait venir le problème ?
(Bien sur, je vous montre mes configurations : )

(nginx.conf)

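# Main nginx configuration. Runs in the foreground with the pid file under
# /tmp, which points to a container / supervisor deployment.
worker_processes auto;
pid /tmp/nginx.pid;
daemon off;
pcre_jit on;

events {
    worker_connections 2048;
    use epoll;
}

http {
    # Per-client connection and request-rate limits keyed on the peer address.
    # NOTE(review): if another proxy sits in front of nginx, every client
    # shares that proxy's address and these limits apply to all of them
    # together - confirm the deployment topology.
    limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
    limit_conn limit_per_ip 128;
    limit_req_zone $binary_remote_addr zone=allips:10m rate=150r/s;
    limit_req zone=allips burst=150 nodelay;

    # Needs the headers-more module. Replaces the Server header on every
    # response; server_tokens off (below) only strips the version number.
    more_set_headers 'Server: secret';

    include /etc/nginx/conf/mime.types;
    default_type application/octet-stream;

    access_log /var/log/nginx/access.log combined;
    # Was "crit". At that level nginx discards exactly the messages needed to
    # diagnose TLS issues: OCSP stapling / "no resolver defined" warnings,
    # handshake failures, upstream errors. "warn" keeps them without debug noise.
    error_log /var/log/nginx/error.log warn;

    fastcgi_temp_path /tmp/fastcgi 1 2;
    proxy_temp_path /tmp/proxy 1 2;
    client_body_temp_path /tmp/client_body 1 2;

    # Small defaults; the TLS vhost raises large_client_header_buffers itself.
    client_body_buffer_size 10K;
    client_header_buffer_size 1k;
    client_max_body_size 8m;
    large_client_header_buffers 2 1k;

    aio threads;
    sendfile on;
    keepalive_timeout 15;
    keepalive_disable msie6;
    keepalive_requests 100;
    tcp_nopush on;
    tcp_nodelay on;
    server_tokens off;

    # Compression is enabled globally; TLS vhosts that are BREACH-sensitive
    # must switch gzip/brotli off themselves (the miaou vhost does).
    gzip on;
    gzip_comp_level 5;
    gzip_min_length 512;
    gzip_buffers 4 8k;
    gzip_proxied any;
    gzip_vary on;
    gzip_disable "msie6";
    gzip_types
        text/css
        text/javascript
        text/xml
        text/plain
        text/x-component
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        application/vnd.ms-fontobject
        font/truetype
        font/opentype
        image/svg+xml;

    brotli on;
    brotli_static on;
    brotli_buffers 16 8k;
    brotli_comp_level 6;
    brotli_types
        text/css
        text/javascript
        text/xml
        text/plain
        text/x-component
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        application/vnd.ms-fontobject
        font/truetype
        font/opentype
        image/svg+xml;

    # No ssl_* directives are set at this level, so every TLS vhost defines
    # its own. NOTE(review): the TLS protocol version is negotiated against the
    # default server of a listen ip:port before SNI selects a vhost, so a vhost
    # that is not the default on its port may not get its own ssl_protocols
    # applied - confirm which server block is default on each TLS port. No
    # `resolver` is defined here either, so vhosts using ssl_stapling must set one.
    include /sites-enabled/*.conf;
}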

miaou.drycat.fr.conf

# Connection header value forwarded to the upstreams: "close" when the client
# sent no Upgrade header, "upgrade" (WebSocket handshake) when it did.
map $http_upgrade $connection_upgrade {
  ''      close;
  default upgrade;
}

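# Plain-HTTP listener: answers ACME HTTP-01 challenges and redirects everything
# else to HTTPS.
server {
  listen 8000;
  listen [::]:8000;
  server_name miaou.drycat.fr;

  # HTTP-01 challenges are proxied to the ACME client; proxy-params.conf is
  # not shown here.
  location /.well-known/acme-challenge {
        proxy_pass http://172.20.1.17:80;
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        include /conf.d/proxy-params.conf;
  }

  # Redirect to the canonical name rather than to $host: $host is the
  # client-supplied Host header, so using it would reflect an arbitrary
  # hostname into the Location header for requests that land on this block.
  # $request_uri keeps path and query string unchanged.
  # NOTE(review): the target omits a port; the TLS listener is on 4430, so this
  # relies on an external 443 -> 4430 mapping - confirm.
  location / {
        return 301 https://$server_name$request_uri;
  }
}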

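# TLS listener for miaou.drycat.fr, reverse-proxying the web app and its
# streaming API.
server {
  listen 4430 ssl http2;
  listen [::]:4430 ssl http2;
  server_name miaou.drycat.fr;

  # TLS 1.2 only. Two things can still leave TLSv1/TLSv1.1 enabled:
  #  - nginx must be built against an OpenSSL version that lets it disable
  #    them (see the nginx docs note on old nginx + OpenSSL >= 1.0.1; check
  #    `nginx -V` for both versions);
  #  - NOTE(review): the protocol version is negotiated with the default
  #    server of this ip:port before SNI picks this block, so if another vhost
  #    is the default on 4430 its ssl_protocols apply - confirm which server
  #    is default (add `default_server` to the listen lines if this one should be).
  ssl_protocols TLSv1.2;
  # ECDHE/DHE with AES-256 only, no anonymous suites. Deliberately strict:
  # clients without these suites are refused.
  ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
  # P-384 only (no X25519 / P-256); compatibility trade-off, kept as is.
  ssl_ecdh_curve secp384r1;
  ssl_prefer_server_ciphers on;

  ssl_session_cache shared:SSL:10m;
  # Session tickets stay on (default) with a key generated at startup; turn
  # them off only if forward secrecy across the process lifetime matters more
  # than resumption.
  #ssl_session_tickets off; 
  ssl_session_timeout 10m; 

  ssl_certificate     /certs/miaou.drycat.fr/fullchain.pem;
  ssl_certificate_key /certs/miaou.drycat.fr/privkey.pem;
  ssl_trusted_certificate /certs/miaou.drycat.fr/chain.pem;
  # Used by the DHE suites above; confirm the file holds >= 2048-bit parameters.
  ssl_dhparam  /certs/private/dhparam.pem;

  # https://community.letsencrypt.org/t/hpkp-best-practices-if-you-choose-to-implement/4625
  # https://tools.ietf.org/html/rfc7469#page-27
  
  # HSTS for 6 months. NOTE(review): `preload` only has an effect through a
  # preload-list submission, which requires max-age >= 1 year and is done for
  # the registrable domain, not for this subdomain - confirm before relying on it.
  add_header Strict-Transport-Security 'max-age=15768000; includeSubDomains; preload';
  # 'unsafe-inline' in script-src largely neutralises the CSP against XSS;
  # the commented variants below were stricter attempts. Tighten once inline
  # scripts are moved out or hashed/nonced.
  add_header Content-Security-Policy "default-src 'self' wss://miaou.drycat.fr; script-src 'self' 'unsafe-inline'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; font-src 'self';  object-src 'none'; frame-ancestors 'none';";
  #add_header Content-Security-Policy " frame-ancestors 'none'; default-src 'none'; font-src 'self' ; img-src 'self' https://i.imgur.com data:; object-src 'none'; script-src 'self'; style-src 'self'; connect-src 'self' wss://miaou.drycat.fr";
  #add_header Content-security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' data: https://miaou.drycat.fr; connect-src 'self' wss://miaou.drycat.fr";
  add_header Referrer-Policy "strict-origin-when-cross-origin";
  # HPKP disabled: the header is deprecated and no longer enforced by current
  # browsers, a wrong pin set locks every visitor out for max-age, and the
  # original line listed the first pin twice. A CAA DNS record plus
  # certificate-transparency monitoring covers the same threat with no lockout risk.
  #add_header Public-Key-Pins 'pin-sha256="lMPS8h+7Jzeo3VOBAHHjjUNfamdIXTV4Uy4Sk7wB4Wk="; pin-sha256="lMPS8h+7Jzeo3VOBAHHjjUNfamdIXTV4Uy4Sk7wB4Wk="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="MM4IF1PPjXVY0afclS3viYdxl0ujhOwW3C1PZH/7R4E="; max-age=1296000; includeSubDomains';
  # add_header is only inherited by locations that define no add_header of
  # their own; none of the locations below do, so these headers apply everywhere.

  # OCSP stapling needs a `resolver` to look up the responder hostname. None is
  # defined in this block or in nginx.conf, so stapling currently does nothing
  # (nginx logs "no resolver defined ..." at warn level). Add
  # `resolver <dns-ip>;` here to make it effective.
  ssl_stapling on;
  ssl_stapling_verify on; 

  keepalive_timeout    70;
  sendfile             on;
  # No request-body limit at all: uploads are bounded only by the upstream.
  client_max_body_size 0;
  large_client_header_buffers 4 32k;
  # Compression off over TLS (BREACH).
  gzip off;
  brotli off;

  # HTTP-01 challenges arrive on port 80; this TLS copy only matters if the
  # ACME client follows a redirect here. NOTE(review): proxy_pass speaks plain
  # http:// to port 443 on the backend - confirm that is intended.
  location /.well-known/acme-challenge {
        proxy_pass http://172.20.1.17:443;
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
  }

  # No `root` is set, so $uri is checked against nginx's compile-time default
  # root before falling through to the app. Set `root` explicitly if static
  # files are meant to be served from here, otherwise drop the try_files.
  location / {
    try_files $uri @proxy;
  }

  location @proxy {
    proxy_pass http://172.20.1.26:3000;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends to any client-supplied X-Forwarded-For; the upstream must trust
    # only the last entry (this proxy's). X-Real-IP is always the direct peer.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;

    # Lets the upstream's Server header through. The global more_set_headers
    # in nginx.conf presumably overwrites it again, but this contradicts the
    # intent of hiding the server identity.
    proxy_pass_header Server;

    proxy_buffering off;
    proxy_redirect off;

    # HTTP/1.1 + Upgrade/Connection passthrough for WebSockets.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    tcp_nodelay on;
  }

  # Streaming API on a separate upstream; same WebSocket passthrough.
  location /api/v1/streaming {
    proxy_pass http://172.20.1.27:4000;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;

    proxy_buffering off;
    proxy_redirect off;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    tcp_nodelay on;
  }
}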


Merci d’avance :)



As-tu pris en compte cette remarque de la documentation de Nginx ci-dessous concernant OpenSSL ? (`nginx -V` affiche la version de nginx et celle d'OpenSSL avec laquelle il a été compilé ; c'est ce qu'il faut vérifier en premier.)

The TLSv1.1 and TLSv1.2 parameters are supported starting from versions 1.1.13 and 1.0.12, so when the OpenSSL version 1.0.1 or higher is used on older nginx versions, these protocols work, but cannot be disabled.
Nginx



Je passe le sujet en résolu, merci @EtienneR, j'ai suivi ce que tu m'as dit : je suis passé sur BoringSSL et j'ai gagné en perf, même si certains clients anciens (IE8, Chrome 21, Android 4.3 et j'en passe) ne sont plus compatibles avec ça.

Merci :)
