There is an NGINX server using the tls1_3 protocol. I need to reject tls1_3 and allow tls1_2 for specific IPs. OpenSSL 1.1.1.
NGINX acts as a proxy for Jira / Confluence. What should the configuration look like to achieve this?
```nginx
server {
    server_name example.com www.example.com;
    listen 443 ssl http2;
    include acme;
    location /synchrony {
        allow 127.0.0.0/8;
        allow xxx;
        deny all;
        ...
    }
    location / {
        allow 127.0.0.0/8;
        allow xxx;
        allow xxx;
        deny all;
        ...
    }
    ssl on;
    ...
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers 'xxx';
}
```
Answer 0 (score: 0)

Overall, what follows is not a complete configuration, but it should give you the idea of how to achieve this using stream.

The `ssl_protocols` directive does not support variables. However, its value can differ between `server {}` blocks. So you can split your existing `server` into two special `server`s and let NGINX route the necessary traffic to the appropriate `server` using stream:
```nginx
stream {
    # upstream and map are only valid inside the stream {} (or http {}) context
    upstream normal {
        server 127.0.0.1:4443;
    }
    upstream notls13 {
        server 127.0.0.1:4444;
    }
    # choose the backend by client address: this client gets the server without TLS 1.3
    map $remote_addr $upstream {
        4.5.6.7 notls13;
        default normal;
    }
    server {
        listen 443;
        proxy_pass $upstream;
    }
}
http {
    server {
        server_name example.com www.example.com;
        listen 4443 ssl http2;
        include acme;
        location /synchrony {
            allow 127.0.0.0/8;
            allow xxx;
            deny all;
            ...
        }
        location / {
            allow 127.0.0.0/8;
            allow xxx;
            allow xxx;
            deny all;
            ...
        }
        ssl on;
        ...
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers 'xxx';
    }
    # special server for no TLS 1.3
    server {
        server_name example.com www.example.com;
        listen 4444 ssl http2;
        include acme;
        location /synchrony {
            allow 127.0.0.0/8;
            allow xxx;
            deny all;
            ...
        }
        location / {
            allow 127.0.0.0/8;
            allow xxx;
            allow xxx;
            deny all;
            ...
        }
        ssl on;
        ...
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'xxx';
    }
}
```
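As an added example (not part of the answer above), here is the same stream-based split with the client address preserved: with a plain stream proxy in front, every connection reaches the http servers from 127.0.0.1, so `allow 127.0.0.0/8` admits all clients and `deny all` never matches. Sending PROXY protocol between the two layers restores the real address before the allow/deny rules are evaluated. Assumed: the client 4.5.6.7 from the answer's placeholder, a Jira backend on 127.0.0.1:8080, and placeholder certificate paths.

```nginx
# Added example, not the answer's configuration. Assumed values: the client that
# must not use TLS 1.3 is 4.5.6.7, the Jira backend listens on 127.0.0.1:8080,
# and the certificate paths are placeholders.
stream {
    upstream normal  { server 127.0.0.1:4443; }
    upstream notls13 { server 127.0.0.1:4444; }
    map $remote_addr $upstream {
        4.5.6.7 notls13;   # steered to the TLS 1.2-only server
        default normal;
    }
    server {
        listen 443;
        proxy_pass $upstream;
        # pass the original client address; without it every connection arrives from 127.0.0.1
        proxy_protocol on;
    }
}
http {
    # recover the real client address from the PROXY header sent by the stream server
    set_real_ip_from 127.0.0.1;
    real_ip_header proxy_protocol;
    server {
        listen 127.0.0.1:4443 ssl http2 proxy_protocol;
        server_name example.com www.example.com;
        ssl_certificate     /etc/nginx/certs/example.com.crt;  # placeholder
        ssl_certificate_key /etc/nginx/certs/example.com.key;  # placeholder
        ssl_protocols TLSv1.2 TLSv1.3;
        location / {
            allow 127.0.0.0/8;
            allow 4.5.6.7;       # evaluated against the restored client address
            deny all;
            proxy_pass http://127.0.0.1:8080;
        }
    }
    # TLS 1.2 only: identical except for the port and the protocol list
    server {
        listen 127.0.0.1:4444 ssl http2 proxy_protocol;
        server_name example.com www.example.com;
        ssl_certificate     /etc/nginx/certs/example.com.crt;  # placeholder
        ssl_certificate_key /etc/nginx/certs/example.com.key;  # placeholder
        ssl_protocols TLSv1.2;
        location / {
            allow 127.0.0.0/8;
            allow 4.5.6.7;
            deny all;
            proxy_pass http://127.0.0.1:8080;
        }
    }
}
```

Check it with `nginx -t`, then verify from 4.5.6.7 that `openssl s_client -connect example.com:443 -tls1_3` fails the handshake while `-tls1_2` succeeds, and that the access log shows the real client address rather than 127.0.0.1.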