Nginx反向代理配置不使用SSL配置

时间:2020-08-12 19:34:03

标签: ssl nginx reverse-proxy

我为反向代理配置了以下配置(本例中为gitea,但服务器上的所有托管应用似乎都存在问题)

server {
listen      80;
listen [::]:80;
server_name gitea.xxx.com www.gitea.lxxx.com;
rewrite ^ https://gitea.xxx.com$request_uri? permanent;
}


server {
  listen 443 ssl;
  listen [::]:443 ssl;

  server_name gitea.xx.com www.gitea.xx.com;
  ssl_certificate /etc/ssl/wildcard.xx.com.bundle.crt;
  ssl_certificate_key /etc/ssl/wildcard.xx.com.key;

  # TLSv1.3 Requires 
  #ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
  # ssl_protocols TLSv1.2;
  #ssl_prefer_server_ciphers on;
  # openssl dhparam -out /etc/nginx/dhparam.pem 2048 :
  #ssl_dhparam /etc/nginx/dhparam.pem;
  #ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
  #ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  #ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
  #ssl_session_timeout  10m;
  #ssl_session_cache shared:SSL:10m;
  #ssl_session_tickets off; # Requires nginx >= 1.5.9
  #ssl_stapling on; # Requires nginx >= 1.3.7
  #ssl_stapling_verify on; # Requires nginx => 1.3.7      
  #    ssl_protocols SSLv3 TLSv1.1 TLSv1.2 TLSv1.3;

  #    ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM;
 
 client_max_body_size 25m;
 charset utf-8;

 access_log /var/log/nginx/gitea.xx.com/access.log;
 error_log /var/log/nginx/gitea.XX.com/error.log;

 add_header X-Robots-Tag "noindex, nofollow";

 root /var/www/default/html;
 index index.html index.htm;

 location / {
      proxy_pass http://localhost:3000/;
      # pass Host-header (from client) through:
      proxy_set_header Host $host;

      # websocket
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $http_connection;
    }

  location /.well-known/ {
     root /var/www/default/html;
  }

}

我尝试了几种变体,甚至全部注释掉了,但是在所有变体中,ssllabs测试仪显示我的网站仅支持tlsv1.3

这是Nginx.conf 

user  www-data;
worker_processes  auto;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
   worker_connections  1024;
}


http {
  include       /etc/nginx/mime.types;
  default_type  application/octet-stream;

 log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

 access_log  /var/log/nginx/access.log  main;

 sendfile        on;
 #tcp_nopush     on;

 keepalive_timeout  65;
 server_tokens off;
 #gzip  on;

 include /etc/nginx/conf.d/*.conf;
}

有人知道为什么我不能正确配置ssl_protocols参数吗?

0 个答案:

没有答案
相关问题
最新问题