
无法在Nginx上禁用TLSv1
Stack Overflow用户
提问于 2019-08-23 10:30:28

在过去的3个小时里,我一直在努力在Nginx上禁用TLSv1。我已经浏览过网络,尝试了所有提到的东西,但都没有用。

我尝试过的事情包括:

  • 在 server 块的 listen 指令里，把 default_server 参数调整到 ssl 之前
  • 移除“首选密码套件”相关设置（ssl_prefer_server_ciphers / ssl_ciphers）
  • 注释掉大量以 ssl_ 开头的指令，看看是否有帮助。

在重新启动 nginx 服务之后，我一直用 `openssl s_client -connect example.com:443 -tlsv1` 来测试域名。（注意：这条命令测的是“为该域名终止 TLS 的那一端”——如果域名经由 CDN/反向代理（例如 Cloudflare）代理，握手对象是代理的边缘节点，而不是 nginx；要验证 nginx 本身，需要直接连接源站 IP。）

这是我的/etc/nginx/nginx.conf文件:

# Master process record and worker identity/limits.
pid /run/nginx.pid;

# Worker processes run as the unprivileged account example:www-data (the master
# keeps root only to bind the ports), so a compromised worker is confined to
# what that account can read and write.
user example www-data;
worker_processes auto;        # one worker per CPU core
worker_rlimit_nofile 100000;  # per-worker open-file ceiling, sized above worker_connections

# Connection-handling settings shared by all workers.
events {
  multi_accept on;          # drain every pending connection on each wake-up
  worker_connections 2048;  # per worker; must stay below worker_rlimit_nofile
}

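http {
  index index.php;
  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  # real_ip_header only takes effect for connections coming from addresses listed
  # in set_real_ip_from, and none are listed here, so $remote_addr is still the
  # TCP peer. The accepted answer shows a CDN (Cloudflare) in front of this host;
  # in that case every request arrives from the CDN, and the per-address
  # limit_req zone below, the $bad_client 444 block and the access log all key on
  # CDN addresses instead of the real client. To fix that, list the CDN's
  # published ranges and use the header it guarantees, e.g. for Cloudflare:
  #   set_real_ip_from <CDN CIDR>;      # one per range, keep the list current
  #   real_ip_header CF-Connecting-IP;
  # Never use set_real_ip_from 0.0.0.0/0: that lets any client choose its own
  # $remote_addr simply by sending the header.
  real_ip_header X-Forwarded-For;

  log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_id';

  # Only TLS 1.2/1.3 are offered. If a proxy terminates TLS in front of nginx this
  # governs the proxy->origin leg only; the client-facing minimum is the proxy's
  # own setting (which is what the accepted answer ran into).
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;

  keepalive_timeout 5;
  autoindex off;
  server_tokens off;
  port_in_redirect off;
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;

  client_max_body_size 64m;
  client_body_buffer_size 128k;
  client_header_buffer_size 16k;
  large_client_header_buffers 4 16k;

  fastcgi_buffer_size 16k;
  fastcgi_buffers 4 16k;

  # One request per second per client address; see the real_ip note above for
  # what "client address" means behind a proxy.
  limit_req_zone $binary_remote_addr zone=goeasy:35m rate=1r/s;

  open_file_cache max=35000 inactive=30s;
  open_file_cache_valid 30s;
  open_file_cache_min_uses 2;

  gzip on;
  gzip_vary on;
  gzip_proxied any;
  gzip_types application/javascript application/x-javascript application/rss+xml text/javascript text/css text/plain image/x-icon image/svg+xml;
  gzip_buffers 4 16k;
  gzip_comp_level 6;

  map_hash_max_size 262144;
  map_hash_bucket_size 262144;

  # 0 suppresses the access-log line for connections closed with 444 (blocklisted
  # clients); everything else is logged.
  map $status $writelog {
    444 0;
    default 1;
  }

  # Echo the request Origin back only when it is one of our own origins. An empty
  # value makes add_header omit Access-Control-Allow-Origin entirely, which is the
  # intended result for any other Origin. (The header takes exactly one origin or
  # "*"; a comma-separated list is invalid and browsers reject it.)
  map $http_origin $cors_origin {
    default "";
    "https://example.co.uk" $http_origin;
    "https://www.example.co.uk" $http_origin;
  }

  # Case-insensitive User-Agent blocklist; matching clients get 444 below.
  map $http_user_agent $bad_client {
    default 0;
    ~*(360Spider) 1;
    ~*(aiHitBot|AhrefsBot) 1;
    ~*(betaBot|BlackWidow|Bolt|BLEXBot|BUbiNG) 1;
    ~*(CazoodleBot|CPython|CCBot|ChinaClaw|Curious|CRAZYWEBCRAWLER|Custo) 1;
    ~*(Default|DIIbot|DISCo|discobot) 1;
    ~*(Exabot|eCatch|ecxi|EirGrabber|EmailCollector|EmailSiphon|EmailWolf|ExtractorPro|EyeNetIE) 1;
    ~*(FlashGet|Findxbot) 1;
    ~*(GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|Go.*package.*|GrabNet|Grafula|GT::WWW|GuzzleHttp) 1;
    ~*(heritrix|HaosouSpider|HMView|HTTP::Lite|HTTrack) 1;
    ~*(ia_archiver|IDBot|id-search|id-search.org|InterGET|InternetSeer.com|IRLbot) 1;
    ~*(JetCar) 1;
    ~*(larbin|LeechFTP|Lightspeedsystems|litemage_walker|Link|LinksManager.com_bot|Lipperhey|linkwalker|LinkpadBot|lwp-trivial|ltx71) 1;
    ~*(Maxthon$|Mail.RU_Bot|MegaIndex.ru|meanpathbot|MFC_Tear_Sample|microsoft.url|Microsoft-IIS|Mozilla.*Indy|Mozilla.*NEWT|MJ12bot|MSFrontPage) 1;
    ~*(Navroad|NearSite|NetAnts|NetLyzer.*FastProbe|NetSpider|NetZIP|Nutch) 1;
    ~*(Octopus) 1;
    ~*(PageGrabber|panscient.com|pavuk|PECL::HTTP|PeoplePal|pcBrowser|Pi-Monster|PHPCrawl|PleaseCrawl|psbot|prijsbest|python-requests) 1;
    ~*(Qwantify) 1;
    ~*(RealDownload|ReGet|RedesScrapy|Rippers|RocketCrawler) 1;
    ~*(SBIder|Scrapy|Screaming|ScreenerBot|SEOprofiler|SeaMonkey$|SeznamBot|SemrushBot|sitecheck.internetseer.com|SiteSnagger) 1;
    ~*(SmartDownload|Snoopy|SputnikBot|Steeler|SuperBot|SuperHTTP|Surfbot|sqlmap) 1;
    ~*(tAkeOut|Teleport|Toata|TwengaBot|Typhoeus) 1;
    ~*(URI::Fetch|User-Agent|UserAgent) 1;
    ~*(voltron|Vagabondo|VoidEYE|Visbot) 1;
    ~*(webalta|WebAuto|[Ww]eb[Bb]andit|WebCollage|WebCopier|WebFetch|WebLeacher|WebReaper|WebSauger|WebStripper|WebWhacker|WhatsApp) 1;
    ~*(WebZIP|Wget|Widow|Wotbox|WWW-Mechanize|WWWOFFLE) 1;
    ~*(zermelo|Zeus|Zeus.*Webster|ZyBorg) 1;
  }

  # Per-URI redirect table maintained in redirects.conf; "none" means no redirect.
  map $uri $redirected_url {
    default "none";
    include /etc/nginx/redirects.conf;
  }

  # Plain HTTP: apply the redirect table, then send everything to the canonical
  # HTTPS host.
  server {
    listen 80;
    listen [::]:80;

    server_name www.example.co.uk example.co.uk;

    if ($redirected_url != "none") {
      rewrite ^ $redirected_url permanent;
    }

    # 302 is presumably deliberate while the HTTPS move is being tested; switch to
    # 301 once it is settled so clients and caches stop re-asking.
    return 302 https://www.example.co.uk$request_uri;
  }

  # Bare host over HTTPS: same certificate and TLS policy as the main site, then
  # redirect to www.
  server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name example.co.uk;

    ssl_certificate /etc/letsencrypt/live/example.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.co.uk/privkey.pem;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Resume through the server-side cache only. NOTE(review): nginx's ticket key
    # is generated at start-up and is not rotated unless ssl_session_ticket_key is
    # managed externally, which weakens forward secrecy for resumed sessions.
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # The two *-SHA384 suites at the end are CBC-mode fallbacks; drop them if no
    # legacy client still needs them.
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";

    # "always" also sends these on 4xx/5xx; without it nginx adds headers only to
    # 2xx/3xx responses, so an error page would go out without HSTS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Xss-Protection "1; mode=block" always;

    ssl_stapling on;
    ssl_stapling_verify on;
    # NOTE(review): with ssl_stapling_verify the trusted file must hold the
    # issuer chain nginx verifies the OCSP response against; Let's Encrypt's
    # chain.pem is the usual choice. Confirm stapling actually works with:
    #   openssl s_client -connect <origin-ip>:443 -servername example.co.uk -status
    ssl_trusted_certificate /etc/letsencrypt/live/example.co.uk/fullchain.pem;
    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s;
    resolver_timeout 5s;

    if ($redirected_url != "none") {
      rewrite ^ $redirected_url permanent;
    }

    return 302 https://www.example.co.uk$request_uri;
  }

  # Main site. default_server makes this the catch-all for any SNI/Host value, so
  # nothing below may trust $host/$http_host in security-relevant output.
  server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    server_name www.example.co.uk;

    ssl_certificate /etc/letsencrypt/live/example.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.co.uk/privkey.pem;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # See the note in the example.co.uk server block.
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";

    # nginx does not merge add_header across levels: as soon as a location defines
    # one add_header of its own, the whole inherited set is replaced. The font and
    # PHP locations below do that, so these four headers are repeated there --
    # otherwise they were silently missing from exactly the responses that matter
    # (every PHP-rendered page). "always" covers 4xx/5xx as well.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Xss-Protection "1; mode=block" always;

    ssl_stapling on;
    ssl_stapling_verify on;
    # See the stapling note in the example.co.uk server block.
    ssl_trusted_certificate /etc/letsencrypt/live/example.co.uk/fullchain.pem;
    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s;
    resolver_timeout 5s;

    if ($redirected_url != "none") {
      rewrite ^ $redirected_url permanent;
    }

    root /var/www/current;

    access_log /var/log/nginx/access.log main if=$writelog;
    error_log /var/log/nginx/error.log error;

    # Close the connection without any response for blocklisted User-Agents.
    if ($bad_client) {
      return 444;
    }

    location = /js/index.php/x.js {
      rewrite ^(.*\.php)/ $1 last;
    }

    location / {
      try_files $uri $uri/ @rewrite;
    }

    # Application internals that must never be served directly.
    location ~ /(app|var|downloader|includes|pkginfo)/ {
      deny all;
    }

    location ~ rss/(order|catalog) {
      deny all;
    }
    # Source, config, dumps and archives sitting in the document root itself
    # (one path segment only; deeper paths are covered by the directory rule above).
    location ~ ^/([^/])+\.(sh|pl|py|lua|inc|swp|phar|php_|log|ini|md|sql|conf|yml|zip|tar|.+gz)$ {
      deny all;
    }
    # Any dot-file or dot-directory (.git, .svn, .htpasswd, .htaccess, .env, ...)
    # except /.well-known/, which ACME challenges for the Let's Encrypt certificate
    # above may need. The former fixed list (svn|git|hg|htpasswd|bash|ssh) left
    # files such as .htaccess or .env readable if present in the docroot.
    location ~ /\.(?!well-known/) {
      deny all;
    }
    location ~ /(dev/tests/|errors/local.xml|cron\.php) {
      deny all;
    }
    location ~* /(tmp|lib|media|shell|skin)/.*\.php$ {
      deny all;
    }

    # Abuse-prone endpoints: rate-limited per client address (see the real_ip
    # note at the top) and hidden from search crawlers.
    location ~ ^/(wishlist|customer|catalogsearch|newsletter|tag/product/list|sales/guest/view|contacts/index/post|review/product/(view|list|post)|(fire|one.+)?checkout)/  {
      limit_req zone=goeasy burst=5;
      limit_req_status 429;

      if ($http_user_agent ~* "Baiduspider|AdsBot-Google|Googlebot|bingbot|Yahoo|Yandex") {
        return 410;
      }

      try_files $uri $uri/ @rewrite;
    }

    # Strip a literal index.php from URLs outside /insights/ (A = not insights,
    # B = contains index.php; $1/$3 are the captures from the B regex).
    if ($request_uri !~ "/insights/") {
      set $no_index_php A;
    }
    if ($request_uri ~* "^(.*/)index\.php(/?)(.*)") {
      set $no_index_php "${no_index_php}B";
    }
    if ($no_index_php = AB) {
      return 301 $1$3;
    }

    # Crawlers requesting filtered listings get 410 so they stop indexing them.
    if ($args ~ ^(brand|cat|color|dir|from|limit|price|type|mode|size|manufacturer)=.+) {
      set $filters A;
    }
    if ($http_user_agent ~* "Baiduspider|Googlebot|bingbot|Yahoo|Yandex") {
      set $filters "${filters}B";
    }
    if ($filters = AB) {
      return 410;
    }

    # WordPress sub-install: config, includes and uploaded PHP are never served.
    location ~ /jbwp/wp-config\.php {
      deny all;
    }
    location ~ /jbwp/wp-includes/(.*)\.php {
      deny all;
    }
    location ~ /jbwp/wp-admin/includes(.*)$ {
      deny all;
    }
    location ~ /jbwp/xmlrpc\.php {
      deny all;
    }
    location ~ /jbwp/wp-content/uploads/(.*)\.php(.?) {
      deny all;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
      expires max;

      log_not_found off;
      access_log off;

      # `add_header ETag ""` did not remove the ETag nginx generates (an empty
      # add_header value is simply not emitted); etag off is the real switch.
      # No add_header here, so the server-level security headers are inherited.
      etag off;
    }

    location ~* \.(swf|eot|ttf|otf|woff|woff2)$ {
      expires max;

      log_not_found off;
      access_log off;

      etag off;

      # CORS for fonts via the $cors_origin map: a known-good Origin is echoed
      # back, anything else gets no header. Vary: Origin keeps shared caches
      # (these responses are public and long-lived) from serving one origin's
      # answer to another.
      add_header Access-Control-Allow-Origin $cors_origin;
      add_header Vary Origin;
      add_header Cache-Control "public";

      # Repeated because add_header in this location replaces the server-level set.
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
      add_header X-Frame-Options SAMEORIGIN always;
      add_header X-Content-Type-Options nosniff always;
      add_header X-Xss-Protection "1; mode=block" always;
    }

    location @rewrite {
      rewrite / /index.php;
    }

    location ~ \.php$ {
      # Hand only scripts that actually exist to PHP-FPM; anything else is a 404
      # here instead of a guess by the FastCGI backend.
      try_files $uri =404;

      add_header X-Request-Time $request_time always;
      add_header X-Request-ID $request_id always;
      # Canonical link pinned to the real hostname: this is the default_server, so
      # $http_host is whatever the client chose to send and must not be reflected.
      add_header Link "<https://www.example.co.uk$request_uri>; rel=\"canonical\"" always;

      # Repeated because add_header in this location replaces the server-level set.
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
      add_header X-Frame-Options SAMEORIGIN always;
      add_header X-Content-Type-Options nosniff always;
      add_header X-Xss-Protection "1; mode=block" always;

      include fastcgi_params;

      fastcgi_read_timeout 600;
      # NOTE(review): PHP 5.6 reached end of life in December 2018 and receives no
      # security fixes; plan the upgrade and point this socket at the new FPM.
      fastcgi_pass unix:/var/run/php/php5.6-fpm.sock;
      fastcgi_index index.php;

      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      fastcgi_param HTTPS 'on';

      fastcgi_param DEBUG_MODE 'false';
      fastcgi_param MAINTENANCE_MODE 'false';

      fastcgi_keep_conn on;
    }
  }
}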

回答 1

Stack Overflow用户

回答已采纳

发布于 2019-08-29 15:15:32

我最后发现问题并不在 Nginx 配置文件，而是出在 Cloudflare 的设置上（https://community.cloudflare.com/t/how-do-i-disable-tls-1-0/2670/10）：域名经 Cloudflare 代理时，客户端的 TLS 握手终止在 Cloudflare 的边缘节点，nginx 里的 ssl_protocols 只约束 Cloudflare 到源站这一段；客户端可用的最低 TLS 版本需要在 Cloudflare 控制台里单独设置。

我用下面这个仓库直接对源站的 IP:端口 做测试（绕过 Cloudflare），确认 nginx 本身已经不再接受 TLSv1：https://github.com/drwetter/testssl.sh

我使用的命令是 `/bin/bash testssl.sh 256.98.767.762:443`（这不是我服务器的真实 IP，只是占位）。

页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:

https://stackoverflow.com/questions/57624453
