Is it possible to configure nginx to use TLS 1.2 for some IPs and TLS 1.0 for user-defined IPs?
Answer 1
Yes, you can have one server block listen on the first set of IPs (and configure TLSv1.2 in that block), and have another server block listen on the other IP addresses. In the latter block, you just configure TLSv1.0.
For example:
server {
    listen 1.1.1.1:443 ssl;
    server_name tls1_0.example.com;
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    ssl_protocols TLSv1;
    ssl_ciphers "_cleared_for_brevity_";
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    # ..other config
    tcp_nodelay on;
}
server {
    listen 1.1.1.2:443 ssl;
    server_name tls1_2.example.com;
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    ssl_protocols TLSv1.2;
    ssl_ciphers "_cleared_for_brevity_";
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    # ..other config
    tcp_nodelay on;
}
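As an added check that is not part of the original answer: this Python script (helper names are my own, the sample config is constructed to mirror the two blocks above) parses nginx server blocks and reports which listen addresses still allow a deprecated protocol version, so a per-IP split like this can be audited from the config file before it is reloaded.

```python
import re

# Constructed sample config mirroring the two server blocks in the answer;
# the IPs, hostnames and paths are illustrative, not a real deployment.
SAMPLE_CONF = """server {
    listen 1.1.1.1:443 ssl;
    server_name tls1_0.example.com;
    ssl_protocols TLSv1;
    # ..other config
}
server {
    listen 1.1.1.2:443 ssl;
    server_name tls1_2.example.com;
    ssl_protocols TLSv1.2;
}"""

# Protocol versions deprecated by RFC 8996 that an audit should flag.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def server_blocks(conf):
    """Yield the body of each 'server { ... }' block, tracking nested braces."""
    pos = 0
    while m := re.search(r"\bserver\s*\{", conf[pos:]):
        start = pos + m.end()
        depth, j = 1, start
        while depth and j < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[j], 0)
            j += 1
        yield conf[start:j - 1]
        pos = j

def directive(body, name):
    """Return the argument list of every 'name ...;' directive in a block body."""
    body = re.sub(r"#[^\n]*", "", body)  # strip '#' comments before matching
    return [m.group(1).split()
            for m in re.finditer(rf"^\s*{name}\s+([^;]+);", body, re.M)]

def audit(conf):
    """Per server block: listen addresses, names, protocols and deprecated ones."""
    report = []
    for body in server_blocks(conf):
        protos = sum(directive(body, "ssl_protocols"), [])
        report.append({
            "listen": [args[0] for args in directive(body, "listen")],
            "server_name": sum(directive(body, "server_name"), []),
            "protocols": protos,  # empty means inherited from http{} or nginx default
            "weak": sorted(set(protos) & DEPRECATED),
        })
    return report
```

A block with an empty "protocols" list inherits ssl_protocols from the enclosing http context, so check that level too before treating it as clean.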