Nginx and letsencrypt - duplicate value "TLSv1.2"

Because TLS 1.0 and 1.1 are enabled, the SSL test caps my result at B. I know I should add the following line to my configuration: ssl_protocols TLSv1.2 TLSv1.3;

Here is my minimized configuration:

server {
    root /var/www/mezinamiridici.cz/html;  
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot    
    ssl_protocols TLSv1.2 TLSv1.3;    
    ssl_certificate /etc/letsencrypt/live/mezinamiridici.cz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mezinamiridici.cz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

But there is an error:

2021/03/19 20:19:44 [warn] 32195#32195: duplicate value "TLSv1.2" in /etc/letsencrypt/options-ssl-nginx.conf:10

It probably comes from the Let's Encrypt configuration located at /etc/letsencrypt/options-ssl-nginx.conf:

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;  
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

I tried moving my line above or below that include, but without success. Is there a way to make these two configurations coexist?

Answer 1

You have ssl_protocols defined in both the NGINX conf and the letsencrypt conf. Merge it into one place, then adjust the values you need there. I'd suggest putting it only in the letsencrypt conf.
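
The situation in this thread as an added example (not code from the question or the answer): a small Python check that follows `include` lines and lists every `ssl_protocols` directive, the values that repeat, and any legacy protocol still named. The file name `site.conf`, the helper names and the in-memory file table are assumptions; the parse is line-based and ignores glob includes and block nesting.

```python
import re
from collections import Counter

# Constructed sample: the two files from the question, trimmed and held in
# memory so the check runs offline. "site.conf" is a made-up name.
FILES = {
    "site.conf": """server {
    listen 443 ssl; # managed by Certbot
    ssl_protocols TLSv1.2 TLSv1.3;
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
}
""",
    "/etc/letsencrypt/options-ssl-nginx.conf": """ssl_session_cache shared:le_nginx_SSL:1m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
""",
}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def find_ssl_protocols(path, files, seen=None):
    """Return [(file, line_no, [protocols])] for path and every file it includes."""
    seen = set() if seen is None else seen
    if path in seen or path not in files:  # skip include loops and unknown files
        return []
    seen.add(path)
    hits = []
    for no, raw in enumerate(files[path].splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"(ssl_protocols|include)\s+([^;]+);", line)
        if not m:
            continue
        if m.group(1) == "include":
            hits += find_ssl_protocols(m.group(2).strip(), files, seen)
        else:
            hits.append((path, no, m.group(2).split()))
    return hits

def audit(path, files):
    """Summarise where ssl_protocols is set, which values repeat, which are legacy."""
    hits = find_ssl_protocols(path, files)
    counts = Counter(p for _, _, protos in hits for p in protos)
    return {
        "directives": hits,
        "repeated": sorted(p for p, n in counts.items() if n > 1),
        "legacy": sorted(LEGACY & counts.keys()),
    }

if __name__ == "__main__":
    print(audit("site.conf", FILES))
```

More than one entry under `directives` means the setting lives in two places, which is the condition the answer says to consolidate.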
