Default server "_" causing SSL_POLICY and TLS 1.3 to break. #1237

Closed
noaho opened this issue Feb 27, 2019 · 4 comments

@noaho

noaho commented Feb 27, 2019

Hi, in the latest nginx, the first SSL server in the config file is influencing the other sites' SSL config.

Because the logic which uses a default self signed cert for sites not specified is first in the nginx config, SSL defaults are initialized, leaving TLS 1.1 on and stopping TLS 1.3 from working properly.

Due to the way openssl works, it's currently impossible to select different TLS settings per site, on the same server, thus the default influences the other sections. Hence the "most strict" SSL configuration must be set as default, or the first configuration will override the others.

Reference:
https://trac.nginx.org/nginx/ticket/844
http://nginx.org/en/docs/http/request_processing.html

This is the code in https://raw.githubusercontent.com/jwilder/nginx-proxy/master/nginx.tmpl that I am referring to:

"{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
server {
server_name _;"

This is causing a host of issues below:
#1181
#1177

(Related issue, actually the cause of this issue)
#765

You can also see this issue demonstrated over here:
nginxinc/docker-nginx#190

Can we make the default cert for SSL disabled by default? Or somehow build the SSL_POLICY into the default site?
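As an added illustration (not taken from nginx-proxy's nginx.tmpl or from the reporter), here is a rendered configuration of the shape the report describes, followed by the corrected default server. The hostnames and certificate paths are placeholders; the behaviour relied on is the one from nginx ticket 844 linked above: the ssl_protocols of the default server for a listen socket govern the version negotiated for every SNI host on that socket, since the version is settled before the server name is inspected.

```nginx
# --- Broken: the default "_" server is rendered first and is permissive ----
server {
    server_name _;
    listen 443 ssl http2;
    ssl_certificate     /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
    # Applies to the whole listen socket, not just to unknown hostnames:
    # TLS 1.1 stays enabled and TLS 1.3 is never offered to any vhost below.
    ssl_protocols TLSv1.1 TLSv1.2;
}

server {
    server_name app.example.test;          # placeholder hostname
    listen 443 ssl http2;
    ssl_certificate     /etc/nginx/certs/app.example.test.crt;
    ssl_certificate_key /etc/nginx/certs/app.example.test.key;
    # Rendered from the container's SSL_POLICY, but ineffective here:
    # the version was already chosen with the default server's settings.
    ssl_protocols TLSv1.2 TLSv1.3;
}

# --- Corrected: the default server carries the strictest policy ------------
server {
    server_name _;
    listen 443 ssl http2;
    ssl_certificate     /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
    # Strictest protocol set first; every SNI vhost on :443 now negotiates
    # from this list, and TLS 1.1 is refused for all of them.
    ssl_protocols TLSv1.2 TLSv1.3;
}
```

To confirm what a running proxy actually does, dump the rendered config with `nginx -T` inside the container and then probe a vhost with `openssl s_client -connect <host>:443 -servername app.example.test -tls1_1` (expected to fail after the fix) and with `-tls1_3` (expected to succeed).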

@Nottt

Nottt commented Apr 12, 2019

Any solution? I'd really like to enable TLS 1.3

@johnpyp

johnpyp commented Jun 17, 2019

If other people are having this issue, you can solve it by using the docker-gen + nginx setup and deleting this part (like the issue mentions) of the nginx.tmpl file https://github.com/jwilder/nginx-proxy/blob/master/nginx.tmpl#L102-L116

I've only tested with letsencrypt + nginx + docker-gen setup, so results may vary.

@buchdag
Member

buchdag commented Jun 15, 2021

@noaho correct me if I'm wrong, but the issue is also in the other direction: using the most strict SSL configuration set as a default would have the least strict SSL_POLICY not working properly.

As you (and @kleptox in #1568) pointed out, this can't and won't be fixed by nginx devs.

Should we then consider that per-proxied container SSL_POLICY can't really work because of this limitation and that we should somehow change that to a global per proxy SSL_POLICY, with corresponding doc and rendered template warnings?
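Whichever way the policy is rendered, the practical check is the same: compare each SNI vhost's ssl_protocols with the default server's on the same listen socket. The following audit script is an added example, not part of nginx-proxy; it takes the text of a rendered config (for instance the output of `nginx -T`) and reports, per vhost, which protocols the default server will not offer ("missing") and which it will still accept ("still_accepted"). The config embedded below is constructed for illustration, with placeholder hostnames.

```python
"""Audit a rendered nginx config for per-vhost ssl_protocols that the
default server overrides (nginx ticket 844 behaviour). Added example."""
import re
from collections import defaultdict

# Constructed sample config: a permissive default server, a vhost that asks
# for TLS 1.3, a vhost that asks for TLS 1.0, and a plain-HTTP server.
SAMPLE_CONF = """
server {
    server_name _;
    listen 443 ssl http2;
    ssl_certificate /etc/nginx/certs/default.crt;
    ssl_certificate_key /etc/nginx/certs/default.key;
    ssl_protocols TLSv1.1 TLSv1.2;   # permissive default
}
server {
    server_name app.example.test;
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
}
server {
    server_name legacy.example.test;
    listen 443 ssl http2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    server_name plain.example.test;
    listen 80;
}
"""


def server_blocks(text):
    """Yield the body of each top-level `server { ... }` block, brace-matched,
    with comments stripped. Sufficient for nginx -T output; not a full parser."""
    text = re.sub(r"#[^\n]*", "", text)
    i = 0
    while True:
        m = re.search(r"\bserver\s*\{", text[i:])
        if not m:
            return
        start = i + m.end()
        depth, j = 1, start
        while depth and j < len(text):
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        yield text[start:j - 1]
        i = j


def directive(body, name):
    """Return the arguments of the first `name ...;` directive in a block."""
    m = re.search(r"\b%s\s+([^;]+);" % re.escape(name), body)
    return m.group(1).split() if m else []


def parse_servers(text):
    """Collect the TLS-enabled servers with name, listen socket and protocols.
    An empty protocol set means the directive is absent (nginx's compiled-in
    default then applies, which this script does not model)."""
    servers = []
    for body in server_blocks(text):
        listen = directive(body, "listen")
        if "ssl" not in listen:
            continue  # plain HTTP servers take no part in the handshake
        servers.append({
            "name": (directive(body, "server_name") or ["?"])[0],
            "socket": listen[0],
            "default": "default_server" in listen,
            "protocols": set(directive(body, "ssl_protocols")),
        })
    return servers


def audit(text):
    """Return {vhost: {"default", "missing", "still_accepted"}} for every SNI
    vhost whose ssl_protocols differ from its socket's default server."""
    by_socket = defaultdict(list)
    for s in parse_servers(text):
        by_socket[s["socket"]].append(s)
    findings = {}
    for servers in by_socket.values():
        # nginx uses the explicitly flagged default_server, else the first one
        default = next((s for s in servers if s["default"]), servers[0])
        if not default["protocols"]:
            continue
        for s in servers:
            if s is default or not s["protocols"]:
                continue
            missing = sorted(s["protocols"] - default["protocols"])
            extra = sorted(default["protocols"] - s["protocols"])
            if missing or extra:
                findings[s["name"]] = {"default": default["name"],
                                       "missing": missing,
                                       "still_accepted": extra}
    return findings


if __name__ == "__main__":
    for host, f in audit(SAMPLE_CONF).items():
        print(host, f)
```

Run against SAMPLE_CONF it flags app.example.test (TLSv1.3 never offered, TLSv1.1 still accepted) and legacy.example.test (TLSv1 never offered); a config whose default server already carries the strictest policy and whose vhosts match it produces no findings.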

@buchdag buchdag self-assigned this May 10, 2023
@buchdag
Member

buchdag commented Dec 19, 2023

This should have been fixed by #2186 and #2338

@buchdag buchdag closed this as completed Dec 19, 2023