Default server "_" causing SSL_POLICY and TLS 1.3 to break. #1237
Comments
Any solution? I'd really like to enable TLS 1.3
If other people are having this issue, you can solve it by using the docker-gen + nginx setup and deleting this part (like the issue mentions) of the nginx.tmpl file https://github.com/jwilder/nginx-proxy/blob/master/nginx.tmpl#L102-L116 I've only tested with letsencrypt + nginx + docker-gen setup, so results may vary.
@noaho correct me if I'm wrong, but the issue is also in the other direction: using the most strict SSL configuration set as a default would have the least strict As you (and @kleptox in #1568) pointed out, this can't and won't be fixed by nginx devs. Should we then consider that per-proxied container
Hi, in the latest nginx, the first SSL server in the config file is influencing the other sites' SSL config.
Because the logic which uses a default self-signed cert for sites not specified is first in the nginx config, SSL defaults are initialized, leaving TLS 1.1 on and stopping TLS 1.3 from working properly.
Due to the way openssl works, it's currently impossible to select different TLS settings per site, on the same server, thus the default influences the other sections. Hence the "most strict" SSL configuration must be set as default, or the first configuration will override the others.
Reference:
https://trac.nginx.org/nginx/ticket/844
http://nginx.org/en/docs/http/request_processing.html
This is the code in https://raw.githubusercontent.com/jwilder/nginx-proxy/master/nginx.tmpl that I am referring to:

```
{{ if (and (exists "/etc/nginx/certs/default.crt") (exists "/etc/nginx/certs/default.key")) }}
server {
    server_name _;
```
This is causing a host of issues below:
#1181
#1177
(Related issue, actually the cause of this issue)
#765
You can also see this issue demonstrated over here:
nginxinc/docker-nginx#190
Can we make the default cert for SSL disabled by default? Or somehow build the SSL_POLICY into the default site?
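Added example, not code from nginx-proxy or from anyone in this thread: a small Python audit that parses an nginx config, groups the SSL server blocks by listen address, treats the first block (or the one flagged `default_server`) as the default server, and reports every vhost whose `ssl_protocols` differ from it. That is the check this issue calls for, since the version is negotiated on the default server's context before SNI selects the vhost. The two configs below are constructed for the example (the `_` server first with TLS 1.1 still on, then the same pair with the strictest policy moved to the default), and the fallback used for a block with no `ssl_protocols` is assumed to be the compiled-in default of nginx releases before 1.23.4.

```python
"""Audit an nginx config for ssl_protocols that the default server overrides.
nginx negotiates the TLS version on the default server's SSL context before SNI
picks the vhost, so the first (or default_server) server on a listen socket
decides which versions every vhost on that socket really accepts."""
import re
from collections import defaultdict
# Assumption: a server block without ssl_protocols gets the compiled-in default
# of nginx releases before 1.23.4, which is "TLSv1 TLSv1.1 TLSv1.2".
IMPLICIT_PROTOCOLS = ("TLSv1", "TLSv1.1", "TLSv1.2")
# Constructed sample, not nginx-proxy's template: the "_" default server comes
# first and still allows TLS 1.1, while the real vhost asks for TLS 1.2/1.3 only.
WEAK_DEFAULT = """
http {
    server {
        listen 443 ssl;
        server_name _;
        ssl_protocols TLSv1.1 TLSv1.2;
    }
    server {
        listen 443 ssl;
        server_name app.example.test;
        ssl_protocols TLSv1.2 TLSv1.3;
        location / { proxy_pass http://app; }  # nested braces must parse too
    }
}
"""
# The fix the issue argues for: the default server carries the strictest policy.
STRICT_DEFAULT = WEAK_DEFAULT.replace("TLSv1.1 TLSv1.2;", "TLSv1.2 TLSv1.3;")

def tokenize(conf):
    """Drop # comments and split into tokens, keeping quoted strings whole."""
    conf = re.sub(r"#[^\n]*", "", conf)
    return re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', conf)

def parse(tokens, pos=0):
    """Return (items, pos); an item is (args, children), children None for a plain directive."""
    items, args = [], []
    while pos < len(tokens):
        tok, pos = tokens[pos], pos + 1
        if tok == "}":
            break
        if tok in (";", "{"):
            children, pos = parse(tokens, pos) if tok == "{" else (None, pos)
            items.append((args, children))
            args = []
        else:
            args.append(tok)
    return items, pos

def collect_servers(items, found=None):
    """Return server{} bodies in file order, descending through http{} but not into servers."""
    found = [] if found is None else found
    for args, children in items:
        if children is None:
            continue
        if args and args[0] == "server":
            found.append(children)
        else:
            collect_servers(children, found)
    return found

def describe(body):
    """Pull listen / server_name / ssl_protocols facts out of one server block."""
    info = {"names": ["(unnamed)"], "protocols": None, "default": False, "ssl_listens": []}
    for args, _ in body:
        name, vals = (args[0], args[1:]) if args else (None, [])
        if name == "listen" and vals:
            if "ssl" in vals[1:]:
                info["ssl_listens"].append(vals[0])
            info["default"] |= bool({"default_server", "default"} & set(vals[1:]))
        elif name == "server_name" and vals:
            info["names"] = vals
        elif name == "ssl_protocols" and vals:
            info["protocols"] = tuple(vals)
    return info

def audit(conf):
    """Per SSL listen address: the default server, the versions it really enables, and each mismatch."""
    groups = defaultdict(list)
    for body in collect_servers(parse(tokenize(conf))[0]):
        info = describe(body)
        for addr in info["ssl_listens"]:
            groups[addr].append(info)
    report = {}
    for addr, servers in groups.items():
        default = next((s for s in servers if s["default"]), servers[0])
        effective = set(default["protocols"] or IMPLICIT_PROTOCOLS)
        findings = []
        for s in servers:
            if s is default:
                continue
            wanted, name = set(s["protocols"] or IMPLICIT_PROTOCOLS), s["names"][0]
            for p in sorted(wanted - effective):  # TLS version names sort oldest first
                findings.append(f"{name} wants {p}; the default server lacks it, so {p} is never negotiated")
            for p in sorted(effective - wanted):
                findings.append(f"{name} excludes {p}; the default server enables it, so {p} is still accepted")
        report[addr] = {"default": default["names"], "effective": sorted(effective), "findings": findings}
    return report
```

Running `audit(WEAK_DEFAULT)` reports two findings for `app.example.test` on `443`: TLS 1.3 is never negotiated and TLS 1.1 is still accepted, which is exactly the symptom described in this issue. `audit(STRICT_DEFAULT)` reports none, because the default server now carries the most restrictive policy and the named vhost matches it.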