Nginx aplicando partes da mesma configuração TLS (ssl_protocols, ssl_ecdh_curve) do vhost padrão a todos os vhosts


Eu tenho um problema com a minha instalação do nginx. No arquivo principal, default.conf, habilitei TLSv1.3 com a curva ECDHE X25519 (além de secp521r1 e secp384r1), mas tenho um subdomínio que não deve usar essas curvas. Na configuração do subdomínio ativei somente secp384r1 (e somente TLSv1.2); porém, quando testo o subdomínio no SSL Labs, na lista de "named groups" suportados vejo as três curvas habilitadas no default.conf. A mesma coisa já aconteceu antes, mas com os protocolos ativados: o subdomínio anunciava os protocolos do arquivo principal, não os dele. Como posso corrigir isso? Já tentei mudar os nomes dos arquivos e reiniciei o nginx inúmeras vezes, sem resultado (os dois vhosts escutam no mesmo IP:443 e são distinguidos apenas por SNI). Estou executando o nginx 1.13.2 com o OpenSSL 1.1.1-dev no Ubuntu 17.04.

Aqui está o teste ssllabs do meu domínio principal: link

E aqui está o teste para o subdomínio: link

Aqui está a configuração principal:

# Maps the response Content-Type onto the value handed to `expires` in the
# server block below: `off` adds no Expires/Cache-Control, `epoch` marks HTML as
# already expired, `max` gives CSS/JS/images a far-future Expires plus a matching
# Cache-Control: max-age. Keys are exact matches unless prefixed with `~`
# (regex), so `text/html` only matches the bare type; if a `charset` were
# configured the header would read `text/html; charset=...` and fall through to
# `off` -- NOTE(review): confirm no charset is set elsewhere.
# The identical map is declared again in the subdomain file; nginx loads both
# (the author reloads without error), so keep the two definitions in sync.
map $sent_http_content_type $expires {
default                    off;
text/html                  epoch;
text/css                   max;
application/javascript     max;
~image/                    max;
}

# HTTPS vhost for the apex domain. It is also the *default* server for
# 0.0.0.0:443 / [::]:443 unless another server on that socket claims the role
# (nothing here is marked default_server; without the flag nginx takes the first
# server declared for the socket, which depends on include order).
#
# Why the subdomain "inherits" this vhost's TLS settings (the question above):
# both vhosts share one listen socket and are told apart only by SNI. nginx
# creates the OpenSSL connection from the default server's context; OpenSSL
# copies the supported-groups list (ssl_ecdh_curve) into the connection at that
# point and selects the protocol version before the SNI callback runs. nginx then
# switches the certificate for the named vhost, but the groups and the
# already-chosen protocol are not revisited -- which matches the symptom (curves,
# and earlier protocols, reported per the default server). The cipher list does
# follow the switched context, so ssl_ciphers is expected to be per-vhost;
# confirm on the scan. To give ssl.alessandroz.pro its own curve/protocol set it
# needs its own listen socket (separate IP or port); otherwise treat
# ssl_protocols and ssl_ecdh_curve as per-socket settings and keep them identical
# across vhosts. `nginx -T` prints the merged configuration actually loaded.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;

server_tokens off;

# Dual certificate chains (RSA 4096 + ECDSA); nginx offers the one matching the
# client's signature algorithms. Both are also reused verbatim by the subdomain.
ssl_certificate /etc/nginxssl/rsa/chain2rsa.pem;
ssl_certificate_key /etc/nginxssl/rsa/rsa4096.key;

ssl_certificate /etc/nginxssl/ec/echain2.pem;
ssl_certificate_key /etc/nginxssl/ec/privkey.pem;

# Per-socket in practice (see header comment): these apply to every SNI vhost on
# :443, not just this one.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# 8192-bit DH parameters: every DHE handshake costs an 8192-bit modular
# exponentiation. With ECDHE listed first this is rarely hit, but a client that
# offers only the `AES256+EDH` suites can force it on each connection -- a cheap
# CPU-exhaustion lever. 2048/3072 bits is the usual ceiling, or drop the EDH
# entries from ssl_ciphers so DHE is never negotiated.
ssl_dhparam /etc/nginx/dh8192.pem;
# The `TLS13-*` names come from a pre-release OpenSSL 1.1.1 and the `*-D`
# ChaCha names from a vendor patch; released OpenSSL configures TLS 1.3 suites
# outside the classic cipher string and silently drops names it does not know.
# The tail also keeps CBC/SHA-1 suites (`*-SHA`, `*-SHA256`, `*-SHA384`). Check
# the effective list with `openssl ciphers -v '<string>'` on the installed
# library rather than trusting the string.
ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:ECDHE-RSA-CHACHA20-POLY1305-D:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:AES256+EECDH:AES256+EDH:!aNULL;
# These three groups are what the scan reports for the subdomain as well.
ssl_ecdh_curve X25519:secp521r1:secp384r1;
# Session IDs cached server-side. Session tickets stay enabled by default with a
# key generated at startup and held until reload; without `ssl_session_tickets
# off` or rotated `ssl_session_ticket_key` files, resumed sessions are only as
# forward-secret as that long-lived key.
ssl_session_cache shared:SSL:5m;
ssl_stapling on;
ssl_stapling_verify on;
# Used to verify stapled OCSP responses. Only the RSA chain is listed here while
# an ECDSA certificate is also served -- NOTE(review): confirm this file also
# contains the EC chain's issuer, or stapling for the EC certificate will fail
# verification and be dropped.
ssl_trusted_certificate /etc/nginxssl/rsa/rsachain.pem;
# OCSP responder lookups go over plain DNS to a public resolver.
resolver 8.8.8.8;
resolver_timeout 15s;
# `expires max` (css/js/images via the map) emits its own Cache-Control:
# max-age=...; the add_header below then appends a second, contradictory
# Cache-Control: max-age=0; no-cache on the same responses.
expires $expires;   


# add_header semantics worth knowing for all of the headers below: they are
# only attached to 2xx/3xx responses unless the `always` flag is given, so
# error pages (404/50x) leave without HSTS, CSP or X-Frame-Options; and any
# location that declares its own add_header inherits none of these. The
# nested locations here declare none, so they do inherit.
# The commented HPKP line below is also malformed (stray `""` after the first
# pin); the live copy in the subdomain file has it right.
#add_header Public-Key-Pins 'pin-sha256="f6Rrjx1PVBHit0A3FRptkrBgow9EvmViNhd3tqz5RCg=""; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="; pin-sha256="W64HXITqFK9CWicSLnRNMbaDL3kUwx3GKzlkJ3IVKRM="; max-age=2592000; report-uri="https://azreport.report-uri.io/r/default/hpkp/enforce"';
#add_header Public-Key-Pins-Report-Only 'pin-sha256="f6Rrjx1PVBHit0A3FRptkrBgow9EvmViNhd3tqz5RCg=""; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="; pin-sha256="W64HXITqFK9CWicSLnRNMbaDL3kUwx3GKzlkJ3IVKRM="; max-age=2592000; report-uri="https://azreport.report-uri.io/r/default/hpkp/reportOnly"';
add_header Cache-Control "max-age=0; no-cache";
# The CSP nonce is a constant baked into the config, identical on every response
# (and in the report-only twin and the subdomain). A nonce only restricts script
# execution if it is unpredictable per response; anyone who can inject markup
# simply copies this value, and `'strict-dynamic'` then trusts whatever that
# script loads. A real nonce has to be generated per request by the application
# that renders the page (it must match the markup), which then also has to emit
# the header -- nginx on its own cannot do that here.
# The Report-Only header carries the identical policy, so it only duplicates
# every violation report; harmless but noisy.
add_header Content-Security-Policy "default-src 'none'; upgrade-insecure-requests; block-all-mixed-content; script-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' 'strict-dynamic'; style-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' alessandroz.pro a.disquscdn.com; child-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com alessandroz.pro platform.twitter.com; frame-src fusiontables.googleusercontent.com alessandroz.pro fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; connect-src 'self' alessandroz.pro links.services.disqus.com; font-src cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self'; report-uri https://azreport.report-uri.io/r/default/csp/enforce";
add_header Content-Security-Policy-Report-Only "default-src 'none'; upgrade-insecure-requests; block-all-mixed-content; script-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' 'strict-dynamic'; style-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' alessandroz.pro a.disquscdn.com; child-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com alessandroz.pro platform.twitter.com; frame-src fusiontables.googleusercontent.com alessandroz.pro fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; connect-src 'self' alessandroz.pro links.services.disqus.com; font-src cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self'; report-uri https://azreport.report-uri.io/r/default/csp/reportOnly";
add_header X-XSS-Protection "1; mode=block";
# Two-year HSTS with includeSubDomains + preload: every subdomain (ssl. included)
# is committed to HTTPS for any browser that has seen this header or the
# preload list.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
# P3P is obsolete; kept as a pointer to the privacy policy, no security effect.
add_header P3P 'CP=This is not a P3P Security Policy. Privacy Info At: https://alessandroz.pro/privacypolicy.html';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy strict-origin-when-cross-origin; 
add_header Expect-CT "enforce; max-age=30; report-uri https://azreport.report-uri.io/r/default/ct/enforce";
add_header Accept-Ranges bytes;

# Compression for the listed types. HTML is not listed, so PHP output is sent
# uncompressed, which also sidesteps BREACH-style leakage of secrets in pages.
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_min_length 256;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;

# The subdomain's docroot (/usr/share/nginx/www/ssl) sits inside this one, so
# everything published on ssl.alessandroz.pro is also reachable as
# https://alessandroz.pro/ssl/...
root /usr/share/nginx/www;

location = /favicon.ico { log_not_found off; access_log off; }
location = /robots.txt {log_not_found off; access_log off; allow all; }
# DEAD: `location ^~ /` below is the longest prefix match for every URI except
# the two exact matches above, and `^~` stops regex evaluation, so this
# server-level regex location (and `~ /.well-known`) is never selected. Static
# files get their caching from `expires $expires` instead of the 365d here.
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires 365d;
        log_not_found off;
    }   

index index.php index.html index.htm index.nginx-debian.html;

server_name alessandroz.pro;


# Turns a 405 (e.g. POST to a static file) into a 200 serving the file -- the
# usual trick to let forms post to static pages. It also means no method is ever
# refused for static content; leave in only if that is intended.
error_page  405     =200 $uri;

# DEAD for the reason given above (`^~ /` wins first); also the `.` is an
# unescaped regex wildcard. ACME challenges are in fact served by `^~ /` via
# try_files, which is why it still works.
location ~ /.well-known {
            allow all;
    }

# Catch-all. Only the locations nested here are consulted for matching URIs.
location ^~ / {
    try_files $uri $uri/ /index.php$is_args$args;
    # mime.types included at location scope: fine since this location covers
    # everything, but it is usually placed in the http block.
    include  /etc/nginx/mime.types;

# Nested regexes are tried in order, so `\.php$` is checked before the dotfile
# deny below. Debian's fastcgi-php.conf normally carries
# `try_files $fastcgi_script_name =404`, which defeats the PATH_INFO
# ("/image.jpg/x.php") trick -- NOTE(review): verify the snippet on this host.
location ~ \.php$ {
    include /etc/nginx/snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

# Only `.ht*` is refused; any other dotfile or dot-directory under the docroot
# (`.git/`, `.env`, editor backups) is served by try_files above. A broader
# `location ~ /\.(?!well-known)` deny is the common hardening.
location ~ /\.ht {
    deny all;
    }

#location ~ (\.cgi|\.py|\.sh|\.pl|\.lua)$ {
    #gzip off;
#root /usr/share/nginx/tripwire;
    #autoindex on;
    #fastcgi_pass unix:/var/run/fcgiwrap.socket;
    #nclude /etc/nginx/fastcgi_params;
    #fastcgi_param DOCUMENT_ROOT /usr/share/nginx/tripwire;
    #fastcgi_param SCRIPT_FILENAME /usr/share/nginx/tripwire$fastcgi_script_name;
#}

# Directory listing of /usr/share/doc restricted to IPv4 loopback. The vhost also
# listens on [::]:443, so a request from ::1 is denied -- add `allow ::1;` if
# local IPv6 access is wanted.
location /doc/ {
    alias /usr/share/doc/;
    autoindex on;
    allow 127.0.0.1;
    deny all;
    }

}

}

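# Plain-HTTP listener for the apex: unconditional redirect to HTTPS. The HTTPS
# vhost above binds both 0.0.0.0:443 and [::]:443, but this block only bound the
# IPv4 wildcard, so IPv6 clients arriving on port 80 were answered by whatever
# nginx treats as the default server for [::]:80 (if anything) instead of this
# redirect. Binding [::]:80 here as well keeps the two listeners consistent;
# nginx's default ipv6only=on means it does not clash with `listen 80`.
server {
 listen 80;
 listen [::]:80;
 server_name alessandroz.pro;
 # 301 with the canonical host hard-coded rather than $host, so a forged Host
 # header cannot steer the redirect to another name.
 return 301 https://alessandroz.pro$request_uri;
 # A bodyless redirect has nothing to compress; kept as in the original.
 gzip off;
}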

E aqui está o arquivo de configuração do subdomínio:

# Maps the response Content-Type onto the value handed to `expires` in the
# server block below: `off` adds no Expires/Cache-Control, `epoch` marks HTML as
# already expired, `max` gives CSS/JS/images a far-future Expires plus a matching
# Cache-Control: max-age. Keys are exact matches unless prefixed with `~`
# (regex), so `text/html` only matches the bare type; with a `charset` configured
# the header would read `text/html; charset=...` and fall through to `off` --
# NOTE(review): confirm no charset is set elsewhere.
# This is a verbatim copy of the map in the main file; nginx loads both (the
# author reloads without error), so any change must be made in both places.
map $sent_http_content_type $expires {
default                    off;
text/html                  epoch;
text/css                   max;
application/javascript     max;
~image/                    max;
}

# HTTPS vhost for ssl.alessandroz.pro. It shares the :443 listen socket with the
# apex vhost and is selected only by SNI, so it is *not* the default server for
# that socket.
#
# Consequence (the question above): the OpenSSL connection is created from the
# default server's context, which is where the supported-groups list
# (ssl_ecdh_curve) is copied from and where the protocol version is chosen,
# both before the SNI callback lets nginx switch to this vhost. The certificate
# (and, expected but worth confirming on the scan, the cipher list) follow the
# switch; `ssl_protocols TLSv1.2` and `ssl_ecdh_curve secp384r1` below do not,
# which is why the scan shows X25519/secp521r1/secp384r1 and TLS 1.3 here. To
# actually get TLS 1.2-only with secp384r1 only, this vhost needs its own listen
# socket (a separate IP or port), or the apex's values have to be narrowed to the
# intersection. `nginx -T` shows the merged config actually loaded.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;

server_tokens off;

# Same RSA + ECDSA chains and keys as the apex vhost.
ssl_certificate /etc/nginxssl/rsa/chain2rsa.pem;
ssl_certificate_key /etc/nginxssl/rsa/rsa4096.key;

ssl_certificate /etc/nginxssl/ec/echain2.pem;
ssl_certificate_key /etc/nginxssl/ec/privkey.pem;

# Not effective for an SNI-selected vhost on a shared socket (see header).
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
# 4096-bit DH for the `AES256+EDH` suites: each DHE handshake is a 4096-bit
# exponentiation that a DHE-only client can force on every connection. Dropping
# the EDH entries leaves ECDHE only and makes the dhparam file moot.
ssl_dhparam /etc/nginx/dh4096.pem;
#ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:ECDHE-RSA-CHACHA20-POLY1305-D:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:AES256+EECDH:AES256+EDH:!aNULL;
# AES-256 only (GCM and CBC/SHA-1 variants), ECDHE or DHE key exchange, no
# ChaCha and no AES-128. OpenSSL's default strength sort puts the GCM suites
# first. Check the expansion with `openssl ciphers -v 'AES256+EECDH:AES256+EDH:!aNULL'`.
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
# Not effective here either (shared socket, see header); the scan reports the
# apex's three groups.
ssl_ecdh_curve secp384r1;
# Session tickets remain on by default with a key held until reload; without
# `ssl_session_tickets off` or rotated ticket keys, resumed sessions are only as
# forward-secret as that key.
ssl_session_cache shared:SSL:5m;
ssl_stapling on;
ssl_stapling_verify on;
# Only the RSA chain is listed for OCSP response verification while an ECDSA
# certificate is also served -- NOTE(review): confirm the EC issuer is in this
# file, otherwise stapling for the EC certificate fails verification.
ssl_trusted_certificate /etc/nginxssl/rsa/rsachain.pem;
resolver 8.8.8.8;
resolver_timeout 15s;
# `expires max` emits its own Cache-Control: max-age=...; the Cache-Control
# add_header below then appends a second, contradictory one on css/js/images.
expires $expires;   

# HPKP is ENFORCED here (it is commented out in the apex config), pinning four
# SPKI hashes for 30 days. If the key is ever rotated to something not in this
# list -- or the pins are simply wrong -- every returning visitor is locked out
# of the subdomain until their pin expires, and there is no server-side undo.
# Browsers have since dropped HPKP support entirely. Unless a tested
# backup-key procedure exists, keep only the Report-Only variant (or remove
# both); Expect-CT below gives a safer form of misissuance detection.
add_header Public-Key-Pins 'pin-sha256="f6Rrjx1PVBHit0A3FRptkrBgow9EvmViNhd3tqz5RCg="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="; pin-sha256="W64HXITqFK9CWicSLnRNMbaDL3kUwx3GKzlkJ3IVKRM="; max-age=2592000; report-uri="https://azreport.report-uri.io/r/default/hpkp/enforce"';
add_header Public-Key-Pins-Report-Only 'pin-sha256="f6Rrjx1PVBHit0A3FRptkrBgow9EvmViNhd3tqz5RCg="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="; pin-sha256="W64HXITqFK9CWicSLnRNMbaDL3kUwx3GKzlkJ3IVKRM="; max-age=2592000; report-uri="https://azreport.report-uri.io/r/default/hpkp/reportOnly"';
# All add_header lines here attach only to 2xx/3xx responses (no `always`
# flag), so error pages go out without HSTS/CSP/X-Frame-Options; a location that
# declares its own add_header would inherit none of them (none here does).
add_header Cache-Control "max-age=0; no-cache";
# The CSP nonce is a constant shared with the apex vhost and repeated on every
# response; a nonce only restricts script execution when it is unpredictable per
# response. An attacker who can inject markup copies the value and
# `'strict-dynamic'` then trusts whatever that script loads. The nonce has to be
# generated per request by whatever renders the HTML, which must also emit this
# header. The Report-Only twin carries the same policy and only doubles reports.
add_header Content-Security-Policy "default-src 'none'; upgrade-insecure-requests; block-all-mixed-content; script-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' 'strict-dynamic'; style-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' alessandroz.pro a.disquscdn.com; child-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com alessandroz.pro platform.twitter.com; frame-src fusiontables.googleusercontent.com alessandroz.pro fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; connect-src 'self' alessandroz.pro links.services.disqus.com; font-src cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self'; report-uri https://azreport.report-uri.io/r/default/csp/enforce";
add_header Content-Security-Policy-Report-Only "default-src 'none'; upgrade-insecure-requests; block-all-mixed-content; script-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' 'strict-dynamic'; style-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' alessandroz.pro a.disquscdn.com; child-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com alessandroz.pro platform.twitter.com; frame-src fusiontables.googleusercontent.com alessandroz.pro fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; connect-src 'self' alessandroz.pro links.services.disqus.com; font-src cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self'; report-uri https://azreport.report-uri.io/r/default/csp/reportOnly";
add_header X-XSS-Protection "1; mode=block";
# Sent from the subdomain too; includeSubDomains/preload are properties of the
# apex's submission, so this copy is harmless but redundant.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header P3P 'CP=This is not a P3P Security Policy. Privacy Info At: https://alessandroz.pro/privacypolicy.html';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy strict-origin-when-cross-origin; 
add_header Expect-CT "enforce; max-age=30; report-uri https://azreport.report-uri.io/r/default/ct/enforce";
add_header Accept-Ranges bytes;

# HTML is not in gzip_types, so PHP output is not compressed (which also avoids
# BREACH-style leakage of secrets embedded in pages).
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_min_length 256;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;

# This docroot is a subdirectory of the apex vhost's /usr/share/nginx/www, so
# the same files are also served as https://alessandroz.pro/ssl/... under the
# apex's (weaker) TLS policy; move it out of that tree if that is not intended.
root /usr/share/nginx/www/ssl;

location = /favicon.ico { log_not_found off; access_log off; }
location = /robots.txt {log_not_found off; access_log off; allow all; }
# DEAD: `location ^~ /` below is the longest prefix match for everything but the
# two exact matches above and `^~` suppresses regex matching, so this
# server-level regex (and `~ /.well-known`) never runs; static-file caching comes
# from `expires $expires`.
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires 365d;
        log_not_found off;
    }   

index index.php index.html index.htm index.nginx-debian.html;

server_name ssl.alessandroz.pro;


# Converts 405 (e.g. POST to a static file) into 200 serving the file; no method
# is ever refused for static content.
error_page  405     =200 $uri;

# DEAD (see above); `.well-known` is in practice served by `^~ /` via try_files.
location ~ /.well-known {
            allow all;
    }

# Catch-all; only the nested locations below are consulted.
location ^~ / {
    try_files $uri $uri/ /index.php$is_args$args;
    include  /etc/nginx/mime.types;

# Same PHP-FPM pool as the apex vhost, so both sites run with one identity.
# Debian's fastcgi-php.conf normally includes `try_files $fastcgi_script_name
# =404`, which blocks the PATH_INFO trick -- NOTE(review): verify on this host.
location ~ \.php$ {
    include /etc/nginx/snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    }

# Only `.ht*` is refused; other dotfiles/directories under the docroot (`.git/`,
# `.env`, backups) are served by try_files. A `location ~ /\.(?!well-known)`
# deny is the usual broader rule.
location ~ /\.ht {
    deny all;
    }

#location ~ (\.cgi|\.py|\.sh|\.pl|\.lua)$ {
    #gzip off;
#root /usr/share/nginx/tripwire;
    #autoindex on;
    #fastcgi_pass unix:/var/run/fcgiwrap.socket;
    #nclude /etc/nginx/fastcgi_params;
    #fastcgi_param DOCUMENT_ROOT /usr/share/nginx/tripwire;
    #fastcgi_param SCRIPT_FILENAME /usr/share/nginx/tripwire$fastcgi_script_name;
#}

# /usr/share/doc listing for IPv4 loopback only; requests from ::1 over the
# [::]:443 listener are denied unless `allow ::1;` is added.
location /doc/ {
    alias /usr/share/doc/;
    autoindex on;
    allow 127.0.0.1;
    deny all;
    }
}

}

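# Plain-HTTP listener for the subdomain: unconditional redirect to HTTPS. The
# HTTPS vhost above binds both 0.0.0.0:443 and [::]:443, but this block only
# bound the IPv4 wildcard, so IPv6 clients arriving on port 80 were answered by
# whatever nginx treats as the default server for [::]:80 (if anything) rather
# than redirected. Binding [::]:80 too keeps the listeners consistent; nginx's
# default ipv6only=on means it does not clash with `listen 80`.
server {
 listen 80;
 listen [::]:80;
 server_name ssl.alessandroz.pro;
 # Canonical host hard-coded rather than $host, so a forged Host header cannot
 # steer the redirect elsewhere.
 return 301 https://ssl.alessandroz.pro$request_uri;
 # A bodyless redirect has nothing to compress; kept as in the original.
 gzip off;
}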
    
por Alessandro Z. 17.07.2017 / 11:33
