1、TLS问题
104743 - TLS 1.0 版协议检测 nginx使用配置选项: ssl_protocols TLSv1.2 TLSv1.3 127907 - nginx 1.9.5 < 1.16.1 / 1.17.x < 1.17.3 Multiple Vulnerabilities 150154 - nginx 0.6.x < 1.20.1 1-Byte Memory Overwrite RCE 134220 - nginx < 1.17.7 Information Disclosure 升级nginx版本为1.21.1
2、ssl问题
57582 - SSL Self-Signed Certificate
51192 - SSL Certificate Cannot Be Trusted
104743 - TLS Version 1.0 Protocol Detection
443端口处理一下
3、请求方式限制
11213 - HTTP TRACE / TRACK Methods Allowed
42873 - SSL Medium Strength Cipher Suites Supported (SWEET32)
104743 - TLS Version 1.0 Protocol Detection
所有server的location中加入限制:仅允许get、post请求 server { listen 80; server_name paytest.org.cn; rewrite ^(.*)$ https://$host$1 permanent; location / { limit_except GET POST { deny all; } } 在pve中设置了443端口允许访问的白名单
4、trace问题
11213 - HTTP TRACE / TRACK Methods Allowed
httpd的trace问题: vi /usr/local/apache/conf/httpd.conf 在尾部追加:TraceEnable off 重启httpd服务即可
5、TLS版本问题
104743 - TLS Version 1.0 Protocol Detection
# 原始配置 #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 ; # 修复配置 ssl_protocols TLSv1.2 TLSv1.3;
6、ssl算法问题
42873 - SSL Medium Strength Cipher Suites Supported (SWEET32)
iptables -I INPUT -p tcp --dport 5432 -s 124.17.5.0/24 -j ACCEPT 在nginx.conf中修改ssl的算法: ssl_ciphers HIGH:!aNULL:!MD5:!DES:!3DES;
标签:TLS,1.17,1.0,ssl,SSL,漏洞,治理,nginx From: https://www.cnblogs.com/kunyashaw/p/17502667.html