пре 6 година · a031b55710
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -65,6 +65,7 @@ All notable changes to this project will be documented in this file.
 
				 - Fixed lograte bug and cleans up the messed up nginx/apache2 log permissions.
			
 
				 - Fixed IfModule mpm_itk.c for apache2 templates.
			
 
				 - Added mpm_itk for Deb10 single php installation only.
			
 
				+- Hardening nginx configuration, drop TLSv1.1 support.
			
 
				 
			
 
				 ## [1.0.6] - 2019-09-24 - Hotfix
			
 
				 ### Bugfixes
			
--- a/install/deb/nginx/nginx.conf
+++ b/install/deb/nginx/nginx.conf
@@ -106,7 +106,7 @@ http {
 
				     ssl_session_cache   shared:SSL:20m;
			
 
				     ssl_session_timeout 60m;
			
 
				     ssl_buffer_size     1400;
			
 
				-    ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
			
 
				+    ssl_protocols       TLSv1.2 TLSv1.3;
			
 
				     ssl_prefer_server_ciphers on;
			
 
				     ssl_ciphers         "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
			
 
				     ssl_dhparam         /etc/ssl/dhparam.pem;
			
--- a/install/upgrade/versions/latest.sh
+++ b/install/upgrade/versions/latest.sh
@@ -151,6 +151,15 @@ if [ -e "/etc/mysql/my.cnf" ]; then
 
				     fi
			
 
				 fi
			
 
				 
			
 
				+# Hardening nginx configuration, drop TLSv1.1 support.
			
 
				+if [ -e "/etc/nginx/nginx.conf" ]; then
			
 
				+    nginx_tls_check=$(grep TLSv1.1 /etc/nginx/nginx.conf)
			
 
				+    if [ ! -z "$nginx_tls_check" ]; then
			
 
				+        echo "(*) Hardening nginx configuration, drop TLSv1.1 support..."
			
 
				+        sed -i 's/TLSv1.1 //g' /etc/nginx/nginx.conf
			
 
				+    fi
			
 
				+fi
			
 
				+
			
 
				 # Fix logrotate permission bug for nginx
			
 
				 if [ -e "/etc/logrotate/nginx" ]; then
			
 
				     sed -i "s/create 640 nginx adm/create 640/g" /etc/logrotate.d/nginx