NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License
21.79k stars 2.52k forks

Last updates introduce weak SSL TLS cipher #2720

Open xofox25 opened 1 year ago

xofox25 commented 1 year ago

Describe the bug
Doing an SSL Labs (https://www.ssllabs.com) check capped the grade to B because a weak SSL cipher is accepted. I saw this with my monitoring tool (PRTG from Paessler). All my domains / subdomains managed by NPM are impacted.

Nginx Proxy Manager Version
jc21/nginx-proxy-manager:2.9.20 or jc21/nginx-proxy-manager:2.9.21

To Reproduce
Test your site with https://www.ssllabs.com/ssltest/index.html

Expected behavior
Cipher TLS 1.1 and TLS 1.0 denied


nietzscheanic commented 1 year ago

TLSv1 and TLSv1.1 aren't supported anymore since version 2.9.17 of NPM (that's a bug imo). So in combination with the invalid HSTS policy message from SSL Labs, I'm pretty sure there is something like a reverse proxy between SSL Labs and your NPM, or you're using an older version of NPM (something before 2019-05-02), or you changed your ssl-ciphers.conf, but even then the NPM version has to be something < 2.9.17.

xofox25 commented 1 year ago

I haven't changed anything on my conf. Just have this issue after a watchtower process update.

To retrieve my A+ grade, I found a workaround: using the file _forced_ssl.conf with the following content:

{% if certificate and certificate_id > 0 -%}
{% if ssl_forced == 1 or ssl_forced == true %}
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
{% endif %}
{% endif %}

and adding it as a volume in the docker-compose.yml

Finally, I just needed to make a change in the certificate tab of the proxy host to be OK.

nietzscheanic commented 1 year ago

pull request https://github.com/NginxProxyManager/nginx-proxy-manager/pull/2932

github-actions[bot] commented 7 months ago

Issue is now considered stale. If you want to keep it open, please comment :+1:

enekux commented 6 months ago

We have recently detected the same issue, but none of the workarounds helped us. Finally, the cause of the problem was with CloudFlare, and after following the steps in the following article, we got the A+ rating:

https://servebolt.com/help/technical-resources/how-to-get-an-a-rating-with-cloudflare-ssl/

Thanks and regards,