Home / server / Questions / 1156490
Accepted
Kendrick
Asked: 2024-03-19 13:10:21 +0800 CST

Can Nginx translate TLS 1.0 to 1.3 for clients incompatible with TLS 1.3?

  • 772

I have old appliances that either do not support TLS or only support TLS 1.0.

Can Nginx translate between these incompatible devices using only HTTP or TLS 1.0 and endpoints that use TLS 1.3?

nginx

1 Answers

  1. Best Answer

    Short and Dirty Answer:

    Yes, you can, but you should retire such old equipment. Nginx doesn't care what's beyond it, even if it is a valid or invalid SSL certificate in the Default Configuration.

    Sample Configuration:

    server {
        server_name tld.domain.it;
        access_log /var/log/nginx/tld.domain.it.access.log;
        error_log /var/log/nginx/tld.domain.it.error.log;
        listen [::]:443 ssl ;
        listen 443 SSL ;
        #Useful for the old site
        proxy_no_cache 1;
        proxy_cache_bypass 1;
        
        #For reaaaly old broken stuff, force IE-Emulation Mode (may help)
        #add_header ‘X-UA-Compatible’ ‘IE=EmulateIE7’;
        
        #Force tls1
        #proxy_ssl_protocols TLSv1

        # I prefer to log also rewrite
        rewrite_log on;
        proxy_pass                              https://127.0.0.1:12345;
        proxy_set_header                        Host $http_host;

    }

    ssl_certificate /etc/letsencrypt/live/exmaple.it/fullchain.pem; 
    ssl_certificate_key /etc/letsencrypt/live/example.it/privkey.pem; 


}

    References

    https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/ https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/ https://nginx.org/en/docs/http/ngx_http_proxy_module.html

    • 2