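Vulnerability scan result:
Severity: Medium
Vulnerability: Weak SSL Version (SSLv2, SSL v3, TLS v1.0 and TLS v1.1), SSL Weak Cipher Suites Supported
The cause of this vulnerability is simply that the SSL version is too low.
After checking my own architecture, I found that the problem was in nginx, so I adjusted the SSL version in nginx. For the SSL configuration of different nginx versions, see: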
https://ssl-config.mozilla.org/#server=nginx&version=1.19.8&config=intermediate&openssl=1.1.1d&guideline=5.6
My version is 1.19, and the configuration is as follows:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name xxxx.xxxx.com;
    if ($http_user_agent ~* (Scrapy|Curl|HttpClient)) {
        return 403;
    }
    if ($http_user_agent ~ "FeedDemon|JikeSpider|Indy Library|Alexa Toolbar|AskTbFXTV|AhrefsBot|CrawlDaddy|CoolpadWebkit|Java|Feedly|UniversalFeedParser|ApacheBench|Microsoft URL Control|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|lightDeckReports Bo
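
To confirm that an nginx configuration no longer enables what the scanner reported, the following added example (not code from the original post) checks ssl_protocols and ssl_ciphers in a configuration text. The sample configurations, the weak-cipher marker list and the nginx 1.19 default protocol list are assumptions made for the example.

```python
import re

# Protocol names as written in nginx's ssl_protocols directive.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumption: with no ssl_protocols directive, nginx 1.19 enables these.
DEFAULT_PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2"]
# Assumption: substrings of OpenSSL cipher names that scanners report as weak.
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "MD5", "NULL", "EXP")

def directive_args(conf, name):
    """Argument lists of every `name ...;` directive (comments ignored)."""
    conf = re.sub(r"#[^\n]*", "", conf)
    # The lookbehind keeps proxy_ssl_protocols from matching ssl_protocols.
    pattern = rf"(?<![\w$]){name}\s+([^;]+);"
    return [m.group(1).split() for m in re.finditer(pattern, conf)]

def audit(conf):
    """Return a list of findings for one nginx configuration text."""
    findings = []
    protocol_sets = directive_args(conf, "ssl_protocols")
    if not protocol_sets:
        findings.append("ssl_protocols not set, defaults apply")
        protocol_sets = [DEFAULT_PROTOCOLS]
    for args in protocol_sets:
        weak = sorted(WEAK_PROTOCOLS.intersection(args))
        if weak:
            findings.append("weak protocols: " + " ".join(weak))
    for args in directive_args(conf, "ssl_ciphers"):
        suites = "".join(args).strip("'\"").split(":")
        # Entries starting with ! or - remove ciphers, so they are skipped.
        weak = [s for s in suites if s and s[0] not in "!-"
                and any(m in s.upper() for m in WEAK_CIPHER_MARKERS)]
        if weak:
            findings.append("weak ciphers: " + " ".join(weak))
    return findings

# Constructed sample inputs, not taken from the original page.
BEFORE = """server {
    listen 443 ssl http2;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # legacy clients
    ssl_ciphers HIGH:RC4-SHA:DES-CBC3-SHA:!aNULL:!MD5;
}"""
AFTER = """server {
    listen 443 ssl http2;
    proxy_ssl_protocols TLSv1 TLSv1.2;  # upstream side, not audited here
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305;
}"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(conf) or "no weak protocol or cipher found")
```

A clean result only covers the configuration text; rerun the scanner after reloading nginx to confirm what the listener actually negotiates.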