Why am I still only connecting using TLS 1.0? Nginx

May 14, 2015 2.5k views
Nginx Security Configuration Management Server Optimization Linux Basics Ruby on Rails Ruby Ubuntu

I have a droplet spun up using Ubuntu 12.04.3 LTS and I have a Rails application with Unicorn running as my application server and nginx as my http server. I have my nginx conf located in /etc/nginx as follows

user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

I have my sites-enabled config set to this:

upstream unicorn {
  server unix:/tmp/unicorn.application.sock fail_timeout=0;
}

server {
  listen 80;
  server_name application.com;
  rewrite ^ https://application.com$request_uri? permanent;
}

server {
  listen 443;
  server_name application.com;
  root /home/deployer/apps/application/current/public;

  ssl on;
  ssl_certificate /etc/nginx/ssl/application.crt;
  ssl_certificate_key /etc/nginx/ssl/application.key;

  ssl_session_timeout 5m;

  ssl_protocols SSLv2 TLSv1.1 TLSv1.2 TLSv1;
  ssl_ciphers HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers on;

  location ^~ /assets/ {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
  }

  try_files $uri/index.html $uri @unicorn;
  location @unicorn {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header Host $http_host;
    proxy_redirect off;
    proxy_pass http://unicorn;
  }

  error_page 500 502 503 504 /500.html;
  client_max_body_size 4G;
  keepalive_timeout 10;
}

Yet after performing a reload (which gets no error) via service nginx reload

I still see when I connect to my web app that I am using TLSv1.0

What am I doing wrong to update the protocol used?

1 comment
Be the first one to answer this question.