# TLSv1.3 supported:
# if haproxy -v >= 1.8.1 && openssl -v >= 1.1.1
# if apache2 -v >= 2.4.36 && openssl -v >= 1.1.1
# if nginx -v >= 1.23.4 && openssl -v >= 1.1.1
# (the OpenSSL version that matters is the one each server binary was built
#  against and loads at runtime -- a newer openssl CLI on the box by itself
#  does not give the server TLSv1.3)
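# Print the versions the TLSv1.3 preconditions above refer to. Because those
# preconditions depend on the OpenSSL each daemon is linked against, the
# "built with" / "Built with OpenSSL" lines are shown as well, not just the
# daemon's own version string.
openssl version   # "openssl -v" is not an openssl sub-command on the releases seen here; use "version"
haproxy -v
haproxy -vv | grep -i openssl     # "Built with OpenSSL version" / "Running on OpenSSL version"
apache2 -v                        # apache2 -v does not show OpenSSL; mod_ssl logs it at startup
nginx -V 2>&1 | grep -iE '^(nginx version|built with)'   # -V (capital) prints the build-time OpenSSL; it writes to stderr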
Disable » TLSv1 » TLSv1.1
Enable » TLSv1.2 » TLSv1.3
✅ Security » Certificate » TLS » cid.chorke.org
www.cdn77.com/tls-test/result?domain=cid.chorke.org
✅ Security » Certificate » TLS » auto.loanplus.io
www.cdn77.com/tls-test/result?domain=auto.loanplus.io
✅ Security » Certificate » TLS » apix.loanplus.io
www.cdn77.com/tls-test/result?domain=apix.loanplus.io
✅ Security » Certificate » TLS » ci.finology.group
www.cdn77.com/tls-test/result?domain=ci.finology.group
✅ Security » Certificate » TLS » id.finology.group
www.cdn77.com/tls-test/result?domain=id.finology.group
✅ Security » Certificate » TLS » n8n.finology.group
www.cdn77.com/tls-test/result?domain=n8n.finology.group
✅ Security » Certificate » TLS » mail.finology.group
www.cdn77.com/tls-test/result?domain=mail.finology.group
✅ Security » Certificate » TLS » minio.finology.group
www.cdn77.com/tls-test/result?domain=minio.finology.group
✅ Security » Certificate » TLS » files.minio.finology.group
www.cdn77.com/tls-test/result?domain=files.minio.finology.group
🟥 Security » Certificate » TLS » dev-files.loanstreet.com.my
www.cdn77.com/tls-test/result?domain=dev-files.loanstreet.com.my
Enable » TLSv1.2 » TLSv1.3 » Nginx
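# Finite-field DH group from Mozilla's published list (ffdhe2048). nginx only
# consumes it when ssl_dhparam is enabled AND the cipher list contains DHE
# suites; the list below is ECDHE-only, so this file stays unused unless you
# change both.
curl -fsSL https://ssl-config.mozilla.org/ffdhe2048.txt \
    | sudo tee /etc/nginx/dhparam.pem >/dev/null

# The heredoc delimiter is quoted on purpose: nothing in the nginx config is
# meant to be shell-expanded.
cat << 'CFG' | sudo tee /etc/nginx/sites-available/academia.chorke.org >/dev/null
server {
    # "ssl" on the listen directive is what enables TLS. The separate
    # "ssl on;" directive is deprecated since nginx 1.15.0 and removed in
    # 1.25.1, so on a current build it fails "nginx -t"; it is dropped here.
    listen 443 ssl;
    server_name academia.chorke.org;

    ssl_certificate     /etc/letsencrypt/live/academia.chorke.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/academia.chorke.org/privkey.pem;

    # TLSv1 / TLSv1.1 are disabled simply by not being listed.
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;

    # With OpenSSL, ssl_ciphers governs TLS 1.2 and below only. The two TLS_*
    # entries are TLS 1.3 ciphersuite names, which the OpenSSL cipher-list
    # parser does not recognise and silently skips; TLS 1.3 therefore runs
    # with OpenSSL's default suites (AES-256-GCM, ChaCha20-Poly1305,
    # AES-128-GCM). To pin the TLS 1.3 suites, uncomment the ssl_conf_command
    # line (nginx >= 1.19.4). AES-128-GCM is the mandatory-to-implement
    # TLS 1.3 suite, so dropping it can lock out minimal clients.
    ssl_ciphers "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
    # ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
    # ssl_dhparam /etc/nginx/dhparam.pem;
    # ssl_ciphers "EECDH+AESGCM,EDH+AESGCM";

    # Not set in this file: session cache/tickets, OCSP stapling, HSTS. If you
    # rely on them they must come from the shared http{} block or a snippet.
    # -- skipped --
    error_page 500 502 503 504 /500.html;
    client_max_body_size 25M;
    keepalive_timeout 10;
}
CFG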
Enable » TLSv1.2 » TLSv1.3 » Apache
Enable » TLSv1.2 » TLSv1.3 » HAProxy
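# Bundle every Let's Encrypt lineage into the single PEM (chain followed by key)
# that HAProxy's "crt" expects, next to the lineage directory.
#
# The bundle contains the private key. Writing it through "tee" leaves it with
# the process umask (0644 under a typical 022), i.e. readable by every local
# user; it is created under umask 077 and chmod'ed 0600 instead, the chmod
# covering bundles left over from an earlier run. The whole thing runs in a
# subshell so the caller's working directory is untouched, and the cd is
# guarded: /etc/letsencrypt/live is root-only, and an unguarded cd would make
# "for d in *" walk the wrong directory.
#
# Renewal caveat: certbot replaces the files under live/ but nothing rebuilds
# these bundles, so rerun this (e.g. from a deploy hook) after each renewal or
# HAProxy keeps serving the old certificate.
(
    cd /etc/letsencrypt/live/ || exit 1
    for d in *; do
        [ -d "${d}" ] || continue
        sudo sh -c 'umask 077; cat "$1/fullchain.pem" "$1/privkey.pem" > "$1.pem" && chmod 0600 "$1.pem"' _ "${d}"
    done
)

# Build the "crt /path/a.pem crt /path/b.pem " argument run for the bind line.
# PWD resolves inside the subshell, i.e. to /etc/letsencrypt/live. Paths are
# not quoted on the bind line, so lineage names must not contain whitespace.
SSL_CRT_LIST="$(
    cd /etc/letsencrypt/live/ || exit 1
    for d in *; do
        if [ -d "${d}" ]; then
            printf 'crt %s/%s.pem ' "${PWD}" "${d}"
        fi
    done
)"

# Delimiter deliberately unquoted: ${SSL_CRT_LIST} must expand into the file.
cat << CFG | sudo tee /etc/haproxy/proxy-configs/shahed.biz-https-all.cfg >/dev/null
# ##############################################################################
# https frontend config for *.chorke.org, *.chorke.com, *.shahed.biz
# this config added by chorke academia, inc
#
# The bind line only pins the protocol range (TLSv1.2..TLSv1.3). Cipher and
# ciphersuite selection is inherited from ssl-default-bind-ciphers /
# ssl-default-bind-ciphersuites in the global section, which this file does
# not set -- review those together with this frontend.
frontend fnt_shahed_biz_ssl
    bind *:443 ssl ${SSL_CRT_LIST}alpn h2,http/1.1 ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.3
    mode http
CFG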
Enable » TLSv1.2 » TLSv1.3 » PostgreSQL
Playground
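# Probe one host with each protocol version pinned. Expected outcome:
#   -tls1 / -tls1_1  : handshake fails (the server must not offer them)
#   -tls1_2 / -tls1_3: certificate chain printed, "Protocol : TLSv1.2/1.3"
# -servername makes the SNI explicit so a front end holding many certificates
# (see the HAProxy crt list) answers for this name, not its default cert.
# Caveat: if the local OpenSSL's own config already forbids TLS 1.0/1.1
# (MinProtocol / SECLEVEL), -tls1 and -tls1_1 fail on the client side
# ("no protocols available") before anything reaches the server, so read the
# error text before concluding the server rejects them.
tls_host=cid.chorke.org
for ver in tls1 tls1_1 tls1_2 tls1_3; do
    echo "== -${ver}"
    openssl s_client "-${ver}" -servername "${tls_host}" -connect "${tls_host}:443" </dev/null
done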
# Open the cdn77 TLS report for each k8s node, one browser tab per host,
# all launched in the background with their output discarded.
for node in aa ab ac ad; do
    xdg-open "https://www.cdn77.com/tls-test/result?domain=k8s.${node}.shahed.shahed.biz" &>/dev/null &
done
References