diff --git a/content/nginx/admin-guide/load-balancer/http-load-balancer.md b/content/nginx/admin-guide/load-balancer/http-load-balancer.md
index a01b69aed..cfce044ca 100644
--- a/content/nginx/admin-guide/load-balancer/http-load-balancer.md
+++ b/content/nginx/admin-guide/load-balancer/http-load-balancer.md
@@ -427,7 +427,7 @@ http {
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/company.com.crt;
ssl_certificate_key /etc/nginx/ssl/company.com.key;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1.2 TLSv1.3;
location / {
proxy_pass https://exchange;
diff --git a/content/nginx/admin-guide/mail-proxy/mail-proxy.md b/content/nginx/admin-guide/mail-proxy/mail-proxy.md
index ab47d4813..a2f29c46d 100644
--- a/content/nginx/admin-guide/mail-proxy/mail-proxy.md
+++ b/content/nginx/admin-guide/mail-proxy/mail-proxy.md
@@ -166,7 +166,7 @@ To enable SSL/TLS for the mail proxy:
```nginx
mail {
#...
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
}
```
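Review bot: With `TLSv1.3` now enabled in this example, the `ssl_ciphers HIGH:!aNULL:!MD5;` line kept beside it no longer describes everything that can be negotiated. In OpenSSL-based builds the TLS 1.3 cipher suites are configured separately and are not restricted by this cipher string. A short comment would stop readers from assuming the list also governs TLS 1.3, for example `# ssl_ciphers applies to TLSv1.2 and earlier; TLSv1.3 suites are set separately (for example with ssl_conf_command Ciphersuites)`. The same pairing appears in the other `ssl_ciphers` and `proxy_ssl_ciphers` hunks of this commit: the second mail-proxy example, both securing-*-upstream pages, terminating-ssl-http, terminating-ssl-tcp and f5-big-ip-configuration.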
@@ -223,7 +223,7 @@ mail {
ssl on;
ssl_certificate /etc/ssl/certs/server.crt;
ssl_certificate_key /etc/ssl/certs/server.key;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
diff --git a/content/nginx/admin-guide/security-controls/securing-http-traffic-upstream.md b/content/nginx/admin-guide/security-controls/securing-http-traffic-upstream.md
index d2e353616..978bab7c5 100644
--- a/content/nginx/admin-guide/security-controls/securing-http-traffic-upstream.md
+++ b/content/nginx/admin-guide/security-controls/securing-http-traffic-upstream.md
@@ -77,7 +77,7 @@ Optionally, you can specify which SSL protocols and ciphers are used:
```nginx
location /upstream {
#...
- proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ proxy_ssl_protocols TLSv1.2 TLSv1.3;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;
}
```
@@ -133,7 +133,7 @@ http {
proxy_pass https://backend.example.com;
proxy_ssl_certificate /etc/nginx/client.pem;
proxy_ssl_certificate_key /etc/nginx/client.key;
- proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ proxy_ssl_protocols TLSv1.2 TLSv1.3;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;
proxy_ssl_trusted_certificate /etc/nginx/trusted_ca_cert.crt;
diff --git a/content/nginx/admin-guide/security-controls/securing-tcp-traffic-upstream.md b/content/nginx/admin-guide/security-controls/securing-tcp-traffic-upstream.md
index 13ec0bc3f..d40ccac1b 100644
--- a/content/nginx/admin-guide/security-controls/securing-tcp-traffic-upstream.md
+++ b/content/nginx/admin-guide/security-controls/securing-tcp-traffic-upstream.md
@@ -58,7 +58,7 @@ Optionally, specify which SSL protocols and ciphers to use:
```nginx
server {
...
- proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ proxy_ssl_protocols TLSv1.2 TLSv1.3;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;
}
```
@@ -98,7 +98,7 @@ stream {
proxy_ssl_certificate /etc/ssl/certs/backend.crt;
proxy_ssl_certificate_key /etc/ssl/certs/backend.key;
- proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ proxy_ssl_protocols TLSv1.2 TLSv1.3;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;
proxy_ssl_trusted_certificate /etc/ssl/certs/trusted_ca_cert.crt;
diff --git a/content/nginx/admin-guide/security-controls/terminating-ssl-http.md b/content/nginx/admin-guide/security-controls/terminating-ssl-http.md
index 792b7ce00..66656532d 100644
--- a/content/nginx/admin-guide/security-controls/terminating-ssl-http.md
+++ b/content/nginx/admin-guide/security-controls/terminating-ssl-http.md
@@ -22,7 +22,7 @@ server {
server_name www.example.com;
ssl_certificate www.example.com.crt;
ssl_certificate_key www.example.com.key;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
#...
}
@@ -39,10 +39,10 @@ In this case it is important to restrict access to the file. Note that although
The [ssl_protocols](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols) and [ssl_ciphers](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ciphers ) directives can be used to require that clients use only the strong versions and ciphers of SSL/TLS when establishing connections.
-Since version 1.9.1, NGINX uses these defaults:
+Since version 1.23.4, NGINX uses these defaults:
```nginx
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
```
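Review bot: The new sentence `Since version 1.23.4, NGINX uses these defaults:` looks inaccurate for the protocol list shown beneath it. As far as I know, that release only added TLSv1.3 to the default set, and TLSv1 and TLSv1.1 were removed from the defaults in a later release; please confirm the exact version against the nginx changelog. Readers on a release in between would wrongly conclude that the legacy protocols are already off and skip setting `ssl_protocols` explicitly. Consider naming the release that actually dropped TLSv1 and TLSv1.1, or rewording to `In current versions, NGINX uses these defaults:` and recommending an explicit `ssl_protocols TLSv1.2 TLSv1.3;` on older releases.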
@@ -118,7 +118,7 @@ http {
ssl_certificate www.example.com.crt;
ssl_certificate_key www.example.com.key;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
#...
}
diff --git a/content/nginx/admin-guide/security-controls/terminating-ssl-tcp.md b/content/nginx/admin-guide/security-controls/terminating-ssl-tcp.md
index bf7ab028f..af416b053 100644
--- a/content/nginx/admin-guide/security-controls/terminating-ssl-tcp.md
+++ b/content/nginx/admin-guide/security-controls/terminating-ssl-tcp.md
@@ -62,7 +62,7 @@ Additionally, the [ssl_protocols](https://nginx.org/en/docs/stream/ngx_stream_ss
```nginx
server {
#...
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
}
```
@@ -152,7 +152,7 @@ stream {
ssl_certificate /etc/ssl/certs/server.crt;
ssl_certificate_key /etc/ssl/certs/server.key;
- ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 4h;
diff --git a/content/nginx/deployment-guides/load-balance-third-party/microsoft-exchange.md b/content/nginx/deployment-guides/load-balance-third-party/microsoft-exchange.md
index bfaabc179..1c1a48769 100644
--- a/content/nginx/deployment-guides/load-balance-third-party/microsoft-exchange.md
+++ b/content/nginx/deployment-guides/load-balance-third-party/microsoft-exchange.md
@@ -475,7 +475,7 @@ The directives in the top‑level `stream` configuration block configure TCP loa
server {
listen 993;
status_zone exchange-imaps;
- proxy_pass exchange-imaps;
+ proxy_pass exchange-imaps;
}
```
@@ -488,7 +488,7 @@ The directives in the top‑level `stream` configuration block configure TCP loa
server {
listen 25; # SMTP port can be changed here (to 587, for example)
status_zone exchange-smtp;
- proxy_pass exchange-smtp;
+ proxy_pass exchange-smtp;
}
```
@@ -517,7 +517,7 @@ These directives in the top‑level `http` configuration block configure global
```nginx
# In the 'http' block
- keepalive_timeout 3h;
+ keepalive_timeout 3h;
proxy_read_timeout 3h;
```
@@ -542,7 +542,7 @@ These directives define virtual servers for HTTP and HTTPS traffic in the top‑
```nginx
# In the 'http' block
server {
- listen 443 ssl;
+ listen 443 ssl;
status_zone exchange-combined;
}
```
@@ -564,9 +564,9 @@ These directives define virtual servers for HTTP and HTTPS traffic in the top‑
```nginx
# In the 'server' block for HTTPS traffic
- ssl_certificate /etc/nginx/ssl/company.com.crt;
+ ssl_certificate /etc/nginx/ssl/company.com.crt;
ssl_certificate_key /etc/nginx/ssl/company.com.key;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1.2 TLSv1.3;
```
Directive documentation: [ssl_certificate](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate), [ssl_certificate_key](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate_key), [ssl_protocols](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols)
@@ -668,11 +668,11 @@ These directives complete the configuration for basic load balancing of Exchange
```nginx
# In the 'server' block for HTTPS traffic
location / {
- proxy_pass https://exchange;
- proxy_buffering off;
- proxy_http_version 1.1;
+ proxy_pass https://exchange;
+ proxy_buffering off;
+ proxy_http_version 1.1;
proxy_request_buffering off;
- proxy_set_header Connection "Keep-Alive";
+ proxy_set_header Connection "Keep-Alive";
}
```
@@ -730,10 +730,10 @@ http {
listen 443 ssl;
http2 on;
client_max_body_size 2G;
- ssl_certificate /etc/nginx/ssl/company.com.crt;
- ssl_certificate_key /etc/nginx/ssl/company.com.key;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- status_zone exchange-combined;
+ ssl_certificate /etc/nginx/ssl/company.com.crt;
+ ssl_certificate_key /etc/nginx/ssl/company.com.key;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ status_zone exchange-combined;
location = / {
return 301 "/owa/";
@@ -745,11 +745,11 @@ http {
}
location / {
- proxy_pass https://exchange;
- proxy_buffering off;
- proxy_http_version 1.1;
+ proxy_pass https://exchange;
+ proxy_buffering off;
+ proxy_http_version 1.1;
proxy_request_buffering off;
- proxy_set_header Connection "Keep-Alive";
+ proxy_set_header Connection "Keep-Alive";
}
}
}
@@ -780,13 +780,13 @@ stream {
server {
listen 993;
status_zone exchange-imaps;
- proxy_pass exchange-imaps;
+ proxy_pass exchange-imaps;
}
server {
listen 25; # SMTP port can be changed here (to 587, for example)
status_zone exchange-smtp;
- proxy_pass exchange-smtp;
+ proxy_pass exchange-smtp;
}
}
```
@@ -820,9 +820,6 @@ Exchange CASs interact with various applications used by clients on different ty
{{}}
-
-
-
##### Configuring Granular URL Location Control
@@ -892,9 +889,9 @@ Exchange CASs interact with various applications used by clients on different ty
```nginx
# In the 'server' block for HTTPS traffic
location / {
- proxy_pass https://exchange;
+ proxy_pass https://exchange;
proxy_http_version 1.1;
- proxy_set_header Connection "";
+ proxy_set_header Connection "";
}
```
@@ -907,9 +904,9 @@ Exchange CASs interact with various applications used by clients on different ty
location /ecp {
#allow 172.16.0.0/16; # Replace with your admin network
#deny all;
- proxy_pass https://exchange-ecp;
+ proxy_pass https://exchange-ecp;
proxy_http_version 1.1;
- proxy_set_header Connection "";
+ proxy_set_header Connection "";
}
```
@@ -920,9 +917,9 @@ Exchange CASs interact with various applications used by clients on different ty
```nginx
# In the 'server' block for HTTPS traffic
location /mapi {
- proxy_pass https://exchange-mapi;
+ proxy_pass https://exchange-mapi;
proxy_http_version 1.1;
- proxy_set_header Connection "";
+ proxy_set_header Connection "";
}
```
@@ -931,9 +928,9 @@ Exchange CASs interact with various applications used by clients on different ty
```nginx
# In the 'server' block for HTTPS traffic
location /Microsoft-Server-ActiveSync {
- proxy_pass https://exchange-activesync;
+ proxy_pass https://exchange-activesync;
proxy_http_version 1.1;
- proxy_set_header Connection "";
+ proxy_set_header Connection "";
}
```
@@ -942,9 +939,9 @@ Exchange CASs interact with various applications used by clients on different ty
```nginx
# In the 'server' block for HTTPS traffic
location /owa {
- proxy_pass https://exchange-owa;
+ proxy_pass https://exchange-owa;
proxy_http_version 1.1;
- proxy_set_header Connection "";
+ proxy_set_header Connection "";
}
```
@@ -953,11 +950,11 @@ Exchange CASs interact with various applications used by clients on different ty
```nginx
# In the 'server' block for HTTPS traffic
location /rpc/rpcproxy.dll {
- proxy_pass https://exchange-rpc;
- proxy_buffering off;
- proxy_http_version 1.1;
+ proxy_pass https://exchange-rpc;
+ proxy_buffering off;
+ proxy_http_version 1.1;
proxy_request_buffering off;
- proxy_set_header Connection "Keep-Alive";
+ proxy_set_header Connection "Keep-Alive";
}
```
@@ -1018,27 +1015,27 @@ These directives configure NGINX Plus health checks.
location /ecp {
#allow 172.16.0.0/16; # Replace with your admin network
#deny all;
- proxy_pass https://exchange-ecp;
+ proxy_pass https://exchange-ecp;
proxy_http_version 1.1;
- proxy_set_header Connection "";
- health_check uri=/ecp/healthcheck.htm interval=3s
- match=exchange-health;
+ proxy_set_header Connection "";
+ health_check uri=/ecp/healthcheck.htm interval=3s
+ match=exchange-health;
}
location /mapi {
- proxy_pass https://exchange-mapi;
+ proxy_pass https://exchange-mapi;
proxy_http_version 1.1;
- proxy_set_header Connection "";
- health_check uri=/mapi/healthcheck.htm interval=3s
- match=exchange-health;
+ proxy_set_header Connection "";
+ health_check uri=/mapi/healthcheck.htm interval=3s
+ match=exchange-health;
}
location /owa {
- proxy_pass https://exchange-owa;
+ proxy_pass https://exchange-owa;
proxy_http_version 1.1;
- proxy_set_header Connection "";
- health_check uri=/owa/healthcheck.htm interval=3s
- match=exchange-health;
+ proxy_set_header Connection "";
+ health_check uri=/owa/healthcheck.htm interval=3s
+ match=exchange-health;
}
```
@@ -1234,10 +1231,10 @@ http {
http2 on;
client_max_body_size 2G;
- ssl_certificate /etc/nginx/ssl/company.com.crt;
+ ssl_certificate /etc/nginx/ssl/company.com.crt;
ssl_certificate_key /etc/nginx/ssl/company.com.key;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- status_zone exchange-combined;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ status_zone exchange-combined;
location = / {
return 301 "/owa/";
@@ -1249,9 +1246,9 @@ http {
}
location / {
- proxy_pass https://exchange;
+ proxy_pass https://exchange;
proxy_http_version 1.1;
- proxy_set_header Connection "";
+ proxy_set_header Connection "";
}
location /ecp {
@@ -1263,43 +1260,43 @@ http {
#allow 172.16.0.0/16; # Replace with your admin network
#deny all;
- proxy_pass https://exchange-ecp;
+ proxy_pass https://exchange-ecp;
proxy_http_version 1.1;
- proxy_set_header Connection "";
- health_check uri=/ecp/healthcheck.htm interval=3s
- match=exchange-health;
+ proxy_set_header Connection "";
+ health_check uri=/ecp/healthcheck.htm interval=3s
+ match=exchange-health;
}
location /mapi {
- proxy_pass https://exchange-mapi;
+ proxy_pass https://exchange-mapi;
proxy_http_version 1.1;
- proxy_set_header Connection "";
- health_check uri=/mapi/healthcheck.htm interval=3s
- match=exchange-health;
+ proxy_set_header Connection "";
+ health_check uri=/mapi/healthcheck.htm interval=3s
+ match=exchange-health;
}
location /Microsoft-Server-ActiveSync {
- proxy_pass https://exchange-active-sync;
+ proxy_pass https://exchange-active-sync;
proxy_http_version 1.1;
- proxy_set_header Connection "";
+ proxy_set_header Connection "";
}
location /owa {
- proxy_pass https://exchange-owa;
+ proxy_pass https://exchange-owa;
proxy_http_version 1.1;
- proxy_set_header Connection "";
- health_check uri=/owa/healthcheck.htm interval=3s
- match=exchange-health;
+ proxy_set_header Connection "";
+ health_check uri=/owa/healthcheck.htm interval=3s
+ match=exchange-health;
}
location /rpc/rpcproxy.dll {
- proxy_pass https://exchange-rpc;
- proxy_buffering off;
- proxy_http_version 1.1;
- proxy_request_buffering off;
+ proxy_pass https://exchange-rpc;
+ proxy_buffering off;
+ proxy_http_version 1.1;
+ proxy_request_buffering off;
proxy_set_header Connection "Keep-Alive";
- health_check uri=/rpc/rpcproxy.dll interval=3s
- match=exchange-auth;
+ health_check uri=/rpc/rpcproxy.dll interval=3s
+ match=exchange-auth;
}
}
}
@@ -1330,13 +1327,13 @@ stream {
server {
listen 993;
status_zone exchange-imaps;
- proxy_pass exchange-imaps;
+ proxy_pass exchange-imaps;
}
server {
listen 25; # SMTP port can be changed here (to 587, for example)
status_zone exchange-smtp;
- proxy_pass exchange-smtp;
+ proxy_pass exchange-smtp;
}
}
```
@@ -1344,6 +1341,7 @@ stream {
### Revision History
+- Version 7 (June 2025) – Update for the `ssl_protocols` directive
- Version 6 (May 2024) – Update about HTTP/2 support (the [http2](https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2) directive)
- Version 5 (April 2018) – Update for NGINX Plus API (NGINX Plus R14)
- Version 4 (May 2017) – Update about HTTP/2 support (NGINX Plus Release 11 and later)
diff --git a/content/nginx/deployment-guides/migrate-hardware-adc/f5-big-ip-configuration.md b/content/nginx/deployment-guides/migrate-hardware-adc/f5-big-ip-configuration.md
index 1cc9c9455..f5e2a4dec 100644
--- a/content/nginx/deployment-guides/migrate-hardware-adc/f5-big-ip-configuration.md
+++ b/content/nginx/deployment-guides/migrate-hardware-adc/f5-big-ip-configuration.md
@@ -1,4 +1,4 @@
----
+ ---
description: Migrate load-balancing configuration from F5 BIG-IP LTM to NGINX Plus,
using our syntax conversion examples.
docs: DOCS-460
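Review bot: The new first line of the file appears to be ` ---` with leading whitespace, where the old line was `---` at column 0. Front matter is normally recognised only when the opening delimiter starts the file exactly, so the `description:` and `docs:` metadata may end up rendered as page body or fail to parse. This looks like an accidental edit that came in with the `proxy_ssl_protocols` change further down the file; restore the line to `---`.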
@@ -240,7 +240,7 @@ There are two methods for handling SSL/TLS traffic on a load balancer instance,
proxy_pass https://ssl_test_pool;
proxy_ssl_certificate /etc/nginx/ssl/client.pem;
proxy_ssl_certificate_key /etc/nginx/ssl/client.key;
- proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ proxy_ssl_protocols TLSv1.2 TLSv1.3;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;
proxy_ssl_trusted_certificate /etc/nginx/ssl/trusted_ca_cert.crt;
proxy_ssl_verify on;
diff --git a/content/nginx/fips-compliance-nginx-plus.md b/content/nginx/fips-compliance-nginx-plus.md
index 7be51a7be..52a378a44 100644
--- a/content/nginx/fips-compliance-nginx-plus.md
+++ b/content/nginx/fips-compliance-nginx-plus.md
@@ -110,7 +110,7 @@ server {
ssl_certificate /etc/nginx/ssl/test.crt;
ssl_certificate_key /etc/nginx/ssl/test.key;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_protocols TLSv1.2 TLSv1.3;
location / {
root /usr/share/nginx/html;