proxy_ssl_protocols

The proxy_ssl_protocols directive specifies the SSL/TLS protocols that are accepted when establishing a secure connection to a proxied server.

Syntax: proxy_ssl_protocols protocol1 [protocol2 ...];
Default: TLSv1 TLSv1.1 TLSv1.2
Context: http, server, location
Arguments: 1+

Description

The proxy_ssl_protocols directive defines which versions of the SSL and TLS protocols NGINX will accept when it connects to a proxied backend server over a secure channel. The list can name several versions, such as TLSv1, TLSv1.1, and TLSv1.2 (or later versions). By listing only secure versions, administrators keep the communication with upstream servers within the required security standards.

This directive can be placed in the http, server, and location contexts, which gives flexibility in configuration. For example, an NGINX server that fronts multiple applications on different servers can enforce distinct SSL/TLS protocol versions based on each application's requirements. As newer versions of SSL/TLS are released, it is considered good practice to deprecate older, less secure versions to protect sensitive data. The arguments to this directive are a list of SSL/TLS protocol versions; at least one must be given, and omitting the list makes the configuration invalid.

Config Example

location /secure {
    proxy_pass https://backend.example.com;
    proxy_ssl_protocols TLSv1.2;  # Only allow TLSv1.2 for backend connections
}

Specifying outdated or insecure protocols may expose your application to vulnerabilities.

The accepted protocols must be supported by both NGINX and the upstream server; otherwise, secure connections may fail.

This directive is only effective when SSL/TLS is configured for proxying.

Ensure that you restart or reload NGINX after changes for them to take effect.
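One way to check a configuration for the risk noted above is to resolve the protocol list actually in effect for each https proxy_pass, including values inherited from an enclosing http or server block. The following Python audit is an added example, not NGINX's own code. The names parse, audit, LEGACY and PAGE_DEFAULT are hypothetical, the fallback default is the one listed on this page, and treating SSLv2, SSLv3, TLSv1 and TLSv1.1 as legacy is this example's policy.

```python
import re

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Default as listed on this page; pass default=... if your NGINX build differs.
PAGE_DEFAULT = ("TLSv1", "TLSv1.1", "TLSv1.2")

def parse(text):
    """Build a tree of blocks: own protocol list (or None) and https proxy_pass lines."""
    # Strip comments, keeping newlines so line numbers hold (quoted '#;{}' not handled).
    text = "\n".join(l.split("#", 1)[0] for l in text.split("\n"))
    root = {"protos": None, "https": [], "kids": []}
    stack = [root]
    for m in re.finditer(r"([^;{}]*)([;{}])", text):
        words, end = m.group(1).split(), m.group(2)
        if end == "{":
            stack[-1]["kids"].append({"protos": None, "https": [], "kids": []})
            stack.append(stack[-1]["kids"][-1])
        elif end == "}":
            if len(stack) > 1:
                stack.pop()
        elif words[:1] == ["proxy_ssl_protocols"]:
            stack[-1]["protos"] = words[1:]
        elif words[:1] == ["proxy_pass"] and words[-1].startswith("https://"):
            stack[-1]["https"].append(text.count("\n", 0, m.start(2)) + 1)
    return root

def audit(text, default=PAGE_DEFAULT):
    """Return sorted (line, legacy) for each https proxy_pass with a legacy protocol in effect."""
    findings = []
    def walk(node, inherited):
        # A block without its own directive inherits the enclosing level's list.
        protos = node["protos"] if node["protos"] is not None else inherited
        legacy = [p for p in protos if p in LEGACY]
        if legacy:
            findings.extend((line, legacy) for line in node["https"])
        for kid in node["kids"]:
            walk(kid, protos)
    walk(parse(text), list(default))
    return sorted(findings)

# Constructed sample configuration; old.example.com is a placeholder host.
SAMPLE = """http {
  proxy_ssl_protocols TLSv1.2;
  server {
    location /secure { proxy_pass https://backend.example.com; }
    location /legacy { proxy_ssl_protocols TLSv1 TLSv1.2;
                       proxy_pass https://old.example.com; }
  }
}"""
```

Calling audit(SAMPLE) reports only the /legacy location, because /secure inherits TLSv1.2 from the http block. Running it over the full configuration dump from nginx -T covers included files as well.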
