An existing nginx ingress named nginx-proxy is running on the K8 cluster.
Now, there is a requirement from the Dev team to disable TLS 1.0, 1.1 support.
Upon searching, I could see this solution using configmap.
Do you think applying/creating a new configmap as follows to an existing nginx ingress helps me to resolve the issue?
    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: nginx-proxy
    data:
      ssl-protocols: "TLSv1.2 TLSv1.3"
Does adding a new configmap like that to an existing nginx ingress break anything? I ask because this is for the production website.
A piece of advice would be really helpful.
2 Answers
It seems ingress-nginx uses TLS 1.2 and 1.3 only by default. The snippet you added to your question can be used to enable older TLS versions – like 1.0 and 1.1.
[source]
You can check which versions of TLS (and ciphers) are enabled by issuing
replace <ingress-nginx> with your ingress IP.

You can follow this official document for disabling TLS 1.0.
You also need to update the ciphers as per the version instead of using the default one.
You can try with the above configmap.
Also, I would recommend updating the SSL/TLS cert if you are using one in the ingress.
If you are using cert-manager, please try deleting the secret which contains the SSL/TLS cert for the ingress endpoint and try getting the cert again using cert-manager.