From 0e63ad593ee455755e38a5a6797582873da82da3 Mon Sep 17 00:00:00 2001
From: Walter Oggioni
Date: Mon, 8 Sep 2025 04:18:27 +0800
Subject: [PATCH] fixed nginx imageTLS configuration
---
 nginx/Dockerfile | 3 ++-
 nginx/conf/nginx.conf | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
index 693161f..5a4ad87 100644
--- a/nginx/Dockerfile
+++ b/nginx/Dockerfile
@@ -91,10 +91,11 @@ RUN --mount=type=cache,target=/var/cache/apk \
 --mount=type=bind,from=build,source=/ngx_headers_more,target=/ngx_headers_more \
 --mount=type=bind,from=build,source=/ngx_brotli,target=/ngx_brotli \
 --mount=type=bind,from=build,source=/njs,target=/njs \
- --mount=type=bind,source=install.sh,target=/install.sh \
+ --mount=type=bind,source=install.sh,target=/install.sh \
 (cd nginx && sh /install.sh)
 RUN --mount=type=cache,target=/var/cache/apk apk del .install_deps
+COPY --from=build /home/luser/libressl/openssl.cnf /etc/ssl/openssl.cnf
 COPY conf/nginx.conf /etc/nginx/nginx.conf
 COPY conf/nginx.vh.no-default.conf /etc/nginx/conf.d/default.conf
diff --git a/nginx/conf/nginx.conf b/nginx/conf/nginx.conf
index d11bc55..f2064c2 100644
--- a/nginx/conf/nginx.conf
+++ b/nginx/conf/nginx.conf
@@ -40,7 +40,7 @@ http {
 keepalive_disable msie6;
- ssl_protocols TLSv1.3;
+ ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ecdh_curve X25519:P-521:P-384;
 ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-CAMELLIA256-SHA256:DHE-RSA-CAMELLIA256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA256:CAMELLIA128-SHA;
 ssl_prefer_server_ciphers on;
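Review bot: Enabling TLSv1.2 on the `ssl_protocols` line makes the unchanged `ssl_ciphers` list two lines below apply to TLS 1.2 handshakes, and that list still offers CBC-mode suites (e.g. `ECDHE-RSA-AES256-SHA`, `AES128-SHA256`) and static-RSA key exchange without forward secrecy (e.g. `AES256-GCM-SHA384`, `CAMELLIA128-SHA`). While only TLSv1.3 was enabled these entries were presumably never negotiated, so the one-line change widens the negotiable set more than it appears to. I would trim the list to ECDHE AEAD suites in the same commit: `ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;`. If the DHE entries are kept, they also depend on an `ssl_dhparam` directive, which is not visible here. The `http` block starts and ends outside the hunk.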