Had some trouble with this myself, so I thought it would be good to share my findings.
At work I'm currently managing a fairly large estate of websites. Ideally we'd have everything running TLSv1.2+, however there are various legacy applications which still require TLSv1.0 for one reason or another.
Ideally we'd either upgrade said applications to support TLSv1.2, or retire them altogether; sadly it takes some time for the gears to turn, so that isn't really an option right now.
Now the initial thought would be to just set ssl_protocols on a per server basis. You can try this, reload Nginx and notice there is no change, even though the reload prints no warning (which it really should here).
Whatever ssl_protocols Nginx sees first, regardless of server, is what is used for all servers. More precisely, at least with the Nginx and OpenSSL versions this affects, the protocol version is negotiated before the SNI server name is processed, so it is chosen against the SSL context of the default server for that listen address and port, which is the first server block for that socket unless one is marked default_server; that server's ssl_protocols therefore applies to every name on the socket. There are a few similar settings where this is the case, however they are usually flagged as such on reload; this one is not.
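The quickest way to confirm you are hitting this is to probe each name from the outside and see which versions it actually negotiates. The script below is an added example, not part of the original post or of Nginx itself; it assumes a host and port of your choosing and two server names, legacy.example.com (meant to allow TLSv1 to TLSv1.2) and modern.example.com (meant to allow TLSv1.2 only), sharing one listen socket. Note that the -tls1 and -tls1_1 flags only work if your local OpenSSL build still permits those versions, and -tls1_3 needs OpenSSL 1.1.1 or newer; otherwise the client refuses the handshake itself and the result reads "none" for a reason unrelated to the server.

```shell
#!/bin/sh
# Added example (not from the original post): probe which TLS versions each
# virtual host on a shared listen socket really negotiates. HOST, PORT and the
# server names are assumptions; set HOST (and optionally PORT) before running.

PORT="${PORT:-443}"

# Read `openssl s_client` output on stdin and print the negotiated protocol,
# or "none" when no session was established. The "Protocol :" line alone is
# not enough: on a failed handshake s_client still prints the version it
# attempted, so we also require that a cipher was actually agreed.
parse_protocol() {
    awk '
        /Cipher is \(NONE\)/ { failed = 1 }
        /^ *Protocol *:/     { proto = $3 }
        END {
            if (failed || proto == "") print "none"; else print proto
        }
    '
}

# Try one TLS version flag (-tls1, -tls1_1, -tls1_2, -tls1_3) against one SNI
# name and report what came back.
probe() {
    servername="$1"
    flag="$2"
    result=$(openssl s_client -connect "$HOST:$PORT" -servername "$servername" \
                 "$flag" </dev/null 2>&1 | parse_protocol)
    printf '%-24s %-8s -> %s\n' "$servername" "$flag" "$result"
}

# If per-server ssl_protocols were honoured, legacy.example.com would accept
# TLSv1 while modern.example.com refused it. When the default server's
# ssl_protocols wins, both names answer identically for every flag.
probe_all() {
    for name in legacy.example.com modern.example.com; do
        for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
            probe "$name" "$flag"
        done
    done
}

if [ -n "${HOST:-}" ]; then
    probe_all
fi
```

Run it as `HOST=203.0.113.10 sh probe.sh` (an assumed address) and compare the two columns of results; identical answers for both names are the symptom described above, and the name whose intended policy you see reflected is the default server for that socket.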
From my research, there are three possible solutions to this.