How to get an A grade for your SSL configuration under nginx

December 23, 2016 · Server configuration · 2,860 views

Use https://www.ssllabs.com/ssltest/ to test the security of your SSL setup, for example for vulnerabilities such as Heartbleed.

The SSL settings enabled in the nginx configuration are as follows:

[sourcecode language="plain"]listen 443 ssl http2;
ssl on;
# certificate chain and private key
ssl_certificate /usr/local/nginx/conf/ssl/www.jianqu.net.pem;
ssl_certificate_key /usr/local/nginx/conf/ssl/www.jianqu.net.key;
ssl_session_timeout 10m;
# no SSLv2/SSLv3; see the note below
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
# 2048-bit DH parameters for DHE suites (generated below)
ssl_dhparam /usr/local/nginx/conf/ssl/dhparam2048.pem;
ssl_session_tickets on;
ssl_session_ticket_key /usr/local/nginx/conf/ssl/session_ticket.key;
# ECDHE suites first, then RSA; RC4, MD5, EXPORT, NULL and anonymous suites excluded
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
ssl_session_cache builtin:1000 shared:SSL:10m;
# HSTS: two years, all subdomains, eligible for the preload list
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
# resolver used for OCSP and upstream name lookups
resolver 223.6.6.6 223.5.5.5 valid=300s;
resolver_timeout 5s;
server_name www.jianqu.net jianqu.net;[/sourcecode]

Notes:

Do not enable SSLv3 in ssl_protocols (IE6 only supports SSLv2 and SSLv3 by default). With SSLv3 enabled, the SSL Labs test will grade the site no higher than C.
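As an added example (not part of the original post), a small Python audit of the directives above against the points this page makes: no SSLv2/SSLv3, TLSv1.2 offered, server cipher preference, weak suites excluded, a dhparam file, and a long HSTS max-age. It also flags one thing a grade check does not show: a static session ticket key that is never rotated. The sample config text is constructed from the block above; the 180-day HSTS threshold is the SSL Labs A+ requirement.

```python
import re

# Constructed sample: the TLS-relevant directives from the server block above.
PAGE_CONFIG = """
listen 443 ssl http2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/nginx/conf/ssl/dhparam2048.pem;
ssl_session_tickets on;
ssl_session_ticket_key /usr/local/nginx/conf/ssl/session_ticket.key;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:AES128-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
"""

# One directive per line: name, arguments, terminating semicolon.
DIRECTIVE = re.compile(r'^\s*([A-Za-z_]+)\s+(.*?);\s*$', re.M)


def parse_directives(text):
    """Map each directive name to its argument string (a later duplicate wins)."""
    return {m.group(1): m.group(2).strip() for m in DIRECTIVE.finditer(text)}


def audit_ssl(text):
    """Return findings as strings; an empty list means every check here passed."""
    d = parse_directives(text)
    findings = []
    protos = d.get('ssl_protocols', '').split()
    for old in ('SSLv2', 'SSLv3'):
        if old in protos:
            findings.append(f'{old} enabled: SSL Labs caps the grade at C')
    if 'TLSv1.2' not in protos:
        findings.append('TLSv1.2 not offered')
    if d.get('ssl_prefer_server_ciphers') != 'on':
        findings.append('ssl_prefer_server_ciphers is not on')
    ciphers = d.get('ssl_ciphers', '').split(':')
    for weak in ('!aNULL', '!eNULL', '!EXPORT', '!RC4', '!MD5'):
        if weak not in ciphers:
            findings.append(f'ssl_ciphers does not exclude {weak[1:]}')
    if 'ssl_dhparam' not in d:
        findings.append('no ssl_dhparam: DHE suites use built-in default parameters')
    hsts = re.search(r'Strict-Transport-Security\s+"max-age=(\d+)', text)
    if not hsts:
        findings.append('no HSTS header')
    elif int(hsts.group(1)) < 180 * 24 * 3600:
        findings.append('HSTS max-age shorter than 180 days')
    # nginx never rotates a ticket key file by itself; a long-lived key weakens forward secrecy.
    if d.get('ssl_session_tickets') == 'on' and 'ssl_session_ticket_key' in d:
        findings.append('static ssl_session_ticket_key: rotate the key file regularly')
    return findings
```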

Generate /usr/local/nginx/conf/ssl/dhparam2048.pem (the file referenced by ssl_dhparam above):

Run:

[sourcecode language="plain"]# same directory as ssl_dhparam in the config
cd /usr/local/nginx/conf/ssl

# 2048-bit DH parameters; this takes a while
openssl dhparam -out dhparam2048.pem 2048[/sourcecode]

Generate session_ticket.key:

Run:

[sourcecode language="plain"]# same directory as ssl_session_ticket_key in the config
cd /usr/local/nginx/conf/ssl

# 48 random bytes, the key size nginx expects for a ticket key file
openssl rand 48 > session_ticket.key[/sourcecode]

After changing the configuration, reload nginx by running:

[sourcecode language="plain"]/usr/local/nginx/sbin/nginx -s reload[/sourcecode]

Run the test again to see whether your site now gets an A grade.

· · ·
Disclaimer: This article is by @admin and was originally published on the jianqu.net website.