How to configure nginx for an HTTPS A+ rating


To use HTTPS you need an HTTPS certificate. There are free certificates on the Internet as well as many very cheap ones; I won't go into that here, search for one yourself. What matters is how to configure the nginx server so that it is secure enough once you have the SSL certificate. Qualys SSL Labs provides a test of a server's HTTPS security level, and a grade of A or better in that test can basically be considered secure enough.

1. Generate dhparam.pem (generation takes a long time; be patient)

openssl dhparam -out dhparam.pem 4096
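A way to confirm that the file this command wrote really contains a prime of the expected size, as an added example that is not from the original post. `openssl dhparam` writes PEM-wrapped DER of the form SEQUENCE { INTEGER p, INTEGER g }; the parser below reads that with the Python standard library only and reports the bit length of p. The embedded sample is a constructed 64-bit value used only so the script runs offline; it is not a real parameter set. Function names and the 2048-bit minimum are this example's own choices.

```python
"""Report the prime size in a dhparam.pem file (added example, not from the post)."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S
)


def _read_tlv(data: bytes, pos: int):
    """Read one DER tag/length/value at `pos`; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: the next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def parse_dh_params(pem_text: str) -> dict:
    """Return {'p': int, 'g': int, 'bits': int} from a DH PARAMETERS PEM block."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs (p, g)")
    p = int.from_bytes(p_bytes, "big", signed=True)
    g = int.from_bytes(g_bytes, "big", signed=True)
    if p <= 0 or g <= 0:
        raise ValueError("p and g must be positive")
    return {"p": p, "g": g, "bits": p.bit_length()}


def dh_params_ok(pem_text: str, min_bits: int = 2048) -> bool:
    """True when the parameter prime is at least `min_bits` long."""
    return parse_dh_params(pem_text)["bits"] >= min_bits


# Constructed sample for offline demonstration: a 64-bit p and g = 2, hand-encoded
# as DER. This is NOT a safe prime and must never be used as real parameters.
SAMPLE_DER = bytes.fromhex("300e020900ffffffffffffffc5020102")
SAMPLE_PEM = (
    "-----BEGIN DH PARAMETERS-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END DH PARAMETERS-----\n"
)

if __name__ == "__main__":
    import sys
    # Usage: python check_dhparam.py /home/ssl/dhparam.pem (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    info = parse_dh_params(text)
    verdict = "OK" if dh_params_ok(text) else "TOO SMALL"
    print(f"p is {info['bits']} bits, g = {info['g']}: {verdict} (want >= 2048)")
```

Run it against the real file (`python check_dhparam.py /home/ssl/dhparam.pem`) and expect 4096 bits for the command above; the same structure is what `openssl dhparam -in dhparam.pem -text -noout` prints in human-readable form.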

2. Protocol and cipher selection. The cipher choice is the critical part; the cipher list in this configuration supports most browsers, but not XP/IE6.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
ssl_prefer_server_ciphers on;
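The cipher string above is long enough that it is worth checking what it actually contains. The script below is an added example, not code from the original post: it splits the colon-separated OpenSSL cipher string into explicit suite names, aliases (AES, CAMELLIA) and modifiers (!RC4 and friends), classifies each named suite from its OpenSSL name (key exchange, bulk cipher, AEAD or not), and lists the suites that lack forward secrecy or use 3DES. The name-based classification is this example's own heuristic over OpenSSL naming; `expand_with_local_openssl()` asks the OpenSSL linked into Python what the string really expands to, which is what an nginx on the same machine would offer.

```python
"""Analyse an OpenSSL cipher string such as the nginx ssl_ciphers value above."""
import re
import ssl

# ssl_ciphers value from the post, verbatim.
CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:"
    "!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
)


def split_cipher_string(cipher_string: str):
    """Return (named_suites, aliases, modifiers) in the order they appear."""
    named, aliases, modifiers = [], [], []
    for tok in cipher_string.split(":"):
        tok = tok.strip()
        if not tok:
            continue
        if tok[0] in "!-+":                       # OpenSSL removal / reordering modifiers
            modifiers.append(tok)
        elif tok.startswith("@") or "-" not in tok:
            aliases.append(tok)                   # keywords such as AES, CAMELLIA, HIGH, @STRENGTH
        else:
            named.append(tok)
    return named, aliases, modifiers


def classify(suite: str) -> dict:
    """Describe one suite from its OpenSSL name (heuristic assumed by this example)."""
    if suite.startswith("ECDHE-"):
        kx = "ECDHE"
    elif suite.startswith(("DHE-", "EDH-")):
        kx = "DHE"
    else:
        kx = "RSA"                                # static RSA key transport: no forward secrecy
    if "DES-CBC3" in suite:
        bulk = "3DES"
    else:
        m = re.search(r"(AES|CAMELLIA|CHACHA20)(\d*)", suite)
        bulk = (m.group(1) + m.group(2)) if m else "other"
    aead = any(x in suite for x in ("GCM", "CCM", "CHACHA20"))
    return {"name": suite, "kx": kx, "forward_secrecy": kx != "RSA",
            "bulk": bulk, "aead": aead}


def analyse(cipher_string: str) -> dict:
    """Summarise the explicit suites in the string, flagging the weaker ones."""
    named, aliases, modifiers = split_cipher_string(cipher_string)
    info = [classify(s) for s in named]
    return {
        "named": len(named),
        "aliases": aliases,
        "modifiers": len(modifiers),
        "forward_secret": [c["name"] for c in info if c["forward_secrecy"]],
        "no_forward_secrecy": [c["name"] for c in info if not c["forward_secrecy"]],
        "aead": [c["name"] for c in info if c["aead"]],
        "triple_des": [c["name"] for c in info if c["bulk"] == "3DES"],
    }


def expand_with_local_openssl(cipher_string: str) -> list:
    """Suite names the linked OpenSSL enables for this string (TLS 1.3 suites are
    listed too on builds that support them)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    summary = analyse(CIPHERS)
    print(f"{summary['named']} named suites, aliases {summary['aliases']}, "
          f"{summary['modifiers']} modifiers")
    print("forward secrecy:", len(summary["forward_secret"]))
    print("no forward secrecy:", summary["no_forward_secrecy"])
    print("AEAD:", summary["aead"])
    print("3DES:", summary["triple_des"])
    try:
        print("local OpenSSL expands to:", expand_with_local_openssl(CIPHERS))
    except ssl.SSLError as exc:
        print("local OpenSSL rejected the string:", exc)
```

Two things the summary makes visible: with `ssl_prefer_server_ciphers on` the server picks the first mutually supported entry, which is why the ECDHE GCM suites are listed first, and the tail of the list (the static-RSA suites and DES-CBC3-SHA) exists only for old clients. Qualys has tightened its grading since this post was written (offering TLS 1.0 or 1.1 now caps the grade at B), so re-run the SSL Labs test rather than trusting the list as-is.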

3. SSL session configuration

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

4. HSTS configuration. This also has a significant effect on the score, but enabling it requires the whole site to be served over HTTPS.

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
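A small checker for that header value, as an added example that is not code from the original post. `parse_hsts()` reads the value the way RFC 6797 specifies (semicolon-separated directives, case-insensitive names, `max-age` required, no directive given twice), which is why the `includeSubdomains` spelling above is accepted. `preload_problems()` applies the hstspreload.org rules as assumed by this example: a `max-age` of at least one year, `includeSubDomains`, and the `preload` token.

```python
"""Parse a Strict-Transport-Security value and check it against preload rules."""

ONE_YEAR = 31536000     # seconds; preload minimum assumed by this example
ONE_DAY = 86400

# Header value from the post, verbatim.
HEADER = "max-age=63072000; includeSubdomains; preload"


def parse_hsts(value: str) -> dict:
    """Return {'max_age': int|None, 'include_subdomains': bool, 'preload': bool}."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()           # directive names are case-insensitive
        if name in seen:                      # RFC 6797: a directive MUST NOT appear twice
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        if name == "max-age":
            val = val.strip().strip('"')      # delta-seconds, optionally quoted
            if not val.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            result["max_age"] = int(val)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        # unknown directives are ignored, as the RFC requires
    return result


def preload_problems(value: str) -> list:
    """What stops this header from meeting the preload requirements (empty list = fine)."""
    h = parse_hsts(value)
    problems = []
    if h["max_age"] is None:
        problems.append("max-age directive missing (header is invalid without it)")
    elif h["max_age"] < ONE_YEAR:
        problems.append(f"max-age {h['max_age']} is below one year ({ONE_YEAR})")
    if not h["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not h["preload"]:
        problems.append("preload token missing")
    return problems


def max_age_days(value: str) -> int:
    """Whole days a browser will pin HTTPS for this host after seeing the header."""
    max_age = parse_hsts(value)["max_age"]
    if max_age is None:
        raise ValueError("max-age directive missing")
    return max_age // ONE_DAY


if __name__ == "__main__":
    for v in (HEADER, "max-age=300", "max-age=31536000; preload"):
        p = preload_problems(v)
        print(f"{v!r}: {'preload-ready' if not p else '; '.join(p)}")
    print(f"post's value pins HTTPS for {max_age_days(HEADER)} days")
```

The value in the post pins HTTPS for 730 days, comfortably above the preload minimum. Two nginx points to keep in mind: `add_header` is inherited from the `server` block only into `location` blocks that define no `add_header` of their own, so a location that adds its own headers silently drops HSTS unless the directive is repeated there; and the header belongs only in the HTTPS server block, which is the case in the configuration below since the port 80 block only redirects. The preload list also requires that HTTP redirects to HTTPS and that all subdomains are reachable over HTTPS, which no header check can verify.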

Below is my complete configuration file:

server {
    listen      80;
    server_name www.abc.com abc.com;
    return      301 https://$server_name$request_uri;
}

server {
    listen      443 ssl;    # "listen ... ssl" replaces the deprecated "ssl on;" directive
    server_name abc.com www.abc.com;

    ssl_certificate     /home/ssl/abc_com.crt;
    ssl_certificate_key /home/ssl/abc_com.key;
    ssl_dhparam         /home/ssl/dhparam.pem;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

    # Redirect every other host name to the canonical www.abc.com. The name compared
    # here must be the canonical one, otherwise every request is redirected in a loop.
    if ($host != 'www.abc.com') {
        rewrite ^/(.*)$ https://www.abc.com/$1 permanent;
    }

    index index.html index.htm index.php default.html default.htm default.php;
    root  /home/wwwroot/abccom;

    include none.conf;

    location ~ [^/]\.php(/|$) {
        # comment try_files $uri =404; to enable pathinfo
        try_files $uri =404;
        fastcgi_pass  unix:/tmp/php-cgi.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
        #include pathinfo.conf;
    }

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 30d;
    }

    # No "?" after the (js|css) group: with it the pattern also matches any URI ending in a dot.
    location ~ .*\.(js|css)$ {
        expires 12h;
    }

    access_log off;
}

Once the configuration is in place, you can test it here: https://www.ssllabs.com/ssltest/
