Tenormis's Blog

Appearance

Nginx 配置 SSL

关于 Nginx SSL 的各配置参数说明参考:ngx_http_ssl_module

关于证书的签发可以参考:使用 acme.sh 自动签发证书

配置参考示例:

Nginx
worker_processes  auto;

events {
    worker_connections  1024;
}

http {
    include             mime.types;
    default_type        application/octet-stream;

    server {
        listen       80;
        server_name  www.example.com;
        rewrite      ^(.*) https://$server_name$1 permanent;
    }

    server {
        listen       443 ssl;
        server_name  www.example.com;

        ssl_certificate             /usr/local/nginx/ssl/www.example.com.pem;
        ssl_certificate_key         /usr/local/nginx/ssl/www.example.com.key;
        ssl_ciphers                 HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers   on;
        ssl_protocols               TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_session_cache           shared:SSL:10m;
        ssl_session_timeout         10m;

        sendfile            on;
        keepalive_timeout   65;
        gzip                on;

        location / {
            root   /var/webroot/yoursitename;
            index  index.html index.htm;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}

Note

关于 ssl_ciphers HIGH:!aNULL:!MD5; 的配置项说明:

HIGHLOWEXPORT 等是一种宏,其中包含一定范围的密码算法。要获取实际的密码算法,请使用 openssl ciphers 命令,即:

Bash
$ openssl ciphers -V 'HIGH:!aNULL:!MD5'
    0x13,0x02 - TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
    0x13,0x03 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    0x13,0x01 - TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
    0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
    0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
    0x00,0xA3 - DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
    0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
    0xCC,0xA9 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
    0xCC,0xA8 - ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
    ...

由于这些宏的内容在 OpenSSL 版本之间有所不同,因此你应该在服务器系统上使用 OpenSSL 运行此命令。有关密码和宏的更多详细信息,请参见 ciphers 命令的手册页

参考链接

转载请注明作者和出处

Copyright © 2025-至今 Tenormis