Nginx的SSL证书安全与兼容性设置

禁用 SSLv2 和 SSLv3

这两个协议都是不安全的, 我们应该在服务器上禁用这两个协议。添加一下代码到网站的配置文件, lnmp的网站配置文件位于 /usr/local/nginx/conf/vhost 目录

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

使用安全的Cipher Suite

将以下代码放在网站的配置文件里面

ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

以上设置不支持Winxp/IE6 ,如果你想网站同时Winxp/IE6的话可以使用使用以下的Cipher Suite

ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

额外的安全设置,请添加如下代码

ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

 

Forward Secrecy & Diffie Hellman Ephemeral Parameters
运行以下代码,这段代码运行的时间会比较长,请耐心等待

cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096

然后在nginx的网站配置文件中加入如下代码

ssl_dhparam /etc/ssl/certs/dhparam.pem;

 

添加以上代码后的网址配置文件大致如下

server
    {
        listen 443 ssl http2;
        server_name www.sslaaa.com sslaaa.com;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /home/wwwroot/sslaaa.com;
 
        ssl on;
        ssl_certificate cheapssl.crt;
        ssl_certificate_key cheapssl.key;
 
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
 
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
 
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
 
......
 
}

 

 

 

 

nginx