网上比较好的一份SSL优化参数,记录下:

[successbox title="Nginx SSL优化代码"]

ssl on;
ssl_certificate /data/www/ssl/ssl.crt;
ssl_certificate_key /data/www/ssl/ssl.key;
ssl_trusted_certificate /data/www/ssl/trustchain.crt;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=31536000";
resolver 223.5.5.5 223.6.6.6 valid=300s;
resolver_timeout 10s;

error_page 497 https://$host$request_uri;

[/successbox]

[successbox title="生成dhparam.pem"]

我们需要生成一个更强壮的 DHE 参数:

cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096

然后告诉 nginx 将其用作 DHE 密钥交换:

ssl_dhparam /etc/ssl/certs/dhparam.pem;

[/successbox]

参数详解:

ssl on  开启SSL
ssl_certificate  对应单张证书
ssl_certificate_key  对应私钥
ssl_trusted_certificate  对应信任链(即Startcom SSL或者Positive SSL中需要附加到单张证书后面的那两张证书,可以独立出来)
ssl_protocols  支持的SSL协议标准(nginx默认参数为:ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;)
ssl_ciphers  (nginx默认参数为:ssl_ciphers HIGH:!aNULL:!MD5;)

error_page 497 https://$host$request_uri;  通过497错误将http转跳到https

参考了这两个链接:

Optimizing HTTPS on Nginx - {bjørn:johansen}
Nginx Performance Tuning for SSL - Tech Samurais
增强 nginx 的 SSL 安全性

Mozilla SSL Configuration Generator

另外,当你配置好SSL之后,可以去这个站点进行测试,看看还有没有什么的地方可以优化的

SSL 配置检查工具-配置SSL变得容易

SSL Labs 测试

标签: none

添加新评论