网上比较好的一份SSL优化参数,记录下:
ssl on;
ssl_certificate /data/www/ssl/ssl.crt;
ssl_certificate_key /data/www/ssl/ssl.key;
ssl_trusted_certificate /data/www/ssl/trustchain.crt;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=31536000";
resolver 223.5.5.5 223.6.6.6 valid=300s;
resolver_timeout 10s;
error_page 497 https://$host$request_uri;
我们需要生成一个更强壮的 DHE 参数:
cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096
然后告诉 nginx 将其用作 DHE 密钥交换:
ssl_dhparam /etc/ssl/certs/dhparam.pem;
参数详解:
ssl on 开启SSL
ssl_certificate 对应单张证书
ssl_certificate_key 对应私钥
ssl_trusted_certificate 对应信任链(即Startcom SSL或者Positive SSL中需要附加到单张证书后面的那两张证书,可以独立出来)
ssl_protocols 支持的SSL协议标准(nginx默认参数为:ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;)
ssl_ciphers (nginx默认参数为:ssl_ciphers HIGH:!aNULL:!MD5;)error_page 497 https://$host$request_uri; 通过497错误将http转跳到https
参考了这两个链接:
《Optimizing HTTPS on Nginx - {bjørn:johansen}》
《Nginx Performance Tuning for SSL - Tech Samurais》
《增强 nginx 的 SSL 安全性》
Mozilla SSL Configuration Generator
另外,当你配置好SSL之后,可以去这个站点进行测试,看看还有没有什么的地方可以优化的
文章评论