最新消息:20210816 当前crifan.com域名已被污染,为防止失联,请关注(页面右下角的)公众号

【已解决】nginx中关于ssl配置的逻辑和常见参数含义

配置 crifan 1677浏览 0评论
折腾:
【未解决】使用已购买的阿里云免费SSL证书即去服务器中配置nginx的https证书
期间,看了很多帖子,但是关于ssl部分的配置,略有不同,有些参数不太一样:
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_ciphers HIGH:!aNULL:!MD5;

       ssl_protocols  SSLv3 TLSv1; 
       ssl_ciphers  HIGH:!ADH:!EXPORT56:RC4+RSA:+MEDIUM; 

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
所以还是先去找找nginx官网中关于ssl的配置是什么意思,再去添加。
nginx ssl
Configuring HTTPS servers
Nginx 配置 HTTPS 服务器 | Aotu.io「凹凸实验室」
Nginx 配置 SSL 证书 + 搭建 HTTPS 网站教程 – Chen Jian – 博客园
Nginx+Https配置 – 倚楼听风雨 – SegmentFault 思否
Getting Started with NGINX – Part 3: Enable TLS for HTTPS Connections
开发环境Nginx配置SSL证书启用HTTPS – 知乎
SSL测试工具:
SSL Certificate Checker – Diagnostic Tool | DigiCert.com
https://www.digicert.com/help/
现在需要搞清楚:
  • ssl_protocols:我怎么知道当前协议支持哪些?
  • ssl_ciphers:到底应该写什么值
  • 把80用301跳转到443的https,好像又不同写法,哪种更加专业和完美?
官网模板:
server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ...
}
然后再去把crt和key改名为更加清晰易识别的:
放到服务器的合适的位置:
[root@xxx cert]# ll
total 8
-rwxr-xr-x 1 root root 3675 Nov 21 14:39 www.xxx_aliyun_symantec_free_ov_ssl.crt
-rwxr-xr-x 1 root root 1679 Nov 21 14:39 www.xxx_aliyun_symantec_free_ov_ssl.key
[root@xxx cert]# pwd
/www/server/nginx/conf/cert
然后再去研究配置:
Configuring HTTPS servers
去试试:
[root@xxx cert]# nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) 
built with OpenSSL 1.0.2l  25 May 2017
TLS SNI support enabled
configure arguments: --user=www --group=www --prefix=/www/server/nginx --with-openssl=/www/server/nginx/src/openssl --add-module=/www/server/nginx/src/ngx_devel_kit --add-module=/www/server/nginx/src/lua_nginx_module --add-module=/www/server/nginx/src/ngx_cache_purge --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-http_gunzip_module --with-stream --with-stream_ssl_module --with-ipv6 --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-ld-opt=-Wl,-E
其中的:
TLS SNI support enabled
->说明是支持:TLS SNI的
Server Name Indication – Wikipedia
“Server Name Indication (SNI) is an extension to the TLS computer networking protocol[1] by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate. ”
目前的理解是:
  • 为了让单个服务器支持多种SSL协议
  • 所以出现了个统一的SNI
  • 大部分浏览器都支持SNI
    • 极个别特殊的,旧版本的浏览器才不支持,所以可以忽略
  • 需要Nginx支持
    • Nginx内置的OpenSSL库是否支持SNI
      • nginx在build时传递了–enable-tlsext参数即可实现支持此功能
      • OpenSSL 0.9.8j版本之后就支持SNI
    • 通过上面的nginx -t输出的“TLS SNI support enabled” 说明支持的
后来看了:
Nginx 配置 HTTPS 服务器 | Aotu.io「凹凸实验室」
才知道此处的SNI是用于解决:
单个服务器中,多个子域名用SSL证书:
  • 之前会出问题
  • 在支持了SNI的0.9.8f+版本的OpenSSL就支持了SNI,就不会出现此问题了。
nginx的更新的版本,支持更多更高级,更安全,更复杂的SSL加密?
  • <= 0.7.64, 0.8.18:默认协议:SSLv2, SSLv3, and TLSv1
  • >= 0.7.65, 0.8.19:默认协议:SSLv3, TLSv1, TLSv1.1, and TLSv1.2
    • TLSv1.2:需要OpenSSL库的支持
  • >= 1.9.1:默认协议是TLSv1, TLSv1.1, and TLSv1.2
    • TLSv1.2:需要OpenSSL库的支持
去看看此处的nginx的版本:
[root@xxx cert]# nginx -v
nginx version: nginx/1.12.2
才注意到:
nginx -V
也输出了:
nginx version: nginx/1.12.2
然后再去确认:
【已解决】确认nginx是否已支持TLSv1.3以及是否要一定要支持TLSv1.3
Module ngx_http_ssl_module
nginx.conf
已经配置了:
worker_processes auto;

http
    {
    ...
关于:ssl_ciphers
去看看:
[root@xxx cert]# openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-IDEA-CBC-MD5:KRB5-DES-CBC3-MD5:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5
关于:
ssl_prefer_server_ciphers on; #优先采取服务器算法
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers
Specifies that server ciphers should be preferred over client ciphers when using the SSLv3 and TLS protocols.
再去看看:
【未解决】nginx中如何强制所有的80的http都强制转发到443的https
目前来说,大概清楚了一些常见的参数的含义了。
【总结】
目前https的ssl部分,用了如下一些配置:
server
{
    listen              443 ssl;
    server_name         www.xxx;

    ### Https Related Config
    keepalive_timeout   70; # 设置长连接

    ssl_certificate     /www/server/nginx/conf/cert/www.xxx_aliyun_symantec_free_ov_ssl.crt; # 证书文件
    ssl_certificate_key /www/server/nginx/conf/cert/www.xxx_aliyun_symantec_free_ov_ssl.key; # 私钥文件

    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    # ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

    ssl_session_timeout 10m; # 配置会话超时时间
    ssl_session_cache   shared:SSL:10m; # 配置共享会话缓存大小,视站点访问情况设定

    ssl_prefer_server_ciphers   on; #优先采取服务器算法

    # 如果是全站 HTTPS 并且不考虑 HTTP 的话,可以加入 HSTS(HTTP Strict Transport Security) ,使用 HSTS 策略强制浏览器使用 HTTPS 连接
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;preload" always;
    add_header X-Frame-Options DENY; #减少点击劫持
    add_header X-Content-Type-Options nosniff; #禁止服务器自动解析资源类型
    add_header X-Xss-Protection 1; #防XSS攻击
}

转载请注明:在路上 » 【已解决】nginx中关于ssl配置的逻辑和常见参数含义

发表我的评论
取消评论

表情

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址
80 queries in 0.196 seconds, using 22.16MB memory