Tinkering:
【Unresolved】Using the purchased free Alibaba Cloud SSL certificate to configure the HTTPS certificate for nginx on the server
Along the way I read a lot of posts, but their SSL configuration sections differ slightly; some parameters are not the same:
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_ciphers HIGH:!aNULL:!MD5;
ssl_protocols SSLv3 TLSv1;

ssl_ciphers HIGH:!ADH:!EXPORT56:RC4+RSA:+MEDIUM;

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
So first I went to the official nginx documentation to find out what the SSL directives mean before adding any of them.
nginx ssl
SSL testing tool:
SSL Certificate Checker – Diagnostic Tool | DigiCert.com
What I need to figure out now:
- ssl_protocols: how do I know which protocols are currently supported?
- ssl_ciphers: what value should it actually be set to?
- redirecting port 80 to HTTPS on 443 with a 301 seems to have several different forms; which one is more professional and complete?
Official template:
server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ...
}
Then rename the crt and key files to clearer, more recognisable names
and put them in a suitable location on the server:
[root@xxx cert]# ll
total 8
-rwxr-xr-x 1 root root 3675 Nov 21 14:39 www.xxx_aliyun_symantec_free_ov_ssl.crt
-rwxr-xr-x 1 root root 1679 Nov 21 14:39 www.xxx_aliyun_symantec_free_ov_ssl.key
[root@xxx cert]# pwd
/www/server/nginx/conf/cert
Note that the listing shows the .key file with mode -rwxr-xr-x, i.e. readable by every local user; a TLS private key should be readable only by the user that loads it (nginx reads it as root at startup, so mode 0600 owned by root is enough).
Then study the configuration:
Let's try:
[root@xxx cert]# nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2l  25 May 2017
TLS SNI support enabled
configure arguments: --user=www --group=www --prefix=/www/server/nginx --with-openssl=/www/server/nginx/src/openssl --add-module=/www/server/nginx/src/ngx_devel_kit --add-module=/www/server/nginx/src/lua_nginx_module --add-module=/www/server/nginx/src/ngx_cache_purge --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-http_gunzip_module --with-stream --with-stream_ssl_module --with-ipv6 --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-ld-opt=-Wl,-E
Of which the line:
TLS SNI support enabled
-> means TLS SNI is supported
"Server Name Indication (SNI) is an extension to the TLS computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate."
My current understanding is:
- to let a single server support multiple SSL protocols
- a unified mechanism, SNI, was introduced
- most browsers support SNI
- only a very few special, old browser versions do not support it, so they can be ignored
- nginx needs to support it
- whether the OpenSSL library nginx is built against supports SNI
  - passing the --enable-tlsext parameter when building nginx is enough to enable this feature
  - OpenSSL supports SNI from version 0.9.8j onward
- the "TLS SNI support enabled" line in the nginx -V output above shows that it is supported
Later I read:
and realised that SNI here is meant to solve the following case:
using SSL certificates for multiple subdomains on a single server:
- this used to cause problems
- with OpenSSL 0.9.8f+, which supports SNI, this problem no longer occurs.
Do newer nginx versions support more advanced, more secure and more complex SSL encryption?
- <= 0.7.64, 0.8.18: default protocols: SSLv2, SSLv3, and TLSv1
- >= 0.7.65, 0.8.19: default protocols: SSLv3, TLSv1, TLSv1.1, and TLSv1.2
  - TLSv1.2: requires support from the OpenSSL library
- >= 1.9.1: default protocols: TLSv1, TLSv1.1, and TLSv1.2
  - TLSv1.2: requires support from the OpenSSL library
Check the nginx version here:
[root@xxx cert]# nginx -v
nginx version: nginx/1.12.2
Only then did I notice that
nginx -V
also outputs:
nginx version: nginx/1.12.2
Then go and confirm:
【Resolved】Confirm whether nginx already supports TLSv1.3 and whether TLSv1.3 must be supported
nginx.conf
is already configured with:
worker_processes auto;
http {
    ...
Take a look:
[root@xxx cert]# openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-IDEA-CBC-MD5:KRB5-DES-CBC3-MD5:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5
Regarding:
ssl_prefer_server_ciphers on; # prefer the server's cipher order
Specifies that server ciphers should be preferred over client ciphers when using the SSLv3 and TLS protocols.
Look further at:
【Unresolved】How to force all HTTP traffic on port 80 to be redirected to HTTPS on 443 in nginx
At this point I roughly understand the meaning of the common parameters.
【Summary】
For the SSL part of HTTPS, the following configuration is currently in use:
server {
    listen 443 ssl;
    server_name www.xxx;

    ### HTTPS-related config
    keepalive_timeout 70;                       # keep-alive timeout
    ssl_certificate /www/server/nginx/conf/cert/www.xxx_aliyun_symantec_free_ov_ssl.crt;      # certificate file
    ssl_certificate_key /www/server/nginx/conf/cert/www.xxx_aliyun_symantec_free_ov_ssl.key;  # private key file
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    # ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_session_timeout 10m;                    # session timeout
    ssl_session_cache shared:SSL:10m;           # shared session cache size; size it to the site's traffic
    ssl_prefer_server_ciphers on;               # prefer the server's cipher order
    # If the whole site is HTTPS and plain HTTP is not a concern, HSTS (HTTP Strict Transport Security)
    # can be added to force browsers to use HTTPS connections
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;preload" always;
    add_header X-Frame-Options DENY;            # reduce clickjacking
    add_header X-Content-Type-Options nosniff;  # stop browsers from MIME-sniffing resource types
    add_header X-Xss-Protection 1;              # anti-XSS
}
Reposts must credit: 在路上 » 【Resolved】The logic of nginx SSL configuration and the meaning of its common parameters
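To check both the differing snippets collected at the top of the post and the summary configuration above with one tool, here is an added example (my own Python, not code from the original post or from nginx). It pulls ssl_protocols, ssl_ciphers and add_header out of a server block, flags protocol versions that are deprecated, expands the cipher string through the OpenSSL that Python itself links (just as nginx uses the OpenSSL it was built against, so the suite list is specific to the machine it runs on), and checks the Strict-Transport-Security value against the preload requirements. The two embedded server blocks are constructed samples: one mirrors the summary configuration, the other one of the weaker snippets (ssl_protocols SSLv3 TLSv1) with a short HSTS max-age.

```python
"""Lint the TLS-related directives of an nginx server block.

Added example, not nginx code and not from the original post. Assumes only the
Python standard library; the cipher expansion uses the OpenSSL this interpreter
links, so its result is specific to the machine it runs on (as nginx's is).
"""
import shlex
import ssl

# SSLv2/SSLv3 are prohibited by RFC 6176 / RFC 7568; TLS 1.0 and 1.1 are deprecated by RFC 8996.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings marking a suite as weak: RC4, MD5 MACs, single/triple DES, NULL, export grade.
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP")
PRELOAD_MIN_MAX_AGE = 31536000  # one year: the minimum hstspreload.org accepts


def parse_directives(conf):
    """Return [(name, [args, ...]), ...] for every directive in an nginx block.

    shlex drops '#' comments (so a commented-out ssl_ciphers line is ignored) and
    keeps double-quoted values whole, so the ';' inside the HSTS value does not
    end the directive early.
    """
    lex = shlex.shlex(conf, posix=True, punctuation_chars=";{}")
    lex.whitespace_split = True
    directives, current = [], []
    for tok in lex:
        if tok == ";":
            if current:
                directives.append((current[0], current[1:]))
            current = []
        elif tok in ("{", "}"):
            current = []  # the 'server {' opener and closing brace carry no directive
        else:
            current.append(tok)
    return directives


def expand_ciphers(cipher_string):
    """Expand an OpenSSL cipher-list string into the TLS<=1.2 suite names it enables
    on this machine's OpenSSL. TLS 1.3 suites are configured separately and skipped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def check_hsts(value):
    """Return the problems found in a Strict-Transport-Security header value."""
    parts = [p.strip().lower() for p in value.split(";") if p.strip()]
    max_age = next((p.split("=", 1)[1] for p in parts if p.startswith("max-age=")), None)
    problems = []
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif "preload" in parts and int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"preload requested but max-age {max_age} < {PRELOAD_MIN_MAX_AGE}")
    if "preload" in parts and "includesubdomains" not in parts:
        problems.append("preload requested but includeSubDomains missing")
    return problems


def lint(conf):
    """Summarise the TLS posture of one server block as a findings dict."""
    findings = {"deprecated_protocols": [], "weak_ciphers": [], "enabled_suites": 0,
                "hsts": ["Strict-Transport-Security header missing"]}
    for name, args in parse_directives(conf):
        if name == "ssl_protocols":
            findings["deprecated_protocols"] = [p for p in args if p in DEPRECATED_PROTOCOLS]
        elif name == "ssl_ciphers" and args:
            suites = expand_ciphers(args[0])
            findings["enabled_suites"] = len(suites)
            findings["weak_ciphers"] = [s for s in suites if any(m in s for m in WEAK_CIPHER_MARKERS)]
        elif name == "add_header" and len(args) >= 2 and args[0].lower() == "strict-transport-security":
            findings["hsts"] = check_hsts(args[1])
    return findings


# Constructed sample mirroring the post's summary configuration (paths as in the post).
SUMMARY_CONF = """
server {
    listen 443 ssl;
    server_name www.xxx;
    keepalive_timeout 70;
    ssl_certificate /www/server/nginx/conf/cert/www.xxx_aliyun_symantec_free_ov_ssl.crt;
    ssl_certificate_key /www/server/nginx/conf/cert/www.xxx_aliyun_symantec_free_ov_ssl.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    # ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;preload" always;
    add_header X-Frame-Options DENY;
}
"""

# Constructed sample mirroring one of the weaker snippets quoted at the top of the post.
LEGACY_CONF = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    add_header Strict-Transport-Security "max-age=600; preload";
}
"""

if __name__ == "__main__":
    for label, conf in (("summary", SUMMARY_CONF), ("legacy", LEGACY_CONF)):
        print(label, lint(conf))
```

Running it prints one findings dict per block. For the summary configuration the deprecated_protocols list comes back as TLSv1 and TLSv1.1, which answers the "which protocols does this actually enable" question from the configuration side; the enabled_suites count is what HIGH:!aNULL:!MD5 expands to on the local OpenSSL, the same way `openssl ciphers 'HIGH:!aNULL:!MD5'` would show it. The HSTS check treats the preload directive as a promise: once a domain is submitted for preloading it cannot be withdrawn quickly, so the one-year max-age and includeSubDomains requirements are enforced only when preload is present.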