Security on nginx

2016-09-28 13:01:23

Without further ado, straight to the configuration:

server {
    listen [::]:443 default_server;

    # "ssl on" was the 2016 way to enable TLS; newer nginx deprecates it in favour of "listen ... ssl"
    ssl on;
    ssl_certificate_key /etc/ssl/cert/abc.pem;
    ssl_certificate /etc/ssl/cert/abc.pem;

    # Cipher list: ephemeral ECDH/DH with AES-GCM first; anonymous, export and weak suites excluded
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    ssl_session_cache shared:SSL:50m;

    # OCSP stapling; the resolver is required so nginx can fetch OCSP responses
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout 10s;

    # Custom Diffie-Hellman parameters for DHE key exchange (generation shown below)
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Security headers: HSTS for two years, no framing, no MIME sniffing
    add_header Strict-Transport-Security max-age=63072000;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    root /var/www/;
    index index.html index.htm;
    server_name abc.org;
}

Explanation:

ssl_dhparam /etc/ssl/certs/dhparam.pem;  # nginx uses this file for DHE key exchange
To generate stronger DHE parameters:
cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096
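Before reloading, it helps to lint the server block for the settings discussed above (protocol versions, cipher entries, the deprecated "ssl on", HSTS, stapling and dhparam). The script below is an added example, not part of the original post or of nginx itself: the sample config is a constructed copy of the block above, the parser is a deliberately simple line-based one (sufficient for a single flat server block), and the thresholds (no TLS older than 1.2, HSTS of at least 180 days) are this example's assumptions reflecting current rather than 2016 guidance.

```python
"""Minimal nginx TLS-config checker (added example, not the post's or nginx's code).
Scans a flat `server { ... }` block and reports settings that weaken TLS."""
import re

# Constructed sample modelled on the server block in the post.
SAMPLE_CONFIG = """
server {
    listen [::]:443 default_server;
    ssl on;
    ssl_certificate_key /etc/ssl/cert/abc.pem;
    ssl_certificate /etc/ssl/cert/abc.pem;
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:RSA+AESGCM:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    add_header Strict-Transport-Security max-age=63072000;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    root /var/www/;
    server_name abc.org;
}
"""

# Same block with the two weak settings corrected (constructed for comparison).
HARDENED_CONFIG = SAMPLE_CONFIG.replace("ssl on;", "").replace(
    "TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2 TLSv1.3")

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = {"RC4", "3DES", "DES", "MD5", "NULL", "EXPORT", "EXP"}
MIN_HSTS_SECONDS = 15552000  # 180 days (assumed threshold)


def parse_directives(config: str):
    """Return (name, args) tuples for `name args;` lines; comments and braces are dropped."""
    directives = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line in ("{", "}") or line.endswith("{"):
            continue
        parts = line.rstrip(";").split()
        if parts:
            directives.append((parts[0], parts[1:]))
    return directives


def check_tls_config(config: str):
    """Return a sorted list of finding strings (empty list means no issues found)."""
    findings = []
    by_name = {}
    for name, args in parse_directives(config):
        by_name.setdefault(name, []).append(args)

    # 1. ssl_protocols: anything older than TLS 1.2 is flagged.
    for args in by_name.get("ssl_protocols", []):
        weak = sorted(set(args) & WEAK_PROTOCOLS)
        if weak:
            findings.append(f"ssl_protocols enables deprecated {', '.join(weak)}")

    # 2. ssl_ciphers: a positive entry (not excluded with '!') naming a weak algorithm.
    for args in by_name.get("ssl_ciphers", []):
        for entry in ":".join(args).split(":"):
            if entry.startswith("!"):
                continue
            for tok in re.split(r"[+-]", entry):
                if tok.upper() in WEAK_CIPHER_TOKENS:
                    findings.append(f"ssl_ciphers allows weak algorithm {tok} in {entry}")

    # 3. `ssl on;` is deprecated (since nginx 1.15.0); `listen 443 ssl` replaces it.
    if any(a and a[0] == "on" for a in by_name.get("ssl", [])):
        findings.append("'ssl on' is deprecated; use 'listen 443 ssl' instead")

    # 4. HSTS present with an adequate max-age; stapling needs a resolver; dhparam set.
    hsts = [a for a in by_name.get("add_header", []) if a and a[0] == "Strict-Transport-Security"]
    if not hsts:
        findings.append("missing Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", " ".join(hsts[0][1:]))
        if not m or int(m.group(1)) < MIN_HSTS_SECONDS:
            findings.append("HSTS max-age below 180 days")
    if by_name.get("ssl_stapling") and not by_name.get("resolver"):
        findings.append("ssl_stapling on but no resolver configured")
    if "ssl_dhparam" not in by_name:
        findings.append("no ssl_dhparam; nginx >= 1.11.0 offers no DHE suites without it")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in check_tls_config(cfg) or ["no findings"]:
            print("  ", finding)
```

Run against the sample, the checker reports the TLS 1.0/1.1 protocols and the deprecated "ssl on"; the hardened variant reports nothing. It is a pre-reload sanity check, not a replacement for the external SSL Labs test referenced below.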

References

SSL Labs test: go and test your site now
Strong Ciphers
Nginx SSL/TLS configuration for “A+” Qualys SSL Labs rating
Mozilla SSL Configuration Generator
