我的 nginx 安装有问题。在主 default.conf 文件中,我启用了带有 X25519 ecdhe 曲线的 TLSv1.3,但我有一个子域不必使用该曲线。在子域配置中,我仅启用了 secp381r1,但当我在支持的命名组中使用 ssllabs 测试子域时,我看到了 default.conf 文件中启用的三条曲线。不久前也发生过同样的事情,但使用的是启用的协议!我该如何解决这个问题。我试过切换文件名,并重启了 nginx 无数次,但都没有用。我在 Ubuntu 17.04 上运行 nginx 1.13.2 和 Openssl 1.1.1-Dev。
下面是针对我的主要域进行的 ssllabs 测试: https://www.ssllabs.com/ssltest/analyze.html?d=alessandroz.pro
以下是对子域名的测试:https://www.ssllabs.com/ssltest/analyze.html?d=ssl.alessandroz.pro
以下是主要配置:
map $sent_http_content_type $expires {
default off;
text/html epoch;
text/css max;
application/javascript max;
~image/ max;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_tokens off;
ssl_certificate /etc/nginxssl/rsa/chain2rsa.pem;
ssl_certificate_key /etc/nginxssl/rsa/rsa4096.key;
ssl_certificate /etc/nginxssl/ec/echain2.pem;
ssl_certificate_key /etc/nginxssl/ec/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dh8192.pem;
ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:ECDHE-RSA-CHACHA20-POLY1305-D:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:AES256+EECDH:AES256+EDH:!aNULL;
ssl_ecdh_curve X25519:secp521r1:secp384r1;
ssl_session_cache shared:SSL:5m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginxssl/rsa/rsachain.pem;
resolver 8.8.8.8;
resolver_timeout 15s;
expires $expires;
#add_header Public-Key-Pins 'pin-sha256="f6Rrjx1PVBHit0A3FRptkrBgow9EvmViNhd3tqz5RCg=""; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="; pin-sha256="W64HXITqFK9CWicSLnRNMbaDL3kUwx3GKzlkJ3IVKRM="; max-age=2592000; report-uri="https://azreport.report-uri.io/r/default/hpkp/enforce"';
#add_header Public-Key-Pins-Report-Only 'pin-sha256="f6Rrjx1PVBHit0A3FRptkrBgow9EvmViNhd3tqz5RCg=""; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="; pin-sha256="W64HXITqFK9CWicSLnRNMbaDL3kUwx3GKzlkJ3IVKRM="; max-age=2592000; report-uri="https://azreport.report-uri.io/r/default/hpkp/reportOnly"';
add_header Cache-Control "max-age=0; no-cache";
add_header Content-Security-Policy "default-src 'none'; upgrade-insecure-requests; block-all-mixed-content; script-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' 'strict-dynamic'; style-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' alessandroz.pro a.disquscdn.com; child-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com alessandroz.pro platform.twitter.com; frame-src fusiontables.googleusercontent.com alessandroz.pro fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; connect-src 'self' alessandroz.pro links.services.disqus.com; font-src cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self'; report-uri https://azreport.report-uri.io/r/default/csp/enforce";
add_header Content-Security-Policy-Report-Only "default-src 'none'; upgrade-insecure-requests; block-all-mixed-content; script-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' 'strict-dynamic'; style-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' alessandroz.pro a.disquscdn.com; child-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com alessandroz.pro platform.twitter.com; frame-src fusiontables.googleusercontent.com alessandroz.pro fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; connect-src 'self' alessandroz.pro links.services.disqus.com; font-src cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self'; report-uri https://azreport.report-uri.io/r/default/csp/reportOnly";
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header P3P 'CP=This is not a P3P Security Policy. Privacy Info At: https://alessandroz.pro/privacypolicy.html';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy strict-origin-when-cross-origin;
add_header Expect-CT "enforce; max-age=30; report-uri https://azreport.report-uri.io/r/default/ct/enforce";
add_header Accept-Ranges bytes;
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_min_length 256;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;
root /usr/share/nginx/www;
location = /favicon.ico { log_not_found off; access_log off; }
location = /robots.txt {log_not_found off; access_log off; allow all; }
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
expires 365d;
log_not_found off;
}
index index.php index.html index.htm index.nginx-debian.html;
server_name alessandroz.pro;
error_page 405 =200 $uri;
location ~ /.well-known {
allow all;
}
location ^~ / {
try_files $uri $uri/ /index.php$is_args$args;
include /etc/nginx/mime.types;
location ~ \.php$ {
include /etc/nginx/snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}
location ~ /\.ht {
deny all;
}
#location ~ (\.cgi|\.py|\.sh|\.pl|\.lua)$ {
#gzip off;
#root /usr/share/nginx/tripwire;
#autoindex on;
#fastcgi_pass unix:/var/run/fcgiwrap.socket;
#nclude /etc/nginx/fastcgi_params;
#fastcgi_param DOCUMENT_ROOT /usr/share/nginx/tripwire;
#fastcgi_param SCRIPT_FILENAME /usr/share/nginx/tripwire$fastcgi_script_name;
#}
location /doc/ {
alias /usr/share/doc/;
autoindex on;
allow 127.0.0.1;
deny all;
}
}
}
server {
listen 80;
server_name alessandroz.pro;
return 301 https://alessandroz.pro$request_uri;
gzip off;
}
这是子域名配置文件:
map $sent_http_content_type $expires {
default off;
text/html epoch;
text/css max;
application/javascript max;
~image/ max;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_tokens off;
ssl_certificate /etc/nginxssl/rsa/chain2rsa.pem;
ssl_certificate_key /etc/nginxssl/rsa/rsa4096.key;
ssl_certificate /etc/nginxssl/ec/echain2.pem;
ssl_certificate_key /etc/nginxssl/ec/privkey.pem;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dh4096.pem;
#ssl_ciphers TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-D:ECDHE-RSA-CHACHA20-POLY1305-D:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:AES256+EECDH:AES256+EDH:!aNULL;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:5m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginxssl/rsa/rsachain.pem;
resolver 8.8.8.8;
resolver_timeout 15s;
expires $expires;
add_header Public-Key-Pins 'pin-sha256="f6Rrjx1PVBHit0A3FRptkrBgow9EvmViNhd3tqz5RCg="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="; pin-sha256="W64HXITqFK9CWicSLnRNMbaDL3kUwx3GKzlkJ3IVKRM="; max-age=2592000; report-uri="https://azreport.report-uri.io/r/default/hpkp/enforce"';
add_header Public-Key-Pins-Report-Only 'pin-sha256="f6Rrjx1PVBHit0A3FRptkrBgow9EvmViNhd3tqz5RCg="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="; pin-sha256="W64HXITqFK9CWicSLnRNMbaDL3kUwx3GKzlkJ3IVKRM="; max-age=2592000; report-uri="https://azreport.report-uri.io/r/default/hpkp/reportOnly"';
add_header Cache-Control "max-age=0; no-cache";
add_header Content-Security-Policy "default-src 'none'; upgrade-insecure-requests; block-all-mixed-content; script-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' 'strict-dynamic'; style-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' alessandroz.pro a.disquscdn.com; child-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com alessandroz.pro platform.twitter.com; frame-src fusiontables.googleusercontent.com alessandroz.pro fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; connect-src 'self' alessandroz.pro links.services.disqus.com; font-src cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self'; report-uri https://azreport.report-uri.io/r/default/csp/enforce";
add_header Content-Security-Policy-Report-Only "default-src 'none'; upgrade-insecure-requests; block-all-mixed-content; script-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' 'strict-dynamic'; style-src 'nonce-qdHVoB7kz1TPDbuu2FhkGmUbYTCh3tzY' alessandroz.pro a.disquscdn.com; child-src fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com alessandroz.pro platform.twitter.com; frame-src fusiontables.googleusercontent.com alessandroz.pro fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com; connect-src 'self' alessandroz.pro links.services.disqus.com; font-src cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self'; report-uri https://azreport.report-uri.io/r/default/csp/reportOnly";
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header P3P 'CP=This is not a P3P Security Policy. Privacy Info At: https://alessandroz.pro/privacypolicy.html';
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy strict-origin-when-cross-origin;
add_header Expect-CT "enforce; max-age=30; report-uri https://azreport.report-uri.io/r/default/ct/enforce";
add_header Accept-Ranges bytes;
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_min_length 256;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;
root /usr/share/nginx/www/ssl;
location = /favicon.ico { log_not_found off; access_log off; }
location = /robots.txt {log_not_found off; access_log off; allow all; }
location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
expires 365d;
log_not_found off;
}
index index.php index.html index.htm index.nginx-debian.html;
server_name ssl.alessandroz.pro;
error_page 405 =200 $uri;
location ~ /.well-known {
allow all;
}
location ^~ / {
try_files $uri $uri/ /index.php$is_args$args;
include /etc/nginx/mime.types;
location ~ \.php$ {
include /etc/nginx/snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
}
location ~ /\.ht {
deny all;
}
#location ~ (\.cgi|\.py|\.sh|\.pl|\.lua)$ {
#gzip off;
#root /usr/share/nginx/tripwire;
#autoindex on;
#fastcgi_pass unix:/var/run/fcgiwrap.socket;
#nclude /etc/nginx/fastcgi_params;
#fastcgi_param DOCUMENT_ROOT /usr/share/nginx/tripwire;
#fastcgi_param SCRIPT_FILENAME /usr/share/nginx/tripwire$fastcgi_script_name;
#}
location /doc/ {
alias /usr/share/doc/;
autoindex on;
allow 127.0.0.1;
deny all;
}
}
}
server {
listen 80;
server_name ssl.alessandroz.pro;
return 301 https://ssl.alessandroz.pro$request_uri;
gzip off;
}