完整 SSL 站点:Nginx 中的 SSL 协商时间和密码套件

完整 SSL 站点:Nginx 中的 SSL 协商时间和密码套件

这是我的瀑布http://www.webpagetest.org/result/140417_42_H0D/1/details/

SSL 协商花费的时间太长。

我尝试应用以下文章:http://unhandledexpression.com/2013/01/25/5-easy-tips-to-accelerate-ssl/#comment-36539

我在 SSH 中尝试了第一个命令:

openssl ciphers -v ‘ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP’

但我收到错误:

-bash: !ADH: event not found

这是我的 Nginx.conf:

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user              nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log;
#error_log  /var/log/nginx/error.log  notice;
#error_log  /var/log/nginx/error.log  info;

pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  100;

    #gzip  on;
    # enable gzip compression
gzip on;
gzip_http_version 1.1;
gzip_proxied any;
gzip_comp_level 6;
gzip_min_length  1100;
gzip_buffers  4 32k;
gzip_types    text/plain application/x-javascript text/xml text/css;
gzip_vary on;
 fastcgi_cache_path /var/cache/nginx2 levels=1:2 keys_zone=microcache:5m max_size=1000m;
    log_format cache '$remote_addr - $remote_user [$time_local] "$request" '
    '$status $upstream_cache_status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for"';

# end gzip configuration    
    # Load config files from the /etc/nginx/conf.d directory
    # The default server is in conf.d/default.conf
#    include /etc/nginx/conf.d/*.conf;
map $scheme $fastcgi_https {
    default off;
        https on;
    }

    server {
            listen 80;
            server_name blah.com;
            return 301 https://blah.com;
    }
    server {
        listen 443 default ssl;
        ssl on;
                ssl_certificate /etc/nginx/conf.d/blah.crt;
                ssl_certificate_key /etc/nginx/conf.d/blah.key;
                ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ALL:!ADH:!EXP:!LOW:!RC2:!3DES:!SEED:!RC4:+HIGH:+MEDIUM;
                #ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-RC4-SHA:
                 #           ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:RC4:HIGH:
                  #          !MD5:!aNULL:!EDH:!CAMELLIA;
                ssl_prefer_server_ciphers on;
        ssl_session_cache    shared:SSL:20m;
        ssl_session_timeout  10m;
        #ssl_protocols SSLv3 TLSv1;
         root      /blah/blah;
         index     blah;
        server_name blah;
  #server_name  _;
  location / {
#   fastcgi_param HTTPS $fastcgi_https;
    index index.html index.php;
    try_files $uri $uri/ @handler;
    expires 30d;
#   fastcgi_param HTTPS $fastcgi_https;
  }
# location ~* \.html$ {
#  expires -1;
#}

location ~* \.(css|js|gif|jpe?g|png)$ {
  expires 168h;
  add_header Pragma public;
  add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
  location ~ ^/(app|includes|lib|media/downloadable|pkginfo|report/config.xml|var)/ { internal; }
  location /var/export/ { internal; }
  location /. { return 404; }
  location @handler { rewrite / /index.php; }
  location ~* .php/ { rewrite ^(.*.php)/ $1 last; }
  location ~* .php$ {
    fastcgi_param HTTPS $fastcgi_https;
    if (!-e $request_filename) { rewrite / /index.php last; }
    expires off;
#    fastcgi_pass unix:/tmp/php5-fpm.sock;
fastcgi_pass   127.0.0.1:9000;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#    fastcgi_param MAGE_RUN_CODE default;
    fastcgi_param MAGE_RUN_TYPE store;
    include fastcgi_params;
  }
}
}

相关内容