将 apache ssl 配置更改为 nginx 配置

将 apache ssl 配置更改为 nginx 配置

我想请你帮忙将我的 apache ssl 配置更改为 nginx 样式。实际上,我已经尝试过谷歌搜索,但

SSLEngine on
SSLCertificateKeyFile /etc/apache2/ssl/key/netlime_tk.key
SSLCertificateFile /etc/apache2/ssl/crt/www_netlime_tk.crt
SSLCertificateChainFile /etc/apache2/ssl/crt/www_netlime_tk.cer
SSLCACertificateFile /etc/apache2/ssl/crt/www_netlime_tk.cer
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!SSLv2:!SSLv3

实际上我已经这样做了,但是在 ssl_protools 中缺少版本的排除,而且每次我用证书做“连接”链时,ssl 测试网站都会报告这些都是错误的,所以我真的不想将证书连接在一起。

ssl_protocols TLSv1 TLSv1.1;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!SSLv2:!SSLv3;
ssl_certificate /etc/nginx/ssl/crt/www_netlime_tk.crt;
ssl_certificate_key /etc/nginx/ssl/key/netlime_tk.key;
#ssl_certificate_chain /etc/nginx/ssl/crt/www_netlime_tk.cer;
#ssl_ca_certificate /etc/nginx/ssl/crt/www_netlime_tk.cer;

谢谢:-*如果你能提供一些技术解释,可以教我一些东西,那么请这样做。

编辑

感谢大家的帮助和时间,ssllabs 上“A 级”的最终配置是

# SSL Configuration
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/nginx/ssl/crt/www_netlime_tk.crt.bundle;
ssl_certificate_key /etc/nginx/ssl/key/netlime_tk.key;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384.....very long string'
ssl_prefer_server_ciphers on;
ssl_dhparam /root/dhparams.pem;

答案1

    server_name  yourhostname;    #rename your hostname
    ssl_certificate /usr/local/nginx/cert/server.crt;
    ssl_certificate_key /usr/local/nginx/cert/server.key;
    ssl_buffer_size 4K;
    ssl_session_timeout 10m; ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    add_header Strict-Transport-Security "max-age=31536000";

    location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
            try_files $script_name = 404;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_param PATH_INFO $path_info;
            fastcgi_param SCRIPT_FILENAME document_root$fastcgi_script_name;
            include fastcgi_params;
            fastcgi_param HTTPS on;         #for https
    }

答案2

解决方案是:

  1. 使用 cat 命令创建 *.crt 和 *.cer 文件的连接(感谢用户 Gmck)
  2. 仅指定我的情况下允许的协议 TLS v1 v1.1 和 v1.2(感谢用户 Froggiz)
  3. 添加更多特定密码(感谢 ssllabs 网站)
  4. 添加 dhparams 以获得更安全的连接(感谢 ssllabs 网站)

最终 SSL 配置

# SSL Configuration
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/nginx/ssl/crt/www_netlime_tk.crt.bundle;
ssl_certificate_key /etc/nginx/ssl/key/netlime_tk.key;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDH.....very long string (google for full string)';
ssl_prefer_server_ciphers on;
ssl_dhparam /root/dhparams.pem;

相关内容