I'd like to ask for help converting my Apache SSL configuration to the nginx style. Actually, I have already tried Googling, but
SSLEngine on
SSLCertificateKeyFile /etc/apache2/ssl/key/netlime_tk.key
SSLCertificateFile /etc/apache2/ssl/crt/www_netlime_tk.crt
SSLCertificateChainFile /etc/apache2/ssl/crt/www_netlime_tk.cer
SSLCACertificateFile /etc/apache2/ssl/crt/www_netlime_tk.cer
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!SSLv2:!SSLv3
Actually, I have already done this, but the exclusion of versions is missing from ssl_protocols, and every time I "concatenate" the chain with the certificate the SSL test sites report that it is all wrong, so I really don't want to concatenate the certificates together.
ssl_protocols TLSv1 TLSv1.1;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!SSLv2:!SSLv3;
ssl_certificate /etc/nginx/ssl/crt/www_netlime_tk.crt;
ssl_certificate_key /etc/nginx/ssl/key/netlime_tk.key;
#ssl_certificate_chain /etc/nginx/ssl/crt/www_netlime_tk.cer;
#ssl_ca_certificate /etc/nginx/ssl/crt/www_netlime_tk.cer;
Thanks :-* If you can give some technical explanation that teaches me something, please do so.
EDIT
Thanks everyone for your help and time. The final configuration that gets an "A grade" on ssllabs is
# SSL Configuration
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/nginx/ssl/crt/www_netlime_tk.crt.bundle;
ssl_certificate_key /etc/nginx/ssl/key/netlime_tk.key;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384.....very long string';
ssl_prefer_server_ciphers on;
ssl_dhparam /root/dhparams.pem;
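The symptom in the question (the test site complains as soon as the chain is concatenated, so the chain gets left out and SSL Labs reports "Chain issues: Incomplete") almost always comes down to the order or the content of the bundle. nginx treats the first PEM certificate in ssl_certificate as the server certificate, checks it against ssl_certificate_key at startup, and sends every certificate after it as the chain; the root does not belong in the file. The script below is an added example, not part of the question or of any answer: it generates a throwaway root -> intermediate -> leaf PKI with openssl (all names such as www.example.test are made up), assembles the bundle in the order nginx expects, verifies it the way a browser or SSL Labs would, and then shows the two classic mistakes, leaf only (incomplete chain) and intermediate first (key mismatch). It assumes openssl 1.1.1 or newer on PATH.

```shell
#!/usr/bin/env bash
# Added example: build an nginx ssl_certificate bundle and check it before reloading nginx.
# Everything here is generated locally; the CA names, host name and paths are made up.
set -eu

# make_test_pki DIR
# Creates a throwaway root CA, an intermediate CA and a leaf certificate for www.example.test.
make_test_pki() {
  local d="$1"
  mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > "$d/leaf.ext"

  # Root: self-signed through a CSR so the same -extfile mechanism applies to every certificate.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Test Root' \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 -sha256 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null

  # Intermediate, signed by the root (the equivalent of the .cer file in the question).
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Test Intermediate' \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -sha256 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null

  # Leaf, signed by the intermediate (the equivalent of www_netlime_tk.crt).
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" -CAcreateserial \
    -days 2 -sha256 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

# build_bundle LEAF INTERMEDIATE OUT
# Order matters: nginx uses the FIRST certificate as the server certificate and sends the
# rest as the chain. The root is deliberately not appended; clients already trust it.
build_bundle() {
  cat "$1" "$2" > "$3"
}

# key_matches_cert KEY BUNDLE
# The check nginx performs at startup: the private key must belong to the first certificate.
# openssl x509 only reads the first PEM block, exactly like nginx.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# verify_bundle BUNDLE ROOT HOSTNAME
# Splits the bundle into the first certificate (end entity) and the rest (untrusted
# intermediates) and verifies it against ROOT, the path a browser takes. Returns openssl's status.
verify_bundle() {
  local bundle="$1" root="$2" host="$3" tmp rc=0
  tmp=$(mktemp -d)
  awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} {print > (dir "/cert" n ".pem")}' "$bundle"
  : > "$tmp/untrusted.pem"
  for f in "$tmp"/cert*.pem; do
    [ "$f" = "$tmp/cert1.pem" ] || cat "$f" >> "$tmp/untrusted.pem"
  done
  if [ -s "$tmp/untrusted.pem" ]; then
    openssl verify -CAfile "$root" -untrusted "$tmp/untrusted.pem" -verify_hostname "$host" "$tmp/cert1.pem" || rc=$?
  else
    openssl verify -CAfile "$root" -verify_hostname "$host" "$tmp/cert1.pem" || rc=$?
  fi
  rm -rf "$tmp"
  return $rc
}

# Build the bundle the question wanted, then reproduce the two classic mistakes.
demo() {
  local d
  d=$(mktemp -d)
  make_test_pki "$d"
  build_bundle "$d/leaf.crt" "$d/inter.crt" "$d/bundle.pem"

  echo '== correct bundle: leaf first, then intermediate =='
  key_matches_cert "$d/leaf.key" "$d/bundle.pem" && echo 'key matches the first certificate'
  verify_bundle "$d/bundle.pem" "$d/root.crt" www.example.test

  echo '== leaf only: what SSL Labs reports as an incomplete chain =='
  verify_bundle "$d/leaf.crt" "$d/root.crt" www.example.test || true

  echo '== intermediate first: nginx refuses to start with "key values mismatch" =='
  cat "$d/inter.crt" "$d/leaf.crt" > "$d/reversed.pem"
  key_matches_cert "$d/leaf.key" "$d/reversed.pem" || echo 'key does NOT match the first certificate'
  rm -rf "$d"
}
demo
```

Run the same two checks against the real files before pointing ssl_certificate at the bundle: key_matches_cert with netlime_tk.key and the bundle, and verify_bundle with the CA's root certificate. Note that the reversed bundle still passes verify_bundle (the intermediate is a valid certificate issued by the root), which is why the key check is the one that catches a wrong order; nginx reports it as SSL_CTX_use_PrivateKey_file() failed with X509_check_private_key:key values mismatch and does not start.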
Answer 1
server_name yourhostname; #rename your hostname
ssl_certificate /usr/local/nginx/cert/server.crt;
ssl_certificate_key /usr/local/nginx/cert/server.key;
ssl_buffer_size 4K;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
add_header Strict-Transport-Security "max-age=31536000";
location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
    # Only hand existing .php files to PHP-FPM, otherwise 404 (written =404, no space).
    try_files $script_name =404;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_param PATH_INFO $path_info;
    # Use the captured script name: $fastcgi_script_name would still carry the
    # PATH_INFO suffix, and the variable needs its leading $.
    fastcgi_param SCRIPT_FILENAME $document_root$script_name;
    include fastcgi_params;
    fastcgi_param HTTPS on; #for https
}
Answer 2
The solution was:
- create a concatenation of the *.crt and *.cer files with the cat command (thanks to user Gmck)
- specify only the protocols allowed in my case, TLS v1, v1.1 and v1.2 (thanks to user Froggiz)
- add more specific ciphers (thanks to the ssllabs site)
- add dhparams for a more secure connection (thanks to the ssllabs site)
Final SSL configuration
# SSL Configuration
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/nginx/ssl/crt/www_netlime_tk.crt.bundle;
ssl_certificate_key /etc/nginx/ssl/key/netlime_tk.key;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDH.....very long string (google for full string)';
ssl_prefer_server_ciphers on;
ssl_dhparam /root/dhparams.pem;
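Both answers reach an A by offering TLS 1.0 through 1.2, a long cipher list (Answer 1's still contains 3DES and plain RSA key exchange, i.e. suites without forward secrecy) and a dhparam file. What follows is an added example, not from the question or either answer: the same server block as I would deploy it today, with the page's settings left as comments next to each replacement so the differences are visible. The host name is taken from the question's file names; the paths under /etc/nginx/ssl/, the chain_with_root.pem file and the resolver address are assumptions. It is a configuration fragment, so there is nothing to execute; check it with nginx -t before reloading.

```nginx
# Added example: hardened nginx TLS server block (not from the question or either answer).
# Host name from the question's file names; paths, chain file and resolver are assumptions.
server {
    listen 443 ssl;
    server_name www.netlime.tk;

    # Bundle = server certificate FIRST, then the intermediate(s), no root, e.g.
    #   cat www_netlime_tk.crt www_netlime_tk.cer > www_netlime_tk.crt.bundle
    ssl_certificate     /etc/nginx/ssl/crt/www_netlime_tk.crt.bundle;
    ssl_certificate_key /etc/nginx/ssl/key/netlime_tk.key;

    # Page's setting:  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996). TLSv1.3 needs nginx 1.13.0+ built against
    # OpenSSL 1.1.1+; drop it if your build is older.
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 suites: ECDHE only (forward secrecy) and AEAD only. Compared with Answer 1's list
    # this removes RSA key exchange, 3DES and every CBC suite. TLS 1.3 suites are not
    # controlled by ssl_ciphers; OpenSSL's defaults are fine.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # Every suite above is already AEAD with forward secrecy, so server ordering buys nothing.
    ssl_prefer_server_ciphers off;
    ssl_ecdh_curve X25519:prime256v1:secp384r1;

    # Page's setting:  ssl_dhparam /root/dhparams.pem;
    # Only DHE-* suites use this file; with the ECDHE-only list above it is unused, so it is
    # left commented. If you do keep DHE suites: openssl dhparam -out /etc/nginx/ssl/dhparams.pem 2048
    # ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    # Session resumption: server-side cache; tickets off unless you rotate the ticket key,
    # since a long-lived ticket key undoes forward secrecy for resumed sessions.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling. There is no ssl_ca_certificate or ssl_certificate_chain directive in nginx;
    # ssl_trusted_certificate (intermediates plus root) is what verifies the stapled response.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/crt/chain_with_root.pem;   # assumption
    resolver 127.0.0.53 valid=300s;                                  # assumption: local stub resolver
    resolver_timeout 5s;

    # Page's setting:  add_header Strict-Transport-Security "max-age=31536000";
    # 'always' sends the header on error responses too. Add includeSubDomains only once
    # every subdomain is served over HTTPS.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
}

# Plain HTTP only redirects; nothing is served in the clear.
server {
    listen 80;
    server_name www.netlime.tk;
    return 301 https://$host$request_uri;
}
```

The two settings most likely to move the SSL Labs grade are the protocol list and the removal of the non-forward-secret suites; the stapling block needs outbound DNS and HTTP from the nginx host to the CA's OCSP responder, so leave it out on an isolated server rather than ship a configuration that logs stapling errors.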