【已解决】nginx中关于ssl配置的逻辑和常见参数含义

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_ciphers HIGH:!aNULL:!MD5;

       ssl_protocols  SSLv3 TLSv1; 
       ssl_ciphers  HIGH:!ADH:!EXPORT56:RC4+RSA:+MEDIUM; 

ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

• ssl_protocols：我怎么知道当前协议支持哪些？
• ssl_ciphers：到底应该写什么值
• 把80用301跳转到443的https，好像又不同写法，哪种更加专业和完美？

server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ...
}

• www.xxx_aliyun_symantec_free_ov_ssl.crt
• www.xxx_aliyun_symantec_free_ov_ssl.key

[root@xxx cert]# ll
total 8
-rwxr-xr-x 1 root root 3675 Nov 21 14:39 www.xxx_aliyun_symantec_free_ov_ssl.crt
-rwxr-xr-x 1 root root 1679 Nov 21 14:39 www.xxx_aliyun_symantec_free_ov_ssl.key
[root@xxx cert]# pwd
/www/server/nginx/conf/cert

[root@xxx cert]# nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) 
built with OpenSSL 1.0.2l  25 May 2017
TLS SNI support enabled
configure arguments: --user=www --group=www --prefix=/www/server/nginx --with-openssl=/www/server/nginx/src/openssl --add-module=/www/server/nginx/src/ngx_devel_kit --add-module=/www/server/nginx/src/lua_nginx_module --add-module=/www/server/nginx/src/ngx_cache_purge --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-http_gunzip_module --with-stream --with-stream_ssl_module --with-ipv6 --with-http_sub_module --with-http_flv_module --with-http_addition_module --with-http_realip_module --with-http_mp4_module --with-ld-opt=-Wl,-E

• 为了让单个服务器支持多种SSL协议
• 所以出现了个统一的SNI
• 大部分浏览器都支持SNI
• 极个别特殊的，旧版本的浏览器才不支持，所以可以忽略
• 需要Nginx支持
• Nginx内置的OpenSSL库是否支持SNI
• nginx在build时传递了–enable-tlsext参数即可实现支持此功能
• OpenSSL 0.9.8j版本之后就支持SNI
• 通过上面的nginx -t输出的“TLS SNI support enabled” 说明支持的

• 之前会出问题
• 在支持了SNI的0.9.8f+版本的OpenSSL就支持了SNI，就不会出现此问题了。

• <= 0.7.64, 0.8.18：默认协议：SSLv2, SSLv3, and TLSv1
• >= 0.7.65, 0.8.19：默认协议：SSLv3, TLSv1, TLSv1.1, and TLSv1.2
• TLSv1.2：需要OpenSSL库的支持
• >= 1.9.1：默认协议是TLSv1, TLSv1.1, and TLSv1.2
• TLSv1.2：需要OpenSSL库的支持

[root@xxx cert]# nginx -v
nginx version: nginx/1.12.2

worker_processes auto;

http
    {
    ...

[root@xxx cert]# openssl ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-IDEA-CBC-MD5:KRB5-DES-CBC3-MD5:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5

ssl_prefer_server_ciphers on; #优先采取服务器算法

server
{
    listen              443 ssl;
    server_name         www.xxx;

    ### Https Related Config
    keepalive_timeout   70; # 设置长连接

    ssl_certificate     /www/server/nginx/conf/cert/www.xxx_aliyun_symantec_free_ov_ssl.crt; # 证书文件
    ssl_certificate_key /www/server/nginx/conf/cert/www.xxx_aliyun_symantec_free_ov_ssl.key; # 私钥文件

    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    # ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

    ssl_session_timeout 10m; # 配置会话超时时间
    ssl_session_cache   shared:SSL:10m; # 配置共享会话缓存大小，视站点访问情况设定

    ssl_prefer_server_ciphers   on; #优先采取服务器算法

    # 如果是全站 HTTPS 并且不考虑 HTTP 的话，可以加入 HSTS(HTTP Strict Transport Security) ,使用 HSTS 策略强制浏览器使用 HTTPS 连接
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;preload" always;
    add_header X-Frame-Options DENY; #减少点击劫持
    add_header X-Content-Type-Options nosniff; #禁止服务器自动解析资源类型
    add_header X-Xss-Protection 1; #防XSS攻击
}

转载请注明：在路上 » 【已解决】nginx中关于ssl配置的逻辑和常见参数含义