linux

增强 nginx 的 SSL 安全性配置示例

发布时间:7年前热度: 3431 ℃评论数:

server { 
 listen [::]:443 default_server; 
 ssl on; 
 ssl_certificate_key /etc/ssl/cert/zhl123.pem; 
 ssl_certificate /etc/ssl/cert/zhl123.pem; 
 ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL'; 
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
 ssl_session_cache shared:SSL:10m; 
 ssl_stapling on; 
 ssl_stapling_verify on; 
 resolver 8.8.4.4 8.8.8.8 valid=300s; 
 resolver_timeout 10s; 
 ssl_prefer_server_ciphers on; 
 ssl_dhparam /etc/ssl/certs/dhparam.pem; 
 add_header Strict-Transport-Security max-age=63072000; 
 add_header X-Frame-Options DENY; 
 add_header X-Content-Type-Options nosniff; 
 root /var/www/; 
 index index.html index.htm; 
 server_name zhl123.com; 
} 

注:需要生成一个更强壮的 DHE 参数: 
     cd /etc/ssl/certs 
     openssl dhparam -out dhparam.pem 4096 
     然后告诉 nginx 将其用作 DHE 密钥交换: 
      ssl_dhparam /etc/ssl/certs/dhparam.pem; 

增强,安全性,配置

手机扫码访问