Advanced SSL Configuration on Nginx


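Net-X currently has an SSL rating of A+. This post explains in detail how to configure secure SSL in nginx.

Change the Nginx configuration file as follows, then restart nginx after the change.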

server
{
    listen 80 default_server;
    listen 443 ssl http2 default_server;
    server_name 39.108.165.187 NetX.xin www.netx.xin;
    index index.php index.html index.htm default.php default.htm default.html;
    root /www/wwwroot/netx.xin;

    # WordPress permalink support: serve an existing index file, otherwise hand the request to index.php
    if (-f $request_filename/index.html){
        rewrite (.*) $1/index.html break;
    }

    if (-f $request_filename/index.php){
        rewrite (.*) $1/index.php;
    }

    if (!-f $request_filename){
        rewrite (.*) /index.php;
    }

    #error_page 404/404.html;

    # Certificate chain and private key (replace with your own paths)
    ssl_certificate /etc/letsencrypt/live/netx.xin/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/netx.xin/privkey.pem;

    # Cipher list: ECDHE/DHE (forward secrecy) suites first, non-PFS fallbacks last
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    # Use the server's cipher order rather than the client's
    ssl_prefer_server_ciphers on;

    # HSTS: browsers remember to use HTTPS for max-age seconds
    add_header Strict-Transport-Security max-age=15768000;

    # Redirect requests that did not arrive on port 443 to HTTPS
    if ($server_port !~ 443){
        rewrite ^(/.*)$ https://$host$1 permanent;
    }
    # 497: plain HTTP request sent to the HTTPS port
    error_page 497 https://$host$request_uri;

    error_page 404 /404.html;
    error_page 502 /502.html;

    include enable-php-71.conf;
    include /www/server/panel/vhost/rewrite/netx.xin.conf;

    # Static asset caching
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
        access_log off;
    }
    location ~ .*\.(js|css)?$
    {
        expires 12h;
        access_log off;
    }
    access_log /www/wwwlogs/netx.xin.log;
}

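Configured this way, nginx not only supports WordPress permalinks, but also supports prioritized PFS, SNI, HTTP/2, HPKP and HSTS.

Terminology: HTTPS Security Best Practices (Part 2): Security Hardening

Note: change ssl_certificate to your own value.

Test address: http://myssl.com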
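An offline check of the TLS directives above, added here as an example and not part of the original post: it parses the ssl_ciphers list and reports how many suites offer forward secrecy, which ones are 3DES, whether server cipher order is enforced, the HSTS lifetime, and whether ssl_protocols is set. The function names are hypothetical, and classifying suites by name prefix is an assumption that holds for OpenSSL suite names of the kind used in this list.

```python
import re

# TLS directives copied from the configuration above.
CONFIG = """
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security max-age=15768000;
"""

def directive(conf, name):
    """Return the argument of the first `name ...;` directive, or None."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s+([^;]+);", conf, re.M)
    return m.group(1).strip().strip("'\"") if m else None

def audit(conf):
    """Summarise the TLS posture implied by an nginx config excerpt."""
    entries = (directive(conf, "ssl_ciphers") or "").split(":")
    # Entries starting with "!" (such as !DSS) are exclusions, not suites.
    suites = [s for s in entries if s and not s.startswith("!")]
    # Assumption: an ECDHE-/DHE-/EDH- prefix means an ephemeral key exchange.
    fs = [s.startswith(("ECDHE-", "DHE-", "EDH-")) for s in suites]
    first_plain = fs.index(False) if False in fs else len(suites)
    hsts = re.search(r"Strict-Transport-Security\s+[\"']?max-age=(\d+)", conf)
    return {
        "suites": len(suites),
        "forward_secrecy": sum(fs),
        "no_forward_secrecy": [s for s, ok in zip(suites, fs) if not ok],
        "aead": sum("GCM" in s or "CHACHA20" in s for s in suites),
        "triple_des": [s for s in suites if "DES-CBC3" in s],
        # True when no forward-secret suite is listed after a non-PFS one.
        "fs_listed_first": not any(fs[first_plain:]),
        # The list order only matters if the server's preference is used.
        "server_order_enforced":
            directive(conf, "ssl_prefer_server_ciphers") == "on",
        "hsts_days": int(hsts.group(1)) // 86400 if hsts else None,
        # Without ssl_protocols, the nginx version's defaults apply.
        "protocols_pinned": directive(conf, "ssl_protocols") is not None,
    }

if __name__ == "__main__":
    for key, value in audit(CONFIG).items():
        print(f"{key}: {value}")
```

The report shows that the list still offers seven suites without forward secrecy and four 3DES suites as fallbacks, and that the excerpt sets no ssl_protocols, so the accepted protocol versions depend on the installed nginx.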

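Statement: Net-X | All rights reserved, violators will be prosecuted | Original content unless otherwise noted | This site is licensed under the BY-NC-SA license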
