SSL模块
SSL模块用于配置HTTPS,保护数据传输安全。
基本配置
基本SSL配置
nginx
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    # the private key file should be readable by root only; nginx reads it at startup
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    # no ssl_protocols / ssl_ciphers are set here, so nginx's built-in defaults apply;
    # the production config below sets an explicit policy
    root /var/www/html;
}
完整配置
生产环境配置
nginx
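server {
    listen 80;
    server_name www.example.com;
    # $server_name (not $host) keeps an attacker-supplied Host header out of the redirect target
    return 301 https://$server_name$request_uri;
}
server {
    # NOTE: on nginx >= 1.25.1 the "http2" listen parameter is deprecated in favour of a
    # separate "http2 on;" directive; the listen form is kept here for older releases
    listen 443 ssl http2;
    server_name www.example.com;
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    # the private key file should be readable by root only
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    # Protocols and cipher suites: TLS 1.2/1.3 only, AEAD suites with forward secrecy
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    # The DHE-* suites listed above are only negotiated when DH parameters are configured;
    # without ssl_dhparam nginx silently never offers them. The path below is a sample —
    # replace it with your own parameters file (RFC 7919 ffdhe2048 is the usual choice).
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    # Let the client pick (TLS 1.2 suites); modern clients already prefer the strongest one
    ssl_prefer_server_ciphers off;
    # Session cache for resumption. Tickets are off because nginx does not rotate its ticket
    # key automatically, which would weaken forward secrecy over time.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;
    # OCSP stapling; ssl_stapling_verify requires the issuer chain in ssl_trusted_certificate
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
    # Resolver is used for the OCSP responder lookup; plain DNS, so prefer an internal resolver
    # where one is available
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security headers. HSTS commits browsers to HTTPS for max-age on this host and, with
    # includeSubDomains, on every subdomain — verify with a short max-age before using a year.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # X-XSS-Protection is a legacy header: current browsers ignore it and the old filter had
    # bypass/leak issues, so current guidance (OWASP) is to disable it explicitly rather than
    # enable "1; mode=block"
    add_header X-XSS-Protection "0" always;
    root /var/www/html;
    index index.html;
}
常用指令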
ssl_certificate
nginx
ssl_certificate /etc/nginx/ssl/example.com.crt;说明:
- SSL证书路径
- 必须配置
ssl_certificate_key
nginx
ssl_certificate_key /etc/nginx/ssl/example.com.key;说明:
- SSL私钥路径
- 必须配置
ssl_protocols
nginx
ssl_protocols TLSv1.2 TLSv1.3;说明:
- 支持的SSL/TLS协议
- 推荐TLSv1.2和TLSv1.3
ssl_ciphers
nginx
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';说明:
- 支持的加密套件
- 推荐使用 ECDHE 套件,它提供前向保密
ssl_session_cache
nginx
ssl_session_cache shared:SSL:10m;说明:
- SSL会话缓存
- 减少SSL握手时间
ssl_session_timeout
nginx
ssl_session_timeout 10m;说明:
- SSL会话超时时间
- 默认值:5m
完整示例
生产环境配置
nginx
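server {
    listen 80;
    server_name www.example.com;
    # $server_name (not $host) keeps an attacker-supplied Host header out of the redirect target
    return 301 https://$server_name$request_uri;
}
server {
    # NOTE: on nginx >= 1.25.1 the "http2" listen parameter is deprecated in favour of a
    # separate "http2 on;" directive; the listen form is kept here for older releases
    listen 443 ssl http2;
    server_name www.example.com;
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    # the private key file should be readable by root only
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    # Protocols and cipher suites: TLS 1.2/1.3 only, AEAD suites with forward secrecy
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    # The DHE-* suites listed above are only negotiated when DH parameters are configured;
    # without ssl_dhparam nginx silently never offers them. The path below is a sample —
    # replace it with your own parameters file (RFC 7919 ffdhe2048 is the usual choice).
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    # Let the client pick (TLS 1.2 suites); modern clients already prefer the strongest one
    ssl_prefer_server_ciphers off;
    # Session cache for resumption. Tickets are off because nginx does not rotate its ticket
    # key automatically, which would weaken forward secrecy over time.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;
    # OCSP stapling; ssl_stapling_verify requires the issuer chain in ssl_trusted_certificate
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
    # Resolver is used for the OCSP responder lookup; plain DNS, so prefer an internal resolver
    # where one is available
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # HSTS commits browsers to HTTPS for max-age on this host and, with includeSubDomains,
    # on every subdomain — verify with a short max-age before using a year
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    root /var/www/html;
    index index.html;
    # request paths (including query strings) end up in the access log; keep it out of reach
    # of unprivileged users
    access_log /var/log/nginx/https.access.log;
    error_log /var/log/nginx/https.error.log;
}
测试SSL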
SSL测试
bash
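# -servername sends SNI, so a server hosting several names returns this vhost's certificate
# (older OpenSSL releases do not send it by default); </dev/null closes the session instead
# of waiting for interactive input
openssl s_client -connect example.com:443 -servername example.com -tls1_2 </dev/null
检查证书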
bash
# curl verifies the chain against its CA bundle by default, so a failure here usually
# points at a missing intermediate certificate; the response headers show whether HSTS is sent
curl -I https://example.com
SSL评分
访问 https://www.ssllabs.com/ssltest/ 进行SSL评分
常见问题
证书错误
原因: 证书配置错误
解决: 检查证书路径和权限
bash
# the private key should be readable by root only (nginx reads it at startup);
# a world-readable key file is a finding in itself, not just a misconfiguration
ls -l /etc/nginx/ssl/
SSL握手失败
原因: SSL协议或加密套件不兼容
解决: 更新SSL配置
nginx
# clients limited to TLS 1.0/1.1 will still fail the handshake; that is intended
ssl_protocols TLSv1.2 TLSv1.3;
总结
SSL模块的关键点:
- ssl_certificate:SSL证书路径
- ssl_certificate_key:SSL私钥路径
- ssl_protocols:支持的SSL/TLS协议
- ssl_ciphers:支持的加密套件
- ssl_session_cache:SSL会话缓存
- ssl_stapling:OCSP Stapling
合理配置SSL模块,保护数据传输安全。