Nginx security hardening for an HTTPS site: the site passes the SSL test with an A+ result. The configuration is as follows:
ssl on;  # enables TLS for this server block (newer nginx versions use the ssl parameter of listen instead)
ssl_certificate ssl.crt;  # server certificate (with the intermediate chain appended)
ssl_certificate_key ssl.key;  # matching private key
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";  # HSTS for one year, covering subdomains
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 ;  # SSLv2/SSLv3 disabled; TLSv1 and TLSv1.1 are now considered weak
ssl_stapling on;  # OCSP stapling
resolver 114.114.114.114;  # DNS resolver nginx uses to reach the OCSP responder
ssl_prefer_server_ciphers on;  # server's cipher order wins over the client's
ssl_stapling_verify on;  # verify the stapled OCSP response (needs the issuer chain in ssl_trusted_certificate)
ssl_dhparam wst2048.pem;  # 2048-bit DH parameters for DHE key exchange
ssl_session_cache shared:SSL:10m;  # shared session cache, 10 MB
ssl_session_timeout 10m;  # cached sessions expire after 10 minutes
# note: ECDHE-ECDSA-RC4-SHA and the ECDH-*-RC4-SHA suites are listed explicitly while RC4-SHA is excluded; RC4 is considered weak
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:!RC4-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;
Here ssl.key and ssl.crt are the domain's SSL certificate and private key, and wst2048.pem is generated on Linux with the command
openssl gendh -out wst2048.pem 2048
Testing the HTTPS site with https://www.ssllabs.com/ssltest/analyze.html then yields a grade of A+.
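As an added example (not part of the original post), a small Python audit of the directives above: it parses the nginx ssl lines, splits the OpenSSL cipher string into enabled and "!"-excluded rules, and reports the points a reviewer would raise (old protocol versions, RC4/3DES suites that are listed explicitly rather than excluded, HSTS lifetime, stapling without a resolver). SAMPLE_CONF is a constructed subset of this page's configuration; the function names are my own.

```python
import re

# Constructed sample input for this checker: a subset of the ssl directives shown on this page.
SAMPLE_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 ;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
ssl_stapling on;
resolver 114.114.114.114;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-RC4-SHA:!RC4-SHA:HIGH:!aNULL:!MD5:!3DES;
"""

def parse_directives(conf):
    """Map each `name args;` line to its argument lists (quoted args kept whole, comments dropped)."""
    out = {}
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip().rstrip(';').strip()
        if not line:
            continue
        name, *args = re.findall(r'"[^"]*"|\S+', line)
        out.setdefault(name, []).append([a.strip('"') for a in args])
    return out

def cipher_rules(spec):
    """Split an OpenSSL cipher string into (enabled, disabled) rule names; '!' and '-' rules are disabled."""
    enabled, disabled = set(), set()
    for rule in spec.split(':'):
        (disabled if rule.startswith(('!', '-')) else enabled).add(rule.lstrip('!+-'))
    return enabled, disabled

def audit(conf):
    """Return a sorted list of findings about the ssl directives in conf."""
    d = parse_directives(conf)
    findings = []
    for weak in ('SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1'):
        if any(weak in args for args in d.get('ssl_protocols', [])):
            findings.append(f'weak protocol enabled: {weak}')
    enabled, _ = cipher_rules(' '.join(d.get('ssl_ciphers', [[]])[0]))
    for rule in sorted(enabled):
        if 'RC4' in rule or 'DES' in rule:  # an explicit RC4/3DES suite, not a '!' exclusion
            findings.append(f'weak cipher explicitly enabled: {rule}')
    hsts = next((a[1] for a in d.get('add_header', []) if len(a) > 1 and a[0].lower() == 'strict-transport-security'), '')
    m = re.search(r'max-age=(\d+)', hsts)
    if not m or int(m.group(1)) < 31536000:
        findings.append('HSTS missing or max-age shorter than one year')
    if 'includesubdomains' not in hsts.lower():
        findings.append('HSTS without includeSubDomains')
    if any(args == ['on'] for args in d.get('ssl_stapling', [])) and 'resolver' not in d:
        findings.append('ssl_stapling on without a resolver')
    return sorted(findings)
```

Run `audit(SAMPLE_CONF)` to see that the page's configuration is flagged only for TLSv1/TLSv1.1 and the explicit ECDHE-ECDSA-RC4-SHA suite; the HSTS and stapling settings pass.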