
nginx https ssl tls configuration


 

 

Module ngx_http_ssl_module (nginx.org)

 

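    # Plain-HTTP front door: every request is redirected to HTTPS.
    # The original "http2" listen parameter would only advertise h2c on
    # port 80 (which browsers never use) and is deprecated in newer nginx
    # in favour of the "http2 on;" directive, so a redirect-only vhost
    # does not need it.
    server {
      listen 80 default_server;          # was "defualt_server" - nginx rejects unknown listen parameters
      listen [::]:80 default_server;
      server_name ~^.*\.aeon\.io$;
      access_log /var/log/nginx/aeon.io.log combined;
      index index.html;
      root /aeon.io;
      #rewrite ^(.*)$ https://$http_host$1;
      location / {
        # 301 to the same host and path over HTTPS. Note that $http_host
        # echoes the client-supplied Host header and this is the
        # default_server, so the redirect target follows whatever Host the
        # client sends; pin a fixed hostname here if that is not acceptable.
        # $server_name would expand to the regex literal above, which is
        # why the commented variant is not used.
        return 301 https://$http_host$request_uri;
        # return 301 https://$server_name$request_uri;
      }
    }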
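    # HTTPS vhost. NOTE(review): server_name here is "localhost" while the
    # HTTP vhost above matches *.aeon.io; it still catches those redirects
    # because it is the default_server, but the names look inconsistent.
    server {
      listen                                443 ssl http2 default_server;
      listen                                [::]:443 ssl http2 default_server;
      server_name                           localhost;
      # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were dropped from the
      # original list. TLS 1.3 suites are not affected by ssl_ciphers or
      # ssl_prefer_server_ciphers; those two only shape the TLS 1.2 offer.
      ssl_protocols                         TLSv1.2 TLSv1.3;
      ssl_prefer_server_ciphers             on;
      ssl_certificate                       ssl/server.pem;
      ssl_certificate_key                   ssl/server.key;
      ssl_password_file                     ssl/password;
      # openssl dhparam -out /etc/nginx/ssl/dhparam.pem -rand /dev/urandom 2048
      ssl_dhparam                           ssl/dhparam.pem;
      # OCSP stapling needs a resolver (set below) and, with
      # ssl_stapling_verify on, the server certificate's issuer chain in
      # ssl_trusted_certificate so nginx can validate the stapled response.
      ssl_stapling                          on;
      ssl_stapling_verify                   on;
      ssl_session_cache                     shared:SSL:20m;
      ssl_session_timeout                   10m;
      # Tickets off: a long-lived ticket key would weaken forward secrecy.
      ssl_session_tickets                   off;
      # ssl_ciphers is not cumulative - the original file listed it twice,
      # which nginx reports as a duplicate directive. Keep only the
      # ECDHE/AEAD-oriented list.
      ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;
      # "always" makes the headers appear on error responses as well, not
      # only on 2xx/3xx; matches the HSTS line.
      add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
      add_header X-Frame-Options DENY always;  # forbid embedding in frames
      add_header X-Content-Type-Options nosniff always;  # block MIME-type sniffing
      # client
      # Client certificates are not requested (off), so ssl_client_certificate,
      # ssl_verify_depth and ssl_ocsp are inert until this becomes "on" or
      # "optional". ssl_ocsp / ssl_ocsp_cache require nginx 1.19.0+.
      ssl_verify_client                     off;
      ssl_ocsp                              on;
      # Own zone name so the OCSP cache does not share the "SSL" zone
      # already declared for ssl_session_cache.
      ssl_ocsp_cache                        shared:OCSP:20m;
      ssl_ocsp_responder                    http://ocsp.example.com/;
      resolver                              8.8.8.8 8.8.4.4;
      ssl_verify_depth                      2;
      ssl_client_certificate                ssl/client.crt;
      # Used both for client-cert chain building and for stapling
      # verification; NOTE(review): a client CA file is unlikely to contain
      # the server certificate's issuer needed by ssl_stapling_verify - confirm.
      ssl_trusted_certificate               ssl/client-ca.crt;

      location /upstream {
        # "backend" must be declared by an upstream block elsewhere (not shown).
        proxy_pass https://backend;
        proxy_ssl_certificate ssl/proxy-client.crt;
        proxy_ssl_certificate_key ssl/proxy-client.key;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;   # TLS 1.0/1.1 dropped, as above
        proxy_ssl_ciphers HIGH:!aNULL:!MD5;
        # Verify the backend chain against this CA. The name checked (and
        # sent as SNI) is proxy_ssl_name, which defaults to the proxy_pass
        # host "backend"; set proxy_ssl_name to the name in the backend
        # certificate if that differs.
        proxy_ssl_trusted_certificate ssl/proxied-backend-ca.crt;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_server_name on;
        proxy_ssl_session_reuse on;   # was misspelled "porxy_ssl_session_reuse"

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # proxy_http_version accepts only 1.0 or 1.1 (nginx talks HTTP/1.x
        # to upstreams); the original "2.0" is rejected. 1.1 is required for
        # keepalive. proxy_connect_timeout is the real directive name; the
        # original "proxy_connection_timeout" is unknown to nginx.
        proxy_http_version 1.1;
        proxy_connect_timeout 30s;
        proxy_read_timeout 10m;
        proxy_send_timeout 1m;

      }
    }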

 
