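# Generate a self-signed key pair for the test host.
# -nodes leaves the private key unencrypted so nginx can load it without a
#   passphrase prompt; the file must therefore be protected by permissions
#   (chmod 600 below) and never copied off the host.
# -addext adds a subjectAltName: browsers no longer match the hostname against
#   the CN, so a CN-only certificate is rejected even when the name is right
#   (-addext needs OpenSSL >= 1.1.1; on older builds use a config file with
#   an [alt_names] section instead).
# 36500 days (~100 years) is only acceptable for a lab certificate; browsers
#   and public CAs cap certificate lifetime far lower.
[root@nginx01 ~]# openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout tls.key -out tls.crt \
    -subj "/C=CN/ST=ZheJiang/L=HangZhou/O=Xianghy/OU=Web Security/CN=tls.linuxds.com" \
    -addext "subjectAltName=DNS:tls.linuxds.com"
# openssl creates the key with the process umask; make it root-only explicitly.
[root@nginx01 ~]# chmod 600 tls.key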
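server {
    listen 443 ssl;                         # HTTPS listener
    server_name www.xxx.com;                # the domain the certificate is issued for
    ssl_certificate tls.crt;                # certificate chain (relative paths resolve from the nginx prefix)
    ssl_certificate_key tls.key;            # private key; keep it mode 0600, readable by root only
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and fail PCI DSS; only offer 1.2+.
    # Drop TLSv1.3 if "nginx -t" rejects it (needs nginx >= 1.13.0 built with OpenSSL >= 1.1.1).
    ssl_protocols TLSv1.2 TLSv1.3;
    # ECDHE (forward secrecy) first, HIGH as a fallback; no anonymous, MD5, RC4 or finite-field DHE suites.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;           # server cipher order wins over the client's (TLS <= 1.2 only)
    ssl_session_timeout 5m;                 # how long a cached session may be resumed
    ssl_session_cache shared:SSL:1m;        # session cache shared across worker processes
    location / {
        root /web/www/website/dist;         # document root for this site
        index index.html;                   # default index file
    }
}                                           # the original listing was missing this closing brace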
# Create a minimal document root with a one-line page to prove the TLS vhost serves content.
[root@nginx01 ~]# mkdir /usr/share/nginx/tls/
[root@nginx01 ~]# printf '%s\n' '<h1>WebTLS</h1>' > /usr/share/nginx/tls/index.html
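[root@nginx01 ~]# mkdir -p /etc/nginx/tls
[root@nginx01 ~]# ll /etc/nginx/tls/
total 8.0K
-rw-r--r-- 1 root root 3.7K Jul  5 22:07 linuxds.crt
-rw-r--r-- 1 root root 1.7K Jul  5 22:07 linuxds.key
# The key listed above is mode 0644: any local user can read the private key
# and impersonate the site. The nginx master process (started as root here)
# is what reads the key, so 0600 owned by root is sufficient.
[root@nginx01 ~]# chmod 600 /etc/nginx/tls/linuxds.key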
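[root@nginx01 ~]# vi /etc/nginx/conf.d/tls.conf
# HTTPS vhost for tls.linuxds.com.
server {
    listen 443 ssl;
    server_name tls.linuxds.com;
    root /usr/share/nginx/tls/;
    access_log /var/log/nginx/tls.access.log main;
    error_log /var/log/nginx/tls.error.log warn;
    ssl_certificate /etc/nginx/tls/linuxds.crt;
    ssl_certificate_key /etc/nginx/tls/linuxds.key;     # keep this file mode 0600
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); only offer 1.2+. Drop TLSv1.3 if
    # "nginx -t" rejects it (needs nginx >= 1.13.0 built with OpenSSL >= 1.1.1).
    ssl_protocols TLSv1.2 TLSv1.3;
    # ECDHE first for forward secrecy; the bare AES/HIGH groups are a fallback for
    # old clients and include RSA key exchange, which has no forward secrecy.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_prefer_server_ciphers on;          # server cipher order wins (TLS <= 1.2 only)
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:1m;
    location / {
        index index.html index.htm;
    }
}
# Plain-HTTP listener whose only job is to send clients to HTTPS.
# "return 301" with $request_uri replaces the regex rewrite: no pattern
# evaluation per request, and the path and query string are kept as-is.
server {
    listen 80;
    server_name tls.linuxds.com;
    return 301 https://$host$request_uri;
}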
# Plain-HTTP listener that exists only to redirect every request to HTTPS.
server
{
    listen 80;
    server_name tls.linuxds.com;            # the name the certificate is bound to
    # Permanent redirect; $request_uri carries the original path and query string.
    return 301 https://$host$request_uri;
}
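# Validate the configuration and reload only if the check passes. A reload
# after a failed test is not an error from the shell's point of view: the
# master process logs the problem and silently keeps the old configuration,
# so chaining with && makes the failure visible and skips the reload.
[root@nginx01 ~]# nginx -t -c /etc/nginx/nginx.conf && nginx -s reload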
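server
{
    ……
    ssl_session_timeout 10m;            # how long a cached session may be resumed
    ssl_session_cache shared:SSL:10m;   # cache shared across workers; size it to the site's traffic
    # Session tickets are encrypted with a key nginx generates at startup and
    # keeps until restart; anyone holding that key can decrypt every resumed
    # session, which undermines forward secrecy. Resume from the shared cache
    # instead, or rotate keys explicitly with ssl_session_ticket_key.
    ssl_session_tickets off;
    keepalive_timeout 70;               # keep client connections open so the TLS handshake is reused
    ……
}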
server
{
    ……
    # HSTS: a browser that has seen this header refuses plain HTTP to this host
    # for max-age seconds (one year). "always" also sends it on error responses.
    # includeSubDomains binds every subdomain, and "preload" signals intent to be
    # hard-coded into browser preload lists, which is hard to revert - only use
    # both once every subdomain serves valid HTTPS.
    # NOTE(review): add_header is not inherited by a location that sets its own
    # add_header; repeat it there if needed.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    ……
}
# Generate a 2048-bit finite-field DH group for the DHE (EDH) suites; ECDHE
# suites do not use this file. Generation can take a while on slow hosts.
[root@nginx01 ~]# cd /etc/nginx/tls && openssl dhparam -out dhparam.pem 2048
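server
{
    ……
    ssl_prefer_server_ciphers on;             # enforce the server's cipher order (TLS <= 1.2 only)
    ssl_dhparam /etc/nginx/tls/dhparam.pem;   # 2048-bit group used by the EDH (DHE) suites below
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); only offer 1.2+. Drop TLSv1.3 if
    # "nginx -t" rejects it (needs nginx >= 1.13.0 built with OpenSSL >= 1.1.1).
    ssl_protocols TLSv1.2 TLSv1.3;
    # AEAD ECDHE suites first, then SHA-2 CBC ECDHE, then DHE as a last resort.
    # EECDH+aRSA+RC4 is deliberately absent: RC4 is broken and was already
    # cancelled by the trailing !RC4, so listing it only obscured the intent.
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
    ……
}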
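{
    ……
    # "always" sends these on 4xx/5xx responses too; without it nginx adds them
    # only to 2xx/3xx. A location that declares its own add_header inherits none of them.
    add_header X-Frame-Options DENY always;             # forbid framing by any site (clickjacking)
    add_header X-Content-Type-Options nosniff always;   # stop browsers MIME-sniffing responses
    # Legacy header: the XSS auditor has been removed from current Chromium and
    # never existed in Firefox. A bare "1" selected filter mode, which sanitised
    # the page instead of blocking it; "1; mode=block" is the only meaningful
    # non-zero value. A Content-Security-Policy is the actual XSS control.
    add_header X-XSS-Protection "1; mode=block" always;
    ……
}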
# Build the DH parameter file next to the certificate; only DHE (EDH) suites read it.
[root@nginx01 ~]# cd /etc/nginx/tls
[root@nginx01 tls]# openssl dhparam 2048 -out dhparam.pem
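[root@nginx01 tls]# vi /etc/nginx/conf.d/tls.conf
# HTTPS vhost for tls.linuxds.com with session reuse, HSTS, security headers
# and a modern protocol/cipher policy.
server {
    listen 443 ssl;
    server_name tls.linuxds.com;
    root /usr/share/nginx/tls/;
    access_log /var/log/nginx/tls.access.log main;
    error_log /var/log/nginx/tls.error.log warn;
    ssl_certificate /etc/nginx/tls/linuxds.crt;
    ssl_certificate_key /etc/nginx/tls/linuxds.key;   # keep this file mode 0600, root only
    ssl_session_timeout 10m;                          # how long a cached session may be resumed
    ssl_session_cache shared:SSL:10m;                 # cache shared across worker processes
    keepalive_timeout 70;                             # reuse the connection, and so the handshake
    # "always" sends each header on error responses too. None of these add_header
    # lines are inherited by a location block that declares its own add_header.
    # HSTS with includeSubDomains + preload is hard to revert: enable only once
    # every subdomain serves valid HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Frame-Options DENY always;             # forbid framing (clickjacking)
    add_header X-Content-Type-Options nosniff always;   # stop MIME sniffing
    # Legacy header (auditor removed from current Chromium, never in Firefox);
    # "1; mode=block" is the only meaningful non-zero value. Use a CSP for real XSS defence.
    add_header X-XSS-Protection "1; mode=block" always;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); only offer 1.2+. Drop TLSv1.3 if
    # "nginx -t" rejects it (needs nginx >= 1.13.0 built with OpenSSL >= 1.1.1).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;                     # enforce server cipher order (TLS <= 1.2)
    ssl_dhparam /etc/nginx/tls/dhparam.pem;           # 2048-bit group for the EDH suites
    # AEAD ECDHE first, then SHA-2 CBC ECDHE, then DHE. EECDH+aRSA+RC4 is
    # deliberately absent: RC4 is broken and was cancelled by !RC4 anyway.
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
    location / {
        index index.html index.htm;
    }
}
# Plain-HTTP listener that only redirects to HTTPS; "return 301" with
# $request_uri avoids a regex rewrite and keeps path and query string.
server
{
    listen 80;
    server_name tls.linuxds.com;
    return 301 https://$host$request_uri;
}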
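# Test the configuration first and reload only on success; "nginx -s reload"
# with a broken config keeps the old configuration running without any
# error on the shell, so the && chain makes the failure visible.
[root@nginx01 ~]# nginx -t -c /etc/nginx/nginx.conf && nginx -s reload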