Nginx SSL Security Configuration


This post collects SSL/TLS hardening recommendations for Nginx, organised by the categories SSL Labs scores.

Links:

SSL security test (link)
SSL rating guide (link): SSL Server Rating Guide
Reference article (link)
This site's SSL rating

Certificate

This category is basically always a full score as long as the certificate itself is in order: a complete chain, a trusted issuer and a valid date range. I recommend keeping certificates under /usr/local/nginx/conf/cert so they are easy to manage.

Protocol Support

To get a full score here, the best option is to allow only TLS 1.2. In any case, SSL 2.0, SSL 3.0 and TLS 1.0 are no longer secure. (TLS 1.1 has since been deprecated as well, and an nginx built against OpenSSL 1.1.1 or newer can list TLSv1.3 next to TLSv1.2 without losing points.)

ssl_protocols TLSv1.2;

Key Exchange

By default nginx gives you no strong DHE (Ephemeral Diffie-Hellman) parameters: releases before 1.11.0 fall back to a built-in 1024-bit group, which SSL Labs marks down under Key Exchange, and from 1.11.0 on DHE suites are not offered at all until ssl_dhparam is set. Either way, generate your own group. 2048 bits is enough for a full score; this post goes with 4096, but be warned that generating a 4096-bit group can take a long time on a small VPS. Generate it with openssl first:

$ openssl dhparam -out /usr/local/nginx/conf/cert/dhparam.pem 4096

Then add this to the configuration file (the relative path is resolved against the nginx configuration directory, /usr/local/nginx/conf here). To confirm what you generated, openssl dhparam -in dhparam.pem -check -text -noout prints the group size and checks that p is a safe prime.

ssl_dhparam cert/dhparam.pem;

Cipher Strength

According to the SSL Labs rating guide, the Cipher Strength category is scored as the average of the strongest and the weakest suite offered, so it only reaches 100 when every suite is 256-bit. The list below keeps only AES-256 suites with ephemeral (EC)DHE key exchange; be aware that this also drops every AES-128 and ChaCha20 suite, trading a little client compatibility and CPU for the score.

ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
ssl_prefer_server_ciphers on;
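An added example (not from the page or from nginx) that expands the cipher string above the way OpenSSL does and scores it on the points SSL Labs looks at: weakest and strongest key size, whether every suite uses an ephemeral key exchange, and whether any anonymous suite survived. It uses Python's ssl module, so the suite list reflects the OpenSSL that Python is linked against rather than nginx's; the second string, HIGH:!aNULL, is a looser list constructed here for contrast, and the function names are the example's own.

```python
import ssl

# Cipher string from the page, plus a looser one constructed here for contrast.
PAGE_CIPHERS = "AES256+EECDH:AES256+EDH:!aNULL"
LOOSE_CIPHERS = "HIGH:!aNULL"


def expand_ciphers(cipher_string):
    """Expand an OpenSSL cipher string into the concrete suites it selects.

    Uses the OpenSSL that Python is linked against, so the result is what that
    OpenSSL build would offer. TLS 1.3 suites live in a separate list (nginx's
    ssl_ciphers does not control them either), so they are left out here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def strength_range(cipher_string):
    """(weakest, strongest) symmetric key size in bits. SSL Labs scores the
    Cipher Strength category as the average of these two, so one 128-bit suite
    in an otherwise 256-bit list already pulls the category below 100."""
    bits = [c["strength_bits"] for c in expand_ciphers(cipher_string)]
    return min(bits), max(bits)


def forward_secret_only(cipher_string):
    """True when every selected suite uses an ephemeral (EC)DHE key exchange."""
    return all(c["kea"] in ("kx-ecdhe", "kx-dhe")
               for c in expand_ciphers(cipher_string))


def anonymous_suites(cipher_string):
    """Suites with no server authentication; !aNULL is what keeps this empty."""
    return [c["name"] for c in expand_ciphers(cipher_string)
            if c["auth"] == "auth-null"]


def audit(cipher_string):
    weakest, strongest = strength_range(cipher_string)
    return {
        "suites": [c["name"] for c in expand_ciphers(cipher_string)],
        "weakest_bits": weakest,
        "strongest_bits": strongest,
        "forward_secret_only": forward_secret_only(cipher_string),
        "anonymous": anonymous_suites(cipher_string),
        "full_cipher_strength_score": weakest >= 256,
    }


if __name__ == "__main__":
    for label, cs in (("page", PAGE_CIPHERS), ("loose", LOOSE_CIPHERS)):
        result = audit(cs)
        print(f"{label}: {cs}")
        for name in result["suites"]:
            print("   ", name)
        print("    weakest/strongest bits:", result["weakest_bits"], "/", result["strongest_bits"])
        print("    forward secrecy only:", result["forward_secret_only"])
        print("    anonymous suites:", result["anonymous"])
        print("    full Cipher Strength score:", result["full_cipher_strength_score"])
```

Run it on any candidate ssl_ciphers value before deploying: nginx -t only checks that the string parses, not what it expands to, and openssl ciphers -v '<string>' gives the same list in raw form without the scoring.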

conf

Finally, the complete conf file; mine lives at /usr/local/nginx/conf/vhost/[hostname].conf. Things to watch when reusing it: nginx does not inherit add_header into a location block that has its own add_header, so the HSTS and the other two headers silently disappear in any such location (including ones pulled in from wordpress.conf or enable-php.conf), and they are only sent on 2xx and 3xx responses unless the "always" parameter is appended (nginx 1.7.5 or later); ssl_stapling_verify only works when nginx has a resolver configured for the OCSP responder and can find the issuer chain via ssl_trusted_certificate; and the 301 uses $server_name, which is the first name in the server_name list, so the bare domain is redirected onto the www host.

server {
    listen 80;
    server_name www.d4rk7r4c3r.cn d4rk7r4c3r.cn;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    # "ssl on;" dropped from here: "listen 443 ssl" already enables TLS, and the
    # ssl directive is deprecated since nginx 1.15.0 and rejected by newer releases.
    # gzip should not be used with ssl (compressing responses exposes them to BREACH)
    gzip off;
    # Certificate
    ssl_certificate cert/214013896060387.pem;
    ssl_certificate_key cert/214013896060387.key;
    # Protocol Support
    ssl_protocols TLSv1.2;
    # Key Exchange
    ssl_dhparam cert/dhparam.pem;
    # Cipher Strength
    ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
    ssl_prefer_server_ciphers on;
    # SSL Stapling (verification needs a resolver and the issuer chain in ssl_trusted_certificate)
    ssl_stapling on;
    ssl_stapling_verify on;
    # SSL Sessions
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Extra: ssl_ecdh_curve
    ssl_ecdh_curve secp384r1;
    # HTTP Headers (not inherited by location blocks that set their own add_header)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    server_name www.d4rk7r4c3r.cn d4rk7r4c3r.cn;
    index index.html index.htm index.php default.html default.htm default.php;
    root  /home/wwwroot/www.d4rk7r4c3r.cn;

    include wordpress.conf;
    #error_page   404   /404.html;
    include enable-php.conf;

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
    }

    # the original pattern had a stray "?" after (js|css), which also matched any URI ending in "."
    location ~ .*\.(js|css)$
    {
        expires 12h;
    }

    location ~ /\.
    {
        deny all;
    }

    access_log off;
}

