  • nginx-http: ssl (9)

    Example configuration

    http {
        ...
        server {
            listen              443 ssl;
            keepalive_timeout   70;
    
            # TLSv1 and TLSv1.1 are deprecated (RFC 8996)
            ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
            # RC4, 3DES and MD5-based suites are weak; compare the ssl_ciphers default below
            ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
            ssl_certificate     /usr/local/nginx/conf/cert.pem;
            ssl_certificate_key /usr/local/nginx/conf/cert.key;
            ssl_session_cache   shared:SSL:10m;
            ssl_session_timeout 10m;
            ...
        }
    }
    

    directives

    ssl (obsolete)

    Syntax:	ssl on | off;
    Default:	ssl off;
    Context:	http, server
    
    • Configuration in current versions:
     listen              443 ssl;
    

    ssl_buffer_size

    • The default is 16k; if responses are small and do not contain image data, the value can be reduced accordingly
    Syntax:	ssl_buffer_size size;
    Default:	ssl_buffer_size 16k;
    Context:	http, server
    This directive appeared in version 1.5.9.
    

    ssl_certificate, ssl_certificate_key

    • Since version 1.11.0, certificates of different types can be loaded
    • ssl_certificate example.com.rsa.crt;
    • ssl_certificate_key example.com.rsa.key;
    Syntax:	ssl_certificate file;
    Default:	—
    Context:	http, server
    
    Syntax:	ssl_certificate_key file;
    Default:	—
    Context:	http, server
    

    ssl_ciphers

    Syntax:	ssl_ciphers ciphers;
    Default:	ssl_ciphers HIGH:!aNULL:!MD5;
    Context:	http, server
    

    ssl_verify_client, ssl_client_certificate, ssl_verify_depth

    • Client certificate verification
    Syntax:	ssl_client_certificate file;
    Default:	—
    Context:	http, server
    
    Syntax:	ssl_verify_client on | off | optional | optional_no_ca;
    Default:	ssl_verify_client off;
    Context:	http, server
    
    Syntax:	ssl_verify_depth number;
    Default:	ssl_verify_depth 1;
    Context:	http, server
    

    error

    495 client certificate verification error

    496 the client did not present a certificate

    497 a regular HTTP request was sent to an HTTPS port

    variables

    $ssl_cipher returns the cipher used for the established connection
    $ssl_ciphers returns all configured ciphers
    $ssl_client_v_end returns the end date of the client certificate (1.11.7);
    $ssl_client_v_remain returns the number of days until the client certificate expires (1.11.7);
    $ssl_client_v_start returns the start date of the client certificate (1.11.7);
    $ssl_early_data	returns “1” if TLS 1.3 early data is used and the handshake is not complete, otherwise “” (1.15.3).
    $ssl_protocol	returns the protocol of an established SSL connection;
    $ssl_server_name	returns the server name requested through SNI (1.7.0);
    $ssl_session_id	returns the session identifier of an established SSL connection;
    $ssl_session_reused 	returns “r” if an SSL session was reused, or “.” otherwise (1.5.11).
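
    The directives, error codes and variables above combined into one server block that requires client certificates, as an added example that is not part of the original page. The hostname, the client CA and log file paths and the log format name tls_audit are assumptions; $ssl_client_verify and $ssl_client_s_dn are variables of the same module that this page does not list.

```nginx
# Added example, not from the original page. Hostname, client CA path,
# log path and the log_format name "tls_audit" are assumed values.
events {}

http {
    # Record per-request TLS details using the module's variables.
    log_format tls_audit '$remote_addr [$time_local] "$request" $status '
                         'proto=$ssl_protocol cipher=$ssl_cipher '
                         'sni=$ssl_server_name reused=$ssl_session_reused '
                         'client_verify=$ssl_client_verify '
                         'client_cert_end="$ssl_client_v_end"';

    server {
        listen              443 ssl;
        server_name         example.com;                          # assumed
        access_log          /usr/local/nginx/logs/tls_audit.log tls_audit;  # assumed path

        ssl_certificate     /usr/local/nginx/conf/cert.pem;
        ssl_certificate_key /usr/local/nginx/conf/cert.key;

        # Differs from the sample configuration: no TLSv1/TLSv1.1 and
        # no RC4, 3DES or MD5 suites.
        ssl_protocols       TLSv1.2 TLSv1.3;   # TLSv1.3: nginx 1.13.0+ with OpenSSL 1.1.1+
        ssl_ciphers         HIGH:!aNULL:!MD5;  # the module default

        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;

        # Client certificate verification
        ssl_client_certificate /usr/local/nginx/conf/client_ca.pem;  # assumed path
        ssl_verify_client   on;
        ssl_verify_depth    2;   # default is 1; raised assuming an intermediate CA issues client certs

        # Turn the module's non-standard codes into explicit responses.
        error_page 495 = @cert_invalid;   # client certificate failed verification
        error_page 496 = @cert_missing;   # client presented no certificate
        error_page 497 = @plain_http;     # plain HTTP sent to the HTTPS port

        location @cert_invalid { return 403 "client certificate failed verification\n"; }
        location @cert_missing { return 403 "client certificate required\n"; }
        location @plain_http   { return 301 https://$host$request_uri; }

        location / { return 200 "verified client: $ssl_client_s_dn\n"; }
    }
}
```

    Check the file with nginx -t before reloading; the tls_audit log then shows which protocol and cipher each client negotiated.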
    
  • Original article: https://www.cnblogs.com/pengsn/p/13527174.html