  • nginx-http: ssl (part 9)

    Example configuration

    http {
        ...
        server {
            listen              443 ssl;
            keepalive_timeout   70;
    
            # legacy values: TLSv1/TLSv1.1 and the RC4, 3DES and MD5 suites are deprecated
            ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
            ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
            ssl_certificate     /usr/local/nginx/conf/cert.pem;
            ssl_certificate_key /usr/local/nginx/conf/cert.key;
            ssl_session_cache   shared:SSL:10m;
            ssl_session_timeout 10m;
            ...
        }
    }
    

    directives

    ssl (obsolete)

    Syntax:	ssl on | off;
    Default:	ssl off;
    Context:	http, server
    
    • Configuration style in current versions:
     listen              443 ssl;
    

    ssl_buffer_size

    • Default is 16k; if responses are small and contain no image data, the value can be reduced accordingly
    Syntax:	ssl_buffer_size size;
    Default:	ssl_buffer_size 16k;
    Context:	http, server
    This directive appeared in version 1.5.9.
    

    ssl_certificate, ssl_certificate_key

    • Since version 1.11.0, certificates of different types can be loaded
    • ssl_certificate example.com.rsa.crt;
    • ssl_certificate_key example.com.rsa.key;
    Syntax:	ssl_certificate file;
    Default:	—
    Context:	http, server
    
    Syntax:	ssl_certificate_key file;
    Default:	—
    Context:	http, server
    

    ssl_ciphers

    Syntax:	ssl_ciphers ciphers;
    Default:	ssl_ciphers HIGH:!aNULL:!MD5;
    Context:	http, server
    

    ssl_verify_client, ssl_client_certificate, ssl_verify_depth

    • Client certificate verification
    Syntax:	ssl_client_certificate file;
    Default:	—
    Context:	http, server
    
    Syntax:	ssl_verify_client on | off | optional | optional_no_ca;
    Default:	ssl_verify_client off;
    Context:	http, server
    
    Syntax:	ssl_verify_depth number;
    Default:	ssl_verify_depth 1;
    Context:	http, server
    

    error

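    495 an error occurred during client certificate verification

    496 the client did not present a certificate

    497 a regular HTTP request was sent to an HTTPS port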

    variables

    $ssl_cipher returns the cipher used for the established connection
    $ssl_ciphers returns all configured ciphers
    $ssl_client_v_end returns the end date of the client certificate (1.11.7);
    $ssl_client_v_remain returns the number of days until the client certificate expires (1.11.7);
    $ssl_client_v_start returns the start date of the client certificate (1.11.7);
    $ssl_early_data	returns “1” if TLS 1.3 early data is used and the handshake is not complete, otherwise “” (1.15.3).
    $ssl_protocol	returns the protocol of an established SSL connection;
    $ssl_server_name	returns the server name requested through SNI (1.7.0);
    $ssl_session_id	returns the session identifier of an established SSL connection;
    $ssl_session_reused 	returns “r” if an SSL session was reused, or “.” otherwise (1.5.11).
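
The directives, error codes and variables above combined into one server block with client certificate verification, as an added example that is not part of the original post. The hostname, file paths, CA file, log format name and the /client-cert-required location are placeholders; TLSv1.3 assumes nginx 1.13.0 or later built against OpenSSL 1.1.1 or later.

```nginx
# Added example: placeholder names and paths, not the original author's configuration.
events {}
http {
    # Log the negotiated parameters with the variables listed above.
    log_format tls '$remote_addr "$request" $status proto=$ssl_protocol '
                   'cipher=$ssl_cipher reused=$ssl_session_reused '
                   'sni=$ssl_server_name cert_days_left=$ssl_client_v_remain';

    server {
        listen              443 ssl;
        server_name         example.com;
        access_log          logs/tls.log tls;

        # TLS 1.2+ only, ECDHE key exchange with AEAD ciphers.
        # ssl_ciphers applies to TLS 1.2 and below; TLS 1.3 suites come from OpenSSL.
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

        # Since 1.11.0: an RSA and an ECDSA certificate loaded side by side.
        ssl_certificate     example.com.rsa.crt;
        ssl_certificate_key example.com.rsa.key;
        ssl_certificate     example.com.ecdsa.crt;
        ssl_certificate_key example.com.ecdsa.key;

        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;

        # Client certificate verification against a private CA (assumed file).
        ssl_client_certificate /usr/local/nginx/conf/client-ca.pem;
        ssl_verify_client   on;
        ssl_verify_depth    2;   # assumption: one intermediate CA below the root

        # 495 (verification error) and 496 (no certificate): answer with an explicit 403.
        error_page 495 496 =403 /client-cert-required;
        # 497 (plain HTTP sent to this port): redirect to the https URL.
        error_page 497 =301 https://$host$request_uri;

        location = /client-cert-required {
            internal;
            return 403 "valid client certificate required\n";
        }
    }
}
```

After installing the certificate files, `nginx -t` validates the syntax; the `proto=` and `cipher=` fields in the access log then show what each client actually negotiated.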
    
  • Original article: https://www.cnblogs.com/pengsn/p/13527174.html