  • nginx + SSL optimized configuration

    nginx + SSL optimized configuration:

    # Add the following directives to the http block:

    http {

        # During cipher negotiation, prefer the server's cipher-suite order over the client's (browser's).
        ssl_prefer_server_ciphers on;
        # Protocol versions accepted. TLSv1 and TLSv1.1 are deprecated (RFC 8996).
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # Cipher suites. Browsers differ in which suites they support and in what order.
        # This string starts from ALL; "+LOW", "+SSLv2" and "+EXP" only move those suites
        # to the end of the list, they do not remove them.
        ssl_ciphers ALL:!kEDH:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

        # Add the following directives to the server block:
        server {
            listen       80;
            listen       443  ssl;
            server_name  www.papapa.com;

            # Several ways to write the redirect:
            #rewrite ^/$  https://$host permanent;
            #rewrite   ^  https://$server_name$request_uri? permanent;
            ### Using return is more efficient
            #return 301 https://$server_name$request_uri;
            #return 301 https://www.papapa.com$request_uri;   # force a 301 redirect

            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;            # ssl_protocols enables specific protocol versions
            ssl_certificate      9888cn/server.crt;
            ssl_certificate_key  9888cn/server.key;
            add_header Strict-Transport-Security "max-age=31536000";
            ssl_session_timeout 12m;
            ssl_session_cache shared:SSL:16m;
            ssl_buffer_size 8k;
            ssl_session_tickets on;
            ssl_stapling on;
            ssl_stapling_verify on;
            resolver 8.8.4.4 8.8.8.8 valid=300s;
            resolver_timeout 10s;
        }
    }

    Serving HTTP (port 80) and HTTPS (port 443) from a single nginx server block

    server
    {

        listen 80;
        listen 443 ssl;
        server_name www.xxx.com;
        index index.html index.htm index.php;
        root /home/wwwroot/www.xxx.com/;
        # ssl on;   # must stay commented out here: "ssl on" would make port 80 speak TLS as well
        ssl_certificate /usr/local/nginx/conf/ssl/www_xxx_com.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/www_xxx_com.key;
    }
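
A hardened variant of the two configurations above, as an added example that is not part of the original article: TLSv1/TLSv1.1 and the ALL-based cipher string are replaced, and ports 80 and 443 get separate server blocks so that enabling the 301 redirect cannot loop HTTPS requests back to themselves. The path 9888cn/chain.pem is a hypothetical placeholder, and TLSv1.3 assumes nginx 1.13.0+ built against OpenSSL 1.1.1+.

```nginx
# Added example, not the original author's configuration.
# Fragment to merge into nginx.conf (the events block and other settings are omitted).
http {
    ssl_protocols TLSv1.2 TLSv1.3;        # TLSv1 and TLSv1.1 are no longer offered

    # Explicit forward-secret AEAD suites instead of ALL:...:+LOW:+SSLv2:+EXP.
    # This list governs TLS 1.2 and below; TLS 1.3 suites are configured separately by OpenSSL.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    ssl_session_cache   shared:SSL:16m;
    ssl_session_timeout 12m;

    # Port 80: redirect only. A "return 301" placed in a block that also
    # listens on 443 would redirect HTTPS requests as well.
    server {
        listen       80;
        server_name  www.papapa.com;
        return 301 https://$server_name$request_uri;
    }

    # Port 443: TLS only.
    server {
        listen       443 ssl;
        server_name  www.papapa.com;

        ssl_certificate      9888cn/server.crt;
        ssl_certificate_key  9888cn/server.key;

        # Without "always", add_header is skipped on error responses (4xx/5xx).
        # The "always" parameter needs nginx 1.7.5+.
        add_header Strict-Transport-Security "max-age=31536000" always;

        ssl_stapling        on;
        ssl_stapling_verify on;
        # Hypothetical path: issuer chain nginx uses to verify the OCSP response.
        ssl_trusted_certificate 9888cn/chain.pem;
        resolver 8.8.4.4 8.8.8.8 valid=300s;
        resolver_timeout 10s;
    }
}
```

After editing, `nginx -t` checks the syntax before a reload.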

    For the meaning of each parameter, see the following references:

    https://www.embbnux.com/2015/12/29/letsencrypt_with_nginx_config_for_wordpress/

    http://www.tuicool.com/articles/yyMFRfI

    http://tchuairen.blog.51cto.com/3848118/1657926

    http://seanlook.com/2015/05/28/nginx-ssl/

    http://blog.csdn.net/na_tion/article/details/17334669

  • Original article: https://www.cnblogs.com/saneri/p/6253230.html