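How to Implement SSL/TLS Configuration in Nginx

How to implement SSL/TLS configuration in Nginx, with detailed code examples

As information security becomes ever more important, website encryption has become an important means of protecting user privacy and data integrity. SSL/TLS, currently the most widely used encryption protocol, secures data while it is in transit. Nginx, a high-performance web server, can also provide encrypted transport for a website through its SSL/TLS configuration. This article explains in detail how to configure SSL/TLS in Nginx and provides detailed code examples.

First, we need to install Nginx on the server, and then add the corresponding SSL/TLS settings to the configuration file. The following is a basic Nginx SSL/TLS configuration example: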

server {
    listen 443 ssl;

    server_name yourdomain.com;

    ssl_certificate /path/to/your.ssl.crt;
    ssl_certificate_key /path/to/your.ssl.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:TLSv1.2:!ADH';

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    location / {
        # Other related settings
    }
}

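In the configuration above, we first use the listen 443 ssl; directive to make Nginx listen on port 443 with SSL enabled. The ssl_certificate and ssl_certificate_key directives then specify the paths of the SSL certificate and the private key, respectively. Next, the ssl_protocols directive specifies the SSL/TLS protocol versions, the ssl_ciphers directive specifies the priority of the encryption algorithms, and the ssl_session_cache and ssl_session_timeout directives configure the SSL session cache.

Beyond the basic SSL/TLS configuration, we can also configure optimization parameters for the SSL certificate, HTTPS redirection, and so on. The following is a complete Nginx SSL/TLS configuration example that includes the optimization parameters and the HTTPS redirection mentioned above: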

server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name yourdomain.com;

    ssl_certificate /path/to/your.ssl.crt;
    ssl_certificate_key /path/to/your.ssl.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:TLSv1.2:!ADH';

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Enable OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 10s;

    location / {
        # Other related settings
    }
}

In the complete SSL/TLS configuration example, we also use return 301 https://$server_name$request_uri; to redirect HTTP requests to HTTPS, and we add support for OCSP Stapling.
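The following Python script is an added example, not part of the original article: it audits the TLS directives of a server block like the one above and reports cipher-string tokens that admit 3DES, CBC-mode or non-forward-secret suites, legacy protocol versions, and ssl_stapling_verify used without ssl_trusted_certificate. The helper names (directives, classify, audit) and the shortened sample configuration are constructed for illustration.

```python
import re

# Constructed sample: TLS directives from the server block above, cipher list shortened.
SAMPLE = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!RC4:!MD5';
    ssl_stapling on;
    ssl_stapling_verify on;
}
"""

def directives(conf):
    """Map directive name -> argument string (last occurrence wins, comments stripped)."""
    conf = re.sub(r"#[^\n]*", "", conf)
    return {m.group(1): m.group(2).strip().strip("'\"")
            for m in re.finditer(r"^\s*(\w+)\s+([^;{}]*);", conf, re.M)}

def classify(token):
    """Return why a cipher-string token is weaker than (EC)DHE + AEAD, or None."""
    if token.startswith(("!", "-")):           # exclusions never add suites
        return None
    if "DES-CBC3" in token or "3DES" in token:
        return "3DES (64-bit block)"
    if not token.startswith(("ECDHE", "EECDH", "DHE", "EDH", "kEDH")):
        return "no forward secrecy or broad selector"
    if not any(a in token for a in ("GCM", "CHACHA20", "CCM")):
        return "CBC mode (non-AEAD)"
    return None

def audit(conf):
    d, findings = directives(conf), []
    for proto in d.get("ssl_protocols", "").split():
        if proto in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
            findings.append(f"ssl_protocols enables legacy {proto}")
    for tok in d.get("ssl_ciphers", "").split(":"):
        reason = classify(tok)
        if tok and reason:
            findings.append(f"ssl_ciphers token {tok}: {reason}")
    # nginx docs: verifying stapled responses needs the issuer chain configured via
    # ssl_trusted_certificate (it may be set at http level, which this check cannot see).
    if d.get("ssl_stapling_verify") == "on" and "ssl_trusted_certificate" not in d:
        findings.append("ssl_stapling_verify on without ssl_trusted_certificate")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Running the script against the sample lists the tokens that keep CBC, static-RSA and 3DES suites negotiable under TLSv1.2 even though only TLSv1.2 and TLSv1.3 are enabled.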

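Note that the SSL certificate path, the private key path and the domain name in the examples above must be changed to match your actual environment. In addition, when configuring SSL/TLS, take care to protect the certificate and private key files so that they are not leaked or tampered with.

In short, the example code above shows how to implement SSL/TLS configuration in Nginx, and readers can customize it for their actual environment to ensure that website data is transmitted securely. We hope this article helps readers who are interested in Nginx SSL/TLS configuration, and that everyone takes website encryption seriously in order to protect users' privacy and data.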
