What is the SSL configuration optimization of Nginx

2025-04-06 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

Many people with little experience do not know how to optimize the SSL configuration of Nginx, so this article summarizes the causes of the problem and their solutions. I hope that after reading it you will be able to solve this problem yourself.

SSL configuration Optimization of Nginx

Generally speaking, the SSL certificate used by a website is an RSA certificate with a 2048-bit key. For the key exchange to be secure, however, the key exchange key must be longer than the certificate key, while the default is only 1024 bits, so we need to generate a stronger one manually. Therefore, before configuring anything, if you do not yet have a DH key, carry out the following steps.

If screen is already installed, skip this step; otherwise install it.

    yum -y install screen

Generate a 4096-bit DH key (the key exchange parameters) inside a screen session:

    screen -S DH
    openssl dhparam -out dhparam.pem 4096

Generation takes a long time; just wait for it to finish. If the network connection drops, you can reattach to the screen session with the following command:

    screen -r DH

Once generation finishes, it is recommended to put the generated dhparam.pem file together with the SSL certificate for easier management.

With the key exchange key in place, we continue the configuration and open the conf file of the Nginx site.

Suppose my configuration file is in the /usr/local/nginx/conf/vhost directory:

    vim /usr/local/nginx/conf/vhost/www.linpx.com.conf

The configuration is as follows. It includes only the SSL part and omits other important configuration such as caching, redirection, hotlink protection and forced HTTPS.

    server {
        listen 443 ssl http2;
        add_header Strict-Transport-Security "max-age=6307200; includeSubdomains; preload";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        ssl_certificate /usr/local/nginx/conf/vhost/sslkey/www.linpx.com.crt;
        ssl_certificate_key /usr/local/nginx/conf/vhost/sslkey/www.linpx.com.key;
        ssl_trusted_certificate /usr/local/nginx/conf/vhost/sslkey/chaine.pem;
        ssl_dhparam /usr/local/nginx/conf/vhost/sslkey/dhparam.pem;
        ssl_session_timeout 10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
        ssl_prefer_server_ciphers on;
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_session_tickets on;
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;
    }

Line-by-line explanation:

    server {
        listen 443 ssl http2;                          # use HTTP/2, which requires Nginx 1.9.7 or above
        add_header Strict-Transport-Security "max-age=6307200; includeSubdomains; preload";
            # enable HSTS with a validity of 6307200 seconds (6 months); "includeSubdomains" also covers
            # sub-domains and "preload" allows the browser preload list (remove either as appropriate)
        add_header X-Frame-Options DENY;               # forbid embedding the site in a frame
        add_header X-Content-Type-Options nosniff;     # prevent MIME-type confusion attacks in IE9, Chrome and Safari
        ssl_certificate /usr/local/nginx/conf/vhost/sslkey/www.linpx.com.crt;
        ssl_certificate_key /usr/local/nginx/conf/vhost/sslkey/www.linpx.com.key;
            # SSL certificate and private key file locations
        ssl_trusted_certificate /usr/local/nginx/conf/vhost/sslkey/chaine.pem;
            # certificate chain used for OCSP Stapling
        ssl_dhparam /usr/local/nginx/conf/vhost/sslkey/dhparam.pem;
            # DH key exchange key file location
        # SSL optimized configuration
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;           # only allow the TLS protocols
        ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
            # CloudFlare's Internet-facing SSL cipher configuration
        ssl_prefer_server_ciphers on;                  # let the server pick the best cipher during negotiation
        ssl_session_cache builtin:1000 shared:SSL:10m; # Session Cache: keep sessions on the server, which may use more server resources
        ssl_session_tickets on;                        # enable the browser Session Ticket cache
        ssl_session_timeout 10m;                       # SSL session expiration time
        ssl_stapling on;                               # enable OCSP Stapling: OCSP is the online certificate revocation
                                                       # query service; stapling caches the certificate's valid status on
                                                       # the server and speeds up the TLS handshake
        ssl_stapling_verify on;                        # verify the OCSP Stapling response
        resolver 8.8.8.8 8.8.4.4 valid=300s;           # DNS servers used to look up the OCSP server
        resolver_timeout 5s;                           # DNS query timeout
    }
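As an added example (not code from the original article), the following Python script parses the TLS directives of an nginx server block like the one above and reports the settings a reviewer would flag. The sample configuration is constructed from the article's block, and the thresholds (TLS 1.0/1.1 deprecated by RFC 8996, one-year max-age for HSTS preload) are the reviewer's, not nginx's.

```python
import re

# Constructed sample: the article's server block, condensed to the audited lines.
SAMPLE_CONF = """
server {
    listen 443 ssl http2;
    add_header Strict-Transport-Security "max-age=6307200; includeSubdomains; preload";
    ssl_dhparam /usr/local/nginx/conf/vhost/sslkey/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
}
"""

# One directive per line, terminated by ';' (enough for a flat server block like the one above).
_DIRECTIVE = re.compile(r"^\s*([a-z_]+)\s+(.*?);\s*$", re.M)


def parse_directives(conf):
    """Map each directive name to the list of its argument strings (repeats kept)."""
    found = {}
    for name, args in _DIRECTIVE.findall(conf):
        found.setdefault(name, []).append(args.strip())
    return found


def audit_tls(conf):
    """Return human-readable findings for weak or inconsistent TLS settings."""
    d = parse_directives(conf)
    findings = []
    protos = set(" ".join(d.get("ssl_protocols", [])).split())
    for old in ("SSLv3", "TLSv1", "TLSv1.1"):  # TLS 1.0 and 1.1 are deprecated by RFC 8996
        if old in protos:
            findings.append(f"ssl_protocols still offers {old}")
    ciphers = ":".join(d.get("ssl_ciphers", []))
    if "3DES" in ciphers and "!3DES" not in ciphers:
        findings.append("ssl_ciphers still enables 3DES (64-bit block cipher)")
    if "ssl_dhparam" not in d:
        findings.append("no ssl_dhparam: DHE uses the default group instead of a generated one")
    for h in d.get("add_header", []):
        m = re.search(r"max-age=(\d+)", h)
        if h.startswith("Strict-Transport-Security") and "preload" in h and m and int(m.group(1)) < 31536000:
            findings.append("HSTS preload requested but max-age is below one year")
    if "on" in d.get("ssl_stapling", []) and "resolver" not in d:
        findings.append("ssl_stapling on without a resolver for the OCSP responder")
    return findings
```

Run against the article's block it reports the deprecated TLS versions, the 3DES suites and the six-month HSTS max-age, while the DH parameters and OCSP resolver pass.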

Please remember to restart Nginx after configuration!

CentOS 6.x:

    service nginx restart

CentOS 7.x:

    systemctl restart nginx

After reading the above, have you mastered the method of SSL configuration optimization for Nginx? If you want to learn more skills or learn more about the topic, you are welcome to follow the industry information channel. Thank you for reading!
