我是用这个配置,现在评级为A
nginx参考配置
- server {
- listen 443 ssl;
- ssl on;
- server_name demo.com;
- root /data1/www/demo;
- access_log /var/log/nginx/demo-access.log main;
- error_log /var/log/nginx/demo-error.log warn;
- ssl_certificate /usr/local/nginx/conf/conf.d/ssl/demo.crt;
- ssl_certificate_key /usr/local/nginx/conf/conf.d/ssl/demo_nopass.key;
- resolver_timeout 1d;
- #ssl 会话缓存配置,参考:http://nginx.org/en/docs/http/configuring_https_servers.html
- ssl_session_cache shared:SSL:50m;
- ssl_session_tickets off;
- ssl_dhparam /usr/local/nginx/conf/conf.d/ssl/dhparam.pem;
- #不再使用旧的不安全的 SSLv2 和 SSLv3
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers
- 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
- ssl_prefer_server_ciphers on;
- resolver 202.106.0.20 8.8.8.8 valid=300s;
- }
复制代码
注意,只需添加一下这段,禁用不安全的协议就可以了
- #不再使用旧的不安全的 SSLv2 和 SSLv3
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers
- 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
- ssl_prefer_server_ciphers on;
- resolver 202.106.0.20 8.8.8.8 valid=300s;
复制代码 |