NGINX: configuring dual SSL certificates (ECC + RSA) in a single server block
in Notes with 0 comments

The usual way is to write two server blocks, one for port 80 and one for port 443.

In the spirit of keeping things minimal, the approach here merges both into one block:

server {
  listen 80;
  listen 443 ssl http2;
  # ECC certificate chain and key
  ssl_certificate /home/www/ssl/eccdomainchain.cer;
  ssl_certificate_key /home/www/ssl/eccdomain.key;
  # RSA certificate chain and key (nginx 1.11.0+ serves whichever the client can use)
  ssl_certificate /home/www/ssl/rsadomainchain.cer;
  ssl_certificate_key /home/www/ssl/rsadomain.key;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
  ssl_prefer_server_ciphers on;
  ssl_session_timeout 1h;
  ssl_session_cache builtin:1000 shared:SSL:10m;
  ssl_buffer_size 1400;
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
  # Reduce clickjacking: pages may only be framed by pages from the same origin
  add_header X-Frame-Options SAMEORIGIN;
  # Stop the browser from sniffing the MIME type of resources
  add_header X-Content-Type-Options nosniff;
  # Enable the browser's built-in XSS filter
  add_header X-Xss-Protection 1;
  # Resolver is needed so nginx can reach the OCSP responder for stapling
  resolver 8.8.8.8 8.8.4.4 valid=300s;
  resolver_timeout 10s;
  ssl_stapling on;
  ssl_stapling_verify on;
  # Generate with: openssl dhparam -out /home/www/ssl/dhparam.pem 2048
  ssl_dhparam /home/www/ssl/dhparam.pem;
  server_name www.domain.com domain.com;
  # Full chain used to verify the stapled OCSP response
  ssl_trusted_certificate /home/www/ssl/domainfullchain.cer;
  access_log off;
  index index.html index.htm index.php;
  root /home/www/domain.com;

  # Port 80 and 443 share this block, so redirect plain HTTP here
  if ( $scheme = http ) {
    return 301 https://$server_name$request_uri;
  }

  include none.conf;
  #error_page 404 /404.html;
  #error_page 502 /502.html;

  # Hotlink protection for media and archive files
  location ~ .*\.(wma|wmv|asf|mp3|mmf|zip|rar|jpg|gif|png|swf|flv|mp4)$ {
    valid_referers none blocked *.domain.com domain.com;
    if ($invalid_referer) {
      return 403;
    }
  }

  location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
    expires 30d;
    access_log off;
  }

  location ~ .*\.(js|css)$ {
    expires 10d;
  }

  # Keep ACME HTTP-01 challenges reachable
  location ~ /.well-known {
    allow all;
  }

  # Never serve dotfiles such as .git or .htaccess
  location ~ /\. {
    deny all;
  }
}
service nginx force-reload
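As an added example (not code from the original post), the following Python script flattens a server block written in the style above and checks the things this single-block, dual-certificate layout depends on: two certificate/key pairs, the resolver and ssl_trusted_certificate that ssl_stapling needs, and the $scheme redirect. It also flags TLSv1 and TLSv1.1, which the block above still enables and which RFC 8996 deprecated. The sample block is a trimmed, constructed copy; the function names are assumptions for this example.

```python
"""Sanity checks for a single-server-block nginx TLS config with ECC + RSA certs.

Added example, not code from the original post. It flattens the directives of
a server block (one directive per line, '{' on the opener line, no '#' inside
quoted values) and verifies the invariants the dual-certificate layout relies on.
"""
from typing import List, Tuple

# Constructed sample: a trimmed copy of the kind of server block in the post.
SAMPLE_CONF = """
server {
  listen 80;
  listen 443 ssl http2;
  # ECC pair
  ssl_certificate /home/www/ssl/eccdomainchain.cer;
  ssl_certificate_key /home/www/ssl/eccdomain.key;
  # RSA pair
  ssl_certificate /home/www/ssl/rsadomainchain.cer;
  ssl_certificate_key /home/www/ssl/rsadomain.key;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 8.8.8.8 8.8.4.4 valid=300s;
  ssl_trusted_certificate /home/www/ssl/domainfullchain.cer;
  if ( $scheme = http ) {
    return 301 https://$server_name$request_uri;
  }
  location ~ /\\. {
    deny all;
  }
}
"""

Directive = Tuple[Tuple[str, ...], str, List[str]]  # (block path, name, args)


def parse_directives(conf: str) -> List[Directive]:
    """Flatten nginx text into (block path, name, args) tuples, dropping comments."""
    out: List[Directive] = []
    path: List[str] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):            # block opener: server, if, location
            path.append(line[:-1].strip())
        elif line == "}":
            path.pop()
        elif line.endswith(";"):
            parts = line[:-1].split()
            out.append((tuple(path), parts[0], parts[1:]))
    return out


def check_dual_cert(directives: List[Directive]) -> List[str]:
    """Return the problems found; an empty list means the block passes."""
    problems: List[str] = []
    server = [d for d in directives if d[0] == ("server",)]
    names = {d[1] for d in server}
    certs = [d for d in server if d[1] == "ssl_certificate"]
    keys = [d for d in server if d[1] == "ssl_certificate_key"]
    if len(certs) != len(keys):
        problems.append(f"{len(certs)} ssl_certificate vs {len(keys)} ssl_certificate_key")
    if len(certs) < 2:
        problems.append("dual-certificate setup needs both an ECC and an RSA ssl_certificate")
    # OCSP stapling needs a resolver to reach the responder and a chain to verify it.
    if "ssl_stapling" in names:
        for needed in ("resolver", "ssl_trusted_certificate"):
            if needed not in names:
                problems.append(f"ssl_stapling is on but {needed} is missing")
    # TLS 1.0 and 1.1 are deprecated by RFC 8996.
    for d in server:
        if d[1] == "ssl_protocols":
            legacy = sorted(set(d[2]) & {"SSLv3", "TLSv1", "TLSv1.1"})
            if legacy:
                problems.append("legacy protocols enabled: " + " ".join(legacy))
    # With port 80 and 443 in one block, the $scheme check is the only redirect.
    redirects = [
        d for d in directives
        if d[1] == "return" and d[0] and d[0][-1].startswith("if") and "$scheme" in d[0][-1]
    ]
    if not any("https://" in " ".join(d[2]) for d in redirects):
        problems.append("no HTTP-to-HTTPS redirect inside an if ($scheme ...) block")
    return problems


if __name__ == "__main__":
    for p in check_dual_cert(parse_directives(SAMPLE_CONF)) or ["ok"]:
        print(p)
```

Run against the sample, the only finding is the legacy protocol warning; deleting the resolver line adds the stapling complaint, and trimming ssl_protocols to TLSv1.2 makes the block pass. This is a pre-deploy check to run alongside `nginx -t`, which validates syntax but says nothing about whether the layout is complete.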

A few small gotchas:

openssl ciphers -V

To see the detailed cipher suites that a cipher-string expression expands to:

openssl ciphers -V 'EECDH+ECDSA+AES128' | column -t

0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)  Mac=AEAD
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)     Mac=SHA256
0xC0,0x09  -  ECDHE-ECDSA-AES128-SHA         SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(128)     Mac=SHA1

Put the algorithms you want to prefer nearer the front of ssl_ciphers; with ssl_prefer_server_ciphers on, that order is the one the server enforces.
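As an added example (not part of the original post), this Python script parses the `openssl ciphers -V` output shown above, flags suites that lack forward secrecy or use weak primitives, and produces an ordering for ssl_ciphers that puts forward-secret AEAD suites first. The first three sample lines are the ones from the post; the last two are constructed to show an RSA key-exchange suite and a 3DES suite, both of which the cipher string in the config above still admits. Function names are assumptions for this example.

```python
"""Parse `openssl ciphers -V` output and rank the suites for ssl_ciphers ordering.

Added example, not code from the original post. The first three sample lines
are the ones shown in the post; the last two are constructed.
"""
import re
from typing import Dict, List

SAMPLE_V_OUTPUT = """\
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)  Mac=AEAD
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)     Mac=SHA256
0xC0,0x09  -  ECDHE-ECDSA-AES128-SHA         SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(128)     Mac=SHA1
0x00,0x9C  -  AES128-GCM-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(128)  Mac=AEAD
0xC0,0x12  -  ECDHE-RSA-DES-CBC3-SHA         SSLv3    Kx=ECDH  Au=RSA    Enc=3DES(168)    Mac=SHA1
"""

# One `-V` line: code point, '-', name, min protocol, then Kx/Au/Enc/Mac fields.
LINE_RE = re.compile(
    r"^(?P<code>0x[0-9A-F]{2},0x[0-9A-F]{2})\s+-\s+(?P<name>\S+)\s+(?P<proto>\S+)\s+"
    r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def parse_ciphers_v(text: str) -> List[Dict[str, str]]:
    """Turn each `openssl ciphers -V` line into a dict of its fields."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(m.groupdict())
    return suites


def audit(suite: Dict[str, str]) -> List[str]:
    """List the reasons a suite is undesirable; empty means nothing flagged."""
    reasons = []
    # Kx=RSA encrypts the premaster secret to the server key: no forward secrecy.
    if suite["kx"] == "RSA":
        reasons.append("no forward secrecy (Kx=RSA)")
    if suite["enc"].startswith(("3DES", "DES", "RC4")):
        reasons.append(f"weak cipher ({suite['enc']})")
    if suite["mac"] in ("SHA1", "MD5"):
        reasons.append(f"weak MAC ({suite['mac']})")
    return reasons


def preferred_order(suites: List[Dict[str, str]]) -> List[str]:
    """Order suite names for ssl_ciphers: PFS+AEAD first, other PFS next, rest last.

    Within a tier, suites with fewer audit findings come first; sort is stable,
    so ties keep the input order.
    """
    def rank(s: Dict[str, str]):
        pfs = s["kx"] != "RSA"
        aead = s["mac"] == "AEAD"
        tier = 0 if (pfs and aead) else 1 if pfs else 2
        return (tier, len(audit(s)))
    return [s["name"] for s in sorted(suites, key=rank)]


SUITES = parse_ciphers_v(SAMPLE_V_OUTPUT)

if __name__ == "__main__":
    for s in SUITES:
        print(f"{s['name']:32} {s['proto']:8} {', '.join(audit(s)) or 'ok'}")
    print("ssl_ciphers order:", ":".join(preferred_order(SUITES)))
```

Feed it the real output of `openssl ciphers -V '<your ssl_ciphers string>'` to see which of the suites your string admits would be flagged; the ordering it prints is a starting point, not a replacement for the Mozilla generator linked at the end of the post.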

Test result: [screenshot of the SSL test omitted]

If you also want CAA protection, below are several common ways of writing CAA records:

0 issue comodoca.com
0 issue trustasia.com
0 issue letsencrypt.org
0 issuewild letsencrypt.org
0 issuewild globalsign.com

Just add them to the domain's DNS zone.
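As an added example (not part of the original post), this Python script evaluates CAA records the way a CA must before issuing, following RFC 8659: climb from the requested name toward the root until a CAA RRset is found, let issuewild govern wildcard names when any issuewild record exists, otherwise fall back to issue, and refuse outright if an unknown tag carries the critical flag. The zone is a constructed in-memory dict holding the five records listed above rather than a live DNS lookup; function names are assumptions for this example.

```python
"""Evaluate CAA records as a CA does before issuing (RFC 8659 semantics).

Added example, not code from the original post. The record set is the one
listed in the post, attached to a constructed apex name; lookups are against
an in-memory dict, not live DNS.
"""
from typing import Dict, List, Tuple

CAA = Tuple[int, str, str]  # (flags, tag, value)
CRITICAL = 128              # issuer-critical bit in the flags byte

# Constructed zone: the post's records attached to the apex.
ZONE: Dict[str, List[CAA]] = {
    "domain.com": [
        (0, "issue", "comodoca.com"),
        (0, "issue", "trustasia.com"),
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", "letsencrypt.org"),
        (0, "issuewild", "globalsign.com"),
    ],
}


def parse_caa(text: str) -> CAA:
    """Parse the presentation form `flags tag value` (value may be quoted)."""
    flags, tag, value = text.split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')


def relevant_caa(name: str, zone: Dict[str, List[CAA]]) -> List[CAA]:
    """Climb from the name toward the root; return the first non-empty RRset."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def may_issue(ca_domain: str, name: str, zone: Dict[str, List[CAA]] = ZONE) -> bool:
    """Decide whether `ca_domain` may issue a certificate for `name`.

    Wildcard names are governed by issuewild when any issuewild record is
    present, otherwise by issue; non-wildcard names use issue only.  No record
    of the governing tag means CAA imposes no restriction.  A value of ";"
    (empty CA) allows nobody.
    """
    wildcard = name.startswith("*.")
    rrset = relevant_caa(name[2:] if wildcard else name, zone)
    # An unrecognised tag marked critical forbids issuance altogether.
    if any(f & CRITICAL and t not in ("issue", "issuewild", "iodef") for f, t, _ in rrset):
        return False
    tags = {t for _, t, _ in rrset}
    governing = "issuewild" if (wildcard and "issuewild" in tags) else "issue"
    if governing not in tags:
        return True
    # The CA domain is everything before the first ';' (parameters follow it).
    allowed = {v.split(";", 1)[0].strip().lower() for _, t, v in rrset if t == governing}
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    for ca, host in [("letsencrypt.org", "www.domain.com"),
                     ("globalsign.com", "www.domain.com"),
                     ("globalsign.com", "*.domain.com"),
                     ("comodoca.com", "*.domain.com")]:
        print(f"{ca:16} -> {host:16} {'allowed' if may_issue(ca, host) else 'denied'}")
```

With the post's records, the result is what the two tags imply: Let's Encrypt may issue both ordinary and wildcard certificates, GlobalSign only wildcards, and Comodo and TrustAsia only non-wildcard names. Use it to confirm that the record set you publish still lets the CA you actually use issue the certificate types you need, before pointing an ACME client at it.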

References:

https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
https://mozilla.github.io/server-side-tls/ssl-config-generator/
