Nginx ssl config
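# Only TLS 1.2 is enabled: SSLv2/SSLv3 are broken, and TLS 1.0/1.1 are
# deprecated (RFC 8996). Add TLSv1.3 once the nginx/OpenSSL build supports it.
ssl_protocols TLSv1.2;
# The server's cipher order takes precedence over the client's preference.
ssl_prefer_server_ciphers on;
# Shared session cache so resumed handshakes can skip the full key exchange.
ssl_session_cache shared:SSL:10m;
# Server-side DH parameters for the EDH suites; generate them with
#   openssl dhparam -out dhparam.pem 4096
# 4096-bit parameters take a long time (hours) to generate, but use at least 2048.
ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
# On a recent nginx the next two lines can be uncommented (OCSP stapling).
# ssl_stapling_verify additionally needs ssl_trusted_certificate pointing at
# the issuer chain, and stapling needs a resolver directive for the OCSP lookup.
# ssl_stapling on;
# ssl_stapling_verify on;
# HSTS (HTTP Strict Transport Security) with a long max-age, and forbid other
# sites from embedding this site in a frame.
# NOTE: add_header is not inherited into a nested server/location block that
# sets its own add_header; repeat these lines there or they silently disappear.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
# Strict: only mainstream modern browsers (AES-256 with forward secrecy).
# ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';
# Broad: supports more browsers, including old IE6-class clients. This list
# still enables 3DES (DES-CBC3) suites, which are weak (64-bit block size).
# ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';
# Default: mainstream browsers. The RC4 suites in the original list
# (EECDH+aRSA+RC4, RC4, +RC4) have been removed: RC4 is prohibited for TLS by
# RFC 7465, so it is now explicitly excluded instead of kept as a fallback.
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";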