nginx配置ssl 屏蔽tlsv1.0 tlsv1.1

需要升级nginx版本:

 

 openssl、pcre和zlib也要使用新一点的版本。

编译安装省略。。。。

先备份原来的nginx文件配置。

然后编译 ./configure xxx然后make && make install

然后重启下nginx

nginx配置如下:

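# TLS-terminating reverse proxy on port 18081 that accepts TLS 1.2 only
# (TLS 1.0 and TLS 1.1 handshakes are refused) and forwards to one backend.
server {
    listen       18081 ssl;
    server_name  LJHX2;
    # The standalone `ssl on;` directive is obsolete; `listen ... ssl` above enables TLS.
    #ssl on;
    ssl_certificate /usr/local/ssl/server.cer;
    # Private key: keep this file readable only by the account that starts nginx.
    ssl_certificate_key /usr/local/ssl/server.key;

    # Cipher list, restored to a single line (it had been wrapped in the middle
    # of the `kEDH+AESGCM` token). Change from the original: the explicit
    # DES-CBC3-SHA entry is gone and `!3DES` is added, because `!DES` does not
    # exclude triple-DES and 64-bit block ciphers are exposed to Sweet32.
    # NOTE(review): the static-RSA entries (AES128-SHA, AES256-SHA, ...) and the
    # broad `AES` / `CAMELLIA` keywords still permit suites without forward
    # secrecy and CBC-mode suites; trim the list to ECDHE/DHE AEAD suites if
    # every client supports them.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    # The server's ordering of the list above wins over the client's preference.
    ssl_prefer_server_ciphers on;

    # Only TLS 1.2 is offered. NOTE(review): TLSv1.3 can be appended here once
    # nginx is built against OpenSSL 1.1.1 or newer.
    ssl_protocols  TLSv1.2;
    # Parameters used by the DHE suites. NOTE(review): confirm the file was
    # generated with at least 2048 bits.
    ssl_dhparam /usr/local/ssl/dhparam.pem;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout 10m;
    access_log logs/access_18081.log;

    location / {
        # Pass the Host header and the client's real address to the backend so
        # it can see the real client IP.
        proxy_set_header Host $host:18081;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client sent, so the backend should trust X-Real-IP (or only the last
        # entry) rather than the first address in the list.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto  $scheme;
        # NOTE(review): 1800 s timeouts let a slow or stalled peer hold a
        # connection for 30 minutes; lower them unless the backend needs it.
        proxy_connect_timeout 1800;
        proxy_read_timeout 1800;
        proxy_send_timeout 1800;
        # Disable response buffering.
        proxy_buffering off;
        # Backend address. The hop from nginx to the backend is plain HTTP, so
        # TLS protects only the client-to-nginx leg; this is acceptable only if
        # that network segment is trusted.
        proxy_pass http://173.160.201.101:7070;
        proxy_redirect default;
    }
}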

 配置完,可以把域名放到https://myssl.com/上进行检测。也可以在本机用 openssl s_client -connect 主机名:18081 -tls1_1(以及 -tls1)确认旧协议握手被拒绝,再用 -tls1_2 确认可以正常握手。

posted @ 2021-07-14 16:20  lpaxq