nginx + SSL优化配置

nginx + SSL优化配置：

#http段添加如下配置项：

http {
        
    ssl_prefer_server_ciphers on;                                      #设置协商加密算法时,优先使用我们服务端的加密套件,而不是客户端浏览器的加密套件。
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;                               #协议安全设置
    ssl_ciphers ALL:!kEDH!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;  #加密套件 ssl_ciphers选择加密套件，不同的浏览器所支持的套件（和顺序）可能会不同

#server段添加如下配置项：
server {
        listen       80;
        listen       443  ssl;
        server_name  www.papapa.com;
        
        #跳转实现的几种写法:
        #rewrite ^/$  https://$host permanent;
        #rewrite   ^  https://$server_name$request_uri? permanent;   
        ### 使用return的效率会更高 
        #return 301 https://$server_name$request_uri;
        #return 301 https://www.papapa.com$request_uri;   //强制301跳转....
        

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;            //ssl_protocols指令用于启动特定的加密协议
        ssl_certificate      9888cn/server.crt; 
        ssl_certificate_key  9888cn/server.key;
        add_header Strict-Transport-Security "max-age=31536000";
        ssl_session_timeout 12m;
        ssl_session_cache shared:SSL:16m;
        ssl_buffer_size 8k;
        ssl_session_tickets on;
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.4.4 8.8.8.8 valid=300s;
        resolver_timeout 10s;
        

    }
}    
   

Nginx一个server主机上80、433http、https共存

?

1 2 3 4 5 6 7 8 9 10 11

server {   listen 80; listen 443 ssl; server_name www.xxx.com; index index.html index.htm index.php; root /home/wwwroot/www.xxx.com/; #ssl on; 这里要注释掉 ssl_certificate /usr/local/nginx/conf/ssl/www_xxx_com.crt; ssl_certificate_key /usr/local/nginx/conf/ssl/www_xxx_com.key;

各参数的含义请参见参考文档信息：

 

https://www.embbnux.com/2015/12/29/letsencrypt_with_nginx_config_for_wordpress/

http://www.tuicool.com/articles/yyMFRfI

http://tchuairen.blog.51cto.com/3848118/1657926

http://seanlook.com/2015/05/28/nginx-ssl/

http://blog.csdn.net/na_tion/article/details/17334669