Nginx configuration parameters for enabling TLSv1.3


Main configuration parameters, for reference:

listen 80;
listen 443 ssl http2; #since nginx 1.25.1 the listen parameter is deprecated in favour of a separate "http2 on;" directive
listen 443 quic reuseport; #HTTP/3 (nginx 1.25.0+); also add "add_header Alt-Svc 'h3=":443"; ma=86400';" or clients never learn that HTTP/3 is available
ssl_certificate /ssl/xx.pem; #certificate path
ssl_certificate_key /ssl/xx.key; #private key path
ssl_session_timeout 10m;
ssl_protocols TLSv1.2 TLSv1.3; #TLSv1.0 is dropped as non-standard and insecure; TLSv1.1 was deprecated together with it in RFC 8996, so it is dropped here as well
ssl_prefer_server_ciphers on;
ssl_early_data on; #0-RTT: early-data requests can be replayed, so pass $ssl_early_data to the backend (proxy_set_header Early-Data $ssl_early_data;) and let it refuse non-idempotent ones
ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1; #sect571r1 is a binary curve that mainstream browsers do not offer; X25519:secp384r1 is enough in practice
ssl_ciphers [TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES; #the TLS13+ aliases and the [a|b] equal-preference groups are only understood by a patched OpenSSL; stock OpenSSL ignores ssl_ciphers for TLS 1.3 and takes the TLS 1.3 suites from "ssl_conf_command Ciphersuites ..." (nginx 1.19.4+). The trailing RSA+ entries use static RSA key exchange (no forward secrecy) and RSA+3DES is a 64-bit block cipher; keep them only for clients that truly need them
if ($ssl_protocol = "") { return 301 https://$host$request_uri; } #a plain-HTTP request on port 80 has no TLS protocol, so $ssl_protocol is empty and the request is redirected to HTTPS

Batch replacement script for the configs, for reference:

#Delete the lines from "listen" through "server_name" (inclusive), then insert text before a given line.
#The first command has no -i, so it only previews the result on stdout. GNU sed syntax throughout (BSD/macOS sed needs -i '').
sed '/listen/,/server_name/d' *.conf
sed -i '/server_name/i xxx' *.conf
#Insert the HTTP-to-HTTPS redirect before every "location" line (a server block with several locations gets it several times, so check the result).
sed -i '/location/i if ($ssl_protocol = "") { return 301 https://$host$request_uri; }' *.conf
#Replace everything between "server {" and "server_name" with the new listen/ssl block.
#The loop (:label ... b label) keeps appending lines with N until server_name is in the pattern space, then a single s command
#rewrites the whole span. The replacement contains "/" in the certificate paths, so "@" is used as the s delimiter,
#and every replacement line ends in "\" followed by a newline, which sed turns into a newline in the output.
sed -i ':label; /server {/,/server_name/ { /server_name/! { $! { N; b label; }; }; s@server {.*server_name@server {\
 listen 80;\
 listen 443 ssl http2;\
 listen 443 quic reuseport;\
 ssl_certificate /usr/local/nginx/conf/ssl/moyoo.org.pem;\
 ssl_certificate_key /usr/local/nginx/conf/ssl/moyoo.org.key;\
 ssl_session_timeout 10m;\
 ssl_protocols TLSv1.2 TLSv1.3;\
 ssl_prefer_server_ciphers on;\
 ssl_early_data on;\
 ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;\
 ssl_ciphers [TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA:RSA+AES128+SHA:RSA+AES256+SHA:RSA+3DES;\
\
server_name@; }' *.conf

Alternative ssl_ciphers parameters:

ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5; #the TLS13-* names come from OpenSSL 1.1.1 pre-releases and EECDH+CHACHA20-draft from the older ChaCha20-draft patch; released OpenSSL names the suites TLS_AES_256_GCM_SHA384 etc. and takes them via "ssl_conf_command Ciphersuites". This list again ends in static RSA and 3DES entries that exist only for legacy clients
#Alternative parameters (OpenSSL accepts space, comma or colon as separator); TLS 1.2 list restricted to ECDHE and AEAD suites
ssl_ciphers  'ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-GCM-SHA384';
#The same list with an equal-preference group, so the client's preference decides between AES-128-GCM and ChaCha20-Poly1305 (BoringSSL or patched OpenSSL only)
ssl_ciphers  '[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] ECDHE-RSA-AES256-GCM-SHA384';
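As an added example that is not part of the original post, the following POSIX shell script audits an nginx server block for the weak settings discussed in the configuration section and in the alternative cipher lists above: TLSv1.0/1.1 still enabled, static-RSA or 3DES suites, ssl_early_data without the Early-Data header being forwarded, a quic listener without Alt-Svc, the deprecated http2 listen parameter, and the [a|b] cipher syntax that only BoringSSL or a patched OpenSSL accepts. The two configurations it writes are constructed for this example; the certificate paths, the server name example.test and the upstream address 127.0.0.1:8080 are placeholders. The hardened variant uses stock-OpenSSL syntax (ssl_conf_command Ciphersuites, http2 on) rather than the patched-OpenSSL cipher string from the post.

```shell
#!/bin/sh
# Added example, not from the original post: audit nginx TLS directives for the
# weak settings discussed above. Both sample configs below are constructed for
# this demo; paths, server name and upstream address are placeholders.

# Print one finding per line: "weak: ..." for security problems, "note: ..." for
# portability or discoverability issues. Comments are stripped first so that a
# commented-out directive is not flagged.
audit_ssl_conf() {
    sed 's/#.*$//' "$1" | awk '
    /ssl_protocols/ && /TLSv1(\.1)?([ ;]|$)/ {
        print "weak: ssl_protocols still enables TLSv1.0/1.1 (deprecated by RFC 8996)" }
    /ssl_ciphers/ && /[ :"]RSA\+/ {
        print "weak: static RSA key exchange (no forward secrecy) in ssl_ciphers" }
    /ssl_ciphers/ && /3DES/ {
        print "weak: 3DES (64-bit block cipher, SWEET32) in ssl_ciphers" }
    /ssl_ciphers/ && /\[/ {
        print "note: [a|b] equal-preference groups need BoringSSL or a patched OpenSSL" }
    /listen .*http2/ {
        print "note: http2 as a listen parameter is deprecated since nginx 1.25.1; use \"http2 on;\"" }
    /ssl_early_data +on/ { early = 1 }
    /Early-Data/         { early_hdr = 1 }
    /listen .*quic/      { quic = 1 }
    /Alt-Svc/            { altsvc = 1 }
    END {
        if (early && !early_hdr)
            print "weak: ssl_early_data on without proxy_set_header Early-Data $ssl_early_data (0-RTT replay)"
        if (quic && !altsvc)
            print "note: quic listener without an Alt-Svc header; clients will never upgrade to HTTP/3"
    }'
}

# Count findings whose line starts with the given prefix ("weak:" or "note:").
count_findings() {
    audit_ssl_conf "$1" | awk -v p="$2" 'index($0, p) == 1 { n++ } END { print n + 0 }'
}

# Constructed weak sample, modelled on the parameters shown in the post.
write_weak_conf() {
    cat > "$1" <<'EOF'
server {
    listen 80;
    listen 443 ssl http2;
    listen 443 quic reuseport;
    server_name example.test;
    ssl_certificate /ssl/xx.pem;
    ssl_certificate_key /ssl/xx.key;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_early_data on;
    ssl_ciphers [TLS13+AESGCM+AES128|TLS13+CHACHA20]:EECDH+aRSA+AESGCM+AES128:RSA+AES128+SHA:RSA+3DES;
    if ($ssl_protocol = "") { return 301 https://$host$request_uri; }
}
EOF
}

# Constructed hardened sample in stock-OpenSSL syntax (nginx 1.25.1+ for "http2 on").
write_hardened_conf() {
    cat > "$1" <<'EOF'
server {
    listen 80;
    listen 443 ssl;
    listen 443 quic reuseport;
    http2 on;
    server_name example.test;
    ssl_certificate /etc/nginx/ssl/example.test.pem;
    ssl_certificate_key /etc/nginx/ssl/example.test.key;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2 TLSv1.3;   # TLSv1.0/1.1 dropped (RFC 8996)
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve X25519:secp384r1;
    # TLS 1.2: ECDHE only (forward secrecy), AEAD only
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    # TLS 1.3 suites are configured through OpenSSL, not through ssl_ciphers (nginx 1.19.4+)
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;
    ssl_early_data on;
    add_header Alt-Svc 'h3=":443"; ma=86400';
    if ($ssl_protocol = "") { return 301 https://$host$request_uri; }
    location / {
        proxy_set_header Early-Data $ssl_early_data;   # backend can refuse replayable 0-RTT requests
        proxy_pass http://127.0.0.1:8080;
    }
}
EOF
}

# Stand-alone demo: audit both sample configs.
demo_dir=$(mktemp -d)
write_weak_conf "$demo_dir/weak.conf"
write_hardened_conf "$demo_dir/hardened.conf"
for f in "$demo_dir/weak.conf" "$demo_dir/hardened.conf"; do
    echo "== $f: $(count_findings "$f" weak:) weak, $(count_findings "$f" note:) notes"
    audit_ssl_conf "$f"
done
rm -rf "$demo_dir"
```

Run it on a real config with `audit_ssl_conf /path/to/site.conf` after sourcing the script; the weak sample yields four "weak:" and three "note:" lines, the hardened one none. The checks are pattern matches on single directives, so they complement rather than replace a live test: after reloading nginx, `openssl s_client -connect host:443 -tls1_1` must not complete a handshake, while `openssl s_client -connect host:443 -tls1_3` should report TLSv1.3 in its session summary.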

Website directory permissions, for reference:

chown -R www:www /datas/xxx/ #owner:group of the nginx worker user; the "user.group" dot form is deprecated in GNU chown
find /datas/xxx/ -type d -exec chmod 755 {} \; #directories: owner rwx, everyone else rx
find /datas/xxx/ -type f -exec chmod 644 {} \; #files: owner rw, everyone else r, no execute bit
Copyright notice: original article of this site, published by Ticifer on 2023-12-21, 2410 characters in total.
Reprint notice: unless otherwise stated, articles on this site are published under the CC 4.0 license; please credit the source when reprinting.