使用最新版本的openssl
禁用 SSLv2 和 SSLv3
这两个协议都是不安全的, 我们应该在服务器上禁用这两个协议。添加一下代码到网站的配置文件, lnmp的网站配置文件位于 /usr/local/nginx/conf/vhost 目录
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
使用安全的Cipher Suite
将以下代码放在网站的配置文件里面
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
以上设置不支持Winxp/IE6 ,如果你想网站同时Winxp/IE6的话可以使用使用以下的Cipher Suite
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
额外的安全设置,请添加如下代码
ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;
cd /etc/ssl/certsopenssl dhparam -out dhparam.pem 4096
ssl_dhparam /etc/ssl/certs/dhparam.pem;
添加以上代码后的网址配置文件大致如下
server{listen 443 ssl spdy;server_name www.topssl.net topssl.net;index index.html index.htm index.php default.html default.htm default.php;root /home/wwwroot/www.topssl.net;ssl on;ssl_certificate topssl.crt;ssl_certificate_key topssl.key;ssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;ssl_dhparam /etc/ssl/certs/dhparam.pem;......}
via。https://www.topssl.net/nginx_SSL_Security
