nginx-http之ssl(九)

Example configuration

http {
    ...
    server {
        listen              443 ssl;
        keepalive_timeout   70;

        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
        ssl_certificate     /usr/local/nginx/conf/cert.pem;
        ssl_certificate_key /usr/local/nginx/conf/cert.key;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;
        ...
    }

directives

ssl 已过时

Syntax:	ssl on | off;
Default:	
ssl off;
Context:	http, server
  • 最新版本的配置方式
 listen              443 ssl;

ssl_buffer_size

  • 默认16k; 如果响应内容数据较小且内容不包含图片数据时,可相应减小配置
Syntax:	ssl_buffer_size size;
Default:	
ssl_buffer_size 16k;
Context:	http, server
This directive appeared in version 1.5.9.

ssl certificate, ssl_certificate_key

  • 1.11.0 版本之后可以加载不同类型的证书
  • ssl_certificate example.com.rsa.crt;
  • ssl_certificate_key example.com.rsa.key;
Syntax:	ssl_certificate file;
Default:  —
Context: http, server

Syntax:	ssl_certificate_key file;
Default:	—
Context:	http, servers

ssl_ciphers

Syntax:	ssl_ciphers ciphers;
Default:	
ssl_ciphers HIGH:!aNULL:!MD5;
Context:	http, server

ssl_verify_client, ssl_client_certificate , ssl_verify_depth

  • 客户端证书验证
Syntax:	ssl_client_certificate file;
Default:	—
Context:	http, server

Syntax:	ssl_verify_client on | off | optional | optional_no_ca;
Default:	
ssl_verify_client off;
Context:	http, server

Syntax:	ssl_verify_depth number;
Default:	
ssl_verify_depth 1;
Context:	http, server

error

495 客户端证书校验错误

496 客户端未提供证书

497 常规的http请求发送到了一个https的端口

variables

$ssl_cipher 返回建立连接所使用的cipher方式
$ssl_ciphers 返回配置的所有cipher方式
$ssl_client_v_end returns the end date of the client certificate (1.11.7);
$ssl_client_v_remain returns the number of days until the client certificate expires (1.11.7);
$ssl_client_v_start returns the start date of the client certificate (1.11.7);
$ssl_early_data	returns “1” if TLS 1.3 early data is used and the handshake is not complete, otherwise “” (1.15.3).
$ssl_protocol	returns the protocol of an established SSL connection;
$ssl_server_name	returns the server name requested through SNI (1.7.0);
$ssl_session_id	returns the session identifier of an established SSL connection;
$ssl_session_reused 	returns “r” if an SSL session was reused, or “.” otherwise (1.5.11).
posted @ 2020-09-23 09:16  pengsn  阅读(459)  评论(0编辑  收藏  举报