Nginx SSL 安全配置最佳实践.
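# Generate the dhparam.pem file referenced by nginx's ssl_dhparam directive.
# Run ONE of the two methods below; both write the same output path.
# The parameters are public, so 0644 ownership by root is fine; the parent
# directory must already exist.
DHPARAM=/etc/nginx/ssl/dhparam.pem

# Method 1 (slow): generates "safe prime" parameters, the standard choice.
openssl dhparam -out "$DHPARAM" 2048

# Method 2 (fast): -dsaparam generates DSA-style parameters instead of a safe
# prime. This is NOT "no different" from method 1: such parameters are only
# safe when each DH private key is used for a single handshake. nginx requests
# that behaviour (SSL_OP_SINGLE_DH_USE) and OpenSSL 1.1.0+ always does it, so
# they are acceptable here, but do not reuse the file with other software.
# 2048 bits is sufficient; 4096 is stronger but costs CPU on every DHE handshake.
openssl dhparam -dsaparam -out "$DHPARAM" 4096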
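# Further reading: http://tautt.com/best-nginx-configuration-for-security/
#
# NOTE: nginx only inherits add_header into a server/location block that declares
# NO add_header of its own. A server block that sets e.g. Strict-Transport-Security
# silently loses every header defined here unless they are repeated inside it.
# "always" makes each header appear on error responses (4xx/5xx) too, not only 2xx/3xx.

# Do not reveal the nginx version in the Server header or on error pages.
server_tokens off;

# Do not let other origins render this site inside a frame/iframe (clickjacking).
# http://en.wikipedia.org/wiki/Clickjacking
# SAMEORIGIN permits same-origin framing. ALLOW-FROM uri is ignored by modern
# browsers; use the CSP frame-ancestors directive below for per-origin control.
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN always;

# Disable browser MIME sniffing of user-supplied content; this only helps when
# the Content-Type header sent for each response is accurate.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-Content-Type-Options nosniff always;

# The legacy browser XSS auditor is gone from Chromium and never existed in
# Firefox; where it remains, "1; mode=block" can be abused for cross-site
# information leaks, so current OWASP guidance is to disable it explicitly and
# rely on Content-Security-Policy instead.
add_header X-XSS-Protection "0" always;

# Content Security Policy: supporting browsers (http://caniuse.com/#feat=contentsecuritypolicy)
# only load resources from the sources listed here.
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# 'unsafe-inline' and 'unsafe-eval' largely defeat CSP's XSS protection; remove
# them once the application no longer needs inline script/style or eval().
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
# frame-ancestors 'self' is the CSP equivalent of X-Frame-Options SAMEORIGIN.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; frame-ancestors 'self'; object-src 'none'" always;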
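# Plain-HTTP handling.
#
# The redirect below reflects $host (taken from the client's Host header) into the
# Location header. If that server were also default_server, a request carrying an
# arbitrary Host would be answered with a 301 to that arbitrary host — an open
# redirect. A separate catch-all therefore drops requests whose Host does not match
# this site (444 closes the connection without a response), and the redirect only
# runs when server_name has already matched.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

# Redirect every matching HTTP request to HTTPS, preserving path and query.
server {
    listen 80;
    listen [::]:80;
    server_name .forgott.com;
    return 301 https://$host$request_uri;
}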
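server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name .forgott.com;

    # ssl_certificate should be the full chain (leaf followed by intermediates);
    # a leaf-only file breaks chain building in some clients and OCSP stapling.
    ssl_certificate /etc/nginx/ssl/star_forgott_com.crt;
    ssl_certificate_key /etc/nginx/ssl/star_forgott_com.key;

    # Session resumption for HTTPS performance. Tickets are off because the ticket
    # key would otherwise undo forward secrecy for as long as it stays in memory.
    # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Diffie-Hellman parameters for the DHE suites; 2048 bits recommended.
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # Let the server's cipher preference order win over the client's, so the
    # strongest mutually supported suite from the list below is negotiated.
    ssl_prefer_server_ciphers on;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and fail modern compliance checks;
    # SSLv3 is never enabled. TLSv1.3 needs nginx 1.13.0+ built against
    # OpenSSL 1.1.1+; on older builds drop that token rather than re-adding TLSv1.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Forward-secret AEAD suites only: no 3DES (Sweet32), no CBC/SHA-1 suites and
    # no static-RSA suites (no forward secrecy). This drops very old clients such
    # as Android 4.3 or unpatched IE on Windows 7; re-add individual CBC suites
    # deliberately if such clients must be supported.
    # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!DSS';

    # OCSP stapling: the server fetches and attaches the certificate's revocation
    # status so visitors do not contact the CA themselves.
    # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
    # The resolver is used for the OCSP responder's hostname over plain DNS;
    # prefer an internal resolver where one exists.
    resolver 8.8.8.8 8.8.4.4;
    ssl_stapling on;
    ssl_stapling_verify on;
    # With ssl_stapling_verify on, this file must contain the intermediate and
    # root CA certificates that sign the OCSP response; pointing it at the leaf
    # certificate alone only works if that .crt already bundles the chain.
    ssl_trusted_certificate /etc/nginx/ssl/star_forgott_com.crt;

    # Because this block declares add_header (HSTS), nginx does NOT inherit the
    # http-level security headers into it; they are repeated here so that
    # HTTPS responses actually carry them. Keep the values in sync with the
    # http-level definitions.
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection "0" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; frame-ancestors 'self'; object-src 'none'" always;

    # HSTS (HTTP Strict Transport Security) prevents SSL stripping.
    # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    # includeSubDomains applies to EVERY subdomain and "preload" (https://hstspreload.org/)
    # is effectively permanent once submitted; only enable both after every
    # subdomain is served over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # ... remaining site configuration
}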
我设置了这个以后,chrome和火狐就报错(而且没有强行不安全连接的选项),nginx日志输出bad cipher
关了就没事,还没找到为啥