Nginx ssl 安全增强配置


myssl.com

https://cipherli.st/

Strong Ciphers for Apache, nginx and Lighttpd

nginx配置
# Hardened TLS settings for an nginx server {} block (the wiki pasted them on
# one line; directives are unchanged here, only comments added).
ssl_protocols TLSv1.3;# Requires nginx >= 1.13.0 else use TLSv1.2
# TLSv1.3-only also needs an OpenSSL 1.1.1+ build and refuses every client
# that cannot negotiate 1.3; "TLSv1.2 TLSv1.3" is the usual choice when
# older clients still have to connect.
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
# ssl_ciphers only governs TLS 1.2 and below; TLS 1.3 suites come from the
# OpenSSL defaults (or ssl_conf_command Ciphersuites on newer nginx), so this
# list does not restrict a TLSv1.3-only server.
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
# A single curve means any client that does not offer secp384r1 fails the
# handshake; TLS 1.3 clients are only required to support secp256r1 and most
# prefer X25519.  A list such as "X25519:secp384r1:secp256r1" is more robust.
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
# Tickets off avoids a long-lived ticket key weakening forward secrecy;
# resumption then depends on the shared cache above.
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
# ssl_stapling_verify needs the issuer chain via ssl_trusted_certificate to
# actually validate the OCSP response; without it check the error log after
# reload, as the stapled response will not be verified.
resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
resolver_timeout 5s;
# The resolver is used for OCSP fetches over plain (unauthenticated) DNS;
# point it at resolvers you control rather than a public one.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
# includeSubDomains + preload commits every subdomain to HTTPS for two years
# and is hard to reverse once submitted to the preload list; confirm all
# subdomains serve valid TLS first.
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
# add_header is not inherited into a location {} that sets its own
# add_header; repeat the whole set there or move it into a shared include.
# X-XSS-Protection is ignored by current browsers and the legacy auditor had
# its own weaknesses; many guides now set it to "0" or drop it.
haproxy 2.x global

  # TLS defaults applied to every `bind ... ssl` line unless overridden there.
  # Disabling SSLv3/TLS1.0/1.1 by name leaves TLSv1.2+ enabled; HAProxy 1.8+
  # can express the same floor as `ssl-min-ver TLSv1.2`, which also covers
  # any version added later.
  ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
  # Same AEAD-only list as the nginx ssl_ciphers above; as there it governs
  # TLS <= 1.2 only, TLS 1.3 suites are set via ssl-default-bind-ciphersuites.
  ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM
  # DH group size for EDH when the certificate file carries no DH parameters;
  # 2048 is the usual floor, the nginx section above generates 4096.
  tune.ssl.default-dh-param 2048

frontend http-in
     # Plain-HTTP listener whose only job is to bounce clients to HTTPS.

     mode http
     option httplog
     # forwardfor adds X-Forwarded-For; only meaningful if a backend is ever
     # reached from here, which the redirect below prevents.
     option forwardfor
     # http-server-close and httpclose are both set; they select different
     # connection-close modes, so one is redundant — confirm which is
     # intended (the same pair is repeated in frontend https-in).
     option http-server-close
     option httpclose
     bind $YOUR_IP:80
     # ssl_fc is never true on a plain bind, so every request is redirected;
     # 301 is cacheable, so clients keep using https afterwards.
     redirect scheme https code 301 if !{ ssl_fc }

frontend https-in

   option httplog
   option forwardfor
   option http-server-close
   option httpclose
   http-response add-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload
   http-response add-header X-Frame-Options DENY
   bind $YOUR_IP:443 ssl crt /etc/haproxy/haproxy.pem curves X25519:secp521r1:secp384r1:prime256v1 ciphers EECDH+AESGCM:EDH+A