How to configure Nginx to use only TLS 1.2/1.3

Date: 2020-01-09 10:37:46  Source: igfitidea

How do I enable and configure only TLS 1.2 and 1.3 in the Nginx web server?

TLS is an acronym for Transport Layer Security.
It is a cryptographic protocol designed to provide security for network communications.
Websites and other applications (such as IM (instant messaging), email, web browsers, VoIP and so on) use TLS to protect all communication between a server and its clients.
This tutorial explains how to enable and configure Nginx so that it uses only TLS versions 1.2 and 1.3.

How to configure and enable Nginx to use TLS 1.2 and 1.3

  • Open the terminal application
  • Log in to the Nginx server with the ssh command
  • Edit the nginx.conf file or the virtual domain's configuration file
  • Set the TLS version by editing ssl_protocols TLSv1.2;
  • For TLS version 1.3, add ssl_protocols TLSv1.3;
  • To allow only TLS 1.2 and 1.3 in Nginx, combine both by setting: ssl_protocols TLSv1.2 TLSv1.3; then save and close the file
  • Restart or reload the Nginx server.
  • Test it.

A note about enabling only TLS 1.2 or 1.3 in the Nginx web server

I tested the server configuration with the following components:

  • Nginx version 1.14.2
  • OpenSSL version 1.1.0

Therefore, this configuration option only works with the following clients:

  • Firefox 27+
  • Android 4.4.2+
  • Chrome 31+
  • Edge, and IE 11 on Windows 7 or later
  • Java 8u31
  • OpenSSL 1.0.1
  • Opera 20+
  • Safari 9+

In other words, old clients such as Windows XP, or older versions of Android/Java, will not work.

A note about TLS 1.3

TLS 1.3 is only supported by Firefox 63+, Android 10.0+, Chrome 70+, Edge 75, Java 11, OpenSSL 1.1.1, Opera 57 and Safari 12.1.
Therefore, I recommend enabling both 1.2 and 1.3 support in Nginx.

How to check the Nginx version

Type:

$ nginx -V
$ nginx -v
nginx version: nginx/1.16.1

How to check the OpenSSL version

Run:

$ openssl version
OpenSSL 1.1.1d  10 Sep 2019

How to enable only TLS 1.2 in the Nginx web server

Edit nginx.conf:

$ sudo vi /etc/nginx/nginx.conf

Or edit the virtual host file:

$ sudo vi /etc/nginx/vhosts.d/theitroad.local

Update/append the following:

Note that the TLSv1.1 and TLSv1.2 parameters (nginx 1.1.13, 1.0.12) only work when OpenSSL 1.0.1 or higher is used.

The TLSv1.3 parameter (nginx 1.13.0) only works when OpenSSL 1.1.1 built with TLSv1.3 support is used.

server {
    listen 443 ssl http2;
    server_name www.theitroad.local theitroad.local;
 
    # Path to certs: the server certificate (with any intermediates), not the CSR
    ssl_certificate /etc/nginx/ssl/theitroad.local.crt;
    ssl_certificate_key /etc/nginx/ssl/theitroad.local.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MySSL:10m;
    ssl_session_tickets off;
    ssl_dhparam /etc/nginx/ssl/theitroad.local.dhparam.pem;
 
 
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
 
    # HSTS 
    add_header Strict-Transport-Security "max-age=63072000" always;
 
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
 
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/nginx/ssl/fullchain.pem;
 
    # replace with the IP address of your resolver
    resolver 1.1.1.1;
 
    ## rest of config ##
}

Save and close the file.

How to enable TLS 1.3 in Nginx

For both TLS 1.2 and 1.3, use the following in the nginx configuration file:

ssl_protocols TLSv1.2 TLSv1.3;

To enable only TLS version 1.3 in nginx:

ssl_protocols TLSv1.3;

Here is a sample configuration for TLS 1.3 only:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.theitroad.local;
 
    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SharedtheitroadSSL:10m; 
    ssl_session_tickets off;
 
    # TLS 1.3 only
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;
 
    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
 
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
 
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/nginx/ssl/fullchain.pem;
 
    # replace with the IP address of your resolver
    resolver 8.8.8.8;
}
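Both sample server blocks above set the protocol list by hand, and a single vhost file that still says ssl_protocols TLSv1 TLSv1.1 TLSv1.2 (or has no directive at all, so nginx's compiled-in default applies) silently undoes the policy. The following POSIX shell script is an added example, not part of the original article and not an nginx tool: it audits configuration files for ssl_protocols directives that still permit SSLv3, TLSv1 or TLSv1.1, and warns about files with no directive. The three sample configuration files it writes to a temporary directory are constructed for the demonstration.

```sh
#!/bin/sh
# Audit nginx config files for ssl_protocols directives that still allow
# legacy protocol versions. Added example, not part of the original article.
# Assumes POSIX sh with grep, sed and tr; no nginx binary is needed.

# legacy_protocols CONFIG_FILE
# Print every protocol token found in the file's ssl_protocols directives
# that is not TLSv1.2 or TLSv1.3 (for example SSLv3, TLSv1, TLSv1.1), one
# per line. Comments are stripped first so commented-out directives are
# ignored. Always returns 0; an empty output means nothing legacy was found.
legacy_protocols() {
    sed 's/#.*//' "$1" \
      | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' \
      | sed 's/^[[:space:]]*ssl_protocols[[:space:]]\{1,\}//; s/;.*$//' \
      | tr -s '[:space:]' '\n' \
      | grep -v '^$' \
      | grep -vE '^TLSv1\.[23]$'
    return 0
}

# has_ssl_protocols CONFIG_FILE
# Succeed when the file sets ssl_protocols explicitly (outside comments).
has_ssl_protocols() {
    sed 's/#.*//' "$1" | grep -qE '^[[:space:]]*ssl_protocols[[:space:]]'
}

# audit_ssl_protocols CONFIG_FILE
# Exit status: 0 = only TLSv1.2/TLSv1.3 enabled, 1 = a legacy version is
# enabled, 2 = no directive, so the nginx default for that release applies
# (older releases default to TLSv1 TLSv1.1 TLSv1.2).
audit_ssl_protocols() {
    bad=$(legacy_protocols "$1" | tr '\n' ' ')
    if [ -n "$bad" ]; then
        printf '%s: FAIL legacy protocol(s) enabled: %s\n' "$1" "$bad"
        return 1
    fi
    if ! has_ssl_protocols "$1"; then
        printf '%s: WARN no ssl_protocols directive, nginx default applies\n' "$1"
        return 2
    fi
    printf '%s: OK TLSv1.2/TLSv1.3 only\n' "$1"
    return 0
}

# Constructed sample configuration files for the demonstration.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # still accepts TLS 1.0 and 1.1
}
EOF
cat > "$SAMPLE_DIR/good.conf" <<'EOF'
server {
    listen 443 ssl http2;
    # ssl_protocols SSLv3 TLSv1;   commented out, must be ignored
    ssl_protocols TLSv1.2 TLSv1.3;
}
EOF
cat > "$SAMPLE_DIR/missing.conf" <<'EOF'
server {
    listen 443 ssl;
}
EOF

# Usage: ./audit-tls.sh /etc/nginx/nginx.conf /etc/nginx/vhosts.d/*
# Exit status is 1 if any given file fails the audit.
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do
        audit_ssl_protocols "$f" || rc=1
    done
    exit "$rc"
fi
# Without arguments, demonstrate on the constructed samples.
for f in "$SAMPLE_DIR"/*.conf; do
    audit_ssl_protocols "$f" || :
done
```

Run it against nginx.conf plus every included vhost file, because ssl_protocols may be set at http, server or even a later server level and the most permissive block is the one a legacy client will land on. Pair it with nginx -t, which checks syntax but says nothing about which protocol versions the syntax enables.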

Reload or restart Nginx

The server is now configured.
Next, test the Nginx server configuration for syntax errors:

$ nginx -t

Sample output:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Reload or restart the nginx server:

$ sudo systemctl restart nginx
## OR ##
$ sudo service nginx restart

Testing Nginx TLS 1.2 support

Run the curl command as follows (replace the www.theitroad.local domain with your actual domain name):

$ curl -I -v --tlsv1.2 --tls-max 1.2 https://www.theitroad.local/

Testing Nginx TLS 1.3 support

$ curl -I -v --tlsv1.3 --tls-max 1.3 https://www.theitroad.local/
*   Trying 104.20.187.5:443...
* TCP_NODELAY set
* Connected to www.theitroad.local (104.20.187.5) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=theitroad.local
*  start date: Nov 28 00:00:00 2019 GMT
*  expire date: Oct  9 12:00:00 2020 GMT
*  subjectAltName: host "www.theitroad.local" matched cert's "*.theitroad.local"
*  issuer: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=CloudFlare Inc ECC CA-2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x558d280211d0)
> HEAD / HTTP/2
> Host: www.theitroad.local
> User-Agent: curl/7.65.3
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200 
HTTP/2 200 
< date: Sun, 01 Dec 2019 19:51:39 GMT
date: Sun, 01 Dec 2019 19:51:39 GMT
< content-type: text/html; charset=UTF-8
content-type: text/html; charset=UTF-8
< set-cookie: __cfduid=d0754cfef8441ee725af158ad808a62211575229899; expires=Tue, 31-Dec-19 19:51:39 GMT; path=/; domain=.theitroad.local; HttpOnly; Secure
set-cookie: __cfduid=d0754cfef8441ee725af158ad808a62211575229899; expires=Tue, 31-Dec-19 19:51:39 GMT; path=/; domain=.theitroad.local; HttpOnly; Secure
< strict-transport-security: max-age=15552000
strict-transport-security: max-age=15552000
< x-whome: l-cbz04
x-whome: l-cbz04
< cf-cache-status: HIT
cf-cache-status: HIT
< age: 126265
age: 126265
< x-content-type-options: nosniff
x-content-type-options: nosniff
< alt-svc: h3-23=":443"; ma=86400
alt-svc: h3-23=":443"; ma=86400
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
server: cloudflare
< cf-ray: 53e798d6081edc89-MAA
cf-ray: 53e798d6081edc89-MAA
 
< 
* Connection #0 to host www.theitroad.local left intact

Testing Nginx TLS 1.1/1.0 support (this must fail)

In this final example, check whether Nginx still accepts TLS 1.0/1.1:

$ curl -I -v --tlsv1 --tls-max 1.0 https://www.theitroad.local/
$ curl -I -v --tlsv1.1 --tls-max 1.1 https://www.theitroad.local/
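The four curl checks above can be folded into one repeatable script. The following POSIX shell script is an added example (not from the original article) that pins curl to each TLS version in turn, reads the negotiated protocol from curl's verbose output, and judges the result against the policy of this article: 1.0 and 1.1 must be refused, 1.2 and 1.3 accepted. It assumes a curl that supports the --tlsv1.x and --tls-max options shown above; the two abridged transcripts embedded at the bottom are constructed, not captured from a real server, so that the parsing logic can be exercised without a network connection.

```sh
#!/bin/sh
# Probe which TLS versions a server accepts and compare with the policy
# from the article (1.0/1.1 refused, 1.2/1.3 accepted).
# Added example, not part of the original article. Assumes POSIX sh and a
# curl that supports --tlsv1.0 ... --tlsv1.3 and --tls-max.

# negotiated_protocol < curl-verbose-output
# Print the protocol from curl's "* SSL connection using <proto> / <cipher>"
# line, or "none" when the handshake never completed (version refused).
negotiated_protocol() {
    proto=$(sed -n 's/^\* SSL connection using \([^ ]*\) \/.*/\1/p' | head -n 1)
    if [ -n "$proto" ]; then echo "$proto"; else echo none; fi
}

# probe_tls_version HOST VERSION     (VERSION: 1.0, 1.1, 1.2 or 1.3)
# Pin curl to exactly one protocol version and report what was negotiated.
# curl's own exit status is deliberately ignored: a refused handshake is a
# result, not an error, for this check.
probe_tls_version() {
    curl -v -sS -I -o /dev/null --max-time 10 \
         --tlsv"$2" --tls-max "$2" "https://$1/" 2>&1 \
      | negotiated_protocol
}

# verdict VERSION NEGOTIATED
# Apply the article's policy. Returns 0 on PASS, 1 on FAIL.
verdict() {
    case "$1:$2" in
        1.0:none|1.1:none)       echo "PASS: TLS $1 refused" ;;
        1.2:TLSv1.2|1.3:TLSv1.3) echo "PASS: TLS $1 accepted" ;;
        *)                       echo "FAIL: TLS $1 -> negotiated $2"; return 1 ;;
    esac
}

# check_server HOST
# Probe all four versions; exit status 1 if any verdict fails.
check_server() {
    rc=0
    for v in 1.0 1.1 1.2 1.3; do
        got=$(probe_tls_version "$1" "$v")
        verdict "$v" "$got" || rc=1
    done
    return "$rc"
}

# Constructed sample transcripts (abridged curl -v output) used to exercise
# the parser offline; they are not captured from a real server.
SAMPLE_ACCEPTED='* TLSv1.3 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2'
SAMPLE_REFUSED='* TLSv1.0 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS alert, protocol version (582):
curl: (35) error: tlsv1 alert protocol version'

# Usage: ./tls-probe.sh www.theitroad.local
if [ "$#" -gt 0 ]; then
    check_server "$1"
    exit "$?"
fi
# Without a host argument, demonstrate the parsing on the constructed samples.
verdict 1.3 "$(printf '%s\n' "$SAMPLE_ACCEPTED" | negotiated_protocol)"
verdict 1.0 "$(printf '%s\n' "$SAMPLE_REFUSED" | negotiated_protocol)"
```

A FAIL for 1.0 or 1.1 after you have edited the config almost always means another server block (or the default server for that listen port) still carries a wider ssl_protocols list, or nginx was not reloaded; a FAIL for 1.3 usually means the OpenSSL nginx was built against predates 1.1.1.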

Understanding the curl command options

  • -I: show only the document header information
  • -v: verbose output
  • --tlsv1, --tlsv1.0, --tlsv1.1, --tlsv1.2, --tlsv1.3: use the given TLS version
  • --tls-max VERSION: set the maximum TLS version allowed