How to configure Nginx to use only TLS 1.2/1.3
Date: 2020-01-09 10:37:46 Source: igfitidea
How do I enable and configure only TLS 1.2 and 1.3 in the Nginx web server?
TLS is an acronym for Transport Layer Security.
It is a cryptographic protocol designed to provide communications security over a network.
Websites and other applications such as IM (instant messaging), email, web browsers and VoIP use TLS to secure all communication between server and client.
This tutorial explains how to enable and configure Nginx so that it uses only TLS versions 1.2 and 1.3.
How to configure and enable Nginx to use TLS 1.2 and 1.3
- Open the terminal application
- Log in to the Nginx server using the ssh command
- Edit nginx.conf or the virtual domain configuration file
- Set the TLS version by editing: ssl_protocols TLSv1.2;
- For TLS version 1.3, add: ssl_protocols TLSv1.3;
- To combine them and allow only TLS 1.2 and 1.3 in Nginx, set: ssl_protocols TLSv1.2 TLSv1.3;
- Save and close the file
- Restart or reload the Nginx server
- Test it
Notes on our TLS 1.2/1.3-only setup for the Nginx web server
I tested the server configuration with the following components:
- Nginx version 1.14.2
- OpenSSL version 1.1.0
Therefore, this configuration option only works with the following clients:
- Firefox 27+
- Android 4.4.2+
- Chrome 31+
- Edge, and IE 11 on Windows 7 or later
- Java 8u31
- OpenSSL 1.0.1
- Opera 20+
- Safari 9+
In other words, older clients such as Windows XP, or older versions of Android/Java, will not work.
A note on TLS 1.3
TLS 1.3 is only supported by Firefox 63+, Android 10.0+, Chrome 70+, Edge 75, Java 11, OpenSSL 1.1.1, Opera 57 and Safari 12.1.
Therefore, I recommend enabling both 1.2 and 1.3 support in Nginx.
How to check the Nginx version
Type:
$ nginx -V
$ nginx -v
nginx version: nginx/1.16.1
How to check the OpenSSL version
Run:
$ openssl version
OpenSSL 1.1.1d 10 Sep 2019
How to enable only TLS 1.2 in the Nginx web server
Edit nginx.conf:
$ sudo vi /etc/nginx/nginx.conf
Or edit the virtual host:
$ sudo vi /etc/nginx/vhosts.d/theitroad.local
Update/append as follows:
Note that the TLSv1.1 and TLSv1.2 parameters (1.1.13, 1.0.12) work only when OpenSSL 1.0.1 or higher is used.
The TLSv1.3 parameter (1.13.0) works only when OpenSSL 1.1.1 built with TLSv1.3 support is used.
server {
    listen 443 ssl http2;
    server_name www.theitroad.local theitroad.local;
    # Path to certs (ssl_certificate expects the PEM certificate or chain, not a CSR)
    ssl_certificate /etc/nginx/ssl/theitroad.local.crt;
    ssl_certificate_key /etc/nginx/ssl/theitroad.local.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MySSL:10m;
    ssl_session_tickets off;
    ssl_dhparam /etc/nginx/ssl/theitroad.local.dhparam.pem;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    # HSTS
    add_header Strict-Transport-Security "max-age=63072000" always;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/nginx/ssl/fullchain.pem;
    # replace with the IP address of your resolver
    resolver 1.1.1.1;
    ## rest of config ##
}
Save and close the file.
How to enable TLS 1.3 in Nginx
For both TLS 1.2 and 1.3, use the following in the nginx configuration file:
ssl_protocols TLSv1.2 TLSv1.3;
To enable only TLS version 1.3 in nginx:
ssl_protocols TLSv1.3;
Here is a sample configuration for TLS 1.3 only:
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.theitroad.local;
    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SharedtheitroadSSL:10m;
    ssl_session_tickets off;
    # TLS 1.3 only
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;
    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/nginx/ssl/fullchain.pem;
    # replace with the IP address of your resolver
    resolver 8.8.8.8;
}
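As an added check for both configurations above (this script is not part of the original tutorial), the following Python code walks an nginx configuration and reports, for every server block that listens with ssl, which protocol versions it effectively offers, including servers that never set ssl_protocols and therefore fall back to nginx's default. It assumes the default protocol list named in the code and a config with no ';' inside quoted arguments; the sample config is constructed for the demo.

```python
import re

# Versions this page tells you to allow; anything else in ssl_protocols is a finding.
ALLOWED = {"TLSv1.2", "TLSv1.3"}
# Assumption: the compiled-in default nginx uses when ssl_protocols is absent
# (nginx before 1.23.4 defaults to "TLSv1 TLSv1.1 TLSv1.2"; newer builds also add TLSv1.3).
NGINX_DEFAULT = "TLSv1 TLSv1.1 TLSv1.2"
# One match per token: a block opener ("server {"), a block closer ("}") or a directive ("x y;").
_TOKEN = re.compile(r"(?P<open>[^{};]*)\{|(?P<close>\})|(?P<directive>[^{};\s][^{};]*);")

def audit_ssl_protocols(config_text):
    """Return [(server_name, effective ssl_protocols, disallowed versions)] for every server
    block with an 'ssl' listen socket. ssl_protocols from the enclosing http block is inherited
    when it appears before the server; comments are stripped; ';' inside quotes is not handled."""
    text = re.sub(r"#[^\n]*", "", config_text)
    # Each stack entry is one open block; the root entry stands for nginx's main context.
    stack = [{"name": "main", "protocols": None, "ssl": False, "server_name": "?"}]
    findings = []
    for m in _TOKEN.finditer(text):
        if m.group("open") is not None:
            words = m.group("open").split()
            stack.append({"name": words[0] if words else "", "ssl": False, "server_name": "?",
                          "protocols": stack[-1]["protocols"]})  # inherit from the parent context
        elif m.group("close"):
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in nginx config")
            block = stack.pop()
            if block["name"] == "server" and block["ssl"]:
                protos = NGINX_DEFAULT if block["protocols"] is None else block["protocols"]
                findings.append((block["server_name"], protos, sorted(set(protos.split()) - ALLOWED)))
        else:
            words = m.group("directive").split()
            name, args, cur = words[0], words[1:], stack[-1]
            if name == "listen" and "ssl" in args:
                cur["ssl"] = True
            elif name == "server_name" and args:
                cur["server_name"] = args[0]
            elif name == "ssl_protocols":
                cur["protocols"] = " ".join(args)
    return findings

# Constructed sample (not from the page): one server hardened as above, one left at the default.
SAMPLE_CONFIG = """http {
    server { listen 443 ssl http2; server_name www.theitroad.local; ssl_protocols TLSv1.2 TLSv1.3; }
    server { listen 443 ssl; server_name legacy.theitroad.local; }  # no ssl_protocols directive
}"""

if __name__ == "__main__":
    for name, protos, bad in audit_ssl_protocols(SAMPLE_CONFIG):
        print(name, repr(protos), "OK" if not bad else "still offers " + ", ".join(bad))
```

Point it at your real nginx.conf (after resolving include files) and any server listed with a non-empty third column still accepts a version this page tells you to retire.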
Reload or restart Nginx
The server is now configured.
Now test the Nginx configuration for syntax errors:
$ nginx -t
Sample output:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Reload or restart the nginx server:
$ sudo systemctl restart nginx
## OR ##
$ sudo service nginx restart
Testing Nginx TLS 1.2 support
Run the curl command as follows (replace the www.theitroad.local domain with your actual domain name):
$ curl -I -v --tlsv1.2 --tls-max 1.2 https://www.theitroad.local/
Testing Nginx TLS 1.3 support
$ curl -I -v --tlsv1.3 --tls-max 1.3 https://www.theitroad.local/
*   Trying 104.20.187.5:443...
* TCP_NODELAY set
* Connected to www.theitroad.local (104.20.187.5) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=theitroad.local
*  start date: Nov 28 00:00:00 2019 GMT
*  expire date: Oct 9 12:00:00 2020 GMT
*  subjectAltName: host "www.theitroad.local" matched cert's "*.theitroad.local"
*  issuer: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=CloudFlare Inc ECC CA-2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x558d280211d0)
> HEAD / HTTP/2
> Host: www.theitroad.local
> User-Agent: curl/7.65.3
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200
< date: Sun, 01 Dec 2019 19:51:39 GMT
< content-type: text/html; charset=UTF-8
< set-cookie: __cfduid=d0754cfef8441ee725af158ad808a62211575229899; expires=Tue, 31-Dec-19 19:51:39 GMT; path=/; domain=.theitroad.local; HttpOnly; Secure
< strict-transport-security: max-age=15552000
< x-whome: l-cbz04
< cf-cache-status: HIT
< age: 126265
< x-content-type-options: nosniff
< alt-svc: h3-23=":443"; ma=86400
< expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: cloudflare
< cf-ray: 53e798d6081edc89-MAA
<
* Connection #0 to host www.theitroad.local left intact
The line "SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384" confirms the negotiated version. Note that in this sample output the certificate issuer and the server header belong to Cloudflare, so the handshake shown is with the CDN edge rather than the Nginx host itself; when Nginx sits behind a proxy or CDN, run the test against the origin host directly to verify its ssl_protocols setting.
Testing Nginx TLS 1.1/1.0 support (must fail)
In this final example, check that connecting to Nginx with TLS 1.0/1.1 fails:
$ curl -I -v --tlsv1 --tls-max 1.0 https://www.theitroad.local/
$ curl -I -v --tlsv1.1 --tls-max 1.1 https://www.theitroad.local/
Understanding the curl command options
- -I: show the document header information only
- -v: verbose output
- --tlsv1, --tlsv1.0, --tlsv1.1, --tlsv1.2, --tlsv1.3: use the given TLS version
- --tls-max VERSION: set the maximum TLS version allowed