Nginx最佳实践
ssl_reject_handshake 指令
作为绑定在 IP 或未配置域名的默认 server，在通过 IP 直接访问或使用不正确的域名访问时拒绝 TLS 握手，避免泄露其他站点的证书
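# Catch-all server for connections that arrive by bare IP or with an
# unknown SNI/Host name: refuse the TLS handshake instead of answering
# with some other virtual host's certificate (which would leak it).
# ssl_reject_handshake needs nginx 1.19.4+; because the handshake is
# rejected, this block needs no ssl_certificate of its own.
server {
    # "default" is the deprecated spelling of default_server; the [::]
    # listener makes the catch-all cover IPv6 as well, otherwise an IPv6
    # client would fall through to the first configured server block
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}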
HTTPS 最佳配置
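# Per-site HTTPS server: TLS 1.2/1.3 only, AEAD cipher suites with
# forward secrecy, resumption via the shared session cache only.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.abc.com;
    ssl_certificate /abc.crt;
    ssl_certificate_key /abc.key;
    # only TLS 1.2 and TLS 1.3
    ssl_protocols TLSv1.2 TLSv1.3;
    # accepted TLS 1.2 cipher suites (TLS 1.3 suites are fixed by the
    # library and are not selected by this directive)
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    # prefer the server's cipher order over the client's
    ssl_prefer_server_ciphers on;
    # how long a cached session stays resumable
    ssl_session_timeout 10m;
    # shared cache only: the builtin cache is per worker (not shared
    # between worker processes) and the nginx docs note it can cause
    # memory fragmentation, so a shared-only cache is recommended
    ssl_session_cache shared:SSL:10m;
    # disable stateless session tickets: without an explicit
    # ssl_session_ticket_key nginx keeps one random key until restart,
    # so long-lived tickets undermine forward secrecy; the shared cache
    # above still provides resumption
    ssl_session_tickets off;
    # HSTS: instruct browsers to reach this host over HTTPS only for
    # two years; "always" also sends it on error responses
    add_header Strict-Transport-Security "max-age=63072000" always;
}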