nginx: security-hardened configuration for an HTTPS site

The SSL parameter settings are as follows:

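```nginx
ssl on;                              # obsolete since nginx 1.15.0; newer versions use "listen 443 ssl;"
ssl_certificate ssl.crt;             # certificate for the domain
ssl_certificate_key ssl.key;         # matching private key
# HSTS: tell browsers to use HTTPS only, for one year, subdomains included
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # TLSv1 and TLSv1.1 are deprecated by RFC 8996
ssl_stapling on;                     # OCSP stapling
resolver 114.114.114.114;            # DNS resolver used to reach the OCSP responder
ssl_prefer_server_ciphers on;        # the server's cipher order wins over the client's
ssl_stapling_verify on;              # verify the OCSP response before stapling it
ssl_dhparam dh2048.pem;              # 2048-bit DH parameters
ssl_session_cache shared:SSL:10m;    # 10 MB session cache shared between workers
ssl_session_timeout 10m;
# The list still names RC4 suites such as ECDHE-ECDSA-RC4-SHA; RFC 7465 prohibits RC4 in TLS
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:!RC4-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;
```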

Here ssl.key and ssl.crt are the SSL certificate files for the domain. dh2048.pem is generated on Linux with the command
`openssl dhparam -out dh2048.pem 2048`

With this configuration, testing the HTTPS site at https://www.ssllabs.com/ssltest/analyze.html gives a score of A+.
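A local check to run before an external scan, added here as an example and not part of the original post: it parses the TLS directives of an nginx config and reports deprecated protocols, cipher tokens that enable weak suites, stapling without a resolver, and a missing or short HSTS header. The function names, the `MIN_HSTS_AGE` threshold and the shortened sample config are assumptions of this example.

```python
import re

# Constructed sample: the post's directives, with the cipher list shortened.
SAMPLE = '''
ssl on;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_stapling on;
resolver 114.114.114.114;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:HIGH:!aNULL:!3DES:!MD5;
'''

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: RFC 8996
WEAK_CIPHER_MARKS = ("RC4", "DES", "MD5", "NULL", "EXP")
MIN_HSTS_AGE = 15552000  # 180 days; threshold assumed for this example

def parse_directives(text):
    """Map directive name -> list of argument strings (simple one-line directives)."""
    text = re.sub(r"#.*", "", text)  # drop comments
    found = {}
    # Quoted arguments may contain ';', so skip over "..." as a unit.
    for m in re.finditer(r'^\s*([a-z_]+)\s+((?:"[^"]*"|[^;"])*);', text, re.M):
        found.setdefault(m.group(1), []).append(m.group(2).strip())
    return found

def audit(text):
    """Return a list of findings for the TLS directives in an nginx config."""
    d = parse_directives(text)
    findings = []
    if "on" in d.get("ssl", []):
        findings.append("ssl on: obsolete since nginx 1.15.0, use 'listen 443 ssl;'")
    for proto in " ".join(d.get("ssl_protocols", [])).split():
        if proto in WEAK_PROTOCOLS:
            findings.append(f"ssl_protocols: {proto} is deprecated")
    for tok in ":".join(d.get("ssl_ciphers", [])).split(":"):
        # '!' and '-' prefixes remove suites; only flag tokens that add them.
        if tok and tok[0] not in "!-" and any(w in tok.upper() for w in WEAK_CIPHER_MARKS):
            findings.append(f"ssl_ciphers: {tok} enables a weak suite")
    if "on" in d.get("ssl_stapling", []) and "resolver" not in d:
        findings.append("ssl_stapling: on, but no resolver is configured")
    hsts = [a for a in d.get("add_header", []) if a.lower().startswith("strict-transport-security")]
    age = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if not age or int(age.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS: header missing or max-age too short")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The parser only handles one-line directives, so `include` files and nested blocks are not followed.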