A detailed look at Nginx's SSL/TLS protocol support and secure encryption methods
Nginx is a popular web server and reverse proxy. Besides high-performance HTTP service, it supports the SSL/TLS protocol for secure, encrypted communication. This article examines Nginx's SSL/TLS support and its secure encryption methods in detail, with configuration examples that demonstrate how to use them.
1. Introduction to SSL/TLS
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that protect the confidentiality and integrity of data sent over a network. SSL was originally developed by Netscape and was later superseded by TLS, which became the standard.
SSL/TLS works between the network layer and the transport layer and provides an end-to-end secure communication mechanism. It combines public-key encryption with symmetric-key encryption to encrypt and decrypt data, and it uses digital certificates to verify the identities of the communicating parties.
2. SSL/TLS support in Nginx
Nginx supports SSL/TLS through the OpenSSL library. In the configuration file you only need to specify the paths to the SSL certificate and the private key; Nginx then enables SSL/TLS and encrypts the data it transmits.
The following simple Nginx configuration example shows how to enable SSL/TLS:
server {
    listen 443 ssl;                                  # listen on 443 with TLS enabled
    server_name example.com;
    ssl_certificate /path/to/certificate.crt;        # certificate (with its chain), PEM format
    ssl_certificate_key /path/to/private.key;        # matching private key, PEM format
    location / {
        # other configuration directives
    }
}
In this configuration example, the listen directive sets the server's listening port to 443, and the ssl parameter enables SSL/TLS. The ssl_certificate and ssl_certificate_key directives specify the paths to the SSL certificate and the private key respectively.
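As an added example (not part of the original article), the same server block is shown below in the form it usually takes in production: a plain-HTTP listener that redirects to HTTPS, and an ssl_protocols directive that limits negotiation to TLS 1.2 and 1.3 so that SSLv3, TLS 1.0 and TLS 1.1 are refused. The hostname, the certificate and key paths and the document root are placeholders.

```nginx
# Plain-HTTP listener: every request is redirected to the TLS listener.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

# TLS listener.
server {
    listen 443 ssl;
    server_name example.com;

    # Certificate chain (leaf first, then intermediates) and the matching private key.
    # Paths are placeholders.
    ssl_certificate     /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;

    # Only TLS 1.2 and TLS 1.3 may be negotiated.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        root  /var/www/example;   # placeholder document root
        index index.html;
    }
}
```

Run nginx -t after editing to check the syntax and that the certificate and key files load and match, then reload. The master process reads the private key as root at startup, so the key file does not need to be readable by the worker user; keeping it mode 0600 and owned by root limits exposure if a worker process is compromised.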
3. SSL/TLS encryption methods
SSL/TLS supports several encryption methods; the commonly used ones are symmetric encryption and asymmetric encryption. The following sections describe the characteristics and usage of each.
3.1 Symmetric encryption
Symmetric encryption uses the same key for both encryption and decryption. Its advantage is speed, but the secrecy of the key must be guaranteed.
Nginx supports several symmetric encryption algorithms, such as AES (Advanced Encryption Standard) and DES (Data Encryption Standard). The ssl_ciphers directive in the configuration file sets the symmetric encryption algorithm and key length to use.
The following configuration example sets the symmetric encryption algorithm to AES with a 128-bit key:
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;
    ssl_ciphers AES128-SHA;        # single suite: AES-128-CBC with SHA-1 MAC and RSA key exchange
    location / {
        # other configuration directives
    }
}
3.2 Asymmetric encryption
Asymmetric encryption uses a key pair consisting of a public key and a private key. The public key encrypts data and the private key decrypts it. Compared with symmetric encryption, asymmetric algorithms are more secure but slower.
Common asymmetric algorithms are RSA and ECC (Elliptic Curve Cryptography). Nginx supports asymmetric encryption by loading the SSL certificate and private key through the ssl_certificate and ssl_certificate_key directives.
The following configuration example sets the asymmetric encryption algorithm to RSA:
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;
    ssl_ciphers RSA;               # OpenSSL cipher-list keyword: suites that use RSA key exchange
    location / {
        # other configuration directives
    }
}
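The two ssl_ciphers examples in sections 3.1 and 3.2 both select suites that use static RSA key exchange, which has no forward secrecy: anyone who later obtains the server's private key can decrypt recorded traffic. Added here as an example that is not from the original article, the block below places those two settings beside a hardened cipher configuration. It assumes OpenSSL 1.1.0 or later (for X25519 and ChaCha20-Poly1305); the hostname and paths are placeholders. Note that ssl_ciphers only governs TLS 1.2 and earlier; TLS 1.3 suites are fixed AEAD suites chosen by OpenSSL, and the certificate and key that were loaded, not the cipher list, decide whether the server authenticates with RSA or ECDSA.

```nginx
# Weak settings, as in the article's examples (kept here as comments for comparison):
#   ssl_ciphers AES128-SHA;   # TLS_RSA_WITH_AES_128_CBC_SHA: RSA key exchange, CBC, SHA-1 MAC
#   ssl_ciphers RSA;          # every suite with RSA key exchange, none of them forward secret

# Hardened server block.
server {
    listen 443 ssl;
    server_name example.com;

    # Placeholder paths; the key type (RSA or ECDSA) follows from these files.
    ssl_certificate     /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;

    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 suites: ephemeral ECDHE key exchange (forward secrecy) with AEAD ciphers only.
    # Both ECDSA and RSA authentication variants are listed so the same list works
    # with either certificate type.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;

    # Every suite above is acceptable, so the client's order may be honoured
    # (for example ChaCha20 on devices without AES hardware acceleration).
    ssl_prefer_server_ciphers off;

    # Curves offered for the ECDHE exchange.
    ssl_ecdh_curve X25519:prime256v1:secp384r1;

    location / {
        # other configuration directives
    }
}
```

The cipher names are OpenSSL names, so "openssl ciphers -v 'ECDHE-ECDSA-AES256-GCM-SHA384:...'" on the server prints exactly which suites the string expands to with the installed library; an empty result means a typo or an OpenSSL build that lacks one of the suites, and nginx will refuse to start with "no valid ciphers".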
4. SSL/TLS session caching in Nginx
To improve SSL/TLS performance, Nginx provides an SSL session cache. The session cache stores the temporary session information produced during the SSL/TLS handshake so that subsequent connections can be resumed more quickly.
The ssl_session_cache directive sets the storage type and size of the SSL session cache.
The following configuration example enables an in-memory SSL session cache with a size of 10M:
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;
    ssl_session_cache shared:SSL:10m;     # cache named "SSL", 10 MB, shared by all worker processes
    location / {
        # other configuration directives
    }
}
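A session cache is only half of session resumption: the lifetime of cached sessions and the session-ticket mechanism decide how long a recorded handshake secret stays usable. The block below, added as an example that is not from the original article, extends the article's ssl_session_cache setting with the two related directives; hostname and paths are placeholders.

```nginx
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /path/to/certificate.crt;   # placeholder
    ssl_certificate_key /path/to/private.key;       # placeholder

    # Server-side cache shared by all worker processes. Per the nginx documentation
    # one megabyte holds about 4000 sessions, so 10m is roughly 40000 sessions.
    ssl_session_cache shared:SSL:10m;

    # How long a session may be resumed; entries older than this are dropped.
    # The default is 5m; longer values trade more resumptions for longer-lived
    # resumption secrets.
    ssl_session_timeout 1h;

    # Session tickets let the client store the session state encrypted with a
    # server key. Without ssl_session_ticket_key, nginx generates that key at
    # startup and keeps it until reload, so every session issued in that time is
    # recoverable from one key. Disabling tickets binds resumption to the
    # server-side cache and its timeout above.
    ssl_session_tickets off;

    location / {
        # other configuration directives
    }
}
```

With several nginx instances behind a load balancer the shared cache is per host, so a client that lands on a different host performs a full handshake; tickets with a shared, regularly rotated key file (ssl_session_ticket_key) are the usual answer there, and the rotation interval then plays the role that ssl_session_timeout plays for the cache.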
5. Summary
This article has examined Nginx's SSL/TLS support and secure encryption methods in detail. Through configuration examples it showed how Nginx enables SSL/TLS and how symmetric and asymmetric encryption are used. It also described Nginx's SSL session cache mechanism, which improves SSL/TLS performance.
By making full use of Nginx's SSL/TLS support and secure encryption methods, we can provide users with more secure and reliable network services.