ngx_http_ssl_module module: basic directives summary (1)

Original article; when reposting, please indicate the source and keep the original URL.

This article gives a brief introduction to nginx's ngx_http_ssl_module module and covers the following directives: ssl, ssl_certificate, ssl_certificate_key, ssl_ciphers, ssl_client_certificate, ssl_crl, ssl_dhparam, ssl_prefer_server_ciphers, ssl_protocols, ssl_session_cache.

The ngx_http_ssl_module module provides the necessary support for HTTPS.

This module is not built by default; it needs to be enabled with the --with-http_ssl_module configuration parameter.

This module requires the OpenSSL library.

Example configuration:

To reduce the server load, the following is recommended:

set the number of worker processes equal to the number of processors (more precisely, the number of CPU cores),

enable keep-alive connections,

enable a shared session cache,

disable the built-in session cache,

and possibly increase the session lifetime (by default, 5 minutes).

Set the following options:

worker_processes auto;

http {
    ...
    server {
        listen              443 ssl;
        keepalive_timeout   70;
        ssl_protocols       SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
        ssl_certificate     /usr/local/nginx/conf/cert.pem;
        ssl_certificate_key /usr/local/nginx/conf/cert.key;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;
        ...
    }
}

Original nginx documentation:

The ngx_http_ssl_module module provides the necessary support for HTTPS.

This module is not built by default, it should be enabled with the --with-http_ssl_module configuration parameter.

This module requires the OpenSSL library.

Example Configuration

To reduce the processor load it is recommended to

set the number of worker processes equal to the number of processors,

enable keep-alive connections,

enable shared session cache,

disable built-in session cache,

and possibly increase the session lifetime (by default, 5 minutes):

worker_processes auto;

http {
    ...
    server {
        listen              443 ssl;
        keepalive_timeout   70;
        ssl_protocols       SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
        ssl_certificate     /usr/local/nginx/conf/cert.pem;
        ssl_certificate_key /usr/local/nginx/conf/cert.key;
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;
        ...
    }
}
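The example above still allows SSLv3 and the RC4, 3DES and MD5 cipher suites, all of which have since been withdrawn from recommended use. The following is an added, hardened version of the same server block (not from this page or from the nginx documentation) that keeps the same session-cache advice; the server name, the dhparam path and the TLSv1.3 line are assumptions (TLSv1.3 requires nginx 1.13.0 or later built against OpenSSL 1.1.1 or later).

```nginx
worker_processes auto;

http {
    ...
    server {
        listen              443 ssl;            # HTTPS via the listen parameter, not "ssl on;"
        server_name         www.example.com;    # assumed name
        keepalive_timeout   70;

        # TLS 1.2 and 1.3 only: SSLv3, TLS 1.0 and TLS 1.1 are left out.
        # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it on older builds.
        ssl_protocols       TLSv1.2 TLSv1.3;

        # TLS 1.2 suites: forward secrecy (ECDHE/DHE) and AEAD only; no RC4, 3DES or MD5.
        # OpenSSL fixes the TLS 1.3 suites itself; this list does not affect them.
        ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers on;

        # Parameters for the DHE suites above (see ssl_dhparam); generate once with
        #   openssl dhparam -out /usr/local/nginx/conf/dhparam.pem 2048
        ssl_dhparam         /usr/local/nginx/conf/dhparam.pem;    # assumed path

        # One PEM file: primary certificate first, then the intermediates.
        ssl_certificate     /usr/local/nginx/conf/cert.pem;
        ssl_certificate_key /usr/local/nginx/conf/cert.key;

        # Shared cache for all workers, no built-in cache (see ssl_session_cache).
        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;
        ...
    }
}
```

Check the result with nginx -t and, on the wire, with openssl s_client -connect host:443 -ssl3 (the handshake must fail) and -tls1_2 (it must succeed).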

1. ssl

syntax: ssl on | off;
default: ssl off;
context: http, server

Enables the HTTPS protocol for the given virtual server.

It is recommended to use the ssl parameter of the listen directive instead of this directive.

Original nginx documentation:

Enables the HTTPS protocol for the given virtual server.

It is recommended to use the ssl parameter of the listen directive instead of this directive.

2. ssl_certificate

syntax: ssl_certificate file;
default: none
context: http, server

Specifies a file with a certificate in PEM format for the virtual server. If intermediate certificates are specified in addition to the primary certificate, they should be placed in the same file, with the primary certificate first, followed by the intermediate certificates. A PEM-format secret key may also be placed in the same file.

Note that because of HTTPS protocol limitations, virtual servers should listen on different IP addresses:

server {
    listen          192.168.1.1:443;
    server_name     one.example.com;
    ssl_certificate /usr/local/nginx/conf/one.example.com.cert;
    ...
}

server {
    listen          192.168.1.2:443;
    server_name     two.example.com;
    ssl_certificate /usr/local/nginx/conf/two.example.com.cert;
    ...
}

Otherwise the first server's certificate will be issued for the second site.

Original nginx documentation:

Specifies a file with a certificate in the PEM format for the given virtual server. If intermediate certificates should be specified in addition to a primary certificate, they should be specified in the same file in the following order: the primary certificate comes first, then the intermediate certificates. A secret key in the PEM format may be placed in the same file.

It should be kept in mind that due to the HTTPS protocol limitations virtual servers should listen on different IP addresses:

server {
    listen          192.168.1.1:443;
    server_name     one.example.com;
    ssl_certificate /usr/local/nginx/conf/one.example.com.cert;
    ...
}

server {
    listen          192.168.1.2:443;
    server_name     two.example.com;
    ssl_certificate /usr/local/nginx/conf/two.example.com.cert;
    ...
}

otherwise the first server’s certificate will be issued for the second site.

3. ssl_certificate_key

syntax: ssl_certificate_key file;
default: none
context: http, server

Specifies a file with a secret key in PEM format for the virtual server.

Original nginx documentation:

Specifies a file with a secret key in the PEM format for the given virtual server.

4. ssl_ciphers

syntax: ssl_ciphers ciphers;
default: ssl_ciphers HIGH:!aNULL:!MD5;
context: http, server

Specifies the enabled ciphers. The ciphers are written in the format understood by the OpenSSL library, for example:

ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

The full list can be obtained with the openssl ciphers command.

Original nginx documentation:

Specifies the enabled ciphers. The ciphers are specified in the format understood by the OpenSSL library, for example:

ssl_ciphers ALL:!aNULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

The full list can be viewed using the “openssl ciphers” command.

The previous versions of nginx used different ciphers by default.

5. ssl_client_certificate

syntax: ssl_client_certificate file;
default: none
context: http, server

Specifies a PEM-format file with trusted CA certificates, used to verify client certificates and, when ssl_stapling is enabled, OCSP responses.

The list of certificates will be sent to clients. If this is not desired, the ssl_trusted_certificate directive can be used instead.

Original nginx documentation:

Specifies a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP responses if ssl_stapling is enabled.

The list of certificates will be sent to clients. If this is not desired, the ssl_trusted_certificate directive can be used.

6. ssl_crl

syntax: ssl_crl file;
default: none
context: http, server

Specifies a PEM-format file with revoked certificates (CRL), used for client certificate verification.

Original nginx documentation:

Specifies a file with revoked certificates (CRL) in the PEM format, used for client certificate verification.
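On their own, ssl_client_certificate and ssl_crl load files but verify nothing; verification is switched on by ssl_verify_client, a directive this page does not list. The following added example (not from this page or from the nginx documentation) uses both directives to require a valid, unrevoked client certificate for one part of a site. The server name, CA and CRL paths and the backend address are assumptions; ssl_verify_client, ssl_verify_depth, $ssl_client_verify and $ssl_client_s_dn are standard nginx directives and variables.

```nginx
server {
    listen              443 ssl;
    server_name         api.example.com;                      # assumed name
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_certificate     /usr/local/nginx/conf/cert.pem;
    ssl_certificate_key /usr/local/nginx/conf/cert.key;

    # CA certificate(s) that issued the client certificates, PEM format.
    # The CA names in this file are sent to clients in the CertificateRequest;
    # ssl_trusted_certificate verifies without advertising them.
    ssl_client_certificate /usr/local/nginx/conf/client-ca.pem;      # assumed path

    # CRL in PEM format; a revoked client certificate fails the handshake.
    # nginx loads it at startup/reload, so reload nginx after refreshing the CRL.
    ssl_crl             /usr/local/nginx/conf/client-ca.crl.pem;     # assumed path

    # "optional": ask for a certificate, verify it if one is presented, and
    # record the result in $ssl_client_verify (SUCCESS, FAILED..., NONE).
    # "on" would instead reject every connection without a valid certificate.
    ssl_verify_client   optional;
    ssl_verify_depth    2;

    # Public part of the API: no client certificate needed.
    location / {
        proxy_pass http://127.0.0.1:8080;                     # assumed backend
    }

    # Privileged part: only a verified, unrevoked client certificate gets through.
    location /admin/ {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        # Hand the verified identity to the backend instead of trusting a
        # client-supplied header.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;
    }
}
```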

7. ssl_dhparam

syntax: ssl_dhparam file;
default: none
context: http, server

This directive appeared in version 0.7.2.

Specifies a file with DH parameters for EDH ciphers.

(RSA is an asymmetric encryption algorithm. First the server sends its RSA public key to the client; the client uses this key to encrypt a randomly generated value (this random value is the shared secret) and sends the result back to the server.

EDH is also an asymmetric algorithm, but unlike RSA it has no fixed public and private key of its own: the keys are generated while the program is running and discarded after use. The remaining steps are roughly the same for both.

This is where the three asymmetric algorithms RSA, DSA and DH differ: RSA's key is fixed, while the latter two need a parameter to generate a temporary key. DH even requires both sides to use the same parameters, and these parameters must be specified in advance. If the SSL library has not loaded these parameters, the DH algorithm cannot be used. I have not studied DSA.)

Original nginx documentation:

Specifies a file with DH parameters for EDH ciphers.

8. ssl_prefer_server_ciphers

syntax: ssl_prefer_server_ciphers on | off;
default: ssl_prefer_server_ciphers off;
context: http, server

Specifies that server ciphers should be preferred over client ciphers when using the SSLv3 and TLS protocols.

Original nginx documentation:

Specifies that server ciphers should be preferred over client ciphers when using the SSLv3 and TLS protocols.

9. ssl_protocols

syntax: ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2];
default: ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
context: http, server

Enables the specified protocols. TLSv1.1 and TLSv1.2 only work when using OpenSSL library version 1.0.1 or higher.

The TLSv1.1 and TLSv1.2 parameters are supported starting from nginx versions 1.1.13 and 1.0.12; when OpenSSL 1.0.1 or higher is used with older nginx versions, these protocols will work but cannot be disabled.

Original nginx documentation:

Enables the specified protocols. The parameters TLSv1.1 and TLSv1.2 work only when using the OpenSSL library version 1.0.1 and higher.

The parameters TLSv1.1 and TLSv1.2 are supported starting from versions 1.1.13 and 1.0.12 so when using OpenSSL version 1.0.1 and higher on older nginx versions these protocols will work but could not be disabled.

10. ssl_session_cache

syntax: ssl_session_cache off | none | [builtin[:size]] [shared:name:size];
default: ssl_session_cache none;
context: http, server

Sets the type and size of the cache that stores session parameters. The cache can be any of the following types:

off

the session cache is strictly prohibited: nginx explicitly tells the client that sessions may not be reused.

none

the session cache is gently disallowed: nginx tells the client that sessions may be reused, but does not actually do so.

builtin

a cache built into OpenSSL, used by only one worker process. The cache size is specified in sessions. If the size is not specified, it is 20480 sessions. Using the built-in cache can cause memory fragmentation.

shared

shared between all worker processes. The cache size is specified in bytes; one megabyte can store about 4000 sessions. Each shared cache should have its own arbitrary name; a cache with the same name can be used in several virtual servers.

Both cache types can be used at the same time, for example:

ssl_session_cache builtin:1000 shared:SSL:10m;

but using only the shared cache without the built-in cache should be more efficient.

Original nginx documentation:

Sets types and sizes of caches that store session parameters. A cache can be any of the following types:

off

the use of session cache is strictly prohibited: nginx explicitly tells a client that sessions may not be reused.

none

the use of session cache is gently disallowed: nginx tells a client that sessions may be reused, but does not actually do that.

builtin

a cache built in OpenSSL; used by one worker process only. The cache size is specified in sessions. If size is not given, it is equal to 20480 sessions. Use of the built-in cache can cause memory fragmentation.

shared

shared between all worker processes. The cache size is specified in bytes; one megabyte can store about 4000 sessions. Each shared cache should have an arbitrary name. A cache with the same name can be used in several virtual servers.

Both cache types can be used simultaneously, for example:

ssl_session_cache builtin:1000 shared:SSL:10m;

but using only shared cache without the built-in cache should be more efficient.
