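# ============================================================
# Nginx basic HTTPS/SSL configuration example
# ============================================================
#
# What this covers:
# - SSL/TLS certificate configuration
# - TLS protocol versions and cipher suites
# - SSL session cache and session resumption
# - HTTP/2 support
# - Strict-Transport-Security (HSTS) response header
#
# Equivalent Lolly configuration:
# server:
#   ssl:
#     cert: "/path/to/cert.pem"
#     key: "/path/to/key.pem"
#     cert_chain: "/path/to/chain.pem"
#     protocols: ["TLSv1.2", "TLSv1.3"]
#     ciphers:
#       - ECDHE-ECDSA-AES128-GCM-SHA256
#       - ECDHE-RSA-AES128-GCM-SHA256
#       - ECDHE-ECDSA-CHACHA20-POLY1305
#       - ECDHE-RSA-CHACHA20-POLY1305
#   http2:
#     enabled: true
#     max_concurrent_streams: 128
# ============================================================

server {
    # `http2` as a listen parameter still works but is deprecated since
    # nginx 1.25.1 in favour of a separate `http2 on;` directive.
    listen 443 ssl http2;
    server_name secure.example.com;

    # Certificate configuration
    # Lolly equivalent: ssl.cert, ssl.key, ssl.cert_chain
    #
    # nginx sends to the client exactly what is in ssl_certificate, so the
    # intermediate chain MUST be concatenated into that file (leaf first,
    # then intermediates). ssl_trusted_certificate is NOT the served chain:
    # it is the trust store used for OCSP stapling verification
    # (ssl_stapling_verify) and for client-certificate verification.
    # Without `ssl_stapling on;` plus a `resolver`, it has no effect here.
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_trusted_certificate /etc/nginx/ssl/ca.crt;

    # TLS protocol versions
    # Lolly equivalent: ssl.protocols
    # TLSv1.0 and TLSv1.1 are deprecated and insecure; do not re-enable them.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Cipher suites (TLS 1.2 only; TLS 1.3 uses its own built-in suites)
    # Lolly equivalent: ssl.ciphers
    # AEAD (GCM / ChaCha20-Poly1305) suites only, no CBC-mode suites.
    # Every suite listed is ECDHE, so no DHE suite is negotiable.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Session cache / resumption
    # Lolly equivalent: ssl.session_tickets
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;  # roughly 400k sessions
    # Session tickets are disabled: nginx never rotates the ticket key on
    # its own, and a long-lived static key undermines forward secrecy.
    ssl_session_tickets off;

    # TLS record buffer size
    ssl_buffer_size 4k;

    # DH parameters for DHE key exchange
    # Generate with: openssl dhparam -out dhparam.pem 2048
    # Only used if a DHE-* suite is added to ssl_ciphers; with the ECDHE-only
    # list above this file is loaded but never used in a handshake.
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # ECDH curve for ECDHE key exchange.
    # NOTE(review): pinning a single curve excludes X25519 and P-256; confirm
    # that all expected clients support secp384r1 before keeping this as-is.
    ssl_ecdh_curve secp384r1;

    # HSTS: once a client has seen this header it will only connect over
    # HTTPS for max-age seconds. `always` also sends it on error responses.
    # includeSubDomains / preload are deliberately omitted here because they
    # are hard to revert; add them only after every subdomain serves HTTPS.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Disable HTTP-level response compression. This mitigates BREACH-style
    # attacks (compressing attacker-influenced content alongside secrets);
    # it does NOT control TLS-level compression (the CRIME attack), which
    # nginx does not enable and which modern OpenSSL builds leave disabled.
    gzip off;

    # Application content
    root /var/www/html;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

# HTTP to HTTPS redirect
server {
    listen 80;
    server_name secure.example.com;

    # 301 permanent redirect to HTTPS. $host is taken from the client's
    # Host header; because server_name is set above, only requests for
    # secure.example.com reach this block.
    return 301 https://$host$request_uri;
}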