- config: 反向代理、缓存、负载均衡、安全、SSL 等配置模板 - lua: API 网关、认证、动态路由、限流、WebSocket 等脚本示例 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
# ============================================================
# Nginx 基础 HTTPS/SSL 配置示例
# ============================================================
#
# 功能说明:
# - SSL/TLS 证书配置
# - TLS 协议和加密套件设置
# - SSL 会话缓存和会话恢复
# - HTTP/2 支持
#
# Lolly 对应配置:
# server:
# ssl:
# cert: "/path/to/cert.pem"
# key: "/path/to/key.pem"
# cert_chain: "/path/to/chain.pem"
# protocols: ["TLSv1.2", "TLSv1.3"]
# ciphers:
# - ECDHE-ECDSA-AES128-GCM-SHA256
# - ECDHE-RSA-AES128-GCM-SHA256
# - ECDHE-ECDSA-CHACHA20-POLY1305
# - ECDHE-RSA-CHACHA20-POLY1305
# http2:
# enabled: true
# max_concurrent_streams: 128
# ============================================================
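server {
    # NOTE: the `http2` flag on `listen` is deprecated since nginx 1.25.1 in
    # favour of a separate `http2 on;` directive; the flag form is kept so the
    # example still loads on older builds.
    listen 443 ssl http2;
    server_name secure.example.com;

    # Certificate material
    # Lolly equivalent: ssl.cert, ssl.key, ssl.cert_chain
    #
    # nginx sends clients ONLY the file named by ssl_certificate, so that file
    # must hold the leaf certificate followed by every intermediate (a
    # "fullchain" file). An intermediate placed anywhere else is never served
    # and clients fail with an incomplete-chain / unknown-issuer error.
    ssl_certificate     /etc/nginx/ssl/server.crt;   # leaf + intermediates, in that order
    ssl_certificate_key /etc/nginx/ssl/server.key;   # should be root-owned, mode 0600

    # ssl_trusted_certificate is NOT the served chain. nginx consults it only to
    # verify OCSP stapling responses (ssl_stapling_verify) and client
    # certificates (ssl_verify_client); neither is enabled in this example, so
    # the directive is inert here. It is left in place for when stapling is
    # turned on (ssl_stapling on; ssl_stapling_verify on; plus a resolver).
    ssl_trusted_certificate /etc/nginx/ssl/ca.crt;

    # Protocol versions
    # Lolly equivalent: ssl.protocols
    # TLSv1.0 and TLSv1.1 are deprecated (RFC 8996) and must not be enabled.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Cipher suites (TLS 1.2 only -- the TLS 1.3 suites are fixed by OpenSSL
    # and are not affected by ssl_ciphers)
    # Lolly equivalent: ssl.ciphers
    # ECDHE + AEAD only: forward secrecy, no CBC / MAC-then-encrypt, no static
    # RSA key exchange.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # With a list this strict every suite is acceptable, so `off` (client
    # preference) would let devices without AES hardware pick ChaCha20. `on`
    # is kept to match the original policy; either value is safe with this list.
    ssl_prefer_server_ciphers on;

    # Session resumption
    # Lolly equivalent: ssl.session_tickets
    # Resumption goes through the server-side cache only. Session tickets are
    # disabled because nginx does not rotate the ticket key on its own; a
    # long-lived static key lets anyone who obtains it decrypt recorded
    # sessions, which undoes the forward secrecy bought by ECDHE above.
    ssl_session_timeout 1d;
    ssl_session_cache   shared:SSL:50m;  # nginx: ~4000 sessions per MB, so ~200k sessions
    ssl_session_tickets off;

    # Smaller TLS records reduce time-to-first-byte (nginx default is 16k)
    ssl_buffer_size 4k;

    # DH parameters
    # Generate: openssl dhparam -out dhparam.pem 2048   (or use RFC 7919 ffdhe2048)
    # These are used only by finite-field DHE suites, and none are listed in
    # ssl_ciphers above, so this file is not exercised by this configuration.
    # It is kept so that adding a DHE suite later never runs without
    # explicit parameters (before nginx 1.11.0 that meant built-in 1024-bit
    # ones; since then DHE is simply unavailable without ssl_dhparam).
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # ECDHE curves (key exchange; independent of the certificate's key type)
    # Offer X25519 first (fastest, most widely supported), then P-256, then
    # P-384. Pinning a single curve such as secp384r1 alone rejects clients
    # that only offer X25519/P-256 and forces a slower curve on everyone else.
    ssl_ecdh_curve X25519:prime256v1:secp384r1;

    # HSTS: after the first HTTPS visit browsers refuse plain HTTP for this
    # host, closing the SSL-stripping window left by the port-80 redirect.
    # `always` emits the header on error responses too. The value cannot be
    # revoked on clients until it expires, so test with a short max-age (e.g.
    # 300) first, and add includeSubDomains / preload only once every
    # subdomain serves valid TLS.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # HTTP compression is off on this vhost. This is a BREACH mitigation
    # (compressing responses that mix secrets with attacker-influenced input),
    # not a CRIME one: CRIME targets TLS-level compression, which nginx/OpenSSL
    # do not enable in the first place. gzip may be re-enabled selectively for
    # static assets that never reflect request data.
    gzip off;

    # Application
    root  /var/www/html;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}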
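# HTTP -> HTTPS redirect
server {
    listen 80;
    server_name secure.example.com;

    # 301 permanent redirect to HTTPS.
    # Redirect to the configured name rather than $host: $host is copied from
    # the client's Host header, and because this is the only server on port
    # 80 it is also the default server, so any Host value reaches it -- with
    # $host an attacker could bounce victims to an arbitrary https hostname
    # (open redirect). $server_name is the first name declared above.
    return 301 https://$server_name$request_uri;
}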