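# ============================================================
# Nginx OCSP Stapling configuration example
# ============================================================
#
# What this does:
# - OCSP stapling: the server fetches the CA's signed revocation status
#   for its own certificate and attaches it to the TLS handshake
# - Clients no longer make their own OCSP query, which removes that
#   round trip from the handshake and keeps the visited hostname from
#   being reported to the CA
#
# Lolly equivalent:
# server:
#   ssl:
#     cert: "/path/to/cert.pem"
#     key: "/path/to/key.pem"
#     ocsp_stapling: true
# ============================================================

server {
    listen 443 ssl http2;
    server_name ocsp.example.com;

    # Server certificate and key.
    # server.crt MUST contain the leaf certificate followed by the
    # intermediate(s): nginx needs the issuer certificate from this file
    # to build the OCSP request, and clients need it to validate the
    # chain. A leaf-only file quietly disables stapling.
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    # OCSP stapling
    # Lolly equivalent: ssl.ocsp_stapling: true
    ssl_stapling on;
    # Verify the responder's signature against ssl_trusted_certificate
    # before caching/serving the response. Without this nginx would staple
    # whatever the responder (or anyone on the path to it) returned.
    ssl_stapling_verify on;

    # CA bundle used ONLY to verify the OCSP response signature
    # (ssl_stapling_verify). It is not sent to clients. It must contain
    # the root and intermediate CA certificates for the chain; if
    # verification fails, nginx logs "certificate status verification
    # failed" and omits the staple rather than refusing the handshake
    # (fail-open), so watch the error log after deploying.
    ssl_trusted_certificate /etc/nginx/ssl/ca.crt;

    # Resolver nginx uses to look up the OCSP responder hostname taken
    # from the certificate's Authority Information Access extension.
    # nginx does not read /etc/resolv.conf, so this directive is required.
    # Prefer a local/internal resolver over a public one: these lookups
    # go out in plaintext, and a resolver outage or timeout means no
    # staple. Add "ipv6=off" if the host has no IPv6 route, otherwise
    # AAAA answers are tried and the fetch may stall.
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # Optional: serve a pre-fetched, DER-encoded OCSP response instead of
    # fetching one. nginx does not refresh this file; an external job must
    # replace it before the response's nextUpdate passes, or clients will
    # receive a stale/expired staple.
    # ssl_stapling_file /etc/nginx/ssl/ocsp-response.der;

    location / {
        root /var/www/html;
    }
}

# Notes on OCSP stapling:
#
# 1. How it works:
#    - Classic OCSP: every client asks the CA's responder about the
#      certificate status itself
#    - Stapling: the server fetches and caches the signed response and
#      attaches ("staples") it to the TLS handshake
#
# 2. Benefits:
#    - Shorter TLS handshake (no client-side OCSP round trip)
#    - Client privacy (the CA does not see which clients visit the site)
#    - Resilience: nginx keeps serving its cached response while the
#      responder is unreachable; if it has no valid response it simply
#      sends no staple and clients fall back to their own checks.
#      Exception: a certificate carrying the "must-staple" TLS Feature
#      extension makes a missing staple a hard failure, so keep the
#      resolver and responder reachable for such certificates.
#
# 3. Requirements:
#    - Certificate carries an OCSP URL (Authority Information Access
#      extension)
#    - ssl_certificate includes the full chain (leaf + intermediates)
#    - ssl_trusted_certificate holds the CA certificates that sign the
#      OCSP response (when ssl_stapling_verify is on)
#
# 4. Testing:
#    openssl s_client -connect ocsp.example.com:443 \
#        -servername ocsp.example.com -status < /dev/null
#    Look for "OCSP Response Status: successful". nginx fetches the
#    response lazily, triggered by the first handshake, so the first
#    connection after a (re)start usually prints "OCSP response: no
#    response sent"; run the command again. Also check the error log
#    for "OCSP responder" / "certificate status" warnings.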