1. Generate a 4096-bit Diffie-Hellman parameter file. This takes quite a while, depending on the machine:

[howard@localhost ssl]$ pwd
/home/howard/ssl
[howard@localhost ssl]$ openssl dhparam -out dhparam.pem 4096

2. Add the following to the test.example.com.conf configuration file:

    listen 443 ssl;
    ssl_certificate /home/howard/ssl/ssl.cer;
    ssl_certificate_key /home/howard/ssl/ssl.key;
    ssl_dhparam /home/howard/ssl/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !MEDIUM";

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
Test the configuration:

[howard@localhost ~]$ /usr/local/nginx/sbin/nginx -t

As long as no errors are reported, reload nginx:

[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload

3. Verify on a security testing site

Open https://www.ssllabs.com/ssltest/index.html, enter the domain to test, and after a short wait you should see a green A+.
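As an added example (not from the original post or the referenced blog), here is a small Python audit of the directives from step 2; the SAMPLE_CONF, parse_directives and audit_tls names are my own. It checks that the certificate, key and DH parameter file are set, that HSTS is present with at least a one-year max-age, and flags the TLSv1/TLSv1.1 protocols and RC4 suites this configuration still enables, which SSL Labs now penalizes in its grading.

```python
import re

# Constructed sample input: the server-block directives from this post, embedded so the audit runs offline.
SAMPLE_CONF = """
    listen 443 ssl;
    ssl_certificate /home/howard/ssl/ssl.cer;
    ssl_certificate_key /home/howard/ssl/ssl.key;
    ssl_dhparam /home/howard/ssl/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !MEDIUM";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
"""

# One simple directive per line: the name, then everything up to the terminating semicolon.
DIRECTIVE_RE = re.compile(r"^\s*(\S+)\s+(.*?);\s*$", re.MULTILINE)

def parse_directives(conf):
    """Map each directive name to the list of its (unquoted) values, in file order."""
    found = {}
    for name, value in DIRECTIVE_RE.findall(conf):
        found.setdefault(name, []).append(value.strip().strip('"'))
    return found

def audit_tls(conf):
    """Return a list of findings for the server block; an empty list means every check passed."""
    d = parse_directives(conf)
    findings = []
    for required in ("ssl_certificate", "ssl_certificate_key", "ssl_dhparam"):
        if required not in d:
            findings.append(f"missing {required}")
    protocols = set(" ".join(d.get("ssl_protocols", [])).split())
    legacy = protocols & {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(sorted(legacy)))
    ciphers = " ".join(d.get("ssl_ciphers", []))
    if "RC4" in ciphers and "!RC4" not in ciphers:
        findings.append("RC4 cipher suites enabled")
    if d.get("ssl_prefer_server_ciphers", ["off"])[0] != "on":
        findings.append("ssl_prefer_server_ciphers is not on")
    hsts = [h for h in d.get("add_header", []) if h.startswith("Strict-Transport-Security")]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        age = re.search(r"max-age=(\d+)", hsts[0])
        if not age or int(age.group(1)) < 31536000:  # one year, the minimum hstspreload.org accepts
            findings.append("HSTS max-age shorter than one year")
    return findings
```

Running audit_tls on the post's own directives reports the legacy protocols and RC4 suites; dropping TLSv1/TLSv1.1 from ssl_protocols and removing the RC4 entries from ssl_ciphers clears both findings.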


Note: be sure to upgrade OpenSSL before installing nginx; otherwise it is easy to end up with security vulnerabilities.


This article is based on the following blog post:

https://www.howtoforge.com/ssl-perfect-forward-secrecy-in-nginx-webserver