Kích hoạt Forward Secrecy cho Nginx

Before you configure your Nginx server for Forward Secrecy, your web server and SSL/TLS library should support Elliptic Curve cryptography (ECC).

Minimum Required Versions

  • OpenSSL 1.0.1c+

  • Nginx 1.0.6+ and 1.1.0+

Note:    Because of the Heartbleed bug and OpenSSL vulnerabilities, you should update to the most recent versions (i.e. OpenSSL version 1.0.1h).

How to Configure Nginx for Forward Secrecy

To configure Nginx for Forward Secrecy, you configure the server to actively choose cipher suites and then activate the right OpenSSL cipher suite configuration string.

  1. Locate your SSL Protocol Configuration on your Nginx server.

    For example,

    1. Type the following command:

       

      grep -r ssl_protocol /etc/nginx

       

      In this example, /etc/nginx is the base directory for the Nginx installation.

    2. The command will out put the available Server Blocks.

    3. Open the Server Block for which you are enabling Forward Secrecy.

  2. Add the following lines to your configuration:

    1.  

      ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

       

    2.  

      ssl_prefer_server_ciphers on;

       

    3. For ssl_ciphers, use one of the following configurations:

      • Configure with RC4

        Use this configuration if you have a preference for GCM (Galois Counter Mode) suites (these suites are resistant to timing attacks) and RC4 (RC4 is resistant to BEAST). To improve performance, use the faster ECDHE suites whenever possible.

         

        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

         

      • Configure without RC4

        Use this configuration if you have a preference for GCM (Galois Counter Mode) suites (these suites are resistant to timing attacks) and you prefer not to use RC4. To improve performance, use the faster ECDHE suites whenever possible.

         

        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";

         

      • Configure with RC4 as a last resort to support wide range and older browsers

        Use this configuration if you have a preference for GCM (Galois Counter Mode) suites (these suites are resistant to timing attacks) and you want to use RC4 only as a last resort in order to support a wide range of browsers and/or older browsers. To improve performance, use the faster ECDHE suites whenever possible.

         

        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4";

         

  3. Restart Nginx.

    For example, type the following command:

     

    sudo service nginx restart

     

  4. To verify that you have enabled Forward Secrecy, use the Qualys SSL Labs to test your configuration.

  5. You have successfully configured Nginx for Forward Secrecy.

  • SSL, Forward Secrecy, Forward Secrecy cho Nginx
  • 0 Користувачі, які знайшли це корисним
Ця відповідь Вам допомогла?

Схожі статті

Hướng dẫn cấu hình Exchange dùng tên miền chính thức (FQDN) thay cho tên miền nội bộ (Local name)

Gần đây CAB Forum, tổ chức quản lý các nhà cung cấp dịch vụ chứng thực (CA) đã công bố một số...

Tổng hợp cập nhật vá lỗi SSL trên Windows Server

Hướng dẫn cập nhật vá các lỗi và lổ hổng SSL trên Windows Server. Vô hiệu giao thức SSL v3...

Kích hoạt Forward Secrecy cho Apache

Before you configure your Apache server for Forward Secrecy, your web server and SSL/TLS library...

Kích hoạt Forward Secrecy cho IIS Windows

Để đơn giản hóa và thực thi nhanh chóng các thiết lập này, có 1 file PowerShell script giúp bạn...

Vô hiệu hoá SSLv3 trong Apache

1. Mở file config SSL của Apache sudo nano /etc/apache2/mods-enabled/ssl.conf 2) Tìm dòng :...