# https ``` http { ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; server { listen 443 ssl; server_name www.example.com; keepalive_timeout 30; ssl_certificate www.example.com.crt; ssl_certificate_key www.example.com.key; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; ssl_prefer_server_ciphers on; ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; add_header X-Xss-Protection 1; #... } ``` 配置項 | 含義 ---|--- ssl_session_timeout | 客戶端可以重用會話緩存中ssl參數的過期時間 ssl_session_cache | 設置ssl/tls會話緩存的類型和大小，nginx工作進程共享ssl會話緩存。 ssl_certificate | 證書其實是個公鑰，它會被發送到連接服務器的每個客戶端，ssl_certificate_key私鑰是用來解密的，所以它的權限要得到保護但nginx的主進程能夠讀取。 add_header Strict-Transport-Security | 使用 HSTS 策略強制瀏覽器使用 HTTPS 連接 max-age：設置單位時間內強制使用 HTTPS 連接 includeSubDomains：可選，所有子域同時生效 preload：可選，非規范值，用于定義使用『HSTS 預加載列表』 always：可選，保證所有響應都發送此響應頭，包括各種內置錯誤響應 # HTTP/HTTPS混合配置 ``` http { ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; server { listen 80; listen 443 ssl; server_name www.example.com; keepalive_timeout 30; ssl_certificate www.example.com.crt; ssl_certificate_key www.example.com.key; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; ssl_prefer_server_ciphers on; ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; add_header X-Xss-Protection 1; #... } ```