Installing Nginx on Linux
Installing Nginx, configuring it as an HTTPS proxy, and disabling TLSv1.0 and TLSv1.1.
Download the source package
[root@localhost ~]# wget http://nginx.org/download/nginx-1.18.0.tar.gz
Extract the downloaded package
[root@localhost ~]# tar -zxvf nginx-1.18.0.tar.gz # extraction creates the nginx-1.18.0 directory
Enter the extracted directory
[root@localhost ~]# cd nginx-1.18.0
Configure the build
[root@localhost ~]# ./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
- --prefix=/usr/local/nginx is the nginx installation path; you can choose a different path
- --with-http_stub_status_module and --with-http_ssl_module are the modules required for the HTTPS proxy
Compile and install
[root@localhost ~]# make && make install
Configure the HTTPS proxy
Replace the nginx binary under the installation path with the one built in nginx-1.18.0/objs
[root@localhost ~]# cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak # the installation path is /usr/local/nginx
[root@localhost ~]# rm -f /usr/local/nginx/sbin/nginx
[root@localhost ~]# cp ./nginx-1.18.0/objs/nginx /usr/local/nginx/sbin/nginx # path relative to the extracted directory
Edit the nginx configuration file
listen ip:port ssl;
#listen 8097; version 1.18 prints a warning here, suggesting listen ip:port ssl instead
server_name cwdd.westaport.com;
charset utf-8;
index index.html;
# path to the SSL certificate (pem file)
ssl_certificate /root/card/server.pem;
# path to the SSL certificate's private key (key file)
ssl_certificate_key /root/card/server.key;
By default nginx supports TLSv1.0 and TLSv1.1. Both protocol versions have security vulnerabilities, so they need to be disabled.
Configure nginx to disable TLSv1.0 and TLSv1.1
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2;
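Once the configuration is complete, start Nginx.
[root@localhost ~]# ./nginx # start
[root@localhost ~]# ./nginx -s reload # reload (re-read the configuration)
[root@localhost ~]# ./nginx -s stop # stop
[root@localhost ~]# ./nginx -v # show the version
- Run the commands above from the sbin directory under the installation path.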
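To confirm that the protocol restriction above is really in effect, the following added example (not part of the original page) audits nginx configuration text for legacy protocol versions, treating a missing or commented-out ssl_protocols directive as the 1.18 default of TLSv1 TLSv1.1 TLSv1.2. The function names, the sample configurations and port 443 are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit nginx config text for legacy TLS/SSL protocol versions.
# Function names and the sample configs below are constructed for illustration.

# nginx 1.18 enables these when no ssl_protocols directive is present.
NGINX_118_DEFAULT="TLSv1 TLSv1.1 TLSv1.2"

# Read a config on stdin; print the value of each ssl_protocols directive,
# or the 1.18 default if none is set. Comments are stripped first, so a
# commented-out directive does not count. (A '#' inside a quoted string
# would be mis-stripped; acceptable for this check.)
effective_protocols() {
    sed 's/#.*//' | tr '\n' ' ' | tr ';{}' '\n\n\n' |
    awk -v def="$NGINX_118_DEFAULT" '
        $1 == "ssl_protocols" { $1 = ""; sub(/^ +/, ""); print; found = 1 }
        END { if (!found) print def }'
}

# Return 0 only if no effective ssl_protocols value enables a legacy version.
audit_tls_protocols() {
    result=0
    protos=$(effective_protocols)
    while IFS= read -r line; do
        for p in $line; do
            case "$p" in
                SSLv2|SSLv3|TLSv1|TLSv1.1)
                    echo "WEAK: $p enabled by 'ssl_protocols $line'"
                    result=1 ;;
            esac
        done
    done <<EOF
$protos
EOF
    return $result
}

# Constructed sample: restricted as on this page.
HARDENED_CONF='server {
    listen 443 ssl;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2;   # as configured on this page
}'
# Constructed sample: directive commented out, so the default applies.
DEFAULT_CONF='server {
    listen 443 ssl;
    #ssl_protocols TLSv1.2;
}'

printf '%s\n' "$HARDENED_CONF" | audit_tls_protocols && echo "hardened: OK"
printf '%s\n' "$DEFAULT_CONF" | audit_tls_protocols || echo "default: legacy TLS enabled"
```

On a host, the full effective configuration can be piped in with `/usr/local/nginx/sbin/nginx -T | audit_tls_protocols`. The check reports each directive independently and does not model inheritance between http and server blocks.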