
NGINX TLS1.3


First, install the dependency libraries and the tools needed for the build:

 sudo apt-get install build-essential libpcre3 libpcre3-dev zlib1g-dev unzip git

ngx_brotli

 git clone https://github.com/google/ngx_brotli.git
 cd ngx_brotli
 git submodule update --init
 cd ../

To support TLS 1.3, use the draft-18 branch of OpenSSL 1.1.1:

 git clone -b tls1.3-draft-18 --single-branch https://github.com/openssl/openssl.git openssl

Compile and install Nginx

 wget -c https://nginx.org/download/nginx-1.13.4.tar.gz
 tar zxf nginx-1.13.4.tar.gz
 cd nginx-1.13.4/
 ./configure --add-module=../ngx_brotli --with-openssl=../openssl --with-openssl-opt='enable-tls1_3 enable-weak-ssl-ciphers' --with-http_v2_module --with-http_ssl_module --with-http_gzip_static_module
 make
 sudo make install

Changes to the Nginx site configuration parameters:

 ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # add TLSv1.3
 ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
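
An added example (not from the original post): a small shell audit of the two directives above. It confirms that TLSv1.3 is enabled and lists the legacy protocol versions and cipher entries (3DES, static-RSA key exchange) that the same lines still allow. The function names and the sample config are assumptions; the sample is a constructed, shortened copy of the directives on this page.

```shell
#!/usr/bin/env bash
# Added example: audit ssl_protocols / ssl_ciphers in an nginx site config.
# Function names and the sample config are assumptions (constructed input).

# Print the arguments of directive $1 in file $2, comments and ';' stripped.
directive_args() {
    sed -e 's/#.*$//' "$2" |
        awk -v d="$1" '$1 == d { sub(/;[ \t]*$/, ""); $1 = ""; sub(/^ +/, ""); print }'
}

# Succeed only when TLSv1.3 is among the enabled protocols.
has_tls13() {
    directive_args ssl_protocols "$1" | tr ' ' '\n' | grep -qxF 'TLSv1.3'
}

# List enabled protocol versions older than TLS 1.2.
legacy_protocols() {
    directive_args ssl_protocols "$1" | tr ' ' '\n' |
        grep -xE '(SSLv[23]|TLSv1(\.1)?)' || true
}

# List cipher-string entries that select 3DES, or that start with "RSA+"
# (the static-RSA key-exchange fallbacks, which give no forward secrecy).
legacy_ciphers() {
    directive_args ssl_ciphers "$1" | tr ':' '\n' | grep -E '3DES|^RSA\+' || true
}

# Constructed sample: the page's directives with the cipher list shortened.
sample_conf() {
    cat <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # add TLSv1.3
ssl_ciphers TLS13-AES-256-GCM-SHA384:EECDH+CHACHA20:EECDH+aRSA+AES128:RSA+AES128:EECDH+aRSA+3DES:RSA+3DES:!MD5;
EOF
}

# Demo run on the constructed sample.
conf=$(mktemp)
sample_conf > "$conf"
if has_tls13 "$conf"; then echo "TLSv1.3: enabled"; else echo "TLSv1.3: missing"; fi
echo "legacy protocols: $(legacy_protocols "$conf" | tr '\n' ' ')"
echo "legacy cipher entries: $(legacy_ciphers "$conf" | tr '\n' ' ')"
rm -f "$conf"
```

To audit a real site, pass the path of its config file to the three functions in place of the temporary sample file.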

Reference: https://imququ.com/post/enable-tls-1-3.html

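Unless otherwise noted, all articles are original to 喵喵喵博客; when reposting, please cite this article's address as a link.

Link to this article: https://www.miaomiaomiao.org/124.html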
