Example configuration
http {
    ...
    server {
        listen 443 ssl;
        keepalive_timeout 70;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
        ssl_certificate /usr/local/nginx/conf/cert.pem;
        ssl_certificate_key /usr/local/nginx/conf/cert.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ...
    }
directives
ssl (deprecated)
Syntax: ssl on | off;
Default:
ssl off;
Context: http, server
Use instead: listen 443 ssl;
ssl_buffer_size
- Default 16k; if responses are small and contain no image data, the value can be reduced accordingly
Syntax: ssl_buffer_size size;
Default:
ssl_buffer_size 16k;
Context: http, server
This directive appeared in version 1.5.9.
ssl_certificate, ssl_certificate_key
- Since version 1.11.0, certificates of different types (e.g. RSA and ECDSA) can be loaded by repeating the directives
- ssl_certificate example.com.rsa.crt;
- ssl_certificate_key example.com.rsa.key;
Syntax: ssl_certificate file;
Default: —
Context: http, server
Syntax: ssl_certificate_key file;
Default: —
Context: http, server
ssl_ciphers
Syntax: ssl_ciphers ciphers;
Default:
ssl_ciphers HIGH:!aNULL:!MD5;
Context: http, server
ssl_verify_client, ssl_client_certificate, ssl_verify_depth
Syntax: ssl_client_certificate file;
Default: —
Context: http, server
Syntax: ssl_verify_client on | off | optional | optional_no_ca;
Default:
ssl_verify_client off;
Context: http, server
Syntax: ssl_verify_depth number;
Default:
ssl_verify_depth 1;
Context: http, server
error
495 client certificate verification error
496 client did not provide a certificate
497 a plain HTTP request was sent to an HTTPS port
variables
$ssl_cipher returns the cipher used for the established connection
$ssl_ciphers returns all configured ciphers
$ssl_client_v_end returns the end date of the client certificate (1.11.7);
$ssl_client_v_remain returns the number of days until the client certificate expires (1.11.7);
$ssl_client_v_start returns the start date of the client certificate (1.11.7);
$ssl_early_data returns “1” if TLS 1.3 early data is used and the handshake is not complete, otherwise “” (1.15.3).
$ssl_protocol returns the protocol of an established SSL connection;
$ssl_server_name returns the server name requested through SNI (1.7.0);
$ssl_session_id returns the session identifier of an established SSL connection;
$ssl_session_reused returns “r” if an SSL session was reused, or “.” otherwise (1.5.11).
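The following server block is an added example (not from the nginx documentation or the notes above) that puts the directives, error codes and variables listed here together: it replaces the deprecated TLSv1/TLSv1.1 and RC4/3DES/MD5 settings of the example configuration, loads RSA and ECDSA certificates side by side (1.11.0+), enforces client certificate verification, and maps errors 495/496/497 to explicit responses. Host name, file paths, the client CA bundle and the backend address are assumptions.

```nginx
server {
    listen 443 ssl;
    server_name example.com;                 # assumed host name

    # Offer only TLS 1.2/1.3; TLSv1 and TLSv1.1 from the example above are
    # deprecated and RC4, DES-CBC3 and MD5-based suites are excluded.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;

    # Two certificate types at once (supported since 1.11.0); paths assumed.
    ssl_certificate     /etc/nginx/certs/example.com.rsa.crt;
    ssl_certificate_key /etc/nginx/certs/example.com.rsa.key;
    ssl_certificate     /etc/nginx/certs/example.com.ecdsa.crt;
    ssl_certificate_key /etc/nginx/certs/example.com.ecdsa.key;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Mutual TLS: the client must present a certificate chaining to this CA.
    # Depth 2 allows one intermediate CA between the leaf and the root.
    ssl_client_certificate /etc/nginx/certs/client-ca.pem;   # assumed bundle
    ssl_verify_client on;
    ssl_verify_depth 2;

    # Module error codes -> explicit responses.
    error_page 495 = @bad_client_cert;              # verification failed
    error_page 496 = @no_client_cert;               # no certificate sent
    error_page 497 =301 https://$host$request_uri;  # plain HTTP on the TLS port

    location @bad_client_cert {
        return 403 "client certificate verification failed\n";
    }
    location @no_client_cert {
        return 400 "client certificate required\n";
    }

    location / {
        # Pass the verification result and days-to-expiry (1.11.7+) to the
        # backend so it can log them and warn about certificates about to expire.
        proxy_set_header X-Client-Verify  $ssl_client_verify;
        proxy_set_header X-Client-Expires $ssl_client_v_remain;
        proxy_set_header X-Client-DN      $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;           # assumed backend
    }
}
```

Run `nginx -t` after placing the block inside the http context, and check the 495/496 paths with a client that presents no certificate and one signed by an unrelated CA.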