# https ``` http { ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; server { listen 443 ssl; server_name www.example.com; keepalive_timeout 30; ssl_certificate www.example.com.crt; ssl_certificate_key www.example.com.key; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; ssl_prefer_server_ciphers on; ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; add_header X-Xss-Protection 1; #... } ``` 配置项 | 含义 ---|--- ssl_session_timeout | 客户端可以重用会话缓存中ssl参数的过期时间 ssl_session_cache | 设置ssl/tls会话缓存的类型和大小，nginx工作进程共享ssl会话缓存。 ssl_certificate | 证书其实是个公钥，它会被发送到连接服务器的每个客户端，ssl_certificate_key私钥是用来解密的，所以它的权限要得到保护但nginx的主进程能够读取。 add_header Strict-Transport-Security | 使用 HSTS 策略强制浏览器使用 HTTPS 连接 max-age：设置单位时间内強制使用 HTTPS 连接 includeSubDomains：可选，所有子域同时生效 preload：可选，非规范值，用于定义使用『HSTS 预加载列表』 always：可选，保证所有响应都发送此响应头，包括各种內置错误响应 # HTTP/HTTPS混合配置 ``` http { ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; server { listen 80; listen 443 ssl; server_name www.example.com; keepalive_timeout 30; ssl_certificate www.example.com.crt; ssl_certificate_key www.example.com.key; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; ssl_prefer_server_ciphers on; ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; add_header X-Xss-Protection 1; #... } ```