nginx / Web Service

15.9 nginx: HTTPS module (ngx_http_ssl_module)


ssl:

Syntax:		ssl on | off;
Default:	ssl off;
Context:	http, server

ssl_certificate:

Syntax:		ssl_certificate file;
Default:	—
Context:	http, server

The certificate file, in PEM format, for the current virtual host;

ssl_certificate_key:

Syntax:		ssl_certificate_key file;
Default:	—
Context:	http, server

The private key file matching the certificate of the current virtual host;

Example:

server {
    listen              443 ssl;
    server_name         example.com;

    ssl_certificate     example.com.rsa.crt;
    ssl_certificate_key example.com.rsa.key;

    ssl_certificate     example.com.ecdsa.crt;
    ssl_certificate_key example.com.ecdsa.key;

    ...
}

ssl_protocols:

Syntax:		ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2] [TLSv1.3];
Default:	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Context:	http, server

ssl_session_cache:

Syntax:		ssl_session_cache off | none | [builtin[:size]] [shared:name:size];
Default:	ssl_session_cache none;
Context:	http, server

Parameter values:

off:     the use of a session cache is strictly prohibited: nginx explicitly tells a client that sessions may not be reused.

none:    the use of a session cache is gently disallowed: nginx tells a client that sessions may be reused, 
          but does not actually store session parameters in the cache.

builtin: a cache built in OpenSSL; used by one worker process only. The cache size is specified in sessions.
         If size is not given, it is equal to 20480 sessions. Use of the built-in cache can cause memory fragmentation.

shared:  a cache shared between all worker processes. The cache size is specified in bytes; one megabyte can store about 4000 sessions.
         Each shared cache should have an arbitrary name. A cache with the same name can be used in several virtual servers.
         Both cache types ("builtin" and "shared") can be used simultaneously, for example:

Example: ssl_session_cache   builtin:1000   shared:SSL:10m;

ssl_session_timeout:

Syntax:		ssl_session_timeout time;
Default:	ssl_session_timeout 5m;
Context:	http, server

How long a client-side connection may reuse the SSL parameters cached in "ssl_session_cache";

Example:

server {
    listen              443 ssl;
    keepalive_timeout   65;

    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    #ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
    ssl_certificate     /usr/local/nginx/conf/cert.pem;
    ssl_certificate_key /usr/local/nginx/conf/cert.key;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    ...
}
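As an added example that is not part of these notes, the following Python script reads the ssl_* directives of a server block like the ones above and reports the points a reviewer would check: the deprecated "ssl on" form, protocols older than TLSv1.2, unpaired ssl_certificate/ssl_certificate_key directives, and the lack of a shared: session cache (a builtin-only cache is private to one worker). The sample configuration and the finding texts are constructed here; the default protocol list is the one quoted in the notes.

```python
import re
from typing import Dict, List

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# One "name args;" directive per line; commented-out lines (leading '#') never match.
DIRECTIVE_RE = re.compile(r"^\s*(ssl\w*|listen)\s+(.+?);\s*$", re.M)

# Constructed sample: the second server block from the notes above, without the comment line.
SAMPLE_CONF = """server {
    listen              443 ssl;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate     /usr/local/nginx/conf/cert.pem;
    ssl_certificate_key /usr/local/nginx/conf/cert.key;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
}
"""

def parse_ssl_directives(conf: str) -> Dict[str, List[List[str]]]:
    """Map each ssl_*/listen directive name to its argument lists, in file order.
    A name may repeat (one ssl_certificate per RSA/ECDSA pair), hence the list."""
    found: Dict[str, List[List[str]]] = {}
    for name, args in DIRECTIVE_RE.findall(conf):
        found.setdefault(name, []).append(args.split())
    return found

def audit_ssl(conf: str) -> List[str]:
    """Return human-readable findings for one server block (empty list = clean)."""
    d = parse_ssl_directives(conf)
    findings: List[str] = []
    if "ssl" in d:
        findings.append("'ssl on' is deprecated; use 'listen 443 ssl' instead")
    # When ssl_protocols is absent, the default quoted in the notes applies.
    protos = {p for args in d.get("ssl_protocols", [["TLSv1", "TLSv1.1", "TLSv1.2"]]) for p in args}
    weak = sorted(protos & WEAK_PROTOCOLS)
    if weak:
        findings.append("weak protocols enabled: " + " ".join(weak))
    certs, keys = len(d.get("ssl_certificate", [])), len(d.get("ssl_certificate_key", []))
    if certs != keys:
        findings.append(f"{certs} ssl_certificate but {keys} ssl_certificate_key directives")
    # A builtin-only cache is per worker, so resumption fails when another worker gets the client.
    cache = [a for args in d.get("ssl_session_cache", [["none"]]) for a in args]
    if not any(a.startswith("shared:") for a in cache):
        findings.append("no shared: session cache; sessions cannot resume across worker processes")
    return findings

if __name__ == "__main__":
    print(audit_ssl(SAMPLE_CONF))
```

Run against the sample block, the only finding is the TLSv1/TLSv1.1 entries in ssl_protocols; nginx -t still has to be run separately, since this check only reads the directives and does not load the certificate or key files.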

