Home >Operation and Maintenance >Nginx >HTTPS deployment and security performance optimization of Nginx
Nginx, as a high-performance web server and reverse proxy server, is widely used for application deployment and load balancing. With the gradual improvement of security and environmental protection awareness, HTTPS has also become an indispensable part of modern web applications. This article will focus on Nginx’s HTTPS deployment and security performance optimization.
1. HTTPS deployment of Nginx
First you need to go to the Certificate Authority (CA) to apply for an SSL certificate. After the application is successful, you will get a certificate file (.crt) and a private key file (.key).
The HTTPS configuration of Nginx needs to involve three aspects: HTTP forwarding to HTTPS, Nginx certificate configuration and HTTPS configuration.
(1) Forward HTTP to HTTPS
In the Nginx configuration file, you need to add a section of HTTP configuration so that when users access the HTTP default port 80, they can automatically jump to the default HTTPS on port 443.
server { listen 80; server_name example.com; return 301 https://$server_name$request_uri; }
(2) Nginx certificate configuration
In the Nginx configuration file, you need to add the SSL certificate and private key file you just applied for to the configuration file.
server { listen 443 ssl; server_name example.com; ssl_certificate /path/to/cert.crt; ssl_certificate_key /path/to/cert.key; ... }
(3) HTTPS configuration
You need to configure specific options of the HTTPS protocol, such as enabling the HTTP/2 protocol, disabling SSLv3, etc.
http2_push_preload on; #启用HTTP/2协议的推送预加载 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #指定启用的TLS协议版本 ssl_ciphers EECDH+AESGCM:EDH+AESGCM:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM; #指定加密套件 ssl_prefer_server_ciphers on; #常用加密套件优先顺序为服务端指定的值 ssl_session_cache shared:SSL:10m; #指定SSL session缓存 ssl_session_timeout 10m; #指定SSL session超时时间
2. Nginx security performance optimization
After deploying the HTTPS service, you also need to pay attention to the following security performance optimization issues to ensure the stability and security of the service:
OCSP (Online Certificate Status Protocol) is used to detect whether the certificate has been revoked. In Nginx's HTTPS configuration, OCSP response detection can be performed through the following program:
ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /path/to/fullchain.pem; resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 10s;
The key points are interpreted as follows:
HSTS (HTTP Strict Transport Security) prevents users from being hijacked to HTTP pages, thereby increasing the security level. In Nginx's HTTPS configuration, you can enable HSTS as follows:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
The key points are interpreted as follows:
By default, Nginx only enables TLSv1 and TLSv1.2, if you need to enable others The encryption protocol can be configured in the following way:
ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
The key points are interpreted as follows:
Data transmitted through HTTPS requires a key to encrypt the data. Using HMAC (Hash-based message authentication code) can improve the security of data transmission. The method to enable HMAC in the Nginx configuration file is as follows:
ssl_ciphers ... !aNULL !eNULL !EXPORT !CAMELLIA !DES !MD5 !PSK !RC4 !SEED +AES256 !kEDH +SHA256 +HMAC;
The key points are interpreted as follows:
Conclusion
This article introduces the main knowledge points of Nginx HTTPS deployment and security performance optimization. In the context of the increasingly complex modern web applications, the security and performance requirements of HTTPS are also getting higher and higher. As a system manager, it is important to constantly update your knowledge reserves and maintain a professional vision of new technologies and new environments. Very necessary and important.
The above is the detailed content of HTTPS deployment and security performance optimization of Nginx. For more information, please follow other related articles on the PHP Chinese website!