ngx_http_ssl_module

The ngx_http_ssl_module module provides support for the HTTPS protocol. Verification of client certificates is supported, with two limitations:

  • a list of revoked certificates (revocation lists) cannot be specified;
  • if the file specified by the ssl_certificate directive contains a certificate chain, nginx will also use the certificates of these intermediate CAs when verifying client certificates.

The module is not built by default; it must be enabled at configure time with the --with-http_ssl_module parameter. Building and running this module requires the OpenSSL library.


Directives

  • ssl
  • ssl_certificate
  • ssl_certificate_key
  • ssl_client_certificate
  • ssl_ciphers
  • ssl_prefer_server_ciphers
  • ssl_protocols
  • ssl_verify_client
  • ssl_verify_depth
  • ssl_session_timeout

Example configuration

To reduce CPU load, it is recommended to use only one worker process and to enable keep-alive connections:

: worker_processes  1;

: http {

:     ...

:     server {
:         listen               443;
:         ssl                  on;
:         ssl_certificate      /usr/local/nginx/conf/cert.pem;
:         ssl_certificate_key  /usr/local/nginx/conf/cert.key;
:         keepalive_timeout    70;

:         ...
:     }
: }

ssl

syntax: ssl [on|off]

default: ssl off

context: main, server

The directive enables the HTTPS protocol for the given virtual server.

ssl_certificate

syntax: ssl_certificate file

default: ssl_certificate cert.pem

context: main, server

The directive specifies the file with the certificate in PEM format for the given virtual server. The same file may also contain other certificates, as well as the secret key in PEM format.

ssl_certificate_key

syntax: ssl_certificate_key file

default: ssl_certificate_key cert.pem

context: main, server

The directive specifies the file with the secret key in PEM format for the given virtual server.

ssl_client_certificate

syntax: ssl_client_certificate file

default: none

context: main, server

The directive specifies the file with CA certificates in PEM format that are used to verify client certificates.

ssl_ciphers

syntax: ssl_ciphers ciphers

default: ssl_ciphers ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

context: main, server

The directive describes the permitted ciphers. Ciphers are specified in the format supported by the OpenSSL library, for example:

: ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

The full list can be viewed with the openssl ciphers command.

ssl_prefer_server_ciphers

syntax: ssl_prefer_server_ciphers [on|off]

default: ssl_prefer_server_ciphers off

context: main, server

The directive specifies that, when the SSLv3 and TLSv1 protocols are used, server ciphers take priority over client ciphers.

ssl_protocols

syntax: ssl_protocols [SSLv2] [SSLv3] [TLSv1]

default: ssl_protocols SSLv2 SSLv3 TLSv1

context: main, server

The directive enables the specified protocols.
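The defaults shown above for ssl_protocols and ssl_ciphers admit SSLv2 and the LOW and EXP (export-grade) cipher groups. The following is an added example, not part of the original page, that sets those defaults beside a tightened server block using only the directives and protocol names documented here; the cipher string is an assumption written in OpenSSL's cipher-list syntax.

```nginx
server {
    listen               443;
    ssl                  on;
    ssl_certificate      /usr/local/nginx/conf/cert.pem;
    ssl_certificate_key  /usr/local/nginx/conf/cert.key;

    # Defaults documented on this page (weak):
    #   ssl_protocols              SSLv2 SSLv3 TLSv1;
    #   ssl_ciphers                ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    #   ssl_prefer_server_ciphers  off;

    # Tightened: only the newest protocol this page lists, and no anonymous,
    # export-grade, low-strength or MD5-based suites.
    # Inspect the resulting suite list with:
    #   openssl ciphers -v 'HIGH:!aNULL:!EXP:!LOW:!MD5'
    ssl_protocols              TLSv1;
    ssl_ciphers                HIGH:!aNULL:!EXP:!LOW:!MD5;

    # The server's cipher order takes priority over the client's (SSLv3/TLSv1)
    ssl_prefer_server_ciphers  on;
}
```

Later nginx releases accept newer TLS versions in ssl_protocols; where they are available, list those instead of TLSv1.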


ssl_verify_client

syntax: ssl_verify_client on|off

default: ssl_verify_client off

context: main, server

The directive enables verification of client certificates.

ssl_verify_depth

syntax: ssl_verify_depth number

default: ssl_verify_depth 1

context: main, server

The directive sets the verification depth in the client certificate chain.


ssl_session_timeout

syntax: ssl_session_timeout time

default: ssl_session_timeout 5m

context: main, server

The directive sets the time during which a client may reuse the parameters of a session stored in the cache.

Error handling

The ngx_http_ssl_module module supports several non-standard error codes that can be used for redirection with the error_page directive:

  • 495: an error occurred while verifying the client certificate;
  • 496: the client did not present the required certificate;
  • 497: a plain request was sent to the HTTPS port.

The redirection takes place after the request has been fully parsed and variables such as $request_uri, $uri, $args and others are available.

Built-in variables

The ngx_http_ssl_module module supports several built-in variables:

  • $ssl_cipher returns the string of ciphers used for the established SSL connection;
  • $ssl_client_serial returns the serial number of the client certificate for the established SSL connection;
  • $ssl_client_s_dn returns the subject DN string of the client certificate for the established SSL connection;
  • $ssl_client_i_dn returns the issuer DN string of the client certificate for the established SSL connection;
  • $ssl_protocol returns the protocol of the established SSL connection.
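The client-verification directives, the 495/496/497 error codes and the built-in variables fit together as in the following added example, which is not part of the original page. The client CA path, the error page names, the log file, the backend address, the header name and the certificate serial are all placeholders chosen for illustration.

```nginx
http {
    # Record the negotiated protocol and cipher plus the client identity
    log_format  tls  '$remote_addr "$request" $status '
                     '$ssl_protocol $ssl_cipher '
                     '"$ssl_client_s_dn" $ssl_client_serial';

    server {
        listen                  443;
        ssl                     on;
        # Intermediate CA certificates in this file are also used when
        # verifying clients (second limitation above), so keep it minimal.
        ssl_certificate         /usr/local/nginx/conf/cert.pem;
        ssl_certificate_key     /usr/local/nginx/conf/cert.key;

        # Placeholder path: PEM bundle of the CAs allowed to issue client certs
        ssl_client_certificate  /usr/local/nginx/conf/client-ca.pem;
        ssl_verify_client       on;
        ssl_verify_depth        2;

        access_log  logs/tls_access.log  tls;

        error_page  495  /cert_invalid.html;
        error_page  496  /cert_required.html;
        # Plain HTTP sent to the HTTPS port: send the client back over https
        error_page  497  https://$host$request_uri;

        # No revocation lists (first limitation above): refuse a known-bad
        # certificate by serial. The value is a constructed placeholder.
        if ($ssl_client_serial = "00C0FFEE") {
            return 403;
        }

        # Static error pages, reachable only through error_page
        location ~ ^/cert_(invalid|required)\.html$ {
            internal;
            root  html;
        }

        location / {
            # Hypothetical backend; overwrites any client-sent copy of the header
            proxy_set_header  X-Client-DN  $ssl_client_s_dn;
            proxy_pass        http://127.0.0.1:8080;
        }
    }
}
```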