Skip to main content
 首页 » 编程设计

nginx之您如何使用 Let's Encrypt 和 Nginx 在 SSL 实验室测试的所有类别中获得 100 分的 A+

2024年12月31日23傻小

在 www.ssllabs.com 测试我的 SSL 证书时,我试图在所有类别中获得 100 分

但是,我很难在所有分数上都获得 A+ 和 100。

关于我应该使用什么 NGINX 配置的任何提示?或者我应该如何生成我的 Let's Encrypt 证书?谢谢

请您参考如下方法:

这些说明适用于所有证书(包括 Let's Encrypt 证书)。但是,给出了一两个 Let's Encrypt 的特定提示。

下面给出的 NGINX SSL 配置将为您提供以下 SSL Labs 分数。你选:

推荐

  • A+
  • 证书 100/100
  • 协议(protocol)支持 95/100
  • key 交换 90/100
  • 密码强度 90/100

  • 完美但有限制
  • A+
  • 证书 100/100
  • 协议(protocol)支持 100/100
  • key 交换 100/100
  • 密码强度 100/100

  • NGINX SSL 配置 - 提取你想要的位。注释阐明了给定的 NGINX 指令将如何影响您的 SSL Labs 分数:
    # Your listen directive should be .. listen 443 ssl http2; 
    # gzip off; # gzip over ssl? really? 
     
    ssl_certificate      /etc/letsencrypt/live/yourdomain.com/fullchain.pem; 
    ssl_certificate_key  /etc/letsencrypt/live/yourdomain.com/privkey.pem; 
     
    #################### ssllabs.com Protocol Support 
     
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # Score=95 (recommended) 
    # ssl_protocols TLSv1.2; # Score=100 
     
    #################### ssllabs.com Key Exchange 
     
    # Score=90 (recommended) 
    ssl_dhparam          /etc/letsencrypt/live/yourdomain.com/dhparam2048.pem; # openssl dhparam -out dhparam2048.pem 2048 
    ssl_ecdh_curve       secp384r1; # optional 
     
    # Score=100 (must generate letsencrypt certs with flag --rsa-key-size 4096) 
    # ssl_dhparam        /etc/letsencrypt/live/yourdomain.com/dhparam4096.pem; # openssl dhparam -out dhparam4096.pem 4096 
    # ssl_ecdh_curve     secp384r1; # required 
     
    #################### ssllabs.com Cipher Strength - see https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations 
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:EC 
    DHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES25 
    6-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS; # Score=90 (recommended) 
    # ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL; # Score=100 
     
    #################### ssllabs.com A+ - Enable HSTS on all subdomains 
     
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; 
    # add_header Strict-Transport-Security "max-age=0; includeSubDomains"; # Delete browser cached HSTS policy (i.e. turn HSTS off) 
     
    # THE PRELOAD DIRECTIVE WILL HAVE SEMI-PERMANENT CONSEQUENCE AND IS IRREVERSIBLE - DO NOT USE UNTIL FULLY TESTED AND YOU UNDERSTAND WHAT YOU ARE DOING! 
    # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; 
     
    #################### Other typical SSL settings that DO NOT effect the ssllabs.com score 
     
    ssl_session_cache shared:SSL:10m; 
    ssl_session_timeout 10m; 
    ssl_prefer_server_ciphers on; 
     
    ssl_stapling on; 
    ssl_stapling_verify on; 
    resolver 8.8.8.8 8.8.4.4 valid=300s; 
    resolver_timeout 10s; 
     
    add_header X-Frame-Options DENY; 
    add_header X-Content-Type-Options nosniff; 
    

    请注意,如果您满足以下条件,您只能在 Key Exchange 上获得 100:
  • 证书 RSA key 大小为 4096(对于 Let's Encrypt,在生成证书时使用 --rsa-key-size 4096 否则您会被 CA 为您生成证书时使用的 RSA key 大小所困扰)和
  • dhparam 是 4096 (openssl dhparam -out dhparam4096.pem 4096) - 这需要大约 1 小时来生成,对于自动化解决方案没用

  • 编辑
  • 2048 年足够保障 future 40 年。从来没有人破解过1024,更不用说2048了!
  • openssl dhparam -dsaparam -out dhparam4096.pem 4096 ...比一小时快得多(请参阅 -dsaparam 标志),但我不知道您是否应该使用它...因为没有在 SSL Labs 测试中对其进行测试我要去 2048