server {
listen 443;
server_name debug.*.cn;
ssl on;
ssl_certificate /apps/nginx/conf/cert/debug.pem;
ssl_certificate_key /apps/nginx/conf/cert/debug.key;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;
#ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
location /stop/ {
root html;
index stop.html;
}
支持哪个协议版本协议就写上哪个,如上图支持TLSv1.1 TLSv1.2,不支持TLSv1.0,如果也禁止TLSv1.1就写成ssl_protocols TLSv1.2;
密码套件:如果支持TLSv1.2及以上,则使用
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
参数解析:
ssl_prefer_server_ciphers on; 密码套件开启
ssl_ciphers 密码套件
一个ssl检测网址
https://www.getssl.cn/sslchecker
或者https://myssl.com