nginx禁用3DES和DES弱加密算法
yum install -y nmap nmap -sV -p 443 --script ssl-enum-ciphers 127.0.0.1
#注释下面的语句(用这个即可) #ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_ciphers HIGH:!ADH:!MD5;
ssl_ciphers HIGH:!ADH:!MD5;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
正常情况下应该是这样 不安全协议和加密算法都禁止 ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!3DES; ssl_protocols TLSv1.1 TLSv1.2 LSv1.3;
server {
listen 443 ssl;
server_name www.cookie.com;
ssl_certificate cert/2022_www.cookie.com.pem;
ssl_certificate_key cert/2022_www.cookie.com.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!3DES;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
/usr/local/nginx/sbin/nginx -s reload
在tomcat/conf/server.xml中找到https端口配置,添加Ciphers="......",此处添加支持的算法,不支持的算法请勿加入其中!
<Connector port="10004" protocol="org.apache.coyote.http11.Http11NioProtocol" maxHttpHeaderSize="8192" minSpareThreads="250" maxSpareThreads="1000" enableLookups="false" acceptCount="1000" connectionTimeout="8000" maxProcessors="2000" maxThreads="2000" SSLEnabled="true" scheme="https" secure="true" keystoreFile="cert/XXXXXXXXXXXX.pfx" keystoreType="xxxxx" keystorePass="xxxxxxxx" sslEnabledProtocols="TLSv1" clientAuth="false" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" Ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA ,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" />
SSL绑定
server {
listen 80;
listen 443 ssl;
server_name www.demo.com demo.com;
ssl_certificate /usr/local/ssl/demo.crt;
ssl_certificate_key /usr/local/ssl/demo.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
if ($server_port = 80 ) {
return 301 https://$host$request_uri;
}
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
#让http请求重定向到https请求
error_page 497 https://$host$request_uri;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}