
nginx https ssl tls configuration

2021-10-14 16:33:06  Reads: 249  Source: Internet

Tags: tls certificate ssl header server nginx client proxy configuration


Module ngx_http_ssl_module (nginx.org)


    server {
      listen 80 http2 default_server;        # "http2" on a plaintext port only enables h2c; browsers use HTTP/2 over TLS
      listen [::]:80 http2 default_server;
      server_name ~^.*\.aeon\.io$;
      access_log /var/log/nginx/aeon.io.log combined;
      index index.html;
      root /aeon.io;
      #rewrite ^(.*)$ https://$http_host$1;
      location / {
        # Send every plaintext request to the HTTPS server below
        return 301 https://$http_host$request_uri;
        # return 301 https://$server_name$request_uri;
      }
    }
    server {
      listen                                443 ssl http2 default_server;
      listen                                [::]:443 ssl http2 default_server;
      server_name                           localhost;
      # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients still need them
      ssl_protocols                         TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
      ssl_prefer_server_ciphers             on;
      ssl_certificate                       ssl/server.pem;
      ssl_certificate_key                   ssl/server.key;
      ssl_password_file                     ssl/password;     # passphrase for the encrypted private key
      # openssl dhparam -out /etc/nginx/ssl/dhparam.pem -rand /dev/urandom 2048
      ssl_dhparam                           ssl/dhparam.pem;
      # Stapling needs a resolver, and ssl_stapling_verify checks the stapled response against
      # ssl_trusted_certificate, so that file must also contain the server certificate's issuer chain
      ssl_stapling                          on;
      ssl_stapling_verify                   on;
      ssl_session_cache                     shared:SSL:20m;
      ssl_session_timeout                   10m;
      ssl_session_tickets                   off;
      # ssl_ciphers may appear only once per context (nginx rejects a duplicate); the broader HIGH list
      # is kept here as the commented-out alternative
      # ssl_ciphers                         HIGH:!aNULL:!MD5;
      ssl_ciphers                           ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;
      add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
      add_header X-Frame-Options DENY;            # forbid embedding in frames
      add_header X-Content-Type-Options nosniff;  # prevent MIME-type sniffing attacks
      # client certificates
      ssl_verify_client                     off;  # "on" or "optional" is needed before client certs are actually checked
      ssl_ocsp                              on;   # OCSP-validate the client certificate chain (only meaningful with verification on)
      ssl_ocsp_cache                        shared:OCSP:20m;  # its own zone; must not reuse the ssl_session_cache zone name
      ssl_ocsp_responder                    http://ocsp.example.com/;
      resolver                              8.8.8.8 8.8.4.4;
      ssl_verify_depth                      2;
      ssl_client_certificate                ssl/client.crt;
      ssl_trusted_certificate               ssl/client-ca.crt;

      location /upstream {
        proxy_pass https://backend;    # "backend" is an upstream {} block or a resolvable host name
        proxy_ssl_certificate ssl/proxy-client.crt;
        proxy_ssl_certificate_key ssl/proxy-client.key;
        proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        proxy_ssl_ciphers HIGH:!aNULL:!MD5;
        proxy_ssl_trusted_certificate ssl/proxied-backend-ca.crt;
        # Verify the upstream certificate against the CA above; its name must match proxy_ssl_name,
        # which defaults to the host in proxy_pass ("backend" here)
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_session_reuse on;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # nginx talks HTTP/1.0 or 1.1 to upstreams only; 1.1 is required for keepalive connections
        proxy_http_version 1.1;
        proxy_connect_timeout 30s;
        proxy_read_timeout 10m;
        proxy_send_timeout 1m;
      }
    }
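As an added example (not part of the original post), a small Python checker that parses an nginx server block and flags the mistakes a listing like the one above can carry: misspelled tokens, the deprecated TLSv1/TLSv1.1 versions, a duplicated ssl_ciphers, an ssl_ocsp_cache zone that collides with ssl_session_cache, and an invalid proxy_http_version. The parse and audit functions, the TYPOS table and the SAMPLE config are all my own; SAMPLE is constructed from the listing's defective lines.

```python
import re
from collections import Counter
DEPRECATED_TLS = {"TLSv1", "TLSv1.1"}  # deprecated by RFC 8996
TYPOS = {"defualt_server": "default_server", "porxy_ssl_session_reuse": "proxy_ssl_session_reuse",
         "proxy_connection_timeout": "proxy_connect_timeout"}

def parse(text):
    """Minimal nginx parser: list of (name, args, children); comments stripped, quoted args kept."""
    tokens = re.findall(r"'[^']*'|\"[^\"]*\"|[;{}]|[^\s;{}]+", re.sub(r"#.*", "", text))
    stack, cur = [[]], []
    for tok in tokens:
        if tok == "}":
            stack.pop()
        elif tok not in (";", "{"):
            cur.append(tok)
        else:                                    # ';' ends a directive, '{' opens its block
            node = (cur[0], cur[1:], [])
            stack[-1].append(node)
            stack += [node[2]] if tok == "{" else []
            cur = []
    return stack[0]

def audit(directives, zones=None):
    """Findings for one block, recursing into nested ones; zones maps shared zone name -> directive."""
    zones = {} if zones is None else zones
    findings, counts = [], Counter(d[0] for d in directives)
    for name, args, children in directives:
        findings += [f"{name}: '{t}' is not valid, did you mean '{TYPOS[t]}'?" for t in (name, *args) if t in TYPOS]
        if name.endswith("ssl_protocols") and DEPRECATED_TLS & set(args):
            findings.append(f"{name}: deprecated {sorted(DEPRECATED_TLS & set(args))}")
        if name == "proxy_http_version" and args and args[0] not in ("1.0", "1.1"):
            findings.append(f"{name}: {args[0]} is invalid, nginx only proxies HTTP/1.0 or 1.1")
        for zone in (a.split(":")[1] for a in args if a.startswith("shared:")):
            if zones.setdefault(zone, name) != name:   # two different caches on one zone name
                findings.append(f"{name}: zone '{zone}' is already used by {zones[zone]}")
        findings += audit(children, zones)
    for n, c in counts.items():
        if c > 1 and n.startswith(("ssl_", "proxy_ssl_")):
            findings.append(f"{n}: set {c} times in one block, nginx rejects the duplicate")
    return findings

SAMPLE = """server {
  listen 443 ssl http2 defualt_server;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  ssl_session_cache shared:SSL:20m;
  ssl_ocsp_cache shared:SSL:20m;
  ssl_ciphers HIGH:!aNULL:!MD5;
  ssl_ciphers ECDH+AESGCM:ECDH+AES256:!ADH:!AECDH:!MD5;
  add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;
  location /upstream { proxy_http_version 2.0; proxy_connection_timeout 30s; porxy_ssl_session_reuse on; }
}"""  # constructed sample: the defective lines of the listing above, condensed
```

Running `audit(parse(SAMPLE))` reports seven findings for the sample; `nginx -t` would stop at the first one, so a checker like this is a quick way to catch all of them before reloading.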


Source: https://www.cnblogs.com/dissipate/p/15407233.html
