Nginx: Configuring SSL Certificates and IPv6 (Part 2)


    }
    location ~ .*\.(js|css)?$ {
        expires 12h;
    }
    location ~ /.well-known {
        allow all;
    }
    location ~ /\. {
        deny all;
    }
    access_log off;
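}

Configuration explained: add the add_header directives

# Mitigate clickjacking
add_header X-Frame-Options DENY;
# Stop the browser from guessing (sniffing) the resource type
add_header X-Content-Type-Options nosniff;
# Protect against XSS attacks
add_header X-Xss-Protection 1;

If an HTTPS check reports the following, change the configuration accordingly: the server supports weak Diffie-Hellman (DH) key exchange parameters. After the change, HTTP/2 is supported.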
ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";

Change it to:

ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";

Enable HSTS. The recommended max-age is 15768000 or 63072000.
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";

Configure ssl_session_cache, which sets the size of the shared session cache; size it according to the site's traffic.

ssl_session_cache builtin:1000 shared:SSL:10m;

Disable TLS 1.0 and enable TLS 1.3.

ssl_protocols TLSv1.2 TLSv1.1 TLSv1.3;

Enable OCSP Stapling.

ssl_stapling on;
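
A small audit of the directives above, as an added example (not code from the original page): it parses an nginx fragment and reports which of the page's TLS and header settings are missing. The sample fragment is constructed from the page's directives, and the function names are hypothetical. The TLS 1.1 and 3DES checks are assumptions that go beyond the page (RFC 8996 deprecates TLS 1.1; 3DES is a 64-bit block cipher).

```python
import re

# Constructed sample: directives recommended on this page, gathered into one fragment.
SAMPLE = r'''
ssl_protocols TLSv1.2 TLSv1.1 TLSv1.3;
ssl_ciphers "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_stapling on;
location ~ /\. { deny all; }
add_header X-Frame-Options DENY;   # mitigate clickjacking
add_header X-Content-Type-Options nosniff;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
'''

def directives(conf):
    """Yield (name, args) for every 'name args;' directive, at any nesting depth."""
    stmt = []
    for tok in re.findall(r'"[^"]*"|#[^\n]*|[;{}]|[^\s;{}"]+', conf):
        if tok.startswith('#'):          # comment runs to the end of the line
            continue
        if tok in (';', '{', '}'):
            if tok == ';' and stmt:
                yield stmt[0], [a.strip('"') for a in stmt[1:]]
            stmt = []                    # '{' drops a block header such as 'location ...'
        else:
            stmt.append(tok)

def audit(conf):
    """Return findings for the TLS and header settings discussed on this page."""
    seen, headers = {}, {}
    for name, args in directives(conf):
        if name == 'add_header' and len(args) >= 2:
            headers[args[0].lower()] = args[1]
        else:
            seen[name] = args
    protos = seen.get('ssl_protocols', [])
    suites = ':'.join(seen.get('ssl_ciphers', [])).split(':')
    m = re.search(r'max-age=(\d+)', headers.get('strict-transport-security', ''))
    checks = [
        ('TLSv1' in protos, 'TLS 1.0 enabled'),
        ('TLSv1.1' in protos, 'TLS 1.1 enabled'),            # assumption beyond the page
        ('TLSv1.3' not in protos, 'TLS 1.3 not enabled'),
        (any('3DES' in s and not s.startswith('!') for s in suites),
         '3DES suites offered'),                             # assumption beyond the page
        (seen.get('ssl_stapling') != ['on'], 'OCSP stapling off'),
        (not m or int(m.group(1)) < 15768000, 'HSTS missing or max-age below 15768000'),
        ('x-frame-options' not in headers, 'missing header x-frame-options'),
        ('x-content-type-options' not in headers, 'missing header x-content-type-options'),
    ]
    return [msg for bad, msg in checks if bad]
```

Calling `audit(SAMPLE)` returns the list of findings; an empty list means every check passed.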