13.1 Client-Side Encryption
Problem
You need to encrypt traffic between your NGINX server and the client.
Problem
You need to encrypt the request traffic between the client and the NGINX server.
Solution
Utilize one of the SSL modules, such as ngx_http_ssl_module or ngx_stream_ssl_module, to encrypt traffic:

    http {
        # All directives used below are also valid in stream
        server {
            listen 8443 ssl;
            ssl_protocols TLSv1.2;
            ssl_ciphers HIGH:!aNULL:!MD5;
            ssl_certificate /usr/local/nginx/conf/cert.pem;
            ssl_certificate_key /usr/local/nginx/conf/cert.key;
            ssl_session_cache shared:SSL:10m;
            ssl_session_timeout 10m;
        }
    }
This configuration sets up a server to listen on port 8443, encrypted with SSL. The server accepts only the TLSv1.2 protocol version. The SSL certificate and key locations are given to the server for use. The server is instructed to use the highest-strength cipher offered by the client while excluding a few that are insecure (anonymous and MD5-based suites). The SSL session cache and timeout allow workers to cache and store session parameters for a given amount of time. There are many other session cache options that can help with performance or security for all types of use cases. Session cache options can be used in conjunction. However, specifying one without the default will turn off that default, built-in session cache.
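As an added example that is not part of the book, the following Python lint checks a server block for the properties the text describes: only TLSv1.2 enabled, the aNULL and MD5 exclusions present in ssl_ciphers, and a session cache shared between workers. The hardened block is the one above; the weakened variant is constructed here for contrast.

```python
import re

# Protocol versions the Discussion calls insecure, and the cipher exclusions the page's ssl_ciphers string carries.
INSECURE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
REQUIRED_CIPHER_EXCLUSIONS = {"!aNULL", "!MD5"}

# The page's server block, plus a weakened variant constructed for contrast.
GOOD_CONFIG = """
http {
    # All directives used below are also valid in stream
    server {
        listen 8443 ssl;
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_certificate /usr/local/nginx/conf/cert.pem;
        ssl_certificate_key /usr/local/nginx/conf/cert.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
    }
}
"""
WEAK_CONFIG = (GOOD_CONFIG.replace("TLSv1.2;", "TLSv1 TLSv1.1 TLSv1.2;")
               .replace("HIGH:!aNULL:!MD5", "HIGH")
               .replace("shared:SSL:10m", "builtin"))

def parse_directives(config):
    """Collect simple 'name value;' directives; comments and block braces are skipped."""
    directives = {}
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"^(\w+)\s+(.*?);$", line)
        if match:
            directives[match.group(1)] = match.group(2).split()
    return directives

def lint_ssl(config):
    """Return findings for the ssl-related directives of one server block."""
    d = parse_directives(config)
    findings = []
    if "ssl" not in d.get("listen", []):
        findings.append("listen: 'ssl' parameter missing, traffic is plaintext")
    bad = INSECURE_PROTOCOLS & set(d.get("ssl_protocols", []))
    if bad:
        findings.append(f"ssl_protocols: insecure versions enabled: {sorted(bad)}")
    missing = REQUIRED_CIPHER_EXCLUSIONS - set(d.get("ssl_ciphers", [""])[0].split(":"))
    if missing:
        findings.append(f"ssl_ciphers: missing exclusions {sorted(missing)}")
    cache = d.get("ssl_session_cache", ["none"])[0]  # nginx's default is none
    if not cache.startswith("shared:"):
        findings.append(f"ssl_session_cache: '{cache}' is not shared between workers")
    return findings
```

Running lint_ssl on GOOD_CONFIG returns no findings; on WEAK_CONFIG it reports the old protocol versions, the missing cipher exclusions and the per-worker cache.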
Solution
Enable one of the NGINX SSL modules, ngx_http_ssl_module or ngx_stream_ssl_module, to encrypt the traffic:
    http {
        # All directives used below are also valid in stream
        server {
            listen 8443 ssl;
            ssl_protocols TLSv1.2;
            ssl_ciphers HIGH:!aNULL:!MD5;
            ssl_certificate /usr/local/nginx/conf/cert.pem;
            ssl_certificate_key /usr/local/nginx/conf/cert.key;
            ssl_session_cache shared:SSL:10m;
            ssl_session_timeout 10m;
        }
    }
In this example, the server block listens on port 8443 with ssl encryption enabled. The ssl protocol version used is TLS 1.2. The server has access to the SSL certificate and key directories. In addition, the server and client exchange data using the highest-strength encryption available. The ssl_session_cache and ssl_session_timeout directives set the memory space and lifetime for stored sessions; besides these two directives, there are other session-related directives that can be used to improve performance and security. However, specifying one without the default will turn off that default, built-in session cache.
Discussion
Secure transport layers are the most common way of encrypting information in transit. At the time of writing, the Transport Layer Security protocol (TLS) is the default over the Secure Socket Layer (SSL) protocol. That's because versions 1 through 3 of SSL are now considered insecure. While the protocol name may be different, TLS still establishes a secure socket layer. NGINX enables your service to protect information between you and your clients, which in turn protects the client and your business. When using a signed certificate, you need to concatenate the certificate with the certificate authority chain. When you concatenate your certificate and the chain, your certificate should be above the chain in the file. If your certificate authority has provided many files in the chain, it is also able to provide the order in which they are layered. The SSL session cache enhances performance by not having to renegotiate SSL/TLS versions and ciphers for resumed sessions.
Discussion
Secure transport layers are the common means of encrypting data in transit. At the time of writing this book, the Transport Layer Security protocol (TLS) is the default over the Secure Socket Layer (SSL) protocol, because versions 1.0 through 3.0 of SSL are now considered insecure. Although the protocol names differ, both TLS and SSL ultimately build a secure socket layer. NGINX lets you establish encrypted data transport between your service and its clients, keeping business and user data safe. When using a signed certificate, the certificate must be concatenated with the certificate authority chain; when concatenated, your certificate should come above the chain in the file. If your certificate authority provides many files in the chain, it can also provide the order in which they are layered. The SSL session cache improves performance by avoiding renegotiation of SSL/TLS versions and ciphers.
Also See
Mozilla Server Side TLS Page
Mozilla SSL Configuration Generator
Test your SSL Configuration with SSL Labs SSL Test