13.1 Client-Side Encryption

Problem

You need to encrypt traffic between your NGINX server and the client.

Problem

Request data exchanged between the client and the NGINX server needs to be encrypted.


Solution

Utilize one of the SSL modules, such as the ngx_http_ssl_module

or ngx_stream_ssl_module to encrypt traffic:

http {
    # All directives used below are also valid in stream
    server {
        listen 8443 ssl;
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_certificate /usr/local/nginx/conf/cert.pem;
        ssl_certificate_key /usr/local/nginx/conf/cert.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
    }
}

This configuration sets up a server to listen on a port encrypted with

SSL, 8443. The server accepts the SSL protocol version TLSv1.2. The

SSL certificate and key locations are disclosed to the server for use.

The server is instructed to use the highest strength offered by the

client while restricting a few that are insecure. The SSL session cache

and timeout allow for workers to cache and store session parameters

for a given amount of time. There are many other session cache

options that can help with performance or security of all types of use

cases. Session cache options can be used in conjunction. However,

specifying one without the default will turn off that default, built-in

session cache.

Solution

Enable one of the NGINX SSL modules, ngx_http_ssl_module or ngx_stream_ssl_module, to encrypt the data:

http {
    # All directives used below are also valid in stream
    server {
        listen 8443 ssl;
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_certificate /usr/local/nginx/conf/cert.pem;
        ssl_certificate_key /usr/local/nginx/conf/cert.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
    }
}

In this example the server block is configured to listen on port 8443 with SSL enabled. The SSL protocol used is TLS version 1.2. The server is given the locations of the SSL certificate and key. In addition, the server and client exchange data using the highest-strength encryption offered. The ssl_session_cache and ssl_session_timeout directives set the memory space and lifetime used to store session parameters; besides these two directives, there are other session-related directives that can improve performance and security. However, specifying one without the default will turn off that default, built-in session cache.
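As an added example (not code from the cookbook), a small Python auditor that reads a server block like the one above and reports the settings the recipe guards against: a listener without the ssl parameter, SSL/TLS versions now considered insecure, cipher strings that do not exclude aNULL or MD5, and missing certificate or session-cache directives. GOOD_CONF is the recipe's block as constructed sample input; WEAK_CONF is a deliberately weakened copy for contrast.

```python
import re
# Constructed sample: the recipe's server block; WEAK_CONF re-enables SSLv3/TLSv1 and drops the aNULL/MD5 exclusions.
GOOD_CONF = """
http {
    server {
        listen 8443 ssl;
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_certificate /usr/local/nginx/conf/cert.pem;
        ssl_certificate_key /usr/local/nginx/conf/cert.key;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
    }
}
"""
WEAK_CONF = (GOOD_CONF.replace("TLSv1.2;", "SSLv3 TLSv1 TLSv1.2;")
             .replace("HIGH:!aNULL:!MD5", "HIGH:MD5"))

INSECURE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def server_directives(conf):
    """Map directive name -> list of argument lists for the first server block (comments dropped, no nesting)."""
    conf = re.sub(r"#.*", "", conf)
    m = re.search(r"\bserver\s*\{(.*?)\}", conf, re.S)
    if not m:
        raise ValueError("no server block found")
    directives = {}
    for stmt in m.group(1).split(";"):
        tokens = stmt.split()
        if tokens:
            directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives

def audit_tls(conf):
    """Return a list of findings; an empty list means every check passed."""
    d = server_directives(conf)
    findings = []
    if not any("ssl" in args for args in d.get("listen", [])):
        findings.append("listen: no 'ssl' parameter, listener is plaintext")
    enabled = set(sum(d.get("ssl_protocols", []), []))
    if enabled & INSECURE_PROTOCOLS:
        findings.append(f"ssl_protocols: insecure versions {sorted(enabled & INSECURE_PROTOCOLS)}")
    ciphers = ":".join(sum(d.get("ssl_ciphers", []), [])).split(":")
    for excl in ("!aNULL", "!MD5"):
        if excl not in ciphers:
            findings.append(f"ssl_ciphers: {excl} is not excluded")
    for req in ("ssl_certificate", "ssl_certificate_key", "ssl_session_cache"):
        if req not in d:
            findings.append(f"{req}: directive missing")
    return findings
```

Calling audit_tls(GOOD_CONF) returns an empty list, while audit_tls(WEAK_CONF) returns three findings covering the re-enabled protocol versions and the two missing cipher exclusions.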


Discussion

Secure transport layers are the most common way of encrypting

information in transit. At the time of writing, the Transport Layer

Security protocol (TLS) is the default over the Secure Socket Layer

(SSL) protocol. That’s because versions 1 through 3 of SSL are now

considered insecure. While the protocol name may be different, TLS

still establishes a secure socket layer. NGINX enables your service to

protect information between you and your clients, which in turn

protects the client and your business. When using a signed certificate, you need to concatenate the certificate with the certificate

authority chain. When you concatenate your certificate and the

chain, your certificate should be above the chain in the file. If your

certificate authority has provided many files in the chain, it is also

able to provide the order in which they are layered. The SSL session

cache enhances performance by not having to negotiate for SSL/TLS

versions and ciphers.

Discussion

Secure transport layers are a common means of encrypting data in transit. At the time this book was written, the Transport Layer Security protocol (TLS) is the default over the Secure Sockets Layer protocol (SSL), because SSL versions 1.0 through 3.0 are now considered insecure. Although the protocol names differ, both TLS and SSL ultimately build a secure socket layer. NGINX lets you build encrypted data transport between your service and your clients, protecting business and user data. When using a signed certificate, you need to concatenate the certificate with the certificate authority chain; when concatenating them, your certificate should come before the chain in the file. If your certificate authority provides many files in the chain, it can also provide the order in which they are layered. The SSL session cache improves performance because the SSL/TLS version and cipher do not have to be negotiated again.

Also See

Mozilla Server Side TLS Page

Mozilla SSL Configuration Generator

Test your SSL Configuration with SSL Labs SSL Test
