How to choose the right ciphers for NGINX config

I'm new to nginx and I just recently decided to make a change to the config file to redirect my applications from http to https using the return statement "return 301 https://$host$request_uri;". This all worked fine until I noticed that we weren't receiving text messages via the Twilio API. I decided to debug the issue and found that I was receiving an SSL/TLS Handshake Error.

Looking into the debugger I saw that they gave this as the possible cause of the issue:

Incompatible cipher suites in use by the client and the server. This would require the client to use (or enable) a cipher suite that is supported by the server.

Looking at the nginx config file, I noticed that there are no ciphers being used, which is probably the root of the problem, and not because TLS isn't enabled, looking at the config below:

server {
    listen      443 ssl http2 default_server;
    listen      [::]:443 ssl http2 default_server;
    server_name localhost;

    ssl_certificate     "/etc/nginx/ssl/domain-crt.txt";
    ssl_certificate_key "/etc/nginx/ssl/domain-key.txt";
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

    ## More configuration below this...
}

Twilio has a list of supported ciphers which can be found here, but I'm not sure how to do this within my config file. Am I supposed to use all of them since my protocols include TLSv1, TLSv1.1, and TLSv1.2? Or do I only use one of those in the list? I'm really confused as to what I need to have set in my ssl_ciphers variable.

Also I read that having SSLv3 enabled in ssl_protocols is a bad idea. Can I just remove that from the ssl_protocols and save the config without it causing major issues?

If anyone could help me answer these questions, that would be very helpful. Thank you!

Ciphers are used by default, and Nginx configures them by version.

In version 1.0.5 and later, the default SSL ciphers are HIGH:!aNULL:!MD5. In versions 0.7.65 and 0.8.20 and later, the default SSL ciphers are HIGH:!ADH:!MD5. In version 0.8.19 the default SSL ciphers are ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM. In versions 0.7.64 and 0.8.18 and earlier, the default SSL ciphers are ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP. See the Nginx Docs for more information.

But you can also be explicit and choose the ciphers you want to allow using: ssl_ciphers "cipher1 cipher2 ... cipherN"; For example, ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256"; to support only this specific ciphersuite. Regarding:

Also I read that having SSLv3 enabled in ssl_protocols is a bad idea. Can I just remove that from the ssl_protocols and save the config without it causing major issues?

The only major issue that it can cause is that a client using SSLv3 trying to connect to your server will get rejected, since it is not acceptable by your server (not supported by the config file). In any case it's the Nginx default in some versions and shouldn't be the problem.

From the Nginx Docs:

From versions 0.7.65 and 0.8.19 and later, the default SSL protocols are SSLv3, TLSv1, TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
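As an added check that is not part of the question or the answer above: the ssl_ciphers value is an OpenSSL cipher string, and Python's ssl module expands such a string with the same OpenSSL library nginx links against, so you can see which suites a given string (the nginx default or an explicit one) actually allows and whether they overlap with what a client requires. The client list below is a constructed sample, not Twilio's real list; the helper names are assumptions.

```python
import ssl

# nginx default since 1.0.5, as quoted in the answer above. Same syntax as ssl_ciphers.
NGINX_DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5"

# Constructed sample of suites a client might require (not Twilio's real list).
# RC4-SHA is included on purpose: an obsolete suite that a sane server string excludes.
CLIENT_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "RC4-SHA",
]


def expand_cipher_string(cipher_string):
    """Return the TLS <= 1.2 cipher names OpenSSL selects for an ssl_ciphers-style string.

    Uses the locally installed OpenSSL through Python's ssl module, so the result
    reflects what that library (and a nginx linked against it) would actually offer.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # "No cipher can be selected": a typo or a suite this OpenSSL no longer
        # builds. nginx would likewise refuse a string that selects nothing.
        return []
    # TLS 1.3 suites are configured separately in OpenSSL and always show up here,
    # so drop them: ssl_ciphers only governs TLS 1.2 and below.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def compatible_ciphers(server_cipher_string, client_ciphers):
    """Suites both sides can use, in the client's preference order.

    An empty result is exactly the "incompatible cipher suites" situation the
    handshake error in the question describes.
    """
    offered = set(expand_cipher_string(server_cipher_string))
    return [c for c in client_ciphers if c in offered]


if __name__ == "__main__":
    print("nginx default offers", len(expand_cipher_string(NGINX_DEFAULT_CIPHERS)), "suites")
    print("overlap with client:", compatible_ciphers(NGINX_DEFAULT_CIPHERS, CLIENT_CIPHERS))
    print("single-suite config:", compatible_ciphers("ECDHE-RSA-AES128-GCM-SHA256", CLIENT_CIPHERS))
    print("typo in ssl_ciphers:", compatible_ciphers("NOT-A-CIPHER", CLIENT_CIPHERS))
```

Run this on the host that runs nginx, since the expansion depends on which OpenSSL that host has; if the overlap for the real client list is empty, that is the cipher mismatch to fix before touching ssl_protocols.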
