How to choose the right ciphers for NGINX config
I'm new to nginx, and I just recently decided to make a change to the config file to redirect my applications from http to https using the return statement return 301 https://$host$request_uri; This all worked fine until I noticed that we weren't receiving text messages via the Twilio API. I decided to debug the issue and found that I was receiving an SSL/TLS Handshake Error.
Looking into the debugger, I saw that they gave this as the possible cause of the issue:
Incompatible cipher suites in use by the client and the server. This would require the client to use (or enable) a cipher suite that is supported by the server.
Looking at the nginx config file, I noticed that no ciphers are being specified, which is probably the root of the problem (and not that TLS isn't enabled), looking at the config below:
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name localhost;
ssl_certificate "/etc/nginx/ssl/domain-crt.txt";
ssl_certificate_key "/etc/nginx/ssl/domain-key.txt";
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
## More configuration below this...
}
Twilio has a list of supported ciphers which can be found here, but I'm not sure how to do this within my config file. Am I supposed to use all of them, since my protocols include TLSv1, TLSv1.1, and TLSv1.2? Or do I only use one of those in the list? I'm really confused as to what I need to have set in my ssl_ciphers variable.
Also, I read that having SSLv3 enabled in ssl_protocols is a bad idea. Can I just remove that from the ssl_protocols and save the config without it causing major issues?
If anyone could help me answer these questions, that would be very helpful. Thank you!

Ciphers are being used by default, and Nginx configures them by version.
In version 1.0.5 and later, the default SSL ciphers are HIGH:!aNULL:!MD5. In versions 0.7.65 and 0.8.20 and later, the default SSL ciphers are HIGH:!ADH:!MD5. From version 0.8.19 the default SSL ciphers are ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM. From versions 0.7.64 and 0.8.18 and earlier, the default SSL ciphers are ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP. See the Nginx docs for more information.
But you can also be explicit and choose the ciphers you want to allow using: ssl_ciphers "cipher1 cipher2... cipherN"; For example, ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256"; to support only this specific cipher suite.
Regarding:
Also I read that having SSLv3 enabled in ssl_protocols is a bad idea. Can I just remove that from the ssl_protocols and save the config without it causing major issues?
The only major issue it can cause is that a client using SSLv3 trying to connect to your server will get rejected, since it is not accepted by your server (not supported by the config file). In any case, it's Nginx's default in some versions and shouldn't be the problem.
From the Nginx docs:
From versions 0.7.65 and 0.8.19 and later, the default SSL protocols are SSLv3, TLSv1, TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
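The answer above explains that nginx hands the ssl_ciphers string to OpenSSL and that an explicit value restricts the server to the listed suites. The following Python script is an added example, not part of the original question or answer: it expands an ssl_ciphers value with the local OpenSSL (through Python's standard ssl module, which wraps the same library nginx links against) so you can see exactly which suites a value such as "HIGH:!aNULL:!MD5" really enables, flags suites built on weak algorithms or without forward secrecy, and reports the overlap with a list of suites a client supports. The client list EXAMPLE_CLIENT_SUITES is constructed for the demo and is not Twilio's actual list; the function names are my own.

```python
"""Audit an nginx ssl_ciphers value by expanding it with the local OpenSSL.

nginx passes ssl_ciphers straight to OpenSSL, so the ssl module reproduces
the expansion the server performs at startup.  Added example; the cipher
lists below are constructed for the demo.
"""
import ssl

# Name fragments that identify suites a defender would not want enabled.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")

# Constructed client list for the demo (NOT Twilio's real list).
EXAMPLE_CLIENT_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
]


def expand_cipher_string(spec):
    """Return the TLS 1.2-and-earlier suite names OpenSSL selects for `spec`.

    Raises ssl.SSLError when nothing matches, which is the same condition
    that makes nginx refuse to start with that ssl_ciphers value.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    # get_ciphers() also reports the TLS 1.3 suites, which OpenSSL configures
    # independently of this string, so they are filtered out here.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def cipher_string_is_valid(spec):
    """True if OpenSSL accepts `spec`; nginx would fail to start otherwise."""
    try:
        expand_cipher_string(spec)
        return True
    except ssl.SSLError:
        return False


def has_forward_secrecy(name):
    """Ephemeral (EC)DHE key exchange is what gives a TLS 1.2 suite forward secrecy."""
    return name.startswith(("ECDHE-", "DHE-"))


def audit_cipher_string(spec, client_suites=()):
    """Expand `spec` and report weak suites, non-PFS suites and client overlap.

    `client_suites` are the suite names the remote client offers; pass the
    list published by the client you need to interoperate with.
    """
    enabled = expand_cipher_string(spec)
    offered = set(client_suites)
    return {
        "enabled": enabled,
        "weak": [n for n in enabled if any(m in n for m in WEAK_MARKERS)],
        "no_forward_secrecy": [n for n in enabled if not has_forward_secrecy(n)],
        # Kept in server-preference order, which is the order that decides the
        # negotiated suite when ssl_prefer_server_ciphers is on.
        "shared_with_client": [n for n in enabled if n in offered],
    }


def main():
    for spec in ("HIGH:!aNULL:!MD5", "ECDHE-RSA-AES128-GCM-SHA256", "NO-SUCH-CIPHER"):
        print(f'ssl_ciphers "{spec}";')
        if not cipher_string_is_valid(spec):
            print("  rejected by OpenSSL (nginx would fail to start with this value)")
            continue
        report = audit_cipher_string(spec, EXAMPLE_CLIENT_SUITES)
        print(f"  enabled suites     : {len(report['enabled'])}")
        print(f"  weak               : {report['weak'] or 'none'}")
        print(f"  no forward secrecy : {report['no_forward_secrecy'] or 'none'}")
        print(f"  shared with client : {report['shared_with_client'] or 'none'}")


if __name__ == "__main__":
    main()
```

Run it with python3 and substitute the suites your client actually supports for EXAMPLE_CLIENT_SUITES: an empty "shared with client" list for a candidate ssl_ciphers value is exactly the mismatch that produces the handshake error described in the question, and seeing it here is cheaper than seeing it in production. Note that ssl_ciphers only governs TLS 1.2 and earlier, and that the SSLv3 question is independent of it: removing SSLv3 from ssl_protocols changes which protocol versions are accepted, not which suites are offered.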