# SSL/TLS Configuration Guide

## Supported TLS Versions
| Version | Status | Recommendation |
|---|---|---|
| TLS 1.3 | ✓ Current | Enable: fastest and most secure |
| TLS 1.2 | ⚠ Legacy | Enable for compatibility (clients from 2015 onward) |
| TLS 1.1 | ✗ Deprecated | Disable: unsupported by browsers since 2020 |
| TLS 1.0 | ✗ Deprecated | Disable: vulnerable to POODLE and BEAST |
| SSL 2/3 | ✗ Insecure | Never enable |
## Recommended nginx TLS Configuration
```nginx
server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # TLS versions
    ssl_protocols TLSv1.2 TLSv1.3;

    # Cipher suites (TLS 1.2 fallback; TLS 1.3 suites are not governed by ssl_ciphers)
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;  # Let client pick in TLS 1.3

    # Session resumption
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # ssl_stapling_verify needs the issuer chain to validate the stapled response;
    # certbot writes that chain next to fullchain.pem as chain.pem
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    resolver 8.8.8.8 valid=300s;

    # HSTS (enable after testing)
    # Note: a location block that sets its own add_header does not inherit this header
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
}
```
## Let's Encrypt Setup (Certbot)
```bash
# Install certbot
sudo apt install certbot python3-certbot-nginx

# Obtain certificate (auto-configures nginx)
sudo certbot --nginx -d example.com -d www.example.com

# Test auto-renewal
sudo certbot renew --dry-run

# Cron job entry (auto-renewal attempt every 12h); add it with `crontab -e`
0 */12 * * * certbot renew --quiet --post-hook "nginx -s reload"
```
## SSL Labs Grade Requirements
| Grade | Requirements |
|---|---|
| A+ | HSTS preload, TLS 1.2+, strong cipher suites only, OCSP stapling |
| A | TLS 1.2+, no weak ciphers, valid certificate, HSTS |
| B | TLS 1.0/1.1 enabled or weak cipher suites |
| F | Expired certificate, severe vulnerabilities, SSL 3.0 enabled |
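The nginx block above and the grade table both describe checks a reviewer normally does by eye: which protocol versions are enabled, whether any cipher suite is weak or lacks forward secrecy, whether the HSTS header meets the preload requirements, and whether OCSP stapling is on. The following is an added example written for this guide, not code from the guide, nginx or SSL Labs: a small static auditor that parses a `server { ... }` block, reports those findings, and maps them onto the grade table. Assumptions are labelled in the code: the directive parser handles one directive per line only, the weak-cipher marker list is a constructed approximation, and `estimate_grade` is a rough reading of the table above rather than SSL Labs' actual scoring algorithm. The embedded configs are copies constructed for the example.

```python
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Protocol versions the guide's table marks Deprecated or Insecure.
FORBIDDEN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings that mark an OpenSSL suite name as weak for this check (constructed list).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")
PRELOAD_MIN_MAX_AGE = 31536000  # hstspreload.org requires at least one year

# Assumption: one 'name args;' directive per line, as in the guide's config.
_DIRECTIVE_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s+(.*);$")


def parse_directives(config: str) -> dict:
    """Map each directive name to the list of argument lists found for it.

    Trailing '#' comments are stripped; 'server {' and '}' carry no ';' and are
    skipped. shlex keeps the quoted HSTS value together as a single argument.
    """
    found = {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _DIRECTIVE_RE.match(line)
        if m:
            found.setdefault(m.group(1), []).append(shlex.split(m.group(2)))
    return found


def parse_hsts(value: str):
    """Parse 'max-age=N; includeSubDomains; preload' -> (max_age, subdomains, preload)."""
    max_age, subdomains, preload = None, False, False
    for part in value.split(";"):
        low = part.strip().lower()
        if low.startswith("max-age="):
            try:
                max_age = int(low[len("max-age="):].strip('"'))
            except ValueError:
                max_age = None
        elif low == "includesubdomains":
            subdomains = True
        elif low == "preload":
            preload = True
    return max_age, subdomains, preload


@dataclass
class Audit:
    protocols: List[str]
    forbidden_protocols: List[str]
    weak_ciphers: List[str]
    no_forward_secrecy: List[str]
    hsts_max_age: Optional[int]
    hsts_preload_ready: bool
    ocsp_stapling: bool
    session_tickets_off: bool


def audit_server_block(config: str) -> Audit:
    d = parse_directives(config)
    protocols = d.get("ssl_protocols", [[]])[0]
    cipher_str = d.get("ssl_ciphers", [[""]])[0][0]
    # Keep concrete suite names; drop exclusions (!aNULL) and keyword groups (HIGH).
    ciphers = [c for c in cipher_str.split(":") if "-" in c and not c.startswith("!")]
    hsts_value = None
    for args in d.get("add_header", []):
        if len(args) > 1 and args[0].lower() == "strict-transport-security":
            hsts_value = args[1]
    max_age, subs, preload = parse_hsts(hsts_value) if hsts_value else (None, False, False)
    return Audit(
        protocols=protocols,
        forbidden_protocols=[p for p in protocols if p in FORBIDDEN_PROTOCOLS],
        weak_ciphers=[c for c in ciphers if any(mk in c for mk in WEAK_CIPHER_MARKERS)],
        no_forward_secrecy=[c for c in ciphers if not c.startswith(("ECDHE-", "DHE-"))],
        hsts_max_age=max_age,
        hsts_preload_ready=(max_age is not None and max_age >= PRELOAD_MIN_MAX_AGE
                            and subs and preload),
        # nginx defaults: ssl_stapling off, ssl_session_tickets on
        ocsp_stapling=d.get("ssl_stapling", [["off"]])[0][0] == "on",
        session_tickets_off=d.get("ssl_session_tickets", [["on"]])[0][0] == "off",
    )


def estimate_grade(a: Audit) -> str:
    """Rough mapping onto the guide's SSL Labs table; not SSL Labs' real scoring."""
    if any(p in ("SSLv2", "SSLv3") for p in a.protocols):
        return "F"
    if a.forbidden_protocols or a.weak_ciphers:
        return "B"
    if a.hsts_max_age is None:
        return "ungraded (HSTS header missing)"  # the table has no row for this case
    if a.hsts_preload_ready and a.ocsp_stapling and not a.no_forward_secrecy:
        return "A+"
    return "A"


# Constructed copy of the guide's recommended server block.
GUIDE_CONFIG = """
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off; # Let client pick in TLS 1.3
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
}
"""

# Constructed legacy block showing the findings the audit is meant to catch.
LEGACY_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5:RC4-SHA;
}
"""

if __name__ == "__main__":
    for name, cfg in (("guide", GUIDE_CONFIG), ("legacy", LEGACY_CONFIG)):
        result = audit_server_block(cfg)
        print(f"{name}: grade {estimate_grade(result)}\n  {result}")
```

Run it as a pre-deploy check on the rendered `server` block; the guide's own configuration comes out as A+, while the legacy block is pinned at B by the TLS 1.0/1.1 protocols and the RC4 suite, which is exactly the row the grade table assigns to those conditions.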