Foreword
Notes on commonly used optimisation and hardening settings for web servers.
Nginx
Enable TLS and disable legacy TLS versions
Enable OCSP stapling
Force redirection to HTTPS
Configure strong cipher suites
Enable HTTP/2
Apache2 (Ubuntu variant)
Enable TLS 1.2 to 1.3 and disable legacy TLS
Edit /etc/apache2/mods-enabled/ssl.conf and add:

```apache
# Drop every protocol version, then re-enable only TLS 1.2 and TLS 1.3
SSLProtocol -all +TLSv1.3 +TLSv1.2
```

Note: the +TLSv1.3 token is only accepted by Apache 2.4.36 or later built against OpenSSL 1.1.1 or later; older builds reject the line at startup.
Enable OCSP stapling
Edit /etc/apache2/mods-enabled/ssl.conf and add:

```apache
# Staple the CA's OCSP response to the handshake; the cache is mandatory
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
```

Note: SSLStaplingCache is only valid in the global server context, not inside a VirtualHost, and stapling needs the full certificate chain configured so Apache can locate the issuer's OCSP responder.
Enable forced redirection to HTTPS
Open /etc/apache2/sites-available/000-default.conf and add the following inside the <VirtualHost *:80> block:

```apache
# Redirect every plain-HTTP request to the same path over HTTPS
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*) https://%{SERVER_NAME}$1 [L,R]
```

Note: this requires the rewrite module to be enabled, and a bare R flag sends a temporary (302) redirect.
Enable HTTP/2

```bash
a2enmod http2   # enable the http2 module
```

Open /etc/apache2/apache2.conf and add the following:

```apache
# Offer HTTP/2 over TLS (h2) and cleartext (h2c), falling back to HTTP/1.1
Protocols h2 h2c http/1.1
```

Note: mod_http2 does not work with the prefork MPM, which Ubuntu selects when mod_php is installed; switch to the event MPM (for example with PHP-FPM) before expecting h2 to be negotiated.
Configure strong cipher suites
Open the site configuration file under /etc/apache2/sites-enabled and add the following inside the <VirtualHost *:443> block:

```apache
# Prefer the server's cipher order; forward-secret ECDHE suites with AEAD ciphers only
SSLHonorCipherOrder on
SSLCipherSuite TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES
```

Note: OpenSSL ignores cipher names it does not recognise, so with OpenSSL 1.1.1 the TLS13-* entries have no effect and the TLS 1.3 suites keep their defaults; Apache 2.4.36 and later configure them separately through the TLSv1.3 protocol argument of SSLCipherSuite.
Enable HSTS

```bash
a2enmod headers   # enable the headers module
```

Open the site configuration file under /etc/apache2/sites-enabled and add the following inside the <VirtualHost *:443> block:

```apache
# Tell browsers to use HTTPS only for one year, including all subdomains
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
```

Note: once a browser has cached this header, every subdomain must be reachable over HTTPS for the whole max-age, so confirm that before enabling includeSubDomains.
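To check that a vhost actually carries all of the settings from the Ubuntu steps above before reloading Apache, here is a small configuration audit, added as an example and not part of the original post. It parses a config fragment (the sample below is constructed from the post's own directives) and reports which of the five hardening settings are missing or weak; scope handling is limited to VirtualHost blocks.

```python
import re

# Constructed sample (not a real server's config): the post's directives, with the
# HSTS header deliberately left out so the audit has something to report.
SAMPLE_CONF = """SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
Protocols h2 h2c http/1.1
<VirtualHost *:80>
    RewriteEngine on
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.*) https://%{SERVER_NAME}$1 [L,R]
</VirtualHost>
<VirtualHost *:443>
    SSLHonorCipherOrder on
    SSLCipherSuite EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES
</VirtualHost>
"""
WEAK_PROTOS = {"all", "sslv2", "sslv3", "tlsv1", "tlsv1.1"}  # must never be '+'-enabled

def parse(conf):
    """Yield (scope, directive, args); scope is 'global' or the <VirtualHost> address."""
    scope = "global"
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"): continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m: scope = m.group(1)
        elif line.lower().startswith("</virtualhost"): scope = "global"
        else:
            name, *rest = line.split(None, 1)  # directive name, then its argument string
            yield scope, name.lower(), rest[0] if rest else ""

def audit(conf):
    """Return a list of findings; an empty list means every setting from the post is present."""
    seen = list(parse(conf))
    def args_of(name, scopes=("global", "*:443")):  # in file order; Apache's last match wins
        return [a for s, n, a in seen if n == name and s in scopes]
    def on(name):
        return any(a.lower() == "on" for a in args_of(name))
    proto = args_of("sslprotocol")[-1].split() if args_of("sslprotocol") else []
    enabled = {t[1:].lower() for t in proto if t.startswith("+")}
    checks = [  # (problem present?, finding)
        ("-all" not in proto or not enabled or enabled & WEAK_PROTOS, "SSLProtocol: use '-all +TLSv1.3 +TLSv1.2'"),
        (not on("sslusestapling") or not args_of("sslstaplingcache"), "OCSP stapling: SSLUseStapling On + SSLStaplingCache"),
        (not on("sslhonorcipherorder") or not args_of("sslciphersuite"), "ciphers: SSLHonorCipherOrder on + SSLCipherSuite"),
        (not any("h2" in a.split() for a in args_of("protocols")), "HTTP/2: Protocols does not list h2"),
        (not any("%{https}" in a.lower() for a in args_of("rewritecond", ("*:80",))), "no HTTPS redirect in <VirtualHost *:80>"),
        (not any("strict-transport-security" in a.lower() for a in args_of("header")), "no HSTS header in <VirtualHost *:443>"),
    ]
    return [msg for bad, msg in checks if bad]
```

Run audit() on the text of your own site file plus ssl.conf and apache2.conf concatenated; it does not follow Include directives or IfModule blocks.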
Apache2 (RedHat, SUSE, CentOS variant)