Nginx配置RSA+ECC双证书

创建日期：2022/09/14 修改日期：2023/10/24 Nginx

1. 证书申请：在腾讯云申请的免费证书可以选择 `ECC` 格式
2. 参考教程：[Nginx 服务器 SSL 证书安装部署](https://cloud.tencent.com/document/product/400/35244)
3. 最终检查：[https://myssl.com](https://myssl.com)

> 核心配置如下

```conf
server {
    listen 443 ssl http2;
    server_name maxqiu.com;
    ssl_certificate maxqiu.com.rsa.crt;
    ssl_certificate_key maxqiu.com.rsa.key;
    ssl_certificate maxqiu.com.ecc.crt;
    ssl_certificate_key maxqiu.com.ecc.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header HTTP_X_FORWARDED_FOR $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect default;
        proxy_pass http://127.0.0.1:8080/;
    }
}
server {
    listen 80;
    server_name maxqiu.com;
    return 301 https://test3.maxqiu.com$request_uri;
}
```

注：

- `server_name`：填写自己的域名
- `ssl_certificate + ssl_certificate_key`：双证书是指配置两次，分别指向 `RSA` 和 `ECC`
- `ssl_ciphers`：使用了 `myssl.com` 推荐的配置，详见 [https://myssl.com/www.baidu.com#basic](https://myssl.com/www.baidu.com#basic) 中的配置指南

全部评论