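Tips for Getting an A+ Rating on the SSL Labs Test
TLS 1.3
- If TLSv1.1 or TLSv1 are listed in ssl_protocols, remove them
- A+ requires that every site on the server has TLS 1.3 enabled

nginx
ssl_protocols TLSv1.2 TLSv1.3;

OCSP Stapling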
Setting ssl_trusted_certificate to the same file as ssl_certificate is sufficient
nginx
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /path/to/fullchain.pem;

Default site
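- Block direct access by IP address
- Prevent domains from being maliciously pointed at the server
ssl_reject_handshake requires an nginx version higher than 1.19.4
nginx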
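server {
  # Catch-all for requests that match no configured server_name
  listen 80 default_server;
  listen 443 ssl http2 default_server;
  server_name _;

  ssl_ciphers aNULL;
  ssl_protocols TLSv1.2 TLSv1.3;
  # Reject the TLS handshake in this block, so no certificate is needed here
  ssl_reject_handshake on;

  # Close the connection without sending a response
  return 444;
}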
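
An added example, not part of the original post: because A+ requires every site on the server to offer TLS 1.3, this Python script resolves the effective ssl_protocols of each TLS server block (including values inherited from an enclosing block) and lists what to change. The sample config and host names are constructed, and it assumes include files are already inlined and no quoted string contains {, }, ; or #.

```python
import re
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample configuration (hypothetical hosts, not from the page).
SAMPLE = """
http {
    ssl_protocols TLSv1.2 TLSv1.3;
    server { listen 443 ssl; server_name a.example; }
    server { listen 443 ssl; server_name b.example;
             ssl_protocols TLSv1 TLSv1.1 TLSv1.2; }   # per-site override
    server { listen 80; server_name c.example; }
}
"""

def audit_protocols(conf):
    """Map each TLS server block's name to a list of ssl_protocols problems."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf))
    root = {"kind": "main", "parent": None, "d": {}}
    ctx, words, servers = root, [], []
    for tok in tokens:
        if tok == "{":      # open a block; words[0] is its name (http, server, ...)
            ctx = {"kind": words[0] if words else "", "parent": ctx, "d": {}}
            if ctx["kind"] == "server":
                servers.append(ctx)
            words = []
        elif tok == "}":    # close the block and return to its parent
            ctx, words = ctx["parent"] or root, []
        elif tok == ";":    # end of a simple directive: record name -> arguments
            if words:
                ctx["d"].setdefault(words[0], []).append(words[1:])
            words = []
        else:
            words.append(tok)
    report = {}
    for s in servers:
        if not any("ssl" in args for args in s["d"].get("listen", [])):
            continue        # plain-HTTP server: ssl_protocols does not apply
        node = s            # walk up to the nearest block that sets ssl_protocols
        while node and "ssl_protocols" not in node["d"]:
            node = node["parent"]
        protos = set(node["d"]["ssl_protocols"][-1]) if node else None
        name = s["d"].get("server_name", [["(unnamed)"]])[0][0]
        if protos is None:
            issues = ["ssl_protocols unset: default depends on nginx version"]
        else:
            issues = [f"remove {p}" for p in sorted(protos & LEGACY)]
            issues += [] if "TLSv1.3" in protos else ["add TLSv1.3"]
        report[name] = issues
    return report
```

An empty list for a server means its effective protocol set already matches the ssl_protocols TLSv1.2 TLSv1.3; line shown above.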






