Making Nginx Compatible with HTTPS Access from Windows XP

Overview

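Windows XP needs 3DES cipher support to access HTTPS pages, but OpenSSL 1.1.0 and later do not support 3DES by default, so OpenSSL has to be compiled manually with that support enabled.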

Compile OpenSSL with weak cipher support enabled

wget https://www.openssl.org/source/openssl-1.1.1n.tar.gz
tar -zxvf openssl-1.1.1n.tar.gz
cd openssl-1.1.1n
./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl enable-weak-ssl-ciphers
make
make test
sudo make install

Configure the Nginx systemd service parameters

sudo cp /lib/systemd/system/nginx.service /etc/systemd/system/nginx.service
sudo vim /etc/systemd/system/nginx.service

# Add the following parameter to the [Service] section
Environment="LD_LIBRARY_PATH=/usr/local/ssl/lib/"

sudo systemctl daemon-reload
sudo systemctl enable nginx.service
sudo systemctl start nginx.service

Check which shared libraries Nginx loads

sudo lsof -p $(ps -ef | grep "[n]ginx: master process" | awk '{print $2}') | grep "\.so"

nginx   93615 root  mem    REG              253,0    51832 5252173 /usr/lib/x86_64-linux-gnu/libnss_files-2.31.so
nginx   93615 root  mem    REG              253,0  2029560 5252165 /usr/lib/x86_64-linux-gnu/libc-2.31.so
nginx   93615 root  mem    REG              253,0   108936 5249260 /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
nginx   93615 root  mem    REG              253,0  3394632 1840213 /usr/local/ssl/lib/libcrypto.so.1.1
nginx   93615 root  mem    REG              253,0   712712 1840216 /usr/local/ssl/lib/libssl.so.1.1
nginx   93615 root  mem    REG              253,0   465008 5249167 /usr/lib/x86_64-linux-gnu/libpcre.so.3.13.3
nginx   93615 root  mem    REG              253,0   202760 5249013 /usr/lib/x86_64-linux-gnu/libcrypt.so.1.1.0
nginx   93615 root  mem    REG              253,0   157224 5252178 /usr/lib/x86_64-linux-gnu/libpthread-2.31.so
nginx   93615 root  mem    REG              253,0    18816 5252166 /usr/lib/x86_64-linux-gnu/libdl-2.31.so
nginx   93615 root  mem    REG              253,0   191472 5252161 /usr/lib/x86_64-linux-gnu/ld-2.31.so

Check that libssl.so and libcrypto.so are loaded from the correct path.
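
The path check above can be scripted. The following is an added example, not part of the original post: a shell function that reads lsof output and fails when Nginx maps libssl or libcrypto from anywhere other than the custom prefix. The names check_ssl_libs, sample_good and sample_bad are hypothetical, and the second sample is a constructed failure case.

```sh
#!/bin/sh
# check_ssl_libs PREFIX  (hypothetical helper; reads lsof output on stdin)
#   exit 0: libssl and libcrypto are both mapped, and only from PREFIX
#   exit 1: a copy is mapped from elsewhere (LD_LIBRARY_PATH not applied)
#   exit 2: one of them is not mapped at all (e.g. statically linked nginx)
check_ssl_libs() {
    awk -v prefix="${1%/}/" '
        {
            path = $NF                        # NAME is the last lsof column
            n = split(path, parts, "/")
            base = parts[n]
            if (base ~ /^libssl\.so/)         lib = "libssl"
            else if (base ~ /^libcrypto\.so/) lib = "libcrypto"
            else next
            seen[lib] = 1
            if (index(path, prefix) == 1) { print "OK     " path }
            else                          { print "WRONG  " path; bad = 1 }
        }
        END {
            if (bad) exit 1
            if (!seen["libssl"] || !seen["libcrypto"]) {
                print "MISSING libssl or libcrypto mapping"
                exit 2
            }
        }'
}

sample_good() {   # three lines copied from the lsof output on this page
    cat <<'EOF'
nginx   93615 root  mem    REG              253,0   108936 5249260 /usr/lib/x86_64-linux-gnu/libz.so.1.2.11
nginx   93615 root  mem    REG              253,0  3394632 1840213 /usr/local/ssl/lib/libcrypto.so.1.1
nginx   93615 root  mem    REG              253,0   712712 1840216 /usr/local/ssl/lib/libssl.so.1.1
EOF
}

sample_bad() {    # constructed: libssl resolved from the distribution path
    cat <<'EOF'
nginx   93615 root  mem    REG  253,0  3394632 1840213 /usr/local/ssl/lib/libcrypto.so.1.1
nginx   93615 root  mem    REG  253,0   598104 5249999 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
EOF
}

# Stand-alone run on the embedded sample. Against a live server, pipe the
# lsof command from this page into the function instead:
#   sudo lsof -p <master pid> | check_ssl_libs /usr/local/ssl/lib
sample_good | check_ssl_libs /usr/local/ssl/lib
```

Exit status 1 means the Environment line in the unit file did not take effect, so Nginx is still using the distribution's OpenSSL build.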

Modify the Nginx SSL configuration

# Edit the Nginx configuration file and add the ssl_ciphers setting
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

Reload the configuration: sudo service nginx reload

Licensed under CC BY-NC-SA 4.0
Last updated on May 05, 2022 03:26 CST