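Some users say that after installing an SSL certificate they want to keep the site secure, keep access fast, and get stronger security as well. As everyone knows, security and compatibility have always pulled against each other: sometimes you gain security but lose compatibility. Today I will demonstrate deploying certificates for two algorithms, ECC and RSA, on the same domain. For a comparison of the two, see my earlier article: Getting Started with ECC Certificates
First, the test result: when the site is visited with a recent browser, the ECC certificate is loaded automatically.
The SSL Labs check also gives an A+, and the site is compatible with all browsers.
To begin, you need to apply for two SSL certificates, one for each algorithm.
Here is the configuration: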
server {
    listen 443 ssl http2;    # the ssl parameter enables TLS on this listener
    server_name www.gworg.com gworg.com;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

    ssl_certificate     /usr/xxx/gworg-rsa.crt;    # RSA certificate
    ssl_certificate_key /usr/xxx/gworg-rsa.key;
    ssl_certificate     /usr/xxx/gworg-ecc.crt;    # ECC certificate
    ssl_certificate_key /usr/xxx/gworg-ecc.key;

    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets on;

    index index.php index.html;
    root /xxx/www;
    include enable-php.conf;

    location /nginx_status {
        stub_status on;
        access_log off;
    }
}
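
One way to confirm from the command line that both certificates are really being served, as an added example that is not part of the original post: each probe offers a single TLS 1.2 cipher suite that the ssl_ciphers line above accepts (one ECDSA, one RSA) and reports the key type of the certificate returned. It assumes OpenSSL 1.1.1 or later; the function names, the loopback port and the throwaway certificates are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes OpenSSL 1.1.1+ on PATH.
# Function names, port and certificates are constructed for illustration.

# probe_key_type HOST PORT CIPHER: handshake over TLS 1.2 offering only CIPHER,
# then print the public key algorithm of the leaf certificate the server sent.
probe_key_type() {
  openssl s_client -connect "$1:$2" -tls1_2 -cipher "$3" </dev/null 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null \
    | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# check_dual_cert HOST PORT: succeeds only if an ECDSA-only client is given the
# ECC certificate and an RSA-only client is given the RSA certificate.
check_dual_cert() {
  ecc=$(probe_key_type "$1" "$2" ECDHE-ECDSA-AES128-GCM-SHA256)
  rsa=$(probe_key_type "$1" "$2" ECDHE-RSA-AES128-GCM-SHA256)
  echo "ECDSA-only client got: ${ecc:-no certificate}"
  echo "RSA-only client got:   ${rsa:-no certificate}"
  [ "$ecc" = "id-ecPublicKey" ] && [ "$rsa" = "rsaEncryption" ]
}

# selftest [PORT]: offline run against openssl s_server on loopback, where
# -cert/-dcert stand in for the two ssl_certificate lines of the nginx config.
selftest() {
  port=${1:-44330}; rc=1; dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
    -keyout "$dir/rsa.key" -out "$dir/rsa.crt" 2>/dev/null
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 1 -subj /CN=localhost -keyout "$dir/ecc.key" -out "$dir/ecc.crt" 2>/dev/null
  openssl s_server -accept "$port" -www \
    -cert "$dir/rsa.crt" -key "$dir/rsa.key" \
    -dcert "$dir/ecc.crt" -dkey "$dir/ecc.key" >/dev/null 2>&1 &
  pid=$!
  for _try in 1 2 3 4 5; do          # wait for the listener to come up
    sleep 1
    if check_dual_cert 127.0.0.1 "$port"; then rc=0; break; fi
  done
  kill "$pid" 2>/dev/null; rm -rf "$dir"
  return "$rc"
}

# Usage: script.sh HOST PORT checks a live server; with no arguments nothing runs.
if [ "$#" -eq 2 ]; then check_dual_cert "$1" "$2"; fi
```

The probes pin TLS 1.2 because a TLS 1.3 cipher suite no longer names the certificate type, so restricting the suite there would not force one certificate or the other.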