用Nginx作为ZNC的SSL终结点

本来打算配HAProxy的,HAProxy要求证书和私钥写在一个文件里面,certbot默认又不带这个功能,所以就换Nginx了,感觉配置写起来更方便一些。


需要编译进ngx_stream_core_module 模块(Nginx官网apt源那个包是有的)。

stream {
    upstream znc {
        server 127.0.1.1:6697;
    }

    server {
        listen 6697 ssl;
        listen [::]:6697 ssl;

        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        proxy_pass znc;

        proxy_connect_timeout 10s;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL-TCP:50m;
        ssl_session_tickets off;

        # https://mozilla.github.io/server-side-tls/ssl-config-generator/
        ssl_protocols TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
        ssl_prefer_server_ciphers on;

        # run `openssl dhparam -out /etc/ssl/dhparam.pem 4096` to generate dhparam
        ssl_dhparam /etc/ssl/dhparam.pem;
    }
}

注意stream 和http 是并列的块,不要写到http 里边了。

发表评论

电子邮件地址不会被公开。 必填项已用*标注

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据