仅 Stream* 模块作TLS Tunnel的精简配置, 范例对应版本1.9.12
需要在编译时启用 stream 和 stream_ssl 模块
证书生成部分不作介绍
# nginx.conf
# Minimal stream (TCP) TLS-termination tunnel: TLS is terminated on port 50000
# and the payload is forwarded in plaintext to 127.0.0.1:12345 on the loopback.
...
# The stream module is loaded dynamically here; the build must also include
# the stream_ssl module for the ssl_* directives below to be accepted.
load_module modules/ngx_stream_module.so;
...
http {
...
}
stream {
# Only TLS 1.2 and 1.3 are offered.
# NOTE(review): TLSv1.3 in ssl_protocols requires nginx 1.13.0+ built against
# OpenSSL 1.1.1+; confirm against the 1.9.12 version named in the header.
ssl_protocols TLSv1.2 TLSv1.3;
# ECDHE-only list: AEAD suites (GCM / ChaCha20-Poly1305) first, then the
# CBC-mode SHA-2 suites as a fallback for older clients.
# The leading TLS_* names are TLS 1.3 suites; with OpenSSL these are not
# selected through ssl_ciphers (TLS 1.3 suites are controlled separately,
# e.g. via ssl_conf_command Ciphersuites on newer nginx), so they are
# harmless but inert here unless the build uses a library that honors them.
ssl_ciphers "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
# The server, not the client, picks the suite, so the AEAD-first ordering
# above is actually enforced for TLS 1.2.
ssl_prefer_server_ciphers on;
# Shared session-ID cache (50 MB across workers), entries valid for 1 day.
# nginx also issues session tickets by default, with a ticket key generated
# at startup and kept until the next reload; resumed sessions within this
# 1d window are therefore protected by that one key. If that is a concern,
# consider `ssl_session_tickets off;` or a rotated `ssl_session_ticket_key`.
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
# DH parameters are only consulted for DHE suites; the list above contains
# only ECDHE suites and TLS 1.3 does not use this file, so with this exact
# configuration it is effectively unused (kept for a future DHE fallback).
ssl_dhparam /usr/local/etc/ssl/dh4096.pem;
# Disable Nagle on both client and upstream connections (lower latency for
# small writes through the tunnel).
tcp_nodelay on;
server {
# TLS listener on IPv4 and IPv6 port 50000. reuseport gives each worker its
# own listening socket; so_keepalive=10m::10 starts TCP keepalive probes
# after 10 minutes idle, OS-default probe interval, 10 probes before drop.
listen 50000 ssl reuseport so_keepalive=10m::10;
listen [::]:50000 ssl reuseport so_keepalive=10m::10;
# Full chain (leaf + intermediates) and private key; the key file should be
# readable only by the user that starts nginx.
ssl_certificate /usr/local/etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /usr/local/etc/nginx/ssl/privkey.pem;
# Plaintext upstream on loopback only — decrypted traffic never leaves the host.
proxy_pass 127.0.0.1:12345;
}
}