
Minimal Nginx Stream SSL Tunnel Configuration

A minimal configuration that uses only the stream* modules as a TLS tunnel (TLS is terminated by nginx and forwarded as a plain TCP stream). The example corresponds to nginx 1.9.12.

nginx must be built with the stream and stream_ssl modules (--with-stream --with-stream_ssl_module; from 1.9.11 stream can also be built as a dynamic module with --with-stream=dynamic, which is the case the load_module line below covers).

Certificate generation is not covered here.

# nginx.conf
...
load_module modules/ngx_stream_module.so;	# only needed when stream was built as a dynamic module
...
http {
...
}
stream {
	# TLSv1 and TLSv1.1 are kept here only for old clients; prefer TLSv1.2 alone where the clients allow it
	ssl_protocols			TLSv1 TLSv1.1 TLSv1.2;
	# AEAD suites with forward secrecy first, CBC/SHA1 suites only as a fallback; RC4, 3DES, MD5, export and anonymous suites excluded
	ssl_ciphers			"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DSS:!DES:!RC4:!3DES:!MD5:!PSK";
	ssl_prefer_server_ciphers	on;
	ssl_session_cache		shared:SSL:10m;
	ssl_session_timeout		10m;
	ssl_dhparam			/usr/local/etc/nginx/ssl/dh.pem;	# needed by the DHE-* suites above; use at least 2048-bit parameters
	tcp_nodelay			on;

	# One server block per tunnel. TLS is terminated here; the hop to 127.0.0.1 is plaintext,
	# so the backend must be reachable only on loopback (or add proxy_ssl on; to re-encrypt).
	server {
		listen			50000 ssl reuseport so_keepalive=10m::10;	# so_keepalive=idle:interval:count
		listen			[::]:50000 ssl reuseport so_keepalive=10m::10;
		ssl_certificate		/usr/local/etc/nginx/ssl/fullchain.pem;
		ssl_certificate_key	/usr/local/etc/nginx/ssl/privkey.pem;
		proxy_pass		127.0.0.1:60010;
	}
	server {
		listen			50001 ssl reuseport so_keepalive=10m::10;
		listen			[::]:50001 ssl reuseport so_keepalive=10m::10;
		ssl_certificate		/usr/local/etc/nginx/ssl/fullchain.pem;
		ssl_certificate_key	/usr/local/etc/nginx/ssl/privkey.pem;
		proxy_pass		127.0.0.1:60011;
	}
}
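As an added example, not part of the original page, the same stream tunnel with the TLS settings tightened the way a current deployment would want them: TLSv1 and TLSv1.1 dropped, only AEAD suites with forward secrecy offered, and session tickets disabled. It assumes the same certificate paths and backend ports as above, and an nginx of at least 1.13.0 built against OpenSSL 1.1.1 for the TLSv1.3 and CHACHA20 entries (on the 1.9.12 the page targets, remove TLSv1.3 and the CHACHA20 suites). The port and path values are the page's; everything else is an assumption of this example.

```nginx
# Added example: hardened variant of the stream block above (not the original page's config).
# Assumes the page's certificate paths and backend ports; nginx >= 1.13.0 with OpenSSL 1.1.1.
stream {
    # No TLSv1/TLSv1.1: both are deprecated and their CBC suites are the ones that needed SHA1 fallbacks.
    ssl_protocols               TLSv1.2 TLSv1.3;
    # AEAD-only, ECDHE-only list; no DHE suites, so ssl_dhparam is no longer required.
    ssl_ciphers                 "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
    ssl_prefer_server_ciphers   on;
    ssl_ecdh_curve              X25519:prime256v1:secp384r1;
    ssl_session_cache           shared:SSL:10m;
    ssl_session_timeout         10m;
    # Tickets are encrypted with a key that lives as long as the worker unless rotated by hand;
    # turning them off keeps resumption in the shared cache, which is bounded by ssl_session_timeout.
    ssl_session_tickets         off;
    tcp_nodelay                 on;

    # TLS terminates here; the 127.0.0.1 hop is plaintext, so bind the backend to loopback only.
    server {
        listen                  50000 ssl reuseport so_keepalive=10m::10;
        listen                  [::]:50000 ssl reuseport so_keepalive=10m::10;
        ssl_certificate         /usr/local/etc/nginx/ssl/fullchain.pem;
        ssl_certificate_key     /usr/local/etc/nginx/ssl/privkey.pem;
        proxy_pass              127.0.0.1:60010;
    }
}
```

After `nginx -t` passes and the configuration is reloaded, check the result from a client host: `openssl s_client -connect <host>:50000 -tls1_1 </dev/null` must fail the handshake, while the same command with `-tls1_2` must report one of the listed ECDHE GCM or CHACHA20 suites. Keep in mind that the tunnel only protects the client-to-nginx hop; if the backend on 60010 is ever moved off the nginx host, add `proxy_ssl on;` (plus `proxy_ssl_verify on;` with a trusted CA) to the server block so the second hop is encrypted too.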
freebsd/network/nginx_stream_ssl_tunnel.txt · Last modified: 2016/03/13 19:43 by Hshh