海运的博客

tls1.2版本可在tls config中配置：

        tlsconf := &tls.Config{
                InsecureSkipVerify:       true,
                MaxVersion:               tls.VersionTLS13,
                MinVersion:               tls.VersionTLS12,
                PreferServerCipherSuites: true,
        }
        tlsconf.CipherSuites = []uint16{
                tls.TLS_AES_128_GCM_SHA256,
                tls.TLS_CHACHA20_POLY1305_SHA256,
                tls.TLS_AES_256_GCM_SHA384,
                tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
                tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
                tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
        }

tls1.3看官方文档不支持配置CipherSuites，在tls/common.go中initDefaultCipherSuites()会根据cpu是否支持aes硬解设置TLS_AES_128_GCM_SHA256或TLS_CHACHA20_POLY1305_SHA256优先

https://golang.org/src/crypto/tls/common.go
https://golang.org/pkg/crypto/tls/#Config

stream {
  log_format tcp '$remote_addr [$time_local] '
    '$protocol $status $bytes_sent $bytes_received '
    '$session_time "$upstream_addr" '
    '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

  log_format stream_routing '$remote_addr [$time_local] '
    'with SNI name "$ssl_preread_server_name" '
    'proxying to "$upstream_addr" '
    '$protocol $status $bytes_sent $bytes_received '
    '$session_time';

  map $ssl_preread_server_name $name {
    ~^www.haiyun.me haiyun;
    ~^haiyun.me haiyun;
    default nginx;
  }
  upstream haiyun {
    #hash $remote_addr consistent;
    server 1.1.1.1:1111 weight=5 max_fails=1 fail_timeout=10s;
    server 1.1.1.1:1112 weight=5 max_fails=1 fail_timeout=10s;
    server 1.1.1.1:1113 weight=5 max_fails=1 fail_timeout=10s;
  }
  upstream nginx {
    server 127.0.0.1:4443;
  }
  server {
    listen 443 ;
    listen [::]:443 ;
    ssl_preread on;
    proxy_protocol on;
    proxy_pass $name;
    proxy_connect_timeout 10s;
    proxy_timeout 10s;
    access_log /run/log/nginx/access.log tcp;
    error_log /run/log/nginx/error.log;
  }
}

后端获取来源真实IP：

server
{
  listen       1443 default proxy_protocol ssl ;
  server_name www.haiyun.me haiyun.me;

  set_real_ip_from 127.0.0.1;
  real_ip_header proxy_protocol;
}

遇到的一些问题：
1.修改stream内配置后nginx -s reload无效，需重启nginx
2.当开启proxy_protocol后每个后端都要支持proxy_protocol，不然无法正常连接，这点不如haproxy，可以指定后端开启
https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/
https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/

nginx下ssl_ciphers配置对tls1.3无效，当开启ssl_prefer_server_ciphers选项时以openssl默认的顺序选择ciphers。
查看openssl支持的ciphers:

openssl ciphers -s -tls1_3
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256

修改openssl tls1.3 ciphers顺序
centos8下修改配置文件/etc/crypto-policies/back-ends/opensslcnf.config

Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256

其它版本，修改/etc/pki/tls/openssl.cnf配置文件：

openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256

然后重启nginx即可。

https://trac.nginx.org/nginx/ticket/1529
https://trac.nginx.org/nginx/ticket/1445
https://wiki.openssl.org/index.php/TLS1.3#Ciphersuites
https://github.com/ssllabs/ssllabs-scan/issues/636