There are plenty of certificate options: every cloud provider hands out free certificates (usually valid for one year), and if you have money to burn you can simply buy one. For a small personal site I recommend Let's Encrypt; its drawback is that certificates are only valid for 3 months.
This post uses a Let's Encrypt certificate as the example.
By the way: there are wildcard certificates and single-domain certificates.
Obtaining the certificate
There are several ways to obtain a Let's Encrypt certificate:
- acme.sh: recommended (this is what I use)
- certbot: convenient for single-domain certificates; if you are on a Chinese cloud provider and want a wildcard certificate, you need third-party plugins, and they all have very few GitHub stars
- letsencrypt-auto: never used it, so no opinion
Since wildcard certificates have far too many advantages over single-domain ones, I went with a single-domain certificate... oh no, I mean a wildcard certificate.
I use Alibaba Cloud DNS; for other providers, see the acme.sh docs.
- Following the docs, log in to the Alibaba Cloud console and obtain an API key.
- So that renewals can run unattended later, write the key into `.bashrc`:

```bash
export Ali_Key="your key"
export Ali_Secret="your Secret"
```

- The docs give the command for issuing the certificate:

```bash
# quote the wildcard so the shell does not glob-expand it
acme.sh --issue --dns dns_ali -d yingyj.com -d '*.yingyj.com'
```
Afterwards you get a `~/.acme.sh/yingyj.com` folder. Do not copy the certificate from there into the target directory by hand, and do not point nginx directly at these files: first, every renewal would again require moving the certificate manually; second, these are files generated by acme.sh and their layout is not guaranteed to stay the same.
Use the built-in command (see the docs) to install (move) the certificate:

```bash
acme.sh --install-cert -d yingyj.com \
  --cert-file      /etc/nginx/ssl/yingyj.com/yingyj.com.cer \
  --key-file       /etc/nginx/ssl/yingyj.com/yingyj.com.key \
  --fullchain-file /etc/nginx/ssl/yingyj.com/fullchain.cer \
  --reloadcmd      "service nginx force-reload"
```

The `--reloadcmd` command is run every time the certificate is renewed.
Server configuration
- nginx.conf

```nginx
server {
    server_name www.yingyj.com yingyj.com;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include /etc/nginx/ssl/options-ssl-nginx.conf;

    root /path-to-your-website-folder;
    # charset koi8-r;
    access_log /var/log/nginx/yingyj.com.access.log main;

    location / {
        index index.html;
    }

    location = /50x.html {
        root /usr/share/nginx/html;
    }

    #error_page 404 /404.html;
    # redirect server error pages to the static page /50x.html
    # error_page 500 502 503 504 /50x.html;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name .yingyj.com;
    return 301 https://$host$request_uri;
}
```
- /etc/nginx/ssl/options-ssl-nginx.conf

```nginx
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

# enable session resumption to improve https performance
# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
ssl_session_cache shared:le_nginx_SSL:20m;
ssl_session_timeout 60m;
ssl_session_tickets off;

# The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP
# 2 years https://hstspreload.org/?domain=yingyj.com#submission-requirements
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

# https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5';

ssl_certificate /etc/nginx/ssl/yingyj.com/fullchain.cer;
ssl_certificate_key /etc/nginx/ssl/yingyj.com/yingyj.com.key;
ssl_trusted_certificate /etc/nginx/ssl/yingyj.com/fullchain.cer;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_buffer_size 8k;

# don't send the nginx version number in error pages and Server header
server_tokens off;

# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
# forbid embedding the site in frames on other origins (clickjacking)
add_header X-Frame-Options DENY always;

# ref: https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/X-Content-Type-Options
# disable MIME type sniffing
# nosniff only applies to the two types "script" and "style". It cannot be used on images, it causes bugs https://github.com/whatwg/fetch/issues/395
# add_header X-Content-Type-Options nosniff always;

# ref: https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/X-XSS-Protection
add_header X-Xss-Protection "1; mode=block" always;

# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
# directives for css and js(if you have inline css or js, you will need to keep it too).
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
# https://blog.dareboost.com/en/2018/03/deploying-csp-a-5-step-approach/
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googletagmanager.com *.google-analytics.com https://connect.facebook.net; img-src 'self' *.googletagmanager.com *.google-analytics.com https://static.xx.fbcdn.net; style-src 'self' 'unsafe-inline' *.googleapis.com; frame-src https://www.facebook.com https://static.xx.fbcdn.net; object-src 'none';report-uri https://log.yingyj.com/cps";

# https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Public_Key_Pinning
# add_header Public-Key-Pins 'pin-sha256="JggCEN+Cwv8amet+U9YfF3Mn1hdIU4vIjnn4B3W62Nk="; pin-sha256="VtkIBhOtzbdTOGNvGkLWArlWptUS+xT37fMAeFkchWY="; max-age=5184000; includeSubDomains' always;
```
Much of what is in /etc/nginx/ssl/options-ssl-nginx.conf has nothing to do with SSL; that is not a great habit, and it could be split into separate files.
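A small audit of the directives in that include file, written for this post as an added example (not code from the original article or from acme.sh/Certbot). It parses a constructed excerpt of the file above, ignores commented-out lines, and reports the settings a reviewer would flag first: deprecated protocol versions in `ssl_protocols`, a security header that is only present as a comment, and an HSTS `max-age` shorter than a year. The `ONE_YEAR` threshold and the header list are this example's own assumptions.

```python
import re

# Constructed excerpt of the options-ssl-nginx.conf shown in this post
# (one directive per line; the long ssl_ciphers lines are left out).
SAMPLE_CONF = """
ssl_session_cache shared:le_nginx_SSL:20m;
ssl_session_timeout 60m;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
server_tokens off;
add_header X-Frame-Options DENY always;
# add_header X-Content-Type-Options nosniff always;
add_header X-Xss-Protection "1; mode=block" always;
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
REQUIRED_HEADERS = {"Strict-Transport-Security", "X-Frame-Options", "X-Content-Type-Options"}
ONE_YEAR = 31536000  # assumed minimum HSTS max-age worth deploying


def parse_directives(text):
    """Yield (name, args) per active directive; text after '#' is a comment."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.endswith(";"):
            continue
        tokens = re.findall(r'"[^"]*"|\S+', line[:-1])  # keep quoted values whole
        if tokens:
            yield tokens[0], [t.strip('"') for t in tokens[1:]]


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    findings, headers = [], {}
    for name, args in parse_directives(text):
        if name == "ssl_protocols":
            weak = sorted(DEPRECATED_PROTOCOLS & set(args))
            if weak:
                findings.append("ssl_protocols enables deprecated " + ", ".join(weak))
        elif name in ("ssl_session_tickets", "server_tokens") and args != ["off"]:
            findings.append(name + " should be off")
        elif name == "add_header" and args:
            headers[args[0]] = args[1] if len(args) > 1 else ""
    for missing in sorted(REQUIRED_HEADERS - set(headers)):
        findings.append("missing header " + missing)
    hsts = headers.get("Strict-Transport-Security")
    max_age = re.search(r"max-age=(\d+)", hsts or "")
    if hsts is not None and (not max_age or int(max_age.group(1)) < ONE_YEAR):
        findings.append("Strict-Transport-Security max-age is below one year")
    return findings
```

Run against the excerpt it flags the TLSv1/TLSv1.1 entries and the commented-out `X-Content-Type-Options` header; dropping those two protocols and uncommenting the header brings the finding list to empty.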
--------- To be continued:
- basic nginx conf configuration
- how to enable TLS 1.3 in nginx
- frequently asked questions
Original title: 《记一次 https 配置》 (Notes on one HTTPS setup), as reposted on 码农网.