Notes on an HTTPS Configuration

Category: Server · Nginx · Published: 5 years ago

There are many certificate options: every cloud provider offers free certificates (usually valid for one year), and those with money to spare can simply buy one. For a small personal site I recommend Let's Encrypt; the downside is that its certificates are valid for only 3 months.

This article uses a Let's Encrypt certificate as the example.

By the way: certificates come in two kinds, wildcard certificates and single-domain certificates.

Obtaining the certificate

There are several ways to obtain a Let's Encrypt certificate:

  • acme.sh - recommended (what the author uses)
  • certbot - convenient for single-domain certificates; if you are on a domestic (Chinese) cloud server and want a wildcard certificate, you need a third-party DNS plugin, and those have very few GitHub stars
  • letsencrypt-auto - never used it, no comment

Since wildcard certificates have far more advantages than single-domain ones, the author chose a single-domain certificate... no wait, a wildcard certificate.

The author uses Alibaba Cloud DNS; users of other cloud providers should check the documentation.

  1. Documentation: log in to the Alibaba Cloud console and obtain an API key
  2. So that renewals can run automatically later, write the key into .bashrc:
export Ali_Key="your key"
export Ali_Secret="your Secret"
  3. The documentation gives the issuance command (the wildcard is quoted so the shell does not expand it as a glob):
acme.sh --issue --dns dns_ali -d yingyj.com -d '*.yingyj.com'

After that you will have a ~/.acme.sh/yingyj.com directory. Do not copy the certificate files out of it by hand, and do not point nginx directly at them: first, you would have to move the files again by hand on every renewal; second, these are acme.sh's working files and their layout is not guaranteed.

Use acme.sh's own command (see the documentation) to install (i.e. move) the certificate:

acme.sh --install-cert -d yingyj.com \
--cert-file /etc/nginx/ssl/yingyj.com/yingyj.com.cer \
--key-file /etc/nginx/ssl/yingyj.com/yingyj.com.key \
--fullchain-file /etc/nginx/ssl/yingyj.com/fullchain.cer \
--reloadcmd "service nginx force-reload"

The --reloadcmd command is run every time the certificate is renewed.

Server configuration

  • nginx.conf
server {
    server_name www.yingyj.com yingyj.com;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    include /etc/nginx/ssl/options-ssl-nginx.conf;

    root /path-to-your-website-folder;
    # charset koi8-r;
    access_log /var/log/nginx/yingyj.com.access.log  main;
    location / {
        index index.html;
    }
    location = /50x.html {
        root /usr/share/nginx/html;
    }
    #error_page  404              /404.html;
    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504  /50x.html;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name .yingyj.com;
    return 301 https://$host$request_uri;
}

  • /etc/nginx/ssl/options-ssl-nginx.conf
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

# enable session resumption to improve https performance
# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
ssl_session_cache shared:le_nginx_SSL:20m;
ssl_session_timeout 60m;
ssl_session_tickets off;

# The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP
# 2 years https://hstspreload.org/?domain=yingyj.com#submission-requirements
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients require them
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

# https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5';

ssl_certificate /etc/nginx/ssl/yingyj.com/fullchain.cer;
ssl_certificate_key /etc/nginx/ssl/yingyj.com/yingyj.com.key;
ssl_trusted_certificate /etc/nginx/ssl/yingyj.com/fullchain.cer;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_buffer_size 8k;

# don't send the nginx version number in error pages and Server header
server_tokens off;

# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
# refuse to be embedded in frames on other origins (clickjacking protection)
add_header X-Frame-Options DENY always;

# ref: https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/X-Content-Type-Options
# disable MIME type sniffing
# nosniff only applies to the "script" and "style" types. It cannot be used on images, it causes a bug https://github.com/whatwg/fetch/issues/395
# add_header X-Content-Type-Options nosniff always;

# ref: https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/X-XSS-Protection
add_header X-Xss-Protection "1; mode=block" always;

# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
# directives for css and js(if you have inline css or js, you will need to keep it too).
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
# https://blog.dareboost.com/en/2018/03/deploying-csp-a-5-step-approach/
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googletagmanager.com *.google-analytics.com https://connect.facebook.net; img-src 'self' *.googletagmanager.com *.google-analytics.com https://static.xx.fbcdn.net; style-src 'self' 'unsafe-inline' *.googleapis.com; frame-src https://www.facebook.com https://static.xx.fbcdn.net; object-src 'none';report-uri https://log.yingyj.com/cps";

# https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Public_Key_Pinning
# add_header Public-Key-Pins 'pin-sha256="JggCEN+Cwv8amet+U9YfF3Mn1hdIU4vIjnn4B3W62Nk="; pin-sha256="VtkIBhOtzbdTOGNvGkLWArlWptUS+xT37fMAeFkchWY="; max-age=5184000; includeSubDomains' always;

Many of the directives in /etc/nginx/ssl/options-ssl-nginx.conf have nothing to do with SSL. That is not a great habit; they could be split into separate files.
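As an added example (not code from the original post), a small Python linter that reads an nginx TLS/header snippet like the file above and flags the points a reviewer would raise: deprecated protocol versions, add_header lines without `always`, a missing nosniff header, unsafe CSP script sources, and unmet HSTS preload prerequisites. The sample configuration is constructed to mirror the file above and is not the real one.

```python
import re
import shlex
# Constructed sample modelled on the options-ssl-nginx.conf above (not the real file).
SAMPLE_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# add_header X-Content-Type-Options nosniff always;
add_header X-Frame-Options DENY always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'";
"""
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1 deprecated by RFC 8996

def parse_directives(conf):
    """Yield (name, [args]) for each active directive; lines starting with '#' are comments."""
    for line in conf.splitlines():
        line = line.strip().rstrip(";")
        if line and not line.startswith("#"):
            name, *args = shlex.split(line)  # honours nginx's quoted header values
            yield name, args

def parse_csp(value):
    # Split a CSP header value into {directive: [source expressions]}
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def lint(conf):
    findings, headers = [], {}
    for name, args in parse_directives(conf):
        if name == "ssl_protocols":
            if weak := sorted(set(args) & DEPRECATED_PROTOCOLS):
                findings.append(f"ssl_protocols enables deprecated {', '.join(weak)}")
        elif name == "add_header" and len(args) >= 2:
            headers[args[0].lower()] = args[1]
            if "always" not in args[2:]:  # without 'always' nginx omits the header on 4xx/5xx
                findings.append(f"{args[0]} lacks 'always' (not sent on error responses)")
    if "x-content-type-options" not in headers:
        findings.append("X-Content-Type-Options: nosniff is not set")
    csp = parse_csp(headers.get("content-security-policy", ""))
    for src in ("'unsafe-inline'", "'unsafe-eval'"):
        if src in csp.get("script-src", csp.get("default-src", [])):  # script-src falls back to default-src
            findings.append(f"Content-Security-Policy allows {src} for scripts")
    hsts = headers.get("strict-transport-security", "").lower()
    age = re.search(r"max-age=(\d+)", hsts)
    if "preload" in hsts and (not age or int(age.group(1)) < 31536000 or "includesubdomains" not in hsts):
        findings.append("HSTS preload needs max-age >= 31536000 and includeSubDomains")
    return findings
```

Calling `lint(SAMPLE_CONF)` on the constructed sample reports five findings: the two deprecated protocols, the CSP header without `always`, the missing nosniff header, and the two unsafe script sources; the HSTS line passes the preload checks.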

---------To be continued

  1. Basic nginx conf configuration
  2. How to enable TLS 1.3 in nginx
  3. Common problems
