記一次 https 配置

說明： 做者全是看文檔和他人的教程彙總完成 示例網站

總覽

• 系統ubuntu 18.x
• 工具acme.sh
• dns 服務商：阿里雲
• web服務器nginx

證書

證書的選擇有不少，各個雲服務商都有免費的證書提供（有效期通常是一年），土豪也能夠買買買。我的小網站建議使用 letsencrypt，缺點是有效期只有3個月。

本文以 letsencrypt 證書爲例。

by the way: 證書有通配符證書 和 單域名證書。

獲取證書

獲取letsencrypt證書有不少種方式：

• acme.sh 推薦（做者採用）
• certbot 獲取單域名證書方便，若是你用國內雲服務器，獲取通配符證書，須要找第三方作的插件，github star 都不多
• letsencrypt-auto 沒用過，不評價

因爲通配符證書比單域名證書 優點太多，做者採用通配符證書。

做者採用阿里雲DNS， 其餘雲服務商看文檔

1. 看文檔 進入阿里雲後臺 獲取 API key
2. 爲了之後自動續訂 寫入 .bashrc

export Ali_Key="your key"
export Ali_Secret="your Secret"
複製代碼

3. 看文檔得知證書獲取命令

acme.sh --issue --dns dns_ali -d yingyj.com -d *.yingyj.com
複製代碼

以後會獲得~/.acme.sh/yingyj.com文件夾. 這時不要手動複製證書到目標文件夾，或者將證書文件直接指到這裏，一是由於之後續訂證書還須要手動移動證書 ，二是由於這個是acme 生成的文件，文件結構沒法保證。

採用自帶的命令文檔 安裝（移動）證書

acme.sh --install-cert -d yingyj.com \
--cert-file /etc/nginx/ssl/yingyj.com/yingyj.com.cer \ 
--key-file /etc/nginx/ssl/yingyj.com/yingyj.com.key \
--fullchain-file /etc/nginx/ssl/yingyj.com/fullchain.cer \
--reloadcmd "service nginx force-reload"
複製代碼

--reloadcmd 命令將在每次更新證書的時候調用

by the way acme.sh 會自動生成定時任務

服務器配置

• nginx.conf

server {
    server_name www.yingyj.com yingyj.com;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    include /etc/nginx/ssl/options-ssl-nginx.conf;

    root /path-to-your-website-folder;
    # charset koi8-r;
    access_log /var/log/nginx/yingyj.com.access.log  main;
    location / {
        index index.html;
    }
    location = /50x.html {
        root /usr/share/nginx/html;
    }
    #error_page 404 /404.html;
    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504  /50x.html;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name .yingyj.com;
    return 301 https://$host$request_uri;
}

複製代碼

• /etc/nginx/ssl/options-ssl-nginx.conf

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

# enable session resumption to improve https performance
# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
ssl_session_cache shared:le_nginx_SSL:20m;
ssl_session_timeout 60m;
ssl_session_tickets off;

# The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP
# 2 years https://hstspreload.org/?domain=yingyj.com#submission-requirements
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

# https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5';

ssl_certificate /etc/nginx/ssl/yingyj.com/fullchain.cer;
ssl_certificate_key /etc/nginx/ssl/yingyj.com/yingyj.com.key;
ssl_trusted_certificate /etc/nginx/ssl/yingyj.com/fullchain.cer;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_buffer_size 8k;

# don't send the nginx version number in error pages and Server header
server_tokens off;

# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
# 禁用 MIME 類型嗅探
add_header X-Frame-Options DENY always;

# ref: https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/X-Content-Type-Options
# nosniff 只應用於 "script" 和 "style" 兩種類型。不能用於圖片，會出bug https://github.com/whatwg/fetch/issues/395
# add_header X-Content-Type-Options nosniff always;

# ref: https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/X-XSS-Protection
add_header X-Xss-Protection "1; mode=block" always;

# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
# directives for css and js(if you have inline css or js, you will need to keep it too).
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
# https://blog.dareboost.com/en/2018/03/deploying-csp-a-5-step-approach/
# https://developer.mozilla.org/zh-CN/docs/Web/HTTP/CSP
add_header Content-Security-Policy "default-src 'self' *.yingyj.com; script-src 'self' 'unsafe-inline' *.yingyj.com data: 'unsafe-eval' *.googletagmanager.com *.google-analytics.com https://connect.facebook.net; font-src 'self' data: *.yingyj.com; img-src 'self' data: *.googletagmanager.com *.google-analytics.com https://static.xx.fbcdn.net; style-src 'self' *.yingyj.com 'unsafe-inline' data: *.googleapis.com; frame-src *.yingyj.com https://www.facebook.com https://static.xx.fbcdn.net; object-src *.yingyj.com 'none';report-uri https://log.yingyj.com/cps";

# https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Public_Key_Pinning
# add_header Public-Key-Pins 'pin-sha256="JggCEN+Cwv8amet+U9YfF3Mn1hdIU4vIjnn4B3W62Nk="; pin-sha256="VtkIBhOtzbdTOGNvGkLWArlWptUS+xT37fMAeFkchWY="; max-age=5184000; includeSubDomains' always;
複製代碼

其中 /etc/nginx/ssl/options-ssl-nginx.conf 裏面不少和ssl配置無關，這是不太好的習慣，能夠分文件放

須要注意的地方

• ssl_ciphers 這個配置會影響瀏覽器兼容性， 文檔 and 配置生成器
• Content-Security-Policy 能必定程度阻止一部分攻擊，配置不當會致使部分資源沒法加載,其中 加載base64資源的data 要寫成 data: （如上面配置）主要是一些瀏覽器擴展會加一些圖片
• Strict-Transport-Security 會開啓強制HTTPS，設置正確，瀏覽器開發商會硬編碼到源碼裏面

相關連接

1. nginx conf 基本配置
2. ssllabs 給你的網址ssl配置評分
3. nginx TLS 1.3 開啓教程
4. 常見問題