Configuring SSL certificates in Nginx and setting up an HTTPS site

Procedure

  • Step 1: generate the CSR file and the key file

$ cd /etc/ssl/private
$ openssl req -new -newkey rsa:2048 -sha256 -nodes -out maketea_loc.csr -keyout maketea_loc.key -subj "/C=CN/ST=Beijing/L=Beijing/O=maketea Inc./OU=Web Security/CN=*.maketea.loc"
  • Step 2: submit the CSR file to the CA

  • Step 3: obtain the crt file from the CA

  • Step 4: place the three files maketea_loc.csr, maketea_loc.key and maketea_loc.crt in the /etc/ssl/private directory

  • Step 5: edit the nginx configuration file

server {
    listen 80;          # optional: only keep this if plain HTTP should still be served
    listen 443 ssl;     # the "ssl" parameter enables TLS on this listener only
    server_name www.maketea.loc;

    # "ssl on;" is deprecated and would force TLS on the port-80 listener as well
    # (plain HTTP requests would then fail); "listen 443 ssl" above is sufficient.
    ssl_certificate /etc/ssl/private/maketea_loc.crt;
    ssl_certificate_key /etc/ssl/private/maketea_loc.key;
}

With that, an ordinary HTTPS setup (the usual SHA-1 kind) is configured.

For better security, consider using Diffie-Hellman key exchange:

$ cd /etc/ssl/certs
$ openssl dhparam -out dhparam.pem 2048

Then append the following to the nginx ssl configuration:

ssl_prefer_server_ciphers on;                # use the server's cipher order, not the client's
ssl_dhparam /etc/ssl/certs/dhparam.pem;      # the 2048-bit parameters generated above
# TLSv1 and TLSv1.1 are deprecated; drop them once no legacy clients need them
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# "!RC4" at the end removes the RC4 group listed earlier in the string
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
keepalive_timeout 70;
ssl_session_cache shared:SSL:10m;            # shared session cache, 10 MB
ssl_session_timeout 10m;

Also, if the whole site is served over HTTPS and plain HTTP is not needed, you can add HSTS to tell browsers that the entire site is encrypted and force them to use HTTPS:

add_header Strict-Transport-Security "max-age=63072000";   # two years; browsers remember to use HTTPS
add_header X-Frame-Options DENY;                            # do not allow framing (clickjacking defence)
add_header X-Content-Type-Options nosniff;                  # stop MIME-type sniffing

You can also add a separate Nginx server block that 301-redirects all HTTP requests to HTTPS:

server {
    listen 80;
    server_name www.maketea.loc;
    return 301 https://www.maketea.loc$request_uri;
}
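The server blocks above mix a basic block with the hardening directives that follow it, and it is easy to leave a deprecated or weak setting behind. The following linter is an added example, not code from the original post or from nginx: it is a toy parser for flat server blocks (not the full nginx grammar) run over two constructed configurations, a weak one resembling the first block and a hardened one, and it flags the points discussed in this section: "ssl on", legacy protocols, an RC4 group that is not cancelled by "!RC4", DHE suites without ssl_dhparam, client-side cipher ordering and a missing HSTS header.

```python
# Constructed sample configs (assumption: one flat server block each, no nested blocks).
WEAK_CONFIG = """\
server {
    listen 80;
    listen 443 ssl;
    server_name www.maketea.loc;
    ssl on;
    ssl_certificate /etc/ssl/private/maketea_loc.crt;
    ssl_certificate_key /etc/ssl/private/maketea_loc.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+aRSA+AESGCM EECDH+aRSA+RC4 EDH+aRSA !aNULL !MD5";
}
"""

HARDENED_CONFIG = """\
server {
    listen 443 ssl;
    server_name www.maketea.loc;
    ssl_certificate /etc/ssl/private/maketea_loc.signed.crt;
    ssl_certificate_key /etc/ssl/private/maketea_loc.key;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers "EECDH+aRSA+AESGCM EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !RC4";
    add_header Strict-Transport-Security "max-age=63072000";
}
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(text):
    """Collect 'name value;' directives from a flat server block into {name: [values]}.

    Comments (# ...) and the braces of the block are skipped; surrounding quotes
    on a value are removed so cipher strings can be tokenised.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith("{") or line == "}":
            continue
        name, _, value = line.rstrip(";").partition(" ")
        directives.setdefault(name, []).append(value.strip().strip('"'))
    return directives


def lint_tls(text):
    """Return a list of finding codes for the TLS-relevant directives in one block."""
    d = parse_directives(text)
    findings = []

    # "ssl on" is deprecated and forces TLS on every listen socket in the block,
    # so a plain "listen 80" in the same block stops serving HTTP.
    if d.get("ssl") == ["on"]:
        findings.append("deprecated-ssl-on")
        if any(v.split()[0] == "80" for v in d.get("listen", [])):
            findings.append("ssl-on-breaks-port-80")

    for proto in " ".join(d.get("ssl_protocols", [])).split():
        if proto in LEGACY_PROTOCOLS:
            findings.append("legacy-protocol:" + proto)

    ciphers = " ".join(d.get("ssl_ciphers", [])).replace(":", " ").split()
    # A positive RC4 group only matters when no "!RC4" in the same string removes it.
    if any("RC4" in c and not c.startswith("!") for c in ciphers) and "!RC4" not in ciphers:
        findings.append("weak-cipher:RC4")
    # DHE suites without ssl_dhparam mean nginx uses built-in parameters, not yours.
    if any(c.startswith(("EDH", "DHE")) for c in ciphers) and "ssl_dhparam" not in d:
        findings.append("dhe-without-dhparam")

    if d.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("server-cipher-order-off")

    if not any(h.startswith("Strict-Transport-Security") for h in d.get("add_header", [])):
        findings.append("missing-hsts")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, lint_tls(cfg))
```

The checks are deliberately textual: run the real config through "nginx -t" for syntax, and use this kind of lint only to catch the settings a reviewer would otherwise have to spot by eye.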

Certificate authorities

At present, the SSL certificate authorities commonly serving small and medium site owners and businesses include:

StartSSL

Comodo / sub-brand Positive SSL

GlobalSign / sub-brand AlphaSSL

GeoTrust / sub-brand RapidSSL

Positive SSL, AlphaSSL and RapidSSL are sub-brands; their certificates are usually third- or fourth-level in the chain, so you will need to append the CA certificate chain to your CRT file.

Taking Comodo Positive SSL as an example, the CA certificates have to be concatenated. Suppose your domain is example.com.

The concatenation command is:

$ cat example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > example_com.signed.crt

Then use example_com.signed.crt in the Nginx configuration.

Chain issues

Sometimes a certificate issued by a third-party CA is accepted by desktop browsers but rejected on, for example, Android. The Nginx documentation puts it this way:

Some browsers may complain about a certificate signed by a well-known certificate authority, while other browsers may accept the certificate without issues. This occurs because the issuing authority has signed the server certificate using an intermediate certificate that is not present in the certificate base of well-known trusted certificate authorities which is distributed with a particular browser. In this case the authority provides a bundle of chained certificates which should be concatenated to the signed server certificate. The server certificate must appear before the chained certificates in the combined file.

In other words, the intermediate certificate has to be included.

CAs such as GoDaddy normally provide this bundle. All you need to do is append it after your crt file to make a new crt, and the chain will then validate normally:

$ cat nginx.crt bundle.crt > nginx.chain.crt
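Getting the order wrong in that cat command is the classic mistake: nginx will still start, but clients that do not already have the intermediate will fail to build the chain. The following chain checker is an added example, not code from the original post or from nginx: it splits a concatenated PEM bundle, walks the DER structure of each certificate just far enough to read the issuer and subject names, and reports every position where certificate i is not issued by certificate i+1. Signatures are not verified; this only checks the ordering rule quoted above. The sample chain (www.example.com, "Example Intermediate CA", "Example Root CA") is constructed in the block with unsigned stand-ins that have the real TBSCertificate field layout, so the checker can be run offline.

```python
import base64
import re


def _der(tag, payload):
    """Encode one DER TLV (definite length, short or long form); used for the samples."""
    n = len(payload)
    if n < 128:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def subject_and_issuer(der):
    """Walk Certificate -> TBSCertificate and return the raw (subject, issuer) Name values."""
    _, cert, _ = _tlv(der, 0)            # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)            # tbsCertificate SEQUENCE
    tag, _, nxt = _tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0      # optional explicit [0] version
    _, _, pos = _tlv(tbs, pos)           # serialNumber
    _, _, pos = _tlv(tbs, pos)           # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)      # issuer Name
    _, _, pos = _tlv(tbs, pos)           # validity
    _, subject, _ = _tlv(tbs, pos)       # subject Name
    return subject, issuer


def common_name(name_der):
    """Pull the commonName (OID 2.5.4.3) out of a Name value, for messages only."""
    i = name_der.find(b"\x06\x03\x55\x04\x03")
    if i < 0:
        return "?"
    _, value, _ = _tlv(name_der, i + 5)
    return value.decode("utf-8", "replace")


def pem_certificates(text):
    """Split a concatenated PEM bundle into DER certificates, in file order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def check_chain(pem_text):
    """Return (common_names, problems) for a bundle intended for ssl_certificate.

    Rule from the nginx docs: the server certificate comes first, and every
    following certificate must be the issuer of the one before it.
    """
    certs = [subject_and_issuer(der) for der in pem_certificates(pem_text)]
    names = [common_name(subject) for subject, _ in certs]
    problems = [] if certs else ["no certificates found"]
    for i in range(len(certs) - 1):
        if certs[i][1] != certs[i + 1][0]:      # issuer of i must equal subject of i+1
            problems.append("cert %d (CN=%s) is not issued by cert %d (CN=%s)"
                            % (i + 1, names[i], i + 2, names[i + 1]))
    return names, problems


# --- constructed sample chain: unsigned stand-ins with the real TBSCertificate layout ---

def _name(cn):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { commonName OID, UTF8String }."""
    atv = _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def fake_cert(subject_cn, issuer_cn):
    """Build a PEM 'certificate' carrying only the fields the checker reads (no real signature)."""
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                                   # version v3
           + _der(0x02, b"\x01")                                              # serialNumber
           + _der(0x30, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")      # sha256WithRSA OID
           + _name(issuer_cn)
           + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))  # validity
           + _name(subject_cn)
           + _der(0x30, b""))                                                 # empty SPKI placeholder
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"


LEAF = fake_cert("www.example.com", "Example Intermediate CA")
INTERMEDIATE = fake_cert("Example Intermediate CA", "Example Root CA")
ROOT = fake_cert("Example Root CA", "Example Root CA")

if __name__ == "__main__":
    print(check_chain(LEAF + INTERMEDIATE + ROOT))   # server cert first: no problems
    print(check_chain(INTERMEDIATE + LEAF + ROOT))   # bundle concatenated in the wrong order
```

On a real nginx.chain.crt, pass the file contents to check_chain; for a full validation including signatures, "openssl verify -untrusted bundle.crt nginx.crt" against the system trust store is the complementary check.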

Creating a self-signed certificate for testing

# sign the CSR with its own key; "openssl ca" would need a configured CA instead
$ openssl x509 -req -days 365 -in nginx.csr -signkey nginx.key -out nginx.crt
