说明: 作者全是看文档和他人的教程汇总完成 示例网站
总览
- 系统ubuntu 18.x
- 工具acme.sh
- dns 服务商:阿里云
- web服务器nginx
证书
证书的选择有很多,各个云服务商都有免费的证书提供(有效期一般是一年),土豪也可以买买买。个人小网站建议使用 letsencrypt,缺点是有效期只有3个月。
本文以 letsencrypt 证书为例。
by the way: 证书有通配符证书 和 单域名证书。
获取证书
获取letsencrypt
证书有很多种方式:
- acme.sh 推荐(作者采用)
- certbot 获取单域名证书方便,如果你用国内云服务器,获取通配符证书,需要找第三方做的插件,github star 都很少
- letsencrypt-auto 没用过,不评价
由于通配符证书
比单域名证书 优势太多,作者采用通配符证书
。
作者采用阿里云DNS, 其他云服务商看文档
export Ali_Key="your key"
export Ali_Secret="your Secret"
- 看文档得知证书获取命令
acme.sh --issue --dns dns_ali -d yingyj.com -d *.yingyj.com
之后会得到~/.acme.sh/yingyj.com
文件夹. 这时不要手动复制证书到目标文件夹,或者将证书文件直接指到这里,一是因为以后续订证书还需要手动移动证书 ,二是因为这个是acme 生成的文件,文件结构无法保证。
采用自带的命令文档 安装(移动)证书
acme.sh --install-cert -d yingyj.com \
--cert-file /etc/nginx/ssl/yingyj.com/yingyj.com.cer \
--key-file /etc/nginx/ssl/yingyj.com/yingyj.com.key \
--fullchain-file /etc/nginx/ssl/yingyj.com/fullchain.cer \
--reloadcmd "service nginx force-reload"
--reloadcmd 命令将在每次更新证书的时候调用
by the way acme.sh
会自动生成定时任务
服务器配置
- nginx.conf
server {
server_name www.yingyj.com yingyj.com;
listen 443 ssl http2;
listen [::]:443 ssl http2;
include /etc/nginx/ssl/options-ssl-nginx.conf;
root /path-to-your-website-folder;
# charset koi8-r;
access_log /var/log/nginx/yingyj.com.access.log main;
location / {
index index.html;
}
location = /50x.html {
root /usr/share/nginx/html;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name .yingyj.com;
return 301 https://$host$request_uri;
}
- /etc/nginx/ssl/options-ssl-nginx.conf
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
# enable session resumption to improve https performance
# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
ssl_session_cache shared:le_nginx_SSL:20m;
ssl_session_timeout 60m;
ssl_session_tickets off;
# The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP
# 2 years https://hstspreload.org/?domain=yingyj.com#submission-requirements
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5';
ssl_certificate /etc/nginx/ssl/yingyj.com/fullchain.cer;
ssl_certificate_key /etc/nginx/ssl/yingyj.com/yingyj.com.key;
ssl_trusted_certificate /etc/nginx/ssl/yingyj.com/fullchain.cer;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_buffer_size 8k;
# don't send the nginx version number in error pages and Server header
server_tokens off;
# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
# 禁用 MIME 类型嗅探
add_header X-Frame-Options DENY always;
# ref: https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/X-Content-Type-Options
# nosniff 只应用于 "script" 和 "style" 两种类型。不能用于图片,会出bug https://github.com/whatwg/fetch/issues/395
# add_header X-Content-Type-Options nosniff always;
# ref: https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/X-XSS-Protection
add_header X-Xss-Protection "1; mode=block" always;
# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
# directives for css and js(if you have inline css or js, you will need to keep it too).
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
# https://blog.dareboost.com/en/2018/03/deploying-csp-a-5-step-approach/
# https://developer.mozilla.org/zh-CN/docs/Web/HTTP/CSP
add_header Content-Security-Policy "default-src 'self' *.yingyj.com; script-src 'self' 'unsafe-inline' *.yingyj.com data: 'unsafe-eval' *.googletagmanager.com *.google-analytics.com https://connect.facebook.net; font-src 'self' data: *.yingyj.com; img-src 'self' data: *.googletagmanager.com *.google-analytics.com https://static.xx.fbcdn.net; style-src 'self' *.yingyj.com 'unsafe-inline' data: *.googleapis.com; frame-src *.yingyj.com https://www.facebook.com https://static.xx.fbcdn.net; object-src *.yingyj.com 'none';report-uri https://log.yingyj.com/cps";
# https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Public_Key_Pinning
# add_header Public-Key-Pins 'pin-sha256="JggCEN+Cwv8amet+U9YfF3Mn1hdIU4vIjnn4B3W62Nk="; pin-sha256="VtkIBhOtzbdTOGNvGkLWArlWptUS+xT37fMAeFkchWY="; max-age=5184000; includeSubDomains' always;
其中 /etc/nginx/ssl/options-ssl-nginx.conf
里面很多和ssl配置无关,这是不太好的习惯,可以分文件放
需要注意的地方
- ssl_ciphers 这个配置会影响浏览器兼容性, 文档 and 配置生成器
- Content-Security-Policy 能一定程度阻止一部分攻击,配置不当会导致部分资源无法加载,其中 加载base64资源的data 要写成 data: (如上面配置)主要是一些浏览器扩展会加一些图片
- Strict-Transport-Security 会开启强制HTTPS,设置正确,浏览器开发商会硬编码到源码里面
相关链接
- nginx conf 基本配置
- ssllabs 给你的网址ssl配置评分
- nginx TLS 1.3 开启教程
- 常见问题