记一次 https 配置

说明： 做者全是看文档和他人的教程汇总完成 示例网站

总览

• 系统ubuntu 18.x
• 工具acme.sh
• dns 服务商：阿里云
• web服务器nginx

证书

证书的选择有不少，各个云服务商都有免费的证书提供（有效期通常是一年），土豪也能够买买买。我的小网站建议使用 letsencrypt，缺点是有效期只有3个月。

本文以 letsencrypt 证书为例。

by the way: 证书有通配符证书 和 单域名证书。

获取证书

获取letsencrypt证书有不少种方式：

• acme.sh 推荐（做者采用）
• certbot 获取单域名证书方便，若是你用国内云服务器，获取通配符证书，须要找第三方作的插件，github star 都不多
• letsencrypt-auto 没用过，不评价

因为通配符证书比单域名证书 优点太多，做者采用通配符证书。

做者采用阿里云DNS， 其余云服务商看文档

1. 看文档 进入阿里云后台 获取 API key
2. 为了之后自动续订 写入 .bashrc

export Ali_Key="your key"
export Ali_Secret="your Secret"
复制代码

3. 看文档得知证书获取命令

acme.sh --issue --dns dns_ali -d yingyj.com -d *.yingyj.com
复制代码

以后会获得~/.acme.sh/yingyj.com文件夹. 这时不要手动复制证书到目标文件夹，或者将证书文件直接指到这里，一是由于之后续订证书还须要手动移动证书 ，二是由于这个是acme 生成的文件，文件结构没法保证。

采用自带的命令文档 安装（移动）证书

acme.sh --install-cert -d yingyj.com \
--cert-file /etc/nginx/ssl/yingyj.com/yingyj.com.cer \ 
--key-file /etc/nginx/ssl/yingyj.com/yingyj.com.key \
--fullchain-file /etc/nginx/ssl/yingyj.com/fullchain.cer \
--reloadcmd "service nginx force-reload"
复制代码

--reloadcmd 命令将在每次更新证书的时候调用

by the way acme.sh 会自动生成定时任务

服务器配置

• nginx.conf

server {
    server_name www.yingyj.com yingyj.com;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    include /etc/nginx/ssl/options-ssl-nginx.conf;

    root /path-to-your-website-folder;
    # charset koi8-r;
    access_log /var/log/nginx/yingyj.com.access.log  main;
    location / {
        index index.html;
    }
    location = /50x.html {
        root /usr/share/nginx/html;
    }
    #error_page 404 /404.html;
    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504  /50x.html;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name .yingyj.com;
    return 301 https://$host$request_uri;
}

复制代码

• /etc/nginx/ssl/options-ssl-nginx.conf

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

# enable session resumption to improve https performance
# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
ssl_session_cache shared:le_nginx_SSL:20m;
ssl_session_timeout 60m;
ssl_session_tickets off;

# The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP
# 2 years https://hstspreload.org/?domain=yingyj.com#submission-requirements
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

# https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5';

ssl_certificate /etc/nginx/ssl/yingyj.com/fullchain.cer;
ssl_certificate_key /etc/nginx/ssl/yingyj.com/yingyj.com.key;
ssl_trusted_certificate /etc/nginx/ssl/yingyj.com/fullchain.cer;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_buffer_size 8k;

# don't send the nginx version number in error pages and Server header
server_tokens off;

# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
# 禁用 MIME 类型嗅探
add_header X-Frame-Options DENY always;

# ref: https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/X-Content-Type-Options
# nosniff 只应用于 "script" 和 "style" 两种类型。不能用于图片，会出bug https://github.com/whatwg/fetch/issues/395
# add_header X-Content-Type-Options nosniff always;

# ref: https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/X-XSS-Protection
add_header X-Xss-Protection "1; mode=block" always;

# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
# directives for css and js(if you have inline css or js, you will need to keep it too).
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
# https://blog.dareboost.com/en/2018/03/deploying-csp-a-5-step-approach/
# https://developer.mozilla.org/zh-CN/docs/Web/HTTP/CSP
add_header Content-Security-Policy "default-src 'self' *.yingyj.com; script-src 'self' 'unsafe-inline' *.yingyj.com data: 'unsafe-eval' *.googletagmanager.com *.google-analytics.com https://connect.facebook.net; font-src 'self' data: *.yingyj.com; img-src 'self' data: *.googletagmanager.com *.google-analytics.com https://static.xx.fbcdn.net; style-src 'self' *.yingyj.com 'unsafe-inline' data: *.googleapis.com; frame-src *.yingyj.com https://www.facebook.com https://static.xx.fbcdn.net; object-src *.yingyj.com 'none';report-uri https://log.yingyj.com/cps";

# https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Public_Key_Pinning
# add_header Public-Key-Pins 'pin-sha256="JggCEN+Cwv8amet+U9YfF3Mn1hdIU4vIjnn4B3W62Nk="; pin-sha256="VtkIBhOtzbdTOGNvGkLWArlWptUS+xT37fMAeFkchWY="; max-age=5184000; includeSubDomains' always;
复制代码

其中 /etc/nginx/ssl/options-ssl-nginx.conf 里面不少和ssl配置无关，这是不太好的习惯，能够分文件放

须要注意的地方

• ssl_ciphers 这个配置会影响浏览器兼容性， 文档 and 配置生成器
• Content-Security-Policy 能必定程度阻止一部分攻击，配置不当会致使部分资源没法加载,其中 加载base64资源的data 要写成 data: （如上面配置）主要是一些浏览器扩展会加一些图片
• Strict-Transport-Security 会开启强制HTTPS，设置正确，浏览器开发商会硬编码到源码里面

相关连接

1. nginx conf 基本配置
2. ssllabs 给你的网址ssl配置评分
3. nginx TLS 1.3 开启教程
4. 常见问题