
Configuring HTTPS and HTTP/2 on Nginx with Let’s Encrypt

HTTPS is steadily becoming the default. Let’s Encrypt lets you enable HTTPS on a site for free and protect traffic in transit. The environment used below is CentOS 7.

Installing and configuring letsencrypt

Install letsencrypt

yum update
yum install epel-release   # on CentOS 7 the letsencrypt package lives in EPEL, not the base repositories
yum install letsencrypt

Create the Nginx configuration file

server {
    listen 80;                 # change to the port you need (nginx comments use '#', not '//')
    server_name www.example.com;
    root /var/www/html;
    # the ACME HTTP-01 challenge file is fetched from /.well-known/acme-challenge/ under this root
    location ~ /.well-known {
        allow all;
    }
}

Restart Nginx

nginx -t                 # check the configuration first
service nginx restart    # on CentOS 7 this is the same as: systemctl restart nginx

Verify domain ownership and request a certificate

sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html -d www.example.com

letsencrypt automatically creates a challenge file under the webroot given with --webroot-path, and the Let’s Encrypt server then fetches it over plain HTTP on port 80 of this machine to verify that you control the domain. The URL it requests looks like this:

http://www.example.com/.well-known/acme-challenge/p1jaEziikiiKer311uQ9fh03_pJmiPSCG0vYahUtWVA

Several domains can share one certificate:

sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html -d www.example.com -d example.com

Wildcard domains such as *.sub.domain.com are not supported at the time of writing; the HTTP-01 webroot challenge used here cannot prove control of a wildcard in any case, since Let’s Encrypt requires the DNS-01 challenge for that.
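The HTTP-01 validation described above, worked through as an added example (this is not code from the page or from the letsencrypt client). It goes one step beyond the page: the challenge file does not contain just the token but the ACME key authorization, i.e. the token followed by "." and the RFC 7638 thumbprint of the account key, and that is the string the CA compares against. The script writes such a file the way the client would, fetches it the way the CA would, and cleans up, so you can pre-check the nginx webroot setup before spending a real request against Let’s Encrypt. The domain, the webroot, and the RSA JWK are constructed placeholders; the offline fetcher stands in for nginx.

```python
import base64
import hashlib
import json
import os
import secrets
import tempfile
import urllib.request


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an RSA account key: SHA-256 over the canonical JSON
    of the required members only (e, kty, n), keys sorted, no whitespace.
    Optional members such as "alg" or "use" must not change the result."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """What the challenge file must contain: token '.' thumbprint (RFC 8555 section 8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_path(webroot: str, token: str) -> str:
    """Where the client writes the file under --webroot-path."""
    return os.path.join(webroot, ".well-known", "acme-challenge", token)


def challenge_url(domain: str, token: str) -> str:
    """Where the CA fetches it: plain HTTP on port 80, never HTTPS."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def http_get(url: str) -> str:
    """Real fetch, used when run against a live server."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def local_fetch(webroot: str):
    """Offline stand-in for the CA's request: serve the URL path straight from the
    webroot, which is what `location ~ /.well-known { allow all; }` does in nginx."""
    def fetch(url: str) -> str:
        rel = url.split("://", 1)[1].split("/", 1)[1]   # drop scheme and host
        with open(os.path.join(webroot, rel), encoding="utf-8") as f:
            return f.read()
    return fetch


def preflight(domain: str, webroot: str, jwk: dict, fetch=http_get) -> bool:
    """Write a challenge file exactly as the client would, fetch it the way the
    CA does, compare, and always clean up. True means the webroot setup works."""
    token = b64url(secrets.token_bytes(32))
    expected = key_authorization(token, jwk)
    path = challenge_path(webroot, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(expected)
    try:
        body = fetch(challenge_url(domain, token))
    except Exception:
        return False          # 404, connection refused, wrong vhost, ...
    finally:
        os.remove(path)
    return body.strip() == expected


# Constructed placeholder account key: only its thumbprint matters here, so the
# modulus is an arbitrary byte string, not a real RSA key.
CONSTRUCTED_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(256)))}


def offline_demo() -> tuple:
    """Round trip in a temporary webroot: (served correctly, served wrong content)."""
    with tempfile.TemporaryDirectory() as webroot:
        ok = preflight("www.example.com", webroot, CONSTRUCTED_JWK, fetch=local_fetch(webroot))
        bad = preflight("www.example.com", webroot, CONSTRUCTED_JWK, fetch=lambda url: "stale")
    return ok, bad


if __name__ == "__main__":
    print("offline round trip (ok, wrong-content):", offline_demo())
    # Against the real server from this page (assumed names), before running certonly:
    # print(preflight("www.example.com", "/var/www/html", CONSTRUCTED_JWK))
```

Run the live variant from a machine outside your network if you can: the CA connects from the outside, so a check that only passes from localhost (firewall, split DNS, a default vhost that catches the name) tells you nothing about what Let’s Encrypt will see.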

Generate Strong Diffie-Hellman Group
To further increase security, you should also generate a strong Diffie-Hellman group. To generate a 2048-bit group, use this command:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

This may take a few minutes but when it’s done you will have a strong DH group at /etc/ssl/certs/dhparam.pem.

Create an Nginx snippet that points at the SSL key and certificate

sudo vim /etc/nginx/snippets/ssl-www.example.com.conf

File contents:

# fullchain.pem = server certificate plus the Let's Encrypt intermediate; clients need both
ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
# privkey.pem is created readable by root only; keep it that way
ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;

Create an Nginx snippet with the hardened TLS settings

sudo vim /etc/nginx/snippets/ssl-params.conf

File contents:

# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
# TLSv1 and TLSv1.1 are deprecated (RFC 8996) and are deliberately not offered
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
# forward-secrecy suites only (ECDHE or DHE key exchange); AES-GCM preferred, then AES-256
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
# no session tickets: a long-lived ticket key would undermine forward secrecy
ssl_session_tickets off;
# OCSP stapling; nginx needs the resolver to reach the OCSP responder
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
# note: a location block that sets its own add_header does not inherit these; repeat them there
ssl_dhparam /etc/ssl/certs/dhparam.pem;

Configure Nginx for HTTPS

# keep the port-80 server block from above as well: the ACME challenge is still served over HTTP
server {
    listen 443 ssl http2 default_server;
    server_name www.example.com;
    root /var/www/html;
    include snippets/ssl-www.example.com.conf;
    include snippets/ssl-params.conf;
}

The http2 parameter enables HTTP/2, which requires Nginx 1.9.5 or later. Browsers only use HTTP/2 when it is negotiated through ALPN, so the OpenSSL that Nginx is linked against must be 1.0.2 or newer; with an older OpenSSL the site still works but clients fall back to HTTP/1.1.
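Once the 443 block is live, the checker below (example code written for this page, not part of nginx or the letsencrypt client) probes the deployment for the properties the snippets above are meant to guarantee: TLS 1.2 or newer negotiated, h2 selected through ALPN, the certificate not close to expiry, and the HSTS header present with a max-age of at least a year. The host name is an assumption; the 30-day renewal threshold is the certbot default for Let’s Encrypt’s 90-day certificates. The assessment is separated from the network probe so it can be exercised on constructed results.

```python
import http.client
import socket
import ssl
from datetime import datetime, timezone


def probe(host: str, port: int = 443, path: str = "/") -> dict:
    """Live probe (needs network): negotiated TLS version, ALPN result, certificate
    expiry, and the Strict-Transport-Security header the server sends."""
    ctx = ssl.create_default_context()          # verifies the chain against system roots
    ctx.set_alpn_protocols(["h2", "http/1.1"])   # what a browser offers
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            version = tls.version()
            alpn = tls.selected_alpn_protocol()
            expires = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
    not_after = datetime.fromtimestamp(expires, timezone.utc)
    # Separate connection without ALPN: http.client only speaks HTTP/1.1.
    conn = http.client.HTTPSConnection(host, port, context=ssl.create_default_context(), timeout=10)
    conn.request("HEAD", path)
    hsts = conn.getresponse().getheader("Strict-Transport-Security")
    conn.close()
    return {"version": version, "alpn": alpn, "not_after": not_after, "hsts": hsts}


def parse_hsts(value):
    """(max_age, include_subdomains) from an HSTS header value; None when absent.
    Directive names are case-insensitive (RFC 6797), so 'includeSubdomains' matches."""
    if not value:
        return None
    max_age, subs = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and val.strip().isdigit():
            max_age = int(val.strip())
        elif name.strip().lower() == "includesubdomains":
            subs = True
    return max_age, subs


def assess(version, alpn, not_after, hsts, now=None, renew_days=30):
    """Turn probe results into findings; an empty list means the deployment matches
    what the snippets on this page configure."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"negotiated {version}; only TLS 1.2 or newer should be offered")
    if alpn != "h2":
        findings.append("HTTP/2 not negotiated via ALPN (nginx < 1.9.5 or OpenSSL < 1.0.2?)")
    days_left = (not_after - now).days
    if days_left < renew_days:
        findings.append(f"certificate expires in {days_left} days; renew it")
    parsed = parse_hsts(hsts)
    if parsed is None:
        findings.append("no Strict-Transport-Security header")
    else:
        max_age, subs = parsed
        if max_age is None or max_age < 365 * 24 * 3600:
            findings.append("HSTS max-age shorter than one year")
        if not subs:
            findings.append("HSTS without includeSubDomains")
    return findings


if __name__ == "__main__":
    results = probe("www.example.com")           # assumed host name from this page
    for line in assess(**results) or ["OK: TLS 1.2+, h2, certificate valid, HSTS set"]:
        print(line)
```

The probe reports only what a modern client negotiates; it does not prove that TLS 1.0 and 1.1 are refused, because current OpenSSL builds often refuse those versions on the client side too. Check that separately, with a client that can still speak them, if legacy clients are a concern.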

Paged reading: 1 2 3
[Notice]: The 8090 Security Group portal (http://www.8090-sec.com) republishes this article to share more information; this does not mean the site endorses its views or vouches for its accuracy. It is intended only for study and research by network security enthusiasts, who should comply with the relevant national laws and regulations. If there is a problem, contact us at hack@ddos.kim and we will deal with it as soon as possible.