HTTPS has gradually become the standard. With Let's Encrypt you can enable HTTPS for a website free of charge and protect data in transit. The environment used below is CentOS 7.
Installing and configuring letsencrypt
Install letsencrypt

```bash
yum update
yum install letsencrypt
```
Create the Nginx configuration file

```nginx
server {
    listen 80;  # change to the required port
    server_name www.example.com;
    root /var/www/html;
    location ~ /.well-known {
        allow all;
    }
}
```
Restart Nginx

```bash
service nginx restart
```
Verify domain ownership and request the certificate

```bash
sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html -d www.example.com
```

This automatically creates a file under the webroot and then connects to port 80 on the current server to verify ownership of the domain:

```
http://www.example.com/.well-known/acme-challenge/p1jaEziikiiKer311uQ9fh03_pJmiPSCG0vYahUtWVA
```
Several domain names can share the same certificate:

```bash
sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html -d www.example.com -d example.com
```

Wildcard domains such as *.sub.domain.com are not supported at present.
Generate Strong Diffie-Hellman Group
To further increase security, you should also generate a strong Diffie-Hellman group. To generate a 2048-bit group, use this command:
```bash
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
```
This may take a few minutes but when it’s done you will have a strong DH group at /etc/ssl/certs/dhparam.pem.
Create an Nginx snippet that points to the SSL key and certificate

```bash
sudo vim /etc/nginx/snippets/ssl-www.example.com.conf
```

File contents:

```nginx
ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
```
Create the Nginx strong-encryption configuration snippet

```bash
sudo vim /etc/nginx/snippets/ssl-params.conf
```

File contents:

```nginx
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
```
Configure Nginx for HTTPS

```nginx
server {
    listen 443 ssl http2 default_server;
    server_name www.example.com;
    root /var/www/html;

    include snippets/ssl-www.example.com.conf;
    include snippets/ssl-params.conf;
}
```

http2 is enabled here, which requires Nginx 1.9.5 or later.
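The checks below are an added Python example, not part of the original post: they confirm that the certificate the server now presents covers both names requested with -d, how many days remain before it expires, and that the HSTS header from ssl-params.conf is served with its 63072000 max-age. The hostnames www.example.com and example.com are taken from the post; SAMPLE_CERT is a constructed stand-in for a real certificate.

```python
import http.client
import ssl
import time

HSTS_MIN_MAX_AGE = 63072000  # the max-age set in ssl-params.conf above

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns (not a real cert)
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notAfter": "May 30 00:00:00 2024 GMT",
}

def parse_hsts(value):
    """Parse Strict-Transport-Security; return (max_age, include_subdomains) or None."""
    if not value:
        return None
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def cert_covers(cert, hostnames):
    """True when every hostname is listed verbatim as a DNS SAN (exact match, no wildcards)."""
    sans = {v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    return all(h.lower() in sans for h in hostnames)

def days_until_expiry(cert, now_ts=None):
    """Whole days left before notAfter; Let's Encrypt certs last 90 days, so renew early."""
    now_ts = time.time() if now_ts is None else now_ts
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) // 86400)

def check_live(host, names=("www.example.com", "example.com")):
    """Query the deployed server (needs network) and run the three checks against it."""
    conn = http.client.HTTPSConnection(host, timeout=10, context=ssl.create_default_context())
    conn.request("HEAD", "/")
    cert = conn.sock.getpeercert()  # read before getresponse(), which may close the socket
    hsts = parse_hsts(conn.getresponse().getheader("Strict-Transport-Security"))
    conn.close()
    return {"san_covers_names": cert_covers(cert, names),
            "days_until_expiry": days_until_expiry(cert),
            "hsts_ok": hsts is not None and hsts[0] >= HSTS_MIN_MAX_AGE}
```

Run check_live("www.example.com") once port 443 is up; the helper functions also work offline against SAMPLE_CERT. Note that the ssl_protocols line above still enables TLSv1 and TLSv1.1, which are now deprecated (RFC 8996), so restricting it to TLSv1.2 is the usual choice today.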