Official site: https://letsencrypt.org/getting-started/
Using certbot
certbot: https://certbot.eff.org/
You can follow the steps on the official site (they have never worked for me...)
or you can follow my method:
git clone https://github.com/certbot/certbot.git
cd certbot
./certbot-auto    # certbot-auto has since been retired by the certbot project; current installs use the packaged certbot
Then wait. Once the automatic installation finishes, a blue dialog pops up; choose NO to exit.
If nginx is running, stop it first (standalone mode binds the web port itself): pkill nginx
Then run the following command (for more detail, consult the official documentation or ./certbot-auto --help all):
./certbot-auto certonly --standalone --agree-tos -v -t \
    --email chen93104@163.com \
    -d www.chenhuachao.com -d chenhuachao.com -d chchc.me -d www.chchc.me
On success, it reports that the certificate has been placed in /etc/letsencrypt/live/www.chenhuachao.com/
At this point the certificate has been generated.
In the nginx configuration, add two lines:
server {
    listen 443;
    # ...
    ssl on;    # deprecated since nginx 1.15; "listen 443 ssl;" is the current form
    ssl_certificate /etc/letsencrypt/live/www.chenhuachao.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.chenhuachao.com/privkey.pem;
    # ...
}
Redirecting HTTP to HTTPS
Users generally don't type https:// when entering an address, and a plain http:// request does not land on the HTTPS site. One solution is to redirect to https on port 80:
server {
    listen 80;
    server_name ~chenhuachao|chenxchen|chchc;
    rewrite ^(.*)$ https://$host$1 permanent;
    # prevent embedding in an iframe (clickjacking)
    add_header X-Frame-Options "DENY";
    root /usr/local/nginx/blog/chc-blog;
    index index.html index.htm;
    location ~ /\. {
        deny all;
    }
}
However, that 302 redirect hop can be intercepted and tampered with in transit (a man-in-the-middle attack), so HSTS needs to be configured. If you have visited the site before, the browser then knows to use HTTPS only. HSTS tells the browser to use nothing but HTTPS, and it has to be set in the HTTPS server block:
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
and that is all.
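To verify that the port-80 redirect and the HSTS header actually behave as the two server blocks above intend, here is an added Python example (not part of the original post) that parses captured response heads and reports findings. The two response heads are constructed samples modelled on the configuration above, not real captures; the function names are my own, and the one-year threshold is the minimum lifetime the HSTS preload list accepts.

```python
"""Audit the HTTP->HTTPS redirect and the HSTS header from raw response heads."""
import re

# Constructed sample responses (not real captures), modelled on the nginx config above.
HTTP_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: nginx\r\n"
    "Location: https://www.chenhuachao.com/\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
)

HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
)

PRELOAD_MIN_AGE = 31536000  # one year: the minimum max-age the HSTS preload list accepts


def parse_head(raw):
    """Split a raw response head into (status_code, {lower-case header name: value})."""
    status_line, _, rest = raw.partition("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in rest.split("\r\n"):
        if not line:            # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its three directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        m = re.fullmatch(r"max-age=(\d+)", directive, re.IGNORECASE)
        if m:
            policy["max_age"] = int(m.group(1))
        elif directive.lower() == "includesubdomains":
            policy["include_subdomains"] = True
        elif directive.lower() == "preload":
            policy["preload"] = True
    return policy


def audit_redirect(raw, expected_host):
    """Findings for the port-80 answer: it must redirect to https:// on the same host."""
    status, headers = parse_head(raw)
    findings = []
    if status not in (301, 302, 307, 308):
        findings.append(f"expected a redirect, got {status}")
    location = headers.get("location", "")
    if not location.startswith("https://"):
        findings.append(f"Location is not https: {location!r}")
    elif location[len("https://"):].split("/")[0] != expected_host:
        findings.append(f"redirect leaves the host: {location!r}")
    if "strict-transport-security" in headers:
        # RFC 6797: browsers ignore HSTS received over plain HTTP
        findings.append("HSTS sent over plain HTTP is ignored; set it in the HTTPS server")
    return findings


def audit_hsts(raw):
    """Findings for the HTTPS answer: HSTS present, long enough, and preload-consistent."""
    status, headers = parse_head(raw)
    value = headers.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    policy = parse_hsts(value)
    findings = []
    if policy["max_age"] is None:
        findings.append("max-age directive missing")
    elif policy["max_age"] < PRELOAD_MIN_AGE:
        findings.append(f"max-age {policy['max_age']} is below one year")
    if policy["preload"] and not policy["include_subdomains"]:
        findings.append("preload requires includeSubDomains")
    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    return findings


if __name__ == "__main__":
    print("port 80:", audit_redirect(HTTP_REDIRECT, "www.chenhuachao.com") or "ok")
    print("port 443:", audit_hsts(HTTPS_RESPONSE) or "ok")
```

Against a live server the same functions can be fed the output of a plain `HEAD /` request to port 80 and to port 443; the point of the redirect check is that the Location must stay on https:// and on the same host, and the point of the HSTS check is that the policy is only honoured when it arrives over HTTPS with a long enough max-age.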
HTTPS security and performance optimization
Related topics:
OCSP
HSTS
SPDY (replaced by HTTP/2 after nginx 1.9.5)
Generate the DH parameters
cd /usr/local/nginx/ssl/
openssl dhparam -out dhparam.pem 2048
Then add it to the configuration file:
server {
    listen 443 ssl http2;
    server_name ~chenhuachao|chenxchen|chchc;
    ssl_certificate /etc/letsencrypt/live/www.chenhuachao.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.chenhuachao.com/privkey.pem;
    # TLSv1 and TLSv1.1 have since been deprecated (RFC 8996); current deployments keep TLSv1.2 and TLSv1.3 only
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    # enable HSTS
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    # prevent embedding in an iframe (clickjacking)
    add_header X-Frame-Options "DENY";
    # OCSP stapling; chain.pem lets nginx verify the stapled response
    ssl_stapling on;
    #ssl_stapling_file ocsp.staple;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/www.chenhuachao.com/chain.pem;
    ssl_session_cache shared:SSL:10m;
    # a resolver is required so nginx can fetch OCSP responses from the CA
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout 10s;
    ssl_dhparam /usr/local/nginx/ssl/dhparam.pem;
}
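As an added example that is not part of the original post, the following Python script statically audits the ssl_* directives of a server block against the points this section raises: protocol versions, weak ciphers excluded, the OCSP stapling prerequisites (trusted chain and resolver), the HSTS lifetime, and the dhparam file. The block text is a constructed, shortened copy of the configuration above (the cipher list is trimmed to a few entries); the function names and the findings wording are my own, and the parser handles only the simple one-directive-per-line layout used here.

```python
"""Static audit of the ssl_* directives in an nginx HTTPS server block."""
import re
import shlex

# Constructed, shortened copy of the server block above (cipher list trimmed); not a live file.
NGINX_SERVER_BLOCK = """
server {
    listen 443 ssl http2;
    server_name ~chenhuachao|chenxchen|chchc;
    ssl_certificate /etc/letsencrypt/live/www.chenhuachao.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.chenhuachao.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    # enable HSTS
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options "DENY";
    ssl_stapling on;
    #ssl_stapling_file ocsp.staple;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/www.chenhuachao.com/chain.pem;
    ssl_session_cache shared:SSL:10m;
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    ssl_dhparam /usr/local/nginx/ssl/dhparam.pem;
}
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MUST_EXCLUDE = ("aNULL", "eNULL", "RC4", "MD5", "3DES", "EXPORT")
ONE_YEAR = 31536000


def parse_directives(text):
    """Return {name: [args, ...]} for each directive; comments and braces are skipped."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.endswith("{") or line == "}":
            continue
        parts = shlex.split(line.rstrip(";"))   # quoted values stay one argument
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def audit_tls(text):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(text)
    findings = []

    # TLS must be switched on, either via "listen ... ssl" or the legacy "ssl on"
    listen_args = sum(d.get("listen", []), [])
    ssl_args = sum(d.get("ssl", []), [])
    if "ssl" not in listen_args and "on" not in ssl_args:
        findings.append("TLS is not enabled on the listen socket")

    weak = sorted(set(d.get("ssl_protocols", [[]])[0]) & DEPRECATED_PROTOCOLS)
    if weak:
        findings.append("deprecated protocols enabled: " + ", ".join(weak))

    tokens = d.get("ssl_ciphers", [[""]])[0][0].split(":")
    for name in MUST_EXCLUDE:
        if "!" + name not in tokens:
            findings.append(f"cipher list does not exclude {name}")

    # stapling only works with a trusted chain to verify against and a resolver to reach the CA
    if d.get("ssl_stapling", [["off"]])[0][0] == "on":
        if "ssl_trusted_certificate" not in d:
            findings.append("ssl_stapling is on but ssl_trusted_certificate is missing")
        if "resolver" not in d:
            findings.append("ssl_stapling needs a resolver to fetch OCSP responses")

    hsts = [a for a in d.get("add_header", []) if a and a[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header is added")
    else:
        value = hsts[0][1] if len(hsts[0]) > 1 else ""
        m = re.search(r"max-age=(\d+)", value)
        if m is None or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age is below one year")

    if "ssl_dhparam" not in d:
        findings.append("no ssl_dhparam file configured")
    return findings


if __name__ == "__main__":
    for finding in audit_tls(NGINX_SERVER_BLOCK) or ["no findings"]:
        print(finding)
```

Run against the block as written it reports exactly one finding, the TLSv1/TLSv1.1 entries in ssl_protocols; dropping them to `ssl_protocols TLSv1.2 TLSv1.3;` clears it, while removing the ssl_trusted_certificate line or shortening the HSTS max-age each produce their own finding.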
Further reading:
https://bjornjohansen.no/lets-encrypt-for-nginx
https://bjornjohansen.no/optimizing-https-nginx
https://bjornjohansen.no/enable-http2-on-nginx
https://blog.kuoruan.com/71.html
https://httpsecurityreport.com/
https://cipherli.st/
https://johnmaguire.me/2015/12/configuring-nginx-lets-encrypt-automatic-renewal/
https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
http://www.tuicool.com/articles/3Ezayiy