记一次 https 配置

证书的选择有很多，各个云服务商都有免费的证书提供（有效期一般是一年），土豪也可以买买买。个人小网站建议使用letsencrypt，缺点是有效期只有3个月。

本文以 letsencrypt 证书为例。

by the way: 证书有通配符证书 和 单域名证书。

获取证书

获取 letsencrypt 证书有很多种方式：

• acme.sh 推荐（作者采用）
• certbot 获取单域名证书方便，如果你用国内云服务器，获取通配符证书，需要找第三方做的插件，github star 都很少
• letsencrypt-auto 没用过，不评价

由于 通配符证书 比单域名证书 优势太多，作者采用 单域名证书 , 哦不，是 通配符证书 。

作者采用阿里云DNS， 其他云服务商看 文档

1. 看 文档 进入阿里云后台 获取 API key
2. 为了以后自动续订 写入 .bashrc

export Ali_Key="your key"
export Ali_Secret="your Secret"
复制代码

3. 看文档得知证书获取命令

acme.sh --issue --dns dns_ali -d yingyj.com -d *.yingyj.com
复制代码

之后会得到 ~/.acme.sh/yingyj.com 文件夹. 这时不要手动复制证书到目标文件夹，或者将证书文件直接指到这里，一是因为以后续订证书还需要手动移动证书 ，二是因为这个是acme 生成的文件，文件结构无法保证。

采用自带的命令 文档 安装（移动）证书

acme.sh --install-cert -d yingyj.com \
--cert-file /etc/nginx/ssl/yingyj.com/yingyj.com.cer \ 
--key-file /etc/nginx/ssl/yingyj.com/yingyj.com.key \
--fullchain-file /etc/nginx/ssl/yingyj.com/fullchain.cer \
--reloadcmd "service nginx force-reload"
复制代码

--reloadcmd 命令将在每次更新证书的时候调用

服务器配置

• nginx.conf

server {
    server_name www.yingyj.com yingyj.com;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    include /etc/nginx/ssl/options-ssl-nginx.conf;

    root /path-to-your-website-folder;
    # charset koi8-r;
    access_log /var/log/nginx/yingyj.com.access.log  main;
    location / {
        index index.html;
    }
    location = /50x.html {
        root /usr/share/nginx/html;
    }
    #error_page  404              /404.html;
    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504  /50x.html;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name .yingyj.com;
    return 301 https://$host$request_uri;
}

复制代码

• /etc/nginx/ssl/options-ssl-nginx.conf

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

# enable session resumption to improve https performance
# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
ssl_session_cache shared:le_nginx_SSL:20m;
ssl_session_timeout 60m;
ssl_session_tickets off;

# The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP
# 2 years https://hstspreload.org/?domain=yingyj.com#submission-requirements
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

# https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5';

ssl_certificate /etc/nginx/ssl/yingyj.com/fullchain.cer;
ssl_certificate_key /etc/nginx/ssl/yingyj.com/yingyj.com.key;
ssl_trusted_certificate /etc/nginx/ssl/yingyj.com/fullchain.cer;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
ssl_buffer_size 8k;

# don't send the nginx version number in error pages and Server header
server_tokens off;

# ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
# 禁用 MIME 类型嗅探
add_header X-Frame-Options DENY always;

# ref: https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/X-Content-Type-Options
# nosniff 只应用于 "script" 和 "style" 两种类型。不能用于图片，会出bug https://github.com/whatwg/fetch/issues/395
# add_header X-Content-Type-Options nosniff always;

# ref: https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/X-XSS-Protection
add_header X-Xss-Protection "1; mode=block" always;

# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
# directives for css and js(if you have inline css or js, you will need to keep it too).
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
# https://blog.dareboost.com/en/2018/03/deploying-csp-a-5-step-approach/
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googletagmanager.com *.google-analytics.com https://connect.facebook.net; img-src 'self' *.googletagmanager.com *.google-analytics.com https://static.xx.fbcdn.net; style-src 'self' 'unsafe-inline' *.googleapis.com; frame-src https://www.facebook.com https://static.xx.fbcdn.net; object-src 'none';report-uri https://log.yingyj.com/cps";

# https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Public_Key_Pinning
# add_header Public-Key-Pins 'pin-sha256="JggCEN+Cwv8amet+U9YfF3Mn1hdIU4vIjnn4B3W62Nk="; pin-sha256="VtkIBhOtzbdTOGNvGkLWArlWptUS+xT37fMAeFkchWY="; max-age=5184000; includeSubDomains' always;
复制代码

其中 /etc/nginx/ssl/options-ssl-nginx.conf 里面很多和ssl配置无关，这是不太好的习惯，可以分文件放

---------未完待续

1. nginx conf 基本配置
2. nginx TLS 1.3 开启教程
3. 常见问题