Nginx HTTPS Configuration Tutorial: Securing Website Data in Transit
With the rapid growth of the Internet, website security receives more and more attention. Using the HTTPS protocol is one of the most important steps towards protecting website data in transit. This article explains how to configure HTTPS with Nginx so that the data your website exchanges with its visitors is transmitted securely.
1. Installing an SSL certificate
Before configuring HTTPS, you need to obtain an SSL certificate, which proves the identity of the website and secures the data it transmits. You can purchase a certificate from a third-party certificate authority (CA) or use a free, automated CA such as Let's Encrypt.
Install the certificate as follows:
Download the certificate: copy the certificate files (the public certificate, the private key and the certificate chain) to the server. Certificate files usually carry the extensions .crt and .key.
Create the SSL bundle file: use the openssl command to convert the .crt and .key files and combine them into a single PEM-format file:
# write the private key as a plain PEM file (-out, not a text dump)
openssl rsa -in privateKey.key -out privateKey.pem
openssl x509 -inform PEM -in certificate.crt -out certificate.pem
cat privateKey.pem certificate.pem > ssl.crt
# ssl.crt now contains the private key, so it must not be group/world readable
chmod 600 privateKey.key privateKey.pem ssl.crt
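The following script is an added example, not part of the original tutorial: before pointing Nginx at the files produced above, it confirms that the certificate and private key actually belong together, that the certificate is not about to expire, and that the key file is readable by its owner only. It assumes the file names used in this article (certificate.crt, privateKey.key) but accepts any pair as arguments, and it requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity checks to run on the
# certificate and key files before nginx is pointed at them. It assumes the
# article's file names (certificate.crt, privateKey.key) but takes any pair
# as arguments. Requires the openssl command-line tool.
set -e

# SHA-256 of the public key carried by a certificate ($2 = cert) or derived
# from a private key ($2 = key). Comparing digests avoids printing key material.
pubkey_digest() {
    if [ "$2" = cert ]; then
        openssl x509 -in "$1" -noout -pubkey
    else
        openssl pkey -in "$1" -pubout
    fi | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only when the certificate was issued for this private key.
cert_matches_key() {
    [ "$(pubkey_digest "$1" cert)" = "$(pubkey_digest "$2" key)" ]
}

# Succeeds when the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Succeeds when the file has no group/other permission bits (e.g. mode 0600).
# Parses `ls -l` so it works with both GNU and BSD userland.
key_file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Runs all checks, prints one line per check and returns the number of
# failures (0 means the pair is safe to use in ssl_certificate/_key).
check_tls_material() {
    cert=$1; key=$2; failures=0
    if cert_matches_key "$cert" "$key"; then
        echo "ok:   $key is the private key for $cert"
    else
        echo "FAIL: $key does not match $cert (nginx would refuse to start)"
        failures=$((failures + 1))
    fi
    if cert_valid_for_days "$cert" 14; then
        echo "ok:   $cert is valid for at least 14 more days"
    else
        echo "FAIL: $cert expires within 14 days or has already expired"
        failures=$((failures + 1))
    fi
    if key_file_is_private "$key"; then
        echo "ok:   $key is readable by its owner only"
    else
        echo "FAIL: $key is readable by group or others; run: chmod 600 $key"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Usage: sh check_tls.sh certificate.crt privateKey.key
if [ $# -ge 2 ]; then
    check_tls_material "$1" "$2"
fi
```

The public-key comparison is the reliable way to detect a swapped or stale key file: a mismatch surfaces only when Nginx starts, as a cryptic "key values mismatch" error, so catching it before the restart saves downtime.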
2. Configuring HTTPS in Nginx
Open the Nginx configuration file: it is usually located at /etc/nginx/nginx.conf or /usr/local/nginx/conf/nginx.conf.
Add an HTTPS server block: inside the http block, add the following configuration:
server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate /path/to/ssl.crt;
    ssl_certificate_key /path/to/privateKey.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ......
}
listen 443 ssl: listen on port 443, the default HTTPS port, with SSL/TLS enabled.
server_name: replace with your domain name.
ssl_certificate: path to the SSL certificate (the file Nginx reads here should hold the server certificate followed by any intermediate certificates).
ssl_certificate_key: path to the SSL private key.
ssl_protocols: the SSL/TLS protocol versions to accept. TLS 1.0 and 1.1 are deprecated (RFC 8996); new deployments should list only TLSv1.2 and TLSv1.3.
ssl_ciphers: the cipher suites to accept, in OpenSSL cipher-list syntax.
Configure the HTTP-to-HTTPS redirect: inside the http block, add the following configuration:
server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$server_name$request_uri;
}
When a user visits the HTTP address, Nginx automatically redirects the request to the corresponding HTTPS address.
ÉúÑIJ¢ÖØмÓÔØÉèÖãºÉúÑÄÉèÖÃÎļþ²¢Ö´ÐÐÒÔÏÂÏÂÁîÖØÆôNginxЧÀÍ£º
sudo service nginx restart
At this point you have successfully configured HTTPS in Nginx.
3. Optimizing the HTTPS configuration
To further improve the security and performance of the website, you can take the following optimization steps:
Enable HTTP/2: Nginx's HTTP/2 module upgrades HTTPS connections to HTTP/2, which improves page load speed and overall performance.
In the server block, change the listen directive to:
listen 443 ssl http2;
Enable OCSP stapling: with OCSP stapling the server fetches the certificate's revocation status from the CA and attaches it to the TLS handshake, so clients verify the certificate faster and without contacting the CA themselves. In the server block, add:
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
The resolver directive tells Nginx which DNS servers to use when looking up the OCSP responder. For ssl_stapling_verify to work, Nginx must be able to verify the OCSP response against the issuer chain, so provide the intermediate and root certificates via the ssl_trusted_certificate directive.
Configure HTTP Strict Transport Security (HSTS): HSTS instructs browsers to contact the site only over HTTPS for the given period, which blocks downgrade-style man-in-the-middle attacks on later visits.
In the server block, add:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
Use plain ASCII double quotes; typographic quotes (“ ”) are not recognised by Nginx and break the directive. Add the header only in the HTTPS server block, and note that includeSubDomains and preload commit every subdomain to HTTPS for the whole max-age period.
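The following script is an added example, not part of the original tutorial, that ties sections 2 and 3 together: it audits a server block for the settings discussed above (legacy protocol versions as in the first snippet, a missing http2 flag, missing OCSP stapling, a missing HSTS header, and typographic quotes on the add_header line) and shows the weak configuration next to a hardened one. Both sample configurations are constructed for this example; the paths /path/to/fullchain.pem and /path/to/chain.pem are placeholders, and the script only needs POSIX sh, grep and sed.

```shell
#!/bin/sh
# Added example, not from the original article: a static audit of an nginx
# server block for the TLS settings discussed in the tutorial. Both sample
# configs below are constructed; the certificate paths are placeholders.
set -e

# Writes a constructed sample config ($1 = weak | hardened) to file $2.
make_sample() {
    case $1 in
    weak) cat >"$2" <<'EOF'
server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate /path/to/ssl.crt;
    ssl_certificate_key /path/to/privateKey.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    add_header Strict-Transport-Security “max-age=31536000; includeSubDomains; preload”;
}
EOF
    ;;
    hardened) cat >"$2" <<'EOF'
server {
    listen 443 ssl http2;
    server_name yourdomain.com;
    ssl_certificate /path/to/fullchain.pem;      # certificate + intermediates, no key
    ssl_certificate_key /path/to/privateKey.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /path/to/chain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
}
EOF
    ;;
    esac
}

# grep -E over the comment-stripped config held in $body.
has() { printf '%s\n' "$body" | grep -Eq "$1"; }

# Prints one WARN line per finding in config file $1 and returns the count.
audit_ssl_config() {
    body=$(sed 's/#.*$//' "$1")      # ignore commented-out directives
    n=0
    if has 'ssl_protocols[^;]*(SSLv2|SSLv3|TLSv1|TLSv1\.1)[[:space:];]'; then
        echo "WARN: ssl_protocols enables SSLv3/TLS 1.0/1.1 (deprecated by RFC 8996); use TLSv1.2 TLSv1.3"; n=$((n + 1))
    fi
    if has 'listen[^;]*443[^;]*ssl' && ! has 'listen[^;]*http2|^[[:space:]]*http2[[:space:]]+on'; then
        echo "WARN: HTTPS listener without HTTP/2; add http2 to the listen line"; n=$((n + 1))
    fi
    if ! has 'ssl_stapling[[:space:]]+on'; then
        echo "WARN: OCSP stapling is off; add ssl_stapling on, ssl_stapling_verify on and a resolver"; n=$((n + 1))
    fi
    if ! has 'add_header[[:space:]]+Strict-Transport-Security'; then
        echo "WARN: no HSTS header; add add_header Strict-Transport-Security ..."; n=$((n + 1))
    elif printf '%s\n' "$body" | grep -Fq '“'; then
        echo "WARN: HSTS add_header uses typographic quotes; nginx needs ASCII double quotes"; n=$((n + 1))
    fi
    return $n
}

# Usage demonstration on the two constructed samples.
dir=$(mktemp -d)
for kind in weak hardened; do
    make_sample "$kind" "$dir/$kind.conf"
    echo "== $kind.conf"
    audit_ssl_config "$dir/$kind.conf" || echo "   $? finding(s)"
done
rm -rf "$dir"
```

The audit is deliberately static so it can run on a configuration before it is deployed; it complements rather than replaces `nginx -t`, which catches the broken quoting but says nothing about weak protocol versions or a missing HSTS header.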
4. Common problems in HTTPS configuration and their solutions
When configuring HTTPS you may run into some common problems. Here are a few of them and their solutions:
Configuration file errors: check that the Nginx configuration file is correct, especially the paths given in ssl_certificate and ssl_certificate_key; nginx -t reports the exact line that fails to parse.
Certificate errors: make sure your SSL certificate is valid and matches the domain name. You can check the certificate's validity in the browser.
Firewall problems: if you use a firewall, make sure port 443 (the HTTPS port) is open.
SSL/TLS protocol problems: some clients refuse to negotiate old SSL/TLS protocol versions. Keeping only TLSv1.2 in ssl_protocols resolves this.
Conclusion
By configuring HTTPS in Nginx, we give the website a more secure channel for data in transit. This article described how to install an SSL certificate and configure Nginx's HTTPS service, and offered some optimizations and solutions to common problems. We hope it helps make your website's data transmission more secure and reliable.
ÒÔÉϾÍÊÇNginx HTTPSÉèÖý̳̣¬±£»¤ÍøÕ¾Êý¾Ý´«ÊäÇå¾²µÄÏêϸÄÚÈÝ£¬¸ü¶àÇë¹Ø×¢±¾ÍøÄÚÆäËüÏà¹ØÎÄÕ£¡