Setting up SSL on Ubuntu
Applying for an SSL certificate (omitted)
Adjusting the Nginx configuration to use SSL
Now that we have our snippet files, we can adjust the Nginx configuration to enable SSL. (The snippet that points at the certificate and key, snippets/ssl-example.com.conf, belongs to the certificate step omitted above; the snippet with the cipher and header settings, snippets/ssl-params.conf, is created further down this page.)
In this guide we assume you are using the default configuration file in the /etc/nginx/sites-available directory. If you are using a different Nginx configuration file, substitute its name in the commands below.
Before we continue, let us back up the current Nginx configuration file:
```sh
sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.bak
```
Now open the Nginx configuration file for editing:
```sh
sudo nano /etc/nginx/sites-available/default
```
Your Nginx configuration file probably looks like this:
```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration

    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;

    . . .
```
We will modify this configuration so that unencrypted HTTP requests are automatically redirected to encrypted HTTPS. This gives the site the best security. If you want to allow both HTTP and HTTPS traffic, use the alternative configuration further down.
We will split the configuration into two separate server blocks. After the first listen directives we add a server_name directive set to the server's domain names. Then we set up a redirect to the second server block we are about to create, and close the first block. Note that $server_name expands to the first name in the server_name directive (example.com here), so a request for www.example.com is redirected to https://example.com/. Using $host instead would preserve the requested name, but because this block is the default_server it receives requests for any Host header, and $host would then redirect to whatever host name the client sent; $server_name is the safer choice.
```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}

    # SSL configuration

    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;

    . . .
```
Next, we open a new server block below the first one. We can uncomment the two listen directives that use port 443. After that, we only need to include the two snippet files we set up:
Note: only one listen directive per IP-version/port combination may carry the default_server modifier. If another enabled Nginx configuration file already sets default_server on these ports, you must remove the modifier from one of the blocks; otherwise nginx -t fails with "a duplicate default server".
```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com www.example.com;   # the site's domain names; if set incorrectly the site cannot be reached
    return 301 https://$server_name$request_uri;
}

server {
    # SSL configuration

    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    include snippets/ssl-example.com.conf;
    include snippets/ssl-params.conf;

    . . .
```
Save and close the file when you are finished.
(Alternative configuration) Allowing both HTTP and HTTPS traffic
If you want or need to serve both encrypted and unencrypted content, you must configure Nginx differently. We simply collapse the two server blocks into one and drop the redirect. Two things to keep in mind: this variant puts the certificate directives inline and does not include snippets/ssl-params.conf, so the cipher settings and security headers defined below do not apply unless you include that snippet here too; and if you do include it, browsers that have once received its Strict-Transport-Security header over HTTPS will no longer use plain HTTP for this host anyway, so keeping port 80 open mainly serves clients that never completed an HTTPS visit.
```nginx
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name example.com www.example.com;   # the site's domain names

    ssl_certificate /home/root/domain.com/1_www.domain.com_bundle.pem;   # downloaded from the certificate issuer
    ssl_certificate_key /home/root/domain.com/2_www.domain.com.key;

    . . .
```
Save and close the file when you are finished.
Creating a configuration snippet with strong encryption settings
Enable this with care. Once a browser has received the Strict-Transport-Security header from the site over HTTPS, it refuses plain-HTTP connections to that host for the whole max-age period (this is not specific to Google Chrome; every modern browser enforces HSTS), and with includeSubdomains the rule extends to every subdomain of the host. If several names share this server and some of them, subdomains in particular, are not yet served over TLS, those names can become unreachable in such browsers until max-age expires.
Next, we create another snippet, /etc/nginx/snippets/ssl-params.conf (the path the include directive above refers to), that defines some SSL settings. This gives Nginx a strong SSL cipher suite and enables some additional features that help keep the server secure.
Preloading HSTS increases security further, but if it is enabled by accident or configured incorrectly the consequences are far-reaching and hard to undo. In this tutorial we do not preload the setting; if you are sure you understand the implications you can change that (the add_header line can also be placed directly in the server block):
```nginx
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
```
Save and close the file when you are finished. Two caveats for a current deployment: the snippet still enables TLSv1 and TLSv1.1, both deprecated by RFC 8996, so unless you must support very old clients restrict ssl_protocols to TLSv1.2 and TLSv1.3 (supported by nginx 1.13.0 and later when built against OpenSSL 1.1.1 or later); and add_header directives are inherited from this level only by blocks that set no add_header of their own, so a location block that adds even one header silently loses the HSTS, X-Frame-Options and X-Content-Type-Options headers for that location unless they are repeated there.
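A snippet like the one above is copied from a hardening guide once and then drifts out of date, so it pays to check it mechanically. The following POSIX shell script is an added example, not part of the original guide: it reads an nginx TLS snippet and reports the settings a reviewer would flag today, namely `//` comments (nginx only understands `#`, and a stray `//` makes `nginx -t` fail with an unknown directive), SSLv2/SSLv3/TLSv1/TLSv1.1 in ssl_protocols, a missing TLSv1.3, and a missing, short-lived or preloaded HSTS header. The function names, messages and the one-year threshold are this example's own choices; the embedded sample file is a constructed copy of the snippet shown above.

```sh
#!/bin/sh
# Added example (not part of the original guide): an offline audit of an nginx
# TLS snippet such as /etc/nginx/snippets/ssl-params.conf. It prints one
# finding per line and returns the number of findings (0 = nothing flagged).
# Function names, messages and thresholds are this example's own choices.

# audit_tls_snippet FILE
audit_tls_snippet() {
    f="$1"
    n=0

    # nginx comments start with '#'. A trailing '// ...' is parsed as an unknown
    # directive and makes `nginx -t` fail. '://' inside URLs is not matched.
    if grep -Eq '^([^#]*[^:#])?//' "$f"; then
        echo "comment written with // (nginx only understands #)"; n=$((n+1))
    fi

    # Only the first uncommented ssl_protocols line counts.
    protos=$(grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$f" | head -n 1)
    if [ -n "$protos" ]; then
        case "$protos" in
            *SSLv2*|*SSLv3*) echo "ssl_protocols still enables SSLv2/SSLv3"; n=$((n+1)) ;;
        esac
        # Match bare TLSv1 and TLSv1.1 (deprecated by RFC 8996) but not TLSv1.2/TLSv1.3.
        if printf '%s\n' "$protos" | grep -Eq 'TLSv1(\.1)?([[:space:];]|$)'; then
            echo "ssl_protocols enables TLSv1/TLSv1.1 (deprecated by RFC 8996)"; n=$((n+1))
        fi
        case "$protos" in
            *TLSv1.3*) ;;
            *) echo "ssl_protocols does not enable TLSv1.3"; n=$((n+1)) ;;
        esac
    else
        echo "no ssl_protocols directive (nginx's default applies)"; n=$((n+1))
    fi

    # HSTS: expect one uncommented header with a max-age of at least one year.
    # 'preload' commits every subdomain to HTTPS, so it is flagged for review.
    hsts=$(grep -E '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' "$f" | head -n 1)
    if [ -z "$hsts" ]; then
        echo "no Strict-Transport-Security header"; n=$((n+1))
    else
        age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
        if [ -z "$age" ] || [ "$age" -lt 31536000 ]; then
            echo "HSTS max-age below one year (${age:-missing})"; n=$((n+1))
        fi
        case "$hsts" in
            *preload*) echo "HSTS preload set: confirm every subdomain serves HTTPS first"; n=$((n+1)) ;;
        esac
    fi

    return "$n"
}

# write_sample_snippet FILE: a constructed copy of the ssl-params.conf shown in this guide.
write_sample_snippet() {
    cat > "$1" <<'EOF'
# from https://cipherli.st/
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
EOF
}

# Demo on the constructed sample; for a real file run:
#   audit_tls_snippet /etc/nginx/snippets/ssl-params.conf; echo "findings: $?"
demo=$(mktemp)
write_sample_snippet "$demo"
audit_tls_snippet "$demo" || echo "findings: $?"
rm -f "$demo"
```

Run against the snippet from this guide, the audit reports exactly two findings (TLSv1/TLSv1.1 enabled, TLSv1.3 missing); after changing the ssl_protocols line to TLSv1.2 and TLSv1.3 it reports none. Run it after every edit of the snippet and before `sudo nginx -t`; the return value makes it usable as a gate in a deployment script.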
Adjusting the firewall
If you are using ufw, you can see the current settings by entering:
```sh
sudo ufw status
```
It probably looks like this, which means only HTTP traffic is allowed to reach the web server:
```text
Status: active

To                         Action      From
--                         ------      ----
SSH                        ALLOW       Anywhere
WWW                        ALLOW       Anywhere
SSH (v6)                   ALLOW       Anywhere (v6)
WWW (v6)                   ALLOW       Anywhere (v6)
```
To additionally allow HTTPS traffic, we can allow the "WWW Full" profile and then delete the now redundant "WWW" profile:
```sh
sudo ufw allow 'WWW Full'
sudo ufw delete allow 'WWW'
```
Your status should now look like this:
```text
sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
SSH                        ALLOW       Anywhere
WWW Full                   ALLOW       Anywhere
SSH (v6)                   ALLOW       Anywhere (v6)
WWW Full (v6)              ALLOW       Anywhere (v6)
```
Your server should now accept HTTPS requests.
Testing
Now that we have made our changes and adjusted the firewall, we can restart Nginx to apply them.
First, we should check that there are no syntax errors in our files. We can do this by entering:
```sh
sudo nginx -t
```
If everything is in order, you get a result like this:
```text
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```
If the output matches the above, the configuration files have no syntax errors (this check also catches a duplicate default_server and an unreadable certificate or key path). We can safely restart Nginx to apply our changes; on a server with live traffic, `sudo systemctl reload nginx` applies the new configuration without dropping open connections:
```sh
sudo systemctl restart nginx
```
The TLS/SSL certificate from Tencent Cloud SSL is now in place, and the firewall allows traffic to ports 80 and 443. At this point you should test the TLS/SSL certificate by visiting your domain over HTTPS in a web browser; also confirm that a plain http:// request is redirected and that the response carries the Strict-Transport-Security header, since a browser that silently falls back to HTTP would not show either problem.
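Opening the site in a browser only proves that one HTTPS connection works. The following POSIX shell script is an added example, not part of the original guide, that checks the three properties this page configures: the HTTP-to-HTTPS redirect, the HSTS header with a max-age of at least a year, and the refusal of TLS 1.0 and 1.1 handshakes. The two parsers take raw response headers on stdin, so they can be exercised offline on the constructed sample responses embedded below; check_site feeds them real curl output and adds an OpenSSL probe. The host name example.com, the function names and the sample headers are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not part of the original guide): post-deployment checks that
# go beyond opening the site in a browser. redirects_to_https and has_hsts
# parse raw response headers from stdin, so they run offline against the
# constructed samples below; check_site feeds them real curl output and adds
# an OpenSSL probe for TLS 1.0/1.1. Host names are placeholders.

# redirects_to_https < headers : 0 if the status is 301/308 and Location is https://
redirects_to_https() {
    hdrs=$(tr -d '\r')                      # strip CRLF so awk and case see clean tokens
    status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
    loc=$(printf '%s\n' "$hdrs" | awk 'tolower($1)=="location:" {print $2; exit}')
    case "$status" in
        301|308) ;;
        *) return 1 ;;
    esac
    case "$loc" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# has_hsts < headers : 0 if Strict-Transport-Security is present with max-age >= 1 year
has_hsts() {
    line=$(tr -d '\r' | awk 'tolower($1)=="strict-transport-security:" {print; exit}')
    [ -n "$line" ] || return 1
    age=$(printf '%s\n' "$line" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$age" ] && [ "$age" -ge 31536000 ]
}

# check_site HOST : live checks (needs curl, openssl and network access)
check_site() {
    host="$1"
    if curl -sI "http://$host/" | redirects_to_https; then
        echo "ok   http://$host redirects to https://"
    else
        echo "FAIL http://$host does not redirect to https://"
    fi
    if curl -sI "https://$host/" | has_hsts; then
        echo "ok   HSTS header present with max-age >= 1 year"
    else
        echo "FAIL HSTS header missing or max-age too short"
    fi
    # A completed handshake prints the negotiated protocol; with TLSv1.2+ only it must not.
    for v in tls1 tls1_1; do
        if openssl s_client -connect "$host:443" -servername "$host" "-$v" </dev/null 2>/dev/null \
            | grep -Eq 'Protocol[[:space:]]*:[[:space:]]*TLSv1(\.1)?[[:space:]]*$'; then
            echo "FAIL server still negotiates $v"
        else
            echo "ok   $v refused"
        fi
    done
}

# Constructed sample responses (not captured from a real server).
SAMPLE_HTTP_REDIRECT='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://example.com/path?q=1
Content-Length: 0'

SAMPLE_HTTP_PLAIN='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

SAMPLE_HTTPS='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=63072000; includeSubdomains
X-Frame-Options: DENY'

# Offline demo; for a real host run: check_site example.com
printf '%s\n' "$SAMPLE_HTTP_REDIRECT" | redirects_to_https && echo "sample redirect: ok"
printf '%s\n' "$SAMPLE_HTTPS" | has_hsts && echo "sample HSTS: ok"
```

The TLS 1.0/1.1 probe is only meaningful if your OpenSSL build still accepts the -tls1 and -tls1_1 options (see `openssl s_client -help`); a client that cannot offer those versions reports "refused" without proving anything about the server, in which case a scanner such as testssl.sh or an online TLS checker is the better tool for that one item.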