Deploying HTTPS and HTTP/2 with nginx
Download:
wget -c https://www.openssl.org/source/openssl-1.1.0.tar.gz
wget -c https://nginx.org/download/nginx-1.11.3.tar.gz
Unpack both tarballs side by side and run the build from inside nginx-1.11.3, because the --with-openssl path below points at ../openssl-1.1.0. Both projects publish PGP signatures next to the tarballs (OpenSSL also a .sha256 file); check them before compiling something that will listen on port 443.
Build:
./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_ssl_module --with-http_gzip_static_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_slice_module --with-http_v2_module --with-openssl=../openssl-1.1.0
make
mv /usr/local/nginx/sbin/nginx{,.old}
cp objs/nginx /usr/local/nginx/sbin/nginx
This compiles OpenSSL 1.1.0 from that source tree and links it statically into the nginx binary, so nginx no longer depends on the system libssl; the flip side is that distribution security updates will not patch it, and you must rebuild when OpenSSL ships a fix. make install is deliberately skipped so the existing configuration under /usr/local/nginx/conf is untouched, and the previous binary is kept as nginx.old for rollback. Note that nginx -s reload does not load a new binary: restart nginx, or use the USR2 binary-upgrade procedure, after copying it into place.
If the build fails with SSL_R_NO_CIPHERS_PASSED undeclared, open src/event/ngx_event_openssl.c and delete this line:
|| n == SSL_R_NO_CIPHERS_PASSED
OpenSSL 1.1.0 dropped that error code and nginx 1.11.3 still references it. The line is one entry in the list of client-caused handshake errors that nginx logs at info level rather than error level, so deleting it is harmless, but newer nginx releases build against OpenSSL 1.1.0 without patching and are the cleaner fix.
Notes:
A current OpenSSL is built in because browsers negotiate HTTP/2 through ALPN, and OpenSSL only supports ALPN from 1.0.2 onward. The OpenSSL shipped by most distributions at the time is older; without ALPN there is no error, the browser simply stays on HTTP/1.1.
With ssl_prefer_server_ciphers on, HTTP/2 may not work and the browser silently falls back to HTTP/1.1; if that happens, try commenting the directive out. The Caveats section of the referenced page discusses this. The underlying cause is RFC 7540 Appendix A: HTTP/2 forbids a long list of TLS 1.2 suites (roughly everything that is not AEAD), and if server preference picks one of them the browser refuses h2. Turning server preference off lets the browser's own order (AEAD suites first) win; the better fix is to keep server preference on and make sure ssl_ciphers starts with AES-GCM or ChaCha20 suites, as the list in the server block below does.
Getting a certificate:
The free certificate used here comes from https://www.startssl.com/: generate the private key and a CSR with OpenSSL or the tool the site provides, submit the CSR for signing and download the resulting CRT. StartCom certificates were later distrusted by the major browsers and the CA has shut down, so substitute any CA you trust (a free ACME CA such as Let's Encrypt fills the same role); the key/CSR/CRT workflow is unchanged. The private key stays on the server, readable only by root; the CSR is the only thing the CA needs.
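The key and CSR step above, as an added example in POSIX sh (not code from the original post or from StartSSL): it puts every hostname into subjectAltName because browsers ignore the CN, keeps the key file private via umask, and includes checks that the CSR is well signed and that key and CSR belong together. The output directory and the two feiworks.com names are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: create the private key and the CSR
# that a CA signs, with every hostname in subjectAltName (browsers ignore the CN).
# The output directory and host names are illustrative assumptions.

# gen_csr <dir> <primary_name> [more_names...]
# writes <dir>/<primary>.key (mode 0600) and <dir>/<primary>.csr
gen_csr() {
    dir=$1; primary=$2; shift 2
    san="DNS:$primary"
    for extra in "$@"; do san="$san,DNS:$extra"; done
    cfg="$dir/$primary.cnf"
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $primary
[v3_req]
subjectAltName = $san
EOF
    # 2048-bit RSA, no passphrase (-nodes) so nginx can start unattended;
    # the subshell umask keeps the key 0600 without changing the caller's umask.
    (umask 077 && openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$primary.key" -out "$dir/$primary.csr" -config "$cfg" 2>/dev/null)
}

# csr_verify <csr>: exit 0 if the CSR's self-signature checks out
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_sans <csr>: print the requested DNS names, one per line (e.g. DNS:www.feiworks.com)
csr_sans() {
    openssl req -in "$1" -noout -text |
        sed -n 's/^[[:space:]]*DNS:/DNS:/p' | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# key_matches_csr <key> <csr>: exit 0 when the CSR was made with this key
# (compares the SubjectPublicKeyInfo derived from each side)
key_matches_csr() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl req -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Usage: constructed run into a temp dir (a real run would target /usr/local/nginx/conf)
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    gen_csr "$work" feiworks.com www.feiworks.com
    csr_verify "$work/feiworks.com.csr" && echo "CSR signature OK"
    key_matches_csr "$work/feiworks.com.key" "$work/feiworks.com.csr" && echo "key matches CSR"
    csr_sans "$work/feiworks.com.csr"
fi
```

Send only the .csr to the CA. When the signed certificate arrives, the same public-key comparison (openssl x509 -pubkey instead of openssl req -pubkey) tells you whether it belongs to the key nginx will load, which is the usual cause of "key values mismatch" at startup.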
Tuned nginx configuration:
Add to the http block:
# shared TLS session cache; 1 MB holds roughly 4000 sessions
ssl_session_cache shared:SSL:10m;
# how long a cached session may be resumed
ssl_session_timeout 10m;
Redirect HTTP to HTTPS:
server {
    listen 80;
    server_name feiworks.com www.feiworks.com;
    return 301 https://www.feiworks.com$request_uri;
}
HTTPS and HTTP/2:
server {
    listen 443 ssl http2;
    ssl_certificate /usr/local/nginx/conf/1_feiworks.com_bundle.crt;
    ssl_certificate_key /usr/local/nginx/conf/feiworks.key;
    keepalive_timeout 70;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # cipher suites
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
    # mitigate clickjacking
    add_header X-Frame-Options SAMEORIGIN;
    # stop browsers from sniffing content types
    add_header X-Content-Type-Options nosniff;
    # browser XSS filter
    add_header X-Xss-Protection 1;
    ......
Things to know about this block:
ssl_certificate must point at the bundle (leaf certificate followed by the CA's intermediate), as the file name above suggests; with the leaf alone, clients that do not already have the intermediate fail validation.
ssl_protocols: TLSv1 and TLSv1.1 were still common in 2016 but are deprecated (RFC 8996). On a new deployment allow only TLSv1.2, plus TLSv1.3 once the nginx and OpenSSL builds support it (1.11.3 and 1.1.0 do not).
ssl_ciphers: the entry EECDH+aRSA+RC4 is dead, because the trailing !RC4 removes RC4 from the list permanently; delete it. OpenSSL accepts spaces as separators, but colons are the documented form.
add_header is not merged across levels: a location block that has its own add_header loses every add_header from the server block, HSTS included. Repeat the security headers there or move them into an include file.
HSTS with preload is effectively permanent once the domain is on the browser preload list; leave preload off until every subdomain serves HTTPS and you are sure you want that.
X-Xss-Protection 1 enables the browser XSS auditor in filter mode; "1; mode=block" was the usual value, and since the auditor has been removed from the major browsers the header can be dropped in favour of a Content-Security-Policy.
Generating the dhparam.pem used above:
cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 2048
2048 bits is the floor (1024-bit DH is within reach of well-funded attackers, see Logjam) and generation takes a few minutes. With the cipher list above, ECDHE suites are preferred, so these parameters only matter for the EDH+aRSA fallback.
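The pitfalls listed for the server block above, and the ALPN requirement from the Notes section, turned into a check you can run before reloading. This is an added example in POSIX sh, not code from the original post: it reads an nginx config from stdin and reports obsolete ssl_protocols, RC4 entries in ssl_ciphers (dead or live), a non-AEAD first suite while ssl_prefer_server_ciphers is on, and HSTS without always; openssl_has_alpn decides whether an "openssl version" string is 1.0.2 or newer. The two sample blocks are constructed for the demonstration, the first from the settings in this post and the second a hardened variant for the same nginx/OpenSSL versions.

```shell
#!/bin/sh
# Added example, not part of the original post: a POSIX-sh linter for the
# TLS/HTTP/2 pitfalls discussed above, plus an ALPN check on "openssl version".
# Only sh, sed, tr and grep are needed.

# Exit 0 if the "openssl version" output in $1 names a release >= 1.0.2 (first with ALPN).
# Anything it cannot parse (LibreSSL, garbage) is reported as "no".
openssl_has_alpn() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$v" ] || return 1
    set -- $v                      # $1=major $2=minor $3=fix
    [ "$1" -gt 1 ] && return 0
    [ "$1" -eq 1 ] && { [ "$2" -gt 0 ] || [ "$3" -ge 2 ]; }
}

# Print the value of directive $2 from the cleaned config text in $1.
directive() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\([^;]*\);.*/\1/p"
}

# Read an nginx config on stdin, print one finding per line, exit 1 if there are any.
lint_tls_conf() {
    cfg=$(sed 's/#.*//' | tr -d '"')          # drop comments and quotes
    n=0
    for p in $(directive "$cfg" ssl_protocols); do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "ssl_protocols: $p is obsolete (RFC 8996); allow TLSv1.2 and newer only"
                n=$((n + 1)) ;;
        esac
    done
    ciphers=$(directive "$cfg" ssl_ciphers | tr ':' ' ')   # accept colon or space separators
    first=
    for c in $ciphers; do
        [ -n "$first" ] || first=$c
        case $c in
            !*) ;;                                # exclusions are fine
            *RC4*)
                case " $ciphers " in
                    *" !RC4 "*) echo "ssl_ciphers: '$c' is dead, the later !RC4 removes it; delete the entry" ;;
                    *)          echo "ssl_ciphers: '$c' enables RC4, which is broken; delete it and add !RC4" ;;
                esac
                n=$((n + 1)) ;;
        esac
    done
    if [ "$(directive "$cfg" ssl_prefer_server_ciphers)" = on ]; then
        case $first in
            *GCM*|*CHACHA20*|*POLY1305*) ;;       # AEAD first: safe for HTTP/2
            *) echo "ssl_prefer_server_ciphers on but first suite '$first' is not AEAD: browsers may refuse h2 (RFC 7540 Appendix A)"
               n=$((n + 1)) ;;
        esac
    fi
    hsts=$(printf '%s\n' "$cfg" | grep 'add_header[[:space:]][[:space:]]*Strict-Transport-Security' || true)
    if [ -n "$hsts" ]; then
        case $hsts in
            *always*) ;;
            *) echo "Strict-Transport-Security: add 'always' so 4xx/5xx responses carry it too"
               n=$((n + 1)) ;;
        esac
    fi
    [ "$n" -eq 0 ]
}

# Constructed sample 1: the settings from this post, as written.
sample_weak_conf() {
    cat <<'EOF'
server {
    listen 443 ssl http2;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # cipher suites
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
}
EOF
}

# Constructed sample 2: the same block hardened for nginx 1.11.3 / OpenSSL 1.1.0 (TLS 1.2, AEAD only).
sample_hardened_conf() {
    cat <<'EOF'
server {
    listen 443 ssl http2;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
}
EOF
}

# Usage: lint_tls_conf < /usr/local/nginx/conf/nginx.conf ; here the two samples.
echo "== as written =="; sample_weak_conf | lint_tls_conf || true
echo "== hardened ==";   sample_hardened_conf | lint_tls_conf && echo "no findings"
openssl_has_alpn "$(openssl version 2>/dev/null)" && echo "system openssl has ALPN" || echo "system openssl too old or not found"
```

The linter only looks at the directives this post touches, so an nginx -t still has the final word on syntax; run both before the reload. For the first sample it reports TLSv1, TLSv1.1 and the dead EECDH+aRSA+RC4 entry and exits 1, for the second it is silent and exits 0.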
Online check for HTTP/2 and ALPN support:
https://tools.keycdn.com/http2-test
Online check of the TLS server configuration:
https://www.ssllabs.com/ssltest/index.html
The same ALPN check can be done from a shell with openssl s_client and its -alpn option, which prints the protocol the server selected; useful on hosts that are not reachable from the internet.