超文本传输安全协议英语:Hypertext Transfer Protocol Secure,缩写:HTTPS,也被称为HTTP over TLSHTTP over SSLHTTP Secure)是一种网络安全传输协议。在计算机网络上,HTTPS经由超文本传输协议(HTTP)进行通信,但利用SSL/TLS来对数据包进行加密。HTTPS开发的主要目的,是提供对网络服务器的身份认证,保护交换数据的隐私与完整性。

与普通的 HTTP 连接相比,使用 HTTPS 可以提供更高的隐私性和安全性,降低信息被第三方拦截或滥用的风险,比如常见的 ISP 广告劫持。

HTTPS的安全基于对预先安装在浏览器中的证书颁发机构的信任:

  • 用户浏览器正确实现了HTTPS且安装了可信的证书颁发机构(一般都是比较大型的机构)
  • 用户访问 HTTPS 网站,该网站提供了上述机构签发的证书
  • 用户浏览器根据证书验证网站的真实性

部署 HTTPS 步骤:

  • 获取 SSL 证书,从证书签发机构获取证书,根据证书签发机构和种类的不同,费用从免费到几百、数千元不等,常见的收费证书机构有GeoTrust,Symantec,VeriSign,免费证书机构有Let’s Encrypt,StartSSL 等
  • 在 WEB 服务器上安装 SSL 证书
  • 修改网站,对相关页面或资源启用 HTTPS

由于本站是个人网站,使用免费的 Let’s Encrypt 证书即可,为了防止滥用,证书的有效期为3个月,到期后,可以通过定时任务刷新证书。

 

下面以CentOS7为例,介绍配置HTTPS方法:

1.安装证书生成工具Certbot

sudo yum install epel-release
sudo yum install certbot

2.使用Certbot获取证书:

certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com

3.生成ssl dhparam:

sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

4.使用Mozilla SSL Configuration Generator生成nginx配置:

值得注意的是 HSTS 的 Strict-Transport-Security头信息,当用户第一次通过 HTTPS 访问网站后,如果响应头中包含Strict-Transport-Security,浏览器会对声明的 max-age 有效期内后续的普通 HTTP 请求,强制使用 HTTPS,例如,后续访问 http: //aiddroid.com/page/2 会被重定向到https://aiddroid.com/page/2

  server {
     listen 80;
     server_name www.example.com example.com;

     # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
     return 301 https://$host$request_uri;
    }    

    server{
        listen 443 ssl http2;        

        # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;

        # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
        ssl_dhparam /usr/local/nginx/ssl/dhparam.pem;

        # intermediate configuration. tweak to your needs.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-A
ES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECD
HE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-
SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA
256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
        ssl_prefer_server_ciphers on;

        # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
        add_header Strict-Transport-Security max-age=15768000;

        # OCSP Stapling ---
        # fetch OCSP records from URL in ssl_certificate and cache them
        ssl_stapling on;
        ssl_stapling_verify on;

        ## verify chain of trust of OCSP response using Root CA and Intermediate certs
        ssl_trusted_certificate /usr/local/nginx/ssl/isrgrootx1.pem;

        resolver 114.114.114.114 8.8.8.8 valid=300s;
        resolver_timeout 3s;

        .......
        .......
    }

5.reload nginx

sudo service nginx reload

再次访问,浏览器地址栏即可看到小绿锁

green-lock

6.添加定时任务以刷新证书

0 0 1 */3 * certbot renew --quiet && /usr/sbin/nginx -s reload

7.使用Qualys SSL Labs测试网站HTTPS等级

测试需要几分钟,如果评级过低,可根据提示进行相应优化

ssllab-test-result

ssllab-test-result

 

 

 

Post Navigation