自建https站点
现在https已经成为web服务的标配了,由于完整的https部署流程需要一系列的备案申请ca的一些过程, 不适合开发人员调试https服务功能,这样创建自授权的https就很有用了。
(注:自授权的证书不会被浏览器识别为可信的证书,可以在系统中添加该ca证书为可信证书即可)
如下介绍创建自授权的https站点流程,以nginx配置为例:
生成证书
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
其他配置可以随便写,但是Common Name必须是需要的域名.
配置nginx
配置/etc/nginx/snippets/self-signed.conf
添加如下内容:
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
配置/etc/nginx/snippets/ssl-params.conf
添加内容:
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
# ssl_stapling on; # Requires nginx >= 1.3.7
# ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
生成dhparam
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
配置nginx站点
以example.com域名为例子:
vi /etc/nginx/sites-available/www.example.com
输入以下内容:
server {
listen 443 ssl;
listen [::]:443 ssl;
include snippets/self-signed.conf;
include snippets/ssl-params.conf;
server_name example.com www.example.com;
root /var/www/example.com/html;
index index.html index.htm index.nginx-debian.html;
}
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
return 302 https://$server_name$request_uri;
}
链接到site-enable文件夹下:
ln -s /etc/nginx/sites-available/www.example.com /etc/nginx/sites-enabled/
重启nginx服务,完工:
systemctl restart nginx