SSL/TLS Configuration Helper Skill ssl-helper

This skill configures and manages SSL/TLS certificates: obtaining certificates, setting up an nginx server, enabling modern protocols and cipher suites, and adding security headers to harden a website. Use it for HTTPS setup, SSL certificate management, TLS configuration, and web security hardening. Keywords: SSL, TLS, certificate, security protocols, ciphers, security headers, nginx, configuration, web security.

Security operations  0 installs  0 views  Updated 3/9/2026

Name: ssl-helper Description: Configure SSL/TLS certificates, enable secure protocols and ciphers, and set security headers. Use when setting up HTTPS, SSL certificates, TLS configuration, or web security hardening.

SSL/TLS Configuration Helper

Quick start

Configure nginx with SSL/TLS certificates, modern secure protocols, and the recommended security headers.

Instructions

Step 1: Obtain an SSL certificate

Option A: Let's Encrypt (recommended for production)

# Install certbot (Debian/Ubuntu package names; run as root)
apt-get install certbot python3-certbot-nginx

# Obtain a certificate and let the nginx plugin edit the matching server block
certbot --nginx -d example.com -d www.example.com

# Automatic renewal is already configured by the package (systemd timer; see "Certificate management" below)

Option B: Self-signed certificate (development only)

# Generate a self-signed certificate. Browsers ignore the CN and require a subjectAltName,
# so add one with -addext (OpenSSL 1.1.1 or later). Keep the key readable by root only.
mkdir -p /etc/nginx/ssl
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/nginx/ssl/selfsigned.key \
  -out /etc/nginx/ssl/selfsigned.crt \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.com"
chmod 600 /etc/nginx/ssl/selfsigned.key

# Generate DH parameters (only needed for DHE cipher suites, as in the intermediate profile below; this can take minutes)
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

Option C: Commercial certificate

# Generate a private key and CSR (-subj avoids the interactive prompts; the CA sets the SANs during issuance)
openssl req -new -newkey rsa:2048 -nodes \
  -keyout /etc/nginx/ssl/example.com.key \
  -out /etc/nginx/ssl/example.com.csr \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=example.com"
chmod 600 /etc/nginx/ssl/example.com.key

# Submit the CSR to the certificate authority
# Download the certificate and the intermediate certificate(s)
# Concatenate them (server certificate first, then intermediates) and place the bundle in /etc/nginx/ssl/

Step 2: Configure SSL in nginx

Basic SSL configuration:

server {
    listen 443 ssl http2;   # nginx 1.25.1+ deprecates the http2 listen flag; use "http2 on;" there
    server_name example.com www.example.com;

    # Certificate files (fullchain.pem is the server certificate followed by the intermediates)
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Protocols and ciphers (TLS 1.3 suites are fixed by the protocol and not controlled by ssl_ciphers)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;

    # Session cache
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # OCSP stapling. nginx needs a resolver to look up the OCSP responder; without one it logs
    # "no resolver defined" and stapling silently stays off. Note that Let's Encrypt stopped
    # including OCSP URLs in its certificates and shut down its responders in 2025, so for
    # Let's Encrypt certificates these directives have no effect.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;   # prefer an internal resolver where one exists
    resolver_timeout 5s;

    # Security headers. Caveat: add_header is not inherited into a location block that has its
    # own add_header directives; repeat them there or put them in an included file.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # X-XSS-Protection is deprecated: modern browsers ignore it and its filter has itself been
    # abused. Keep it only for legacy clients; Content-Security-Policy is the effective control.
    add_header X-XSS-Protection "1; mode=block" always;

    location / {
        # Your application configuration ("backend" must be defined in an upstream block)
        proxy_pass http://backend;
    }
}

# Redirect HTTP to HTTPS. Use $host rather than $server_name: $server_name is always the first
# name in the server_name list, so requests for www.example.com would be redirected to example.com.
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

Step 3: Test the SSL configuration

# Test the nginx configuration
nginx -t

# Reload nginx
nginx -s reload

# Test HTTPS with curl (fails on certificate errors; use -k only against a self-signed dev certificate)
curl -I https://example.com

# Inspect the certificate chain and negotiated protocol (-servername sends SNI; </dev/null closes the session)
openssl s_client -connect example.com:443 -servername example.com </dev/null

Step 4: Verify security

Online tools:

Command line:

# Check certificate validity dates (send SNI so a shared host returns the right certificate)
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | \
  openssl x509 -noout -dates

# Test TLS versions: 1.2 and 1.3 must succeed; the same command with -tls1 or -tls1_1 must
# fail with a handshake failure or "unsupported protocol"
openssl s_client -connect example.com:443 -servername example.com -tls1_2 </dev/null
openssl s_client -connect example.com:443 -servername example.com -tls1_3 </dev/null
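The four steps above can be scripted. The following is an added example, not code from the ssl-helper skill: a stdlib-only Python probe that performs the checks the openssl commands do (negotiated version, days to expiry, SAN matches the hostname, TLS 1.0/1.1 refused) and returns findings for a monitoring job. The function names, the ProbeResult type and the 30-day threshold are this example's own choices; probe() needs network access, while the helpers it builds on run offline.

```python
"""Added example (not part of the ssl-helper skill): probe a TLS endpoint the way the
openssl commands above do. Names and thresholds are this example's own."""
import socket
import ssl
import sys
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ProbeResult:
    host: str
    negotiated: Optional[str] = None            # e.g. "TLSv1.3"
    days_left: Optional[int] = None
    san_matches: bool = False
    legacy_accepted: List[str] = field(default_factory=list)  # versions nginx should have refused


def days_until_expiry(not_after: str, now: Optional[float] = None) -> int:
    """not_after is the getpeercert() string, e.g. 'Jun  1 12:00:00 2026 GMT' (UTC)."""
    expiry = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expiry - now) // 86400)


def hostname_matches(cert: Dict, host: str) -> bool:
    """Match host against the DNS subjectAltName entries only (CN is ignored, as browsers do).
    A wildcard covers exactly one label and only in the left-most position."""
    host = host.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value == host:
            return True
        if value.startswith("*.") and host.count(".") == value.count(".") \
                and host.split(".", 1)[1] == value[2:]:
            return True
    return False


def findings(result: ProbeResult, min_days: int = 30) -> List[str]:
    """Turn a ProbeResult into a list of problems; an empty list means the endpoint passed."""
    out = []
    if result.negotiated not in ("TLSv1.2", "TLSv1.3"):
        out.append(f"negotiated {result.negotiated}, expected TLS 1.2 or 1.3")
    if result.days_left is not None and result.days_left < min_days:
        out.append(f"certificate expires in {result.days_left} days")
    if not result.san_matches:
        out.append("no DNS SAN matches the hostname")
    for version in result.legacy_accepted:
        out.append(f"server still accepts {version}")
    return out


def probe(host: str, port: int = 443, timeout: float = 5.0) -> ProbeResult:
    """Live check. create_default_context() validates the chain against the system trust
    store and the hostname, so a broken chain fails here just as it would in a browser."""
    result = ProbeResult(host=host)
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            result.negotiated = tls.version()
            result.days_left = days_until_expiry(cert["notAfter"])
            result.san_matches = hostname_matches(cert, host)
    # Now offer only TLS 1.0 / 1.1. A handshake failure is the desired outcome; a success
    # means ssl_protocols on the server is wider than intended.
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1):
        legacy = ssl.create_default_context()
        try:
            legacy.minimum_version = legacy.maximum_version = version
            legacy.set_ciphers("DEFAULT@SECLEVEL=0")   # let the client offer pre-1.2 suites at all
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with legacy.wrap_socket(sock, server_hostname=host) as tls:
                    result.legacy_accepted.append(tls.version() or version.name)
        except (ssl.SSLError, OSError, ValueError):
            pass   # refused by the server (or unavailable in the local OpenSSL build)
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    problems = findings(probe(target))
    print("\n".join(problems) or f"{target}: OK")
    sys.exit(1 if problems else 0)
```

Run it as `python3 probe.py example.com`; a non-zero exit makes it usable from cron or a CI job. A legacy handshake that fails because the local OpenSSL build has no TLS 1.0 support is reported the same way as a server refusal, so confirm with the openssl commands above once if that matters.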

Modern SSL configuration

Mozilla modern profile (recommended for new sites):

# TLS 1.3 only: its cipher suites are fixed by the protocol, so no ssl_ciphers line is needed.
# Clients without TLS 1.3 cannot connect at all; use the intermediate profile if you must serve them.
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;   # a long-lived ticket key would undermine forward secrecy

# OCSP stapling (the resolver is required for nginx to reach the OCSP responder)
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;   # prefer an internal resolver where one exists
resolver_timeout 5s;

Mozilla intermediate profile (broader compatibility):

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;

# DH parameters for the DHE suites above: the file generated in Step 1, or the standard
# 2048-bit group from RFC 7919 (ffdhe2048) that Mozilla recommends
ssl_dhparam /etc/nginx/ssl/dhparam.pem;

# OCSP stapling (needs the resolver directives shown in the modern profile)
ssl_stapling on;
ssl_stapling_verify on;

Security headers

Basic security headers:

# HSTS (HTTP Strict Transport Security). preload is a long-term commitment: every subdomain
# must serve HTTPS before the domain is submitted to the browser preload list.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# Clickjacking protection (the CSP frame-ancestors directive is the modern replacement)
add_header X-Frame-Options "SAMEORIGIN" always;

# Prevent MIME type sniffing
add_header X-Content-Type-Options "nosniff" always;

# XSS filter header (legacy browsers only). Deprecated: modern browsers ignore it and the
# filter itself has been abused; CSP is the effective control.
add_header X-XSS-Protection "1; mode=block" always;

# Referrer policy
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# Content Security Policy (customise for your site). 'unsafe-inline' in script-src removes
# most of CSP's protection against injected scripts; prefer nonces or hashes.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';" always;

# Permissions policy
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
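Headers are easy to set and easy to lose (an add_header in a location block drops the server-level ones), so check what the site actually sends. The following is an added example, not code from the ssl-helper skill: a stdlib-only audit of a response header set against the recommendations above. audit_headers() is pure and works on any header mapping; fetch_headers() does the live request. PAGE_HEADERS is a constructed sample mirroring the add_header lines on this page, and the check names and messages are this example's own.

```python
"""Added example (not part of the ssl-helper skill): audit response headers against the
recommendations above. Check names, messages and PAGE_HEADERS are this example's own."""
import re
import urllib.request
from typing import Dict, List

ONE_YEAR = 31536000

# Constructed sample: the header set the configuration above would send.
PAGE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; "
                               "style-src 'self' 'unsafe-inline';",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
}


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split 'dir src src; dir src' into {directive: [sources]} (last wins on duplicates)."""
    out: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    problems: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        problems.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            problems.append(f"HSTS max-age {max_age} is below one year")
        if "preload" in hsts.lower() and "includesubdomains" not in hsts.lower():
            problems.append("HSTS preload requires includeSubDomains")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        problems.append("X-Content-Type-Options: nosniff missing")

    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        problems.append("Content-Security-Policy missing")
    else:
        script_src = csp.get("script-src", csp.get("default-src", []))
        # 'unsafe-inline' lets an injected <script> run, which is exactly what CSP exists to stop
        if "'unsafe-inline'" in script_src:
            problems.append("CSP script-src allows 'unsafe-inline'; use nonces or hashes")
        if "*" in script_src:
            problems.append("CSP script-src allows any origin (*)")
    # Clickjacking: either CSP frame-ancestors or the older X-Frame-Options must be present
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        problems.append("no frame-ancestors / X-Frame-Options")

    xss = h.get("x-xss-protection")
    if xss is not None and xss != "0":
        problems.append("X-XSS-Protection is deprecated; set it to 0 or drop it and rely on CSP")

    if "referrer-policy" not in h:
        problems.append("Referrer-Policy missing")
    return problems


def fetch_headers(url: str, timeout: float = 5.0) -> Dict[str, str]:
    """Live HEAD request; certificate validation is urllib's default behaviour."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    import sys
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else PAGE_HEADERS
    for problem in audit_headers(headers):
        print("-", problem)
```

Run against the page's own header set it reports two findings: the CSP allows 'unsafe-inline' in script-src, and X-XSS-Protection is set to a non-zero value. Point it at a URL to audit a live site; a redirect to a different origin is followed by urllib, so check the final URL you care about.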

Common patterns

Separate certificates for multiple domains

# nginx selects the server block, and therefore the certificate, from the SNI name the client sends
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # ... rest of the configuration
}

server {
    listen 443 ssl http2;
    server_name api.example.com;

    ssl_certificate /etc/letsencrypt/live/api.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.example.com/privkey.pem;

    # ... rest of the configuration
}

Wildcard certificate

server {
    listen 443 ssl http2;
    server_name *.example.com;   # subdomains only; add example.com here (and as a SAN) to cover the apex

    # A *.example.com certificate covers a single label (api.example.com, not a.b.example.com).
    # Let's Encrypt issues wildcards only through the DNS-01 challenge, not with the --nginx plugin.
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # ... rest of the configuration
}

Client certificate authentication

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # Client certificate verification. ca.crt is the CA (bundle) that issued the client
    # certificates, not the server's CA. With "on", a request without a valid client
    # certificate is rejected before it reaches the application.
    ssl_client_certificate /etc/nginx/ssl/ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    location / {
        # Pass client certificate details to the backend. $ssl_client_cert is deprecated (its
        # multi-line PEM breaks header parsing); use the URL-encoded variant instead.
        # The backend must accept these headers only from nginx: anyone who can reach the
        # backend port directly can set them.
        proxy_set_header X-SSL-Client-Cert $ssl_client_escaped_cert;
        proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_pass http://backend;
    }
}
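The headers nginx forwards are only as trustworthy as the path they arrived on. The following is an added example, not code from the ssl-helper skill: the backend side of the mTLS pattern above, in Python. It accepts the forwarded identity only when the request came from the proxy's address and nginx reported verification SUCCESS, then parses the RFC 2253 subject DN that $ssl_client_s_dn emits. It assumes, as this example's own choice, that nginx also forwards X-SSL-Client-Verify ($ssl_client_verify); TRUSTED_PROXIES, SAMPLE_HEADERS and the function names are hypothetical.

```python
"""Added example (not part of the ssl-helper skill): consume nginx's client-certificate
headers safely at the backend. TRUSTED_PROXIES and SAMPLE_HEADERS are constructed."""
import ipaddress
from typing import Dict, Iterable, Optional

# Where nginx runs (hypothetical network); a loopback proxy would be 127.0.0.1/32.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample: what nginx sends after a successful client-certificate handshake.
SAMPLE_HEADERS = {
    "X-SSL-Client-Verify": "SUCCESS",
    "X-SSL-Client-DN": "CN=alice,OU=ops,O=Example Corp,C=US",
}


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse the RFC 2253 form nginx emits ('CN=alice,OU=ops,O=Example Corp,C=US').
    A backslash escapes the next character, so 'CN=Smith\\, John' keeps its comma."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    out: Dict[str, str] = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip()
    return out


def client_identity(headers: Dict[str, str], remote_addr: str,
                    trusted: Iterable = TRUSTED_PROXIES) -> Optional[Dict[str, str]]:
    """Return the verified client's DN attributes, or None when the request is not trustworthy."""
    addr = ipaddress.ip_address(remote_addr)
    if not any(addr in net for net in trusted):
        return None                      # header may have been set by the client itself
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-ssl-client-verify") != "SUCCESS":
        return None                      # with ssl_verify_client optional nginx forwards FAILED:... or NONE
    dn = parse_dn(h.get("x-ssl-client-dn", ""))
    return dn if "CN" in dn else None


def authorize(headers: Dict[str, str], remote_addr: str, allowed_orgs: Iterable[str]) -> bool:
    """Authorisation on top of authentication: only certificates issued to an allowed O= pass."""
    ident = client_identity(headers, remote_addr)
    return ident is not None and ident.get("O") in set(allowed_orgs)


if __name__ == "__main__":
    print(client_identity(SAMPLE_HEADERS, "10.1.2.3"))     # arrived via nginx: identity returned
    print(client_identity(SAMPLE_HEADERS, "203.0.113.5"))  # sent straight to the backend: None
```

The address check is defence in depth, not a substitute for network policy: the backend port should be reachable only from the proxy in the first place, and when nginx sits behind another load balancer the remote address you see is that balancer's, so the trusted set has to be the real last hop.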

SSL termination for load balancing

upstream backend {
    server backend1.example.com:8080;
    server backend2.example.com:8080;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    location / {
        # TLS is terminated at nginx; the hop to the backend is plain HTTP, so it must run on a
        # trusted network (or be re-encrypted with proxy_pass https://).
        proxy_pass http://backend;

        # Tell the backend the original host, protocol and client address. The backend must trust
        # these headers only when the request comes from nginx.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

Certificate management

Let's Encrypt automatic renewal

# Test renewal without changing anything
certbot renew --dry-run

# Renewal runs automatically from a systemd timer (or a cron job, depending on the package)
systemctl status certbot.timer

# Manual renewal (only certificates within 30 days of expiry are renewed)
certbot renew

# Reload nginx after a successful renewal. The --nginx plugin already does this; for other
# setups, an executable script in /etc/letsencrypt/renewal-hooks/deploy/ runs after every renewal.
certbot renew --deploy-hook "nginx -s reload"

Certificate monitoring

# Check the expiry date of every Let's Encrypt certificate
for cert in /etc/letsencrypt/live/*/cert.pem; do
    echo "Certificate: $cert"
    openssl x509 -in "$cert" -noout -enddate
done

# Alert if a certificate is about to expire (save as a script and run it from cron)
#!/bin/bash
set -eu
CERT="/etc/letsencrypt/live/example.com/cert.pem"
EXPIRY=$(openssl x509 -in "$CERT" -noout -enddate | cut -d= -f2)
# date -d is GNU date; a portable alternative is: openssl x509 -in "$CERT" -noout -checkend $((30 * 86400))
DAYS_UNTIL_EXPIRY=$(( ($(date -d "$EXPIRY" +%s) - $(date +%s)) / 86400 ))

if [ "$DAYS_UNTIL_EXPIRY" -lt 30 ]; then
    echo "Certificate expires in $DAYS_UNTIL_EXPIRY days!"
    exit 1   # non-zero exit so cron mail or a monitoring wrapper notices
fi

Advanced

For details, see: