使用 https, 并将 WWW 跳转到 NON-WWW

0x01: 背景

博客经常不更新,服务器还时不时挂掉一次,导致 PageRank 基本是负的了,不过技术上要跟的上更新啊! 微信小程序接口必须是 https, 这次就当是练手了。

0x02: 整体思路流程

  1. 确保自己的域名解析全部是 A 记录

  2. 使用 Let's Encrypt 证书, Certbot 安装证书

  3. 使用 Crontab 自动 Renew 证书

  4. 配置 Nginx ,SSL Server

  5. 将 HTTP 跳转到 HTTPS , 将 WWW 跳转到 NON-WWW

  6. 用检测工具检测一下自己 HTTPS 的评级

0x03: 检查自己的域名解析是否是A记录

刚开始使用 Certbot 安装证书的时候,老是报错,经过搜索发现,原来自己的域名有 CNAME 解析的。 所以在安装证书钱,请确保自己的域名都是A记录解析

0x04: 使用免费的 Let's Encrypt 证书

关于免费的证书,这里有其他选项可供选择:

  • 阿里云免费的 : Symantec 证书

  • Let's Encrypt :免费证书

  • 一站式解决方案: cloudflare

根据 Lets' Encrypt 官网说明,我们使用推荐的 Certbot 安装我们的证书。 当然你也可以选择 acme-tiny 来安装证书。
我的服务器环境是 CentOS 7Nginx/1.10.1, 这里强烈推荐大家将Nginx 升级到最新的版本,新版本在SSL配置上比较省事。

//安装Certbot
sudo yum install certbot

//安装命令很简单, -w 后面跟网站根目录, -d 就是你要添加证书的域名,如果有多个域名,多个-d就可以了
certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com

如果顺利,他会提示出安装成功,证书会保存在 /etc/letsencrypt/live/example.com/ 里面。

0x05: 使用 Crontab 定时Renew 证书

因为是免费证书, 所以有一个有效期是90天,到期之后需要 Renew 一下。 官方推荐是每天检查用任务 Renew 两次,因为如果证书没过期,他就只是检测一下,并不会做其他操作。这里我们设置的定时任务是每天检查一次。

$ crontab -e

10 6 * * * certbot renew --quiet

//列出任务看看是否添加成功
$ crontab -l

0x06: 配置NGINX, SSL Server

节约生命,请使用神器: Mozilla出品的 SSL配置生成器
使用生成器需要填写 nginxopenssl 版本, 用下面命令进行查看

//查看nginx版本
nginx -v
//查看openssl 版本
yum info openssl
//如果需要更新openssl
yum update openssl

下面就是我生成的配置(nginx: 1.10.1, openssl: 1.0.1e)

server {
    server_name example.com  wwww.example.com;
    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/letsencrypt/live/example.com/dhparam.pem;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    #resolver ;

    server_name example.com;
    index index.html;
    root  /home/wwwroot/example.com;

    location ~ .*\.(ico|gif|jpg|jpeg|png|bmp|swf)$
    {
        access_log   off;
        expires      1d;
    }

    location ~ .*\.(js|css|txt|xml)?$
    {
        access_log   off;
        expires      12h;
    }

    location / {
        try_files $uri $uri/ =404;
    }

    access_log  /home/wwwlogs/example.com.log  access;
}

上面配置的第一个 Server 将所有的 http 请求跳转到 https 请求上。 其中 ssl_dhparam 这个参数的 .pem 用下面命令生成:

openssl dhparam -out /etc/letsencrypt/live/example.com/dhparam.pem 2048

现在加上https看一下效果吧!

0x07: 将WWW跳转到NON-WWW

为了SEO,网站使用 WWW 前缀,或者全部不使用 WWW,要实现的效果就是将下面三种情况,
统统跳转到 https://example.com

http://example.com
http://www.example.com
https://www.example.com

0x06中的配置,第一个 server 已经将处理好钱两种情况, 现在来处理第三种情况。
这个配置主要需要注意的是,这里也要加上所有的 ssl 配置参数。

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/letsencrypt/live/example.com/dhparam.pem;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;


    server_name www.example.com;
    return 301 https://example.com$request_uri;
}

0x08: 工具

  • ssllabs 测试评级

  • securityheaders 测试评级

  • Mozilla出品的 SSL配置生成器

你可能感兴趣的:(letsencrypt,nginx,https)