NGINX configures SSL support

This article was last updated on February 7, 2024.

Preface

In the article Tencent Cloud: applying for a free SSL certificate, we applied for an SSL certificate. Now let's configure site-wide SSL! 💪💪💪

This time the work is mainly NGINX configuration, but there is also some configuration of the blog itself.

Configuration changes to the blog itself include (not covered in detail in this article):

  • All links in the pages are changed from http to https (in practice, set SITEURL and the generator produces them automatically) and the site is republished. In particular, any on-site CSS, JS and similar resources still loaded over plain HTTP will be blocked by browsers as mixed content, with an "insecure scripts" warning.
  • Third-party tools in use (such as uptime dial-testing) are updated to the site address that starts with https.

NGINX configuration

First, create the target directory and upload the prepared certificate files (the CRT and key files) to it:

$ sudo mkdir -p /etc/pki/nginx/
# upload the certificate and key to this directory via sftp

Then carry out the SSL configuration in nginx.conf. This time the change mainly involves the server blocks, as follows (see the notes after the block for what each directive does):

server {
    listen 80;
    server_name www.e-whisper.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name www.e-whisper.com;
    root /usr/share/nginx/html; # where the static blog is stored

    ssl_certificate "/etc/pki/nginx/1_www.e-whisper.com_bundle.crt"; # certificate path
    ssl_certificate_key "/etc/pki/nginx/2_www.e-whisper.com.key"; # certificate private key path
    ssl_session_cache shared:SSL:50m; # allocate 50m of shared space to cache SSL sessions
    ssl_session_timeout 1d; # SSL session timeout is 1 day
    ssl_session_tickets off; # SSL session ticket mechanism; some versions have bugs, enable as appropriate

    ssl_protocols TLSv1.2; # SSL protocol versions
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; # SSL cipher suites
    ssl_prefer_server_ciphers on; # prefer the server-side cipher order

    # HSTS 6 months
    add_header Strict-Transport-Security max-age=15768000;
    # Adds an HTTP header telling browsers to go straight to https. This feature carries risk; choose carefully.
    # (For example, if your certificate expires and you forgot to renew it, users cannot fall back to http.)

    ssl_stapling on; # enable OCSP stapling: the server fetches the OCSP result itself, speeding up the TLS handshake
    ssl_stapling_verify on; # verify the stapled OCSP response

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf; # my blog's location blocks are configured here

    #location / {
    #}

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50X.html;
    location = /50X.html {
    }
}

📓 Description:

Here is a brief introduction to some of the directives above; detailed articles will follow later.

  1. return 301 https://$host$request_uri; Permanently redirects every HTTP request to the corresponding https URL.
  2. /usr/share/nginx/html Where the static blog is stored.
  3. ssl_session_timeout 1d; The SSL session timeout is 1 day.
  4. ssl_session_tickets off; The SSL session ticket mechanism; some versions have bugs, so enable it as appropriate.
  5. ssl_prefer_server_ciphers on; Prefer the server-side cipher order.
  6. HSTS: adds an HTTP header that tells the browser to go straight to https. This feature is risky, choose carefully. (For example, if your certificate expires and you forgot to renew it, users cannot fall back to HTTP even if they want to.)
  7. ssl_stapling on; Enables OCSP stapling: the server queries the OCSP result itself, which makes the TLS handshake more efficient.
  8. /etc/nginx/default.d/*.conf; This is where my blog's location blocks are configured.
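To check that a server block actually carries the settings described above, here is a small policy checker. It is an added example, not code from the original post or from the nginx project. It parses the one-line directives of a server block (the post's own HTTPS block is embedded as a constructed sample, next to a constructed weaker variant) and reports legacy protocols, cipher suites without forward secrecy or built on broken primitives, an HSTS max-age below the six months used above, and OCSP stapling or session-ticket settings that differ from the block above. Flattening nested blocks and the exact thresholds are my assumptions.

```python
import re
import shlex

# Constructed sample input: the HTTPS server block from this post, minus the
# location blocks (the checker only models one-line directives).
SAMPLE_CONF = """
server {
    listen 443 ssl http2;
    server_name www.e-whisper.com;
    root /usr/share/nginx/html;
    ssl_certificate "/etc/pki/nginx/1_www.e-whisper.com_bundle.crt";
    ssl_certificate_key "/etc/pki/nginx/2_www.e-whisper.com.key";
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=15768000;   # HSTS 6 months
    ssl_stapling on;
    ssl_stapling_verify on;
}
"""

# Constructed weak counterpart: what an older copy-pasted config often looks like.
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AES128-SHA:RC4-SHA:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security max-age=300;
    ssl_stapling off;
}
"""

SIX_MONTHS = 15768000  # seconds; the HSTS max-age used in the post
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
BROKEN_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")


def parse_directives(text):
    """Collect one-line directives as {name: [[arg, ...], ...]}.

    Comments are stripped first; '{' and '}' lines are ignored, so nested
    blocks are flattened (assumption: adequate for a single server block).
    """
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.endswith(";"):
            continue
        tokens = shlex.split(line[:-1])  # honours the quotes around ssl_ciphers
        if tokens:
            found.setdefault(tokens[0], []).append(tokens[1:])
    return found


def hsts_max_age(directives):
    """Return max-age from an add_header Strict-Transport-Security line, or None."""
    for args in directives.get("add_header", []):
        if args and args[0].lower() == "strict-transport-security":
            match = re.search(r"max-age=(\d+)", " ".join(args[1:]), re.IGNORECASE)
            if match:
                return int(match.group(1))
    return None


def audit(text):
    """Return a list of findings; empty when the block matches the post's settings."""
    d = parse_directives(text)
    findings = []

    def first(name, default=None):
        vals = d.get(name)
        return vals[0] if vals else default

    for proto in first("ssl_protocols", []):
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"legacy protocol enabled: {proto}")

    for suite in first("ssl_ciphers", [""])[0].split(":"):
        if not suite or suite[0] in "!@+":  # skip OpenSSL list operators
            continue
        if any(mark in suite for mark in BROKEN_CIPHER_MARKERS):
            findings.append(f"broken cipher suite: {suite}")
        elif not suite.startswith(("ECDHE-", "DHE-")):
            findings.append(f"cipher suite without forward secrecy: {suite}")

    if first("ssl_prefer_server_ciphers", ["off"])[0] != "on":
        findings.append("ssl_prefer_server_ciphers is not on")

    age = hsts_max_age(d)
    if age is None:
        findings.append("no Strict-Transport-Security header")
    elif age < SIX_MONTHS:
        findings.append(f"HSTS max-age {age} is below six months ({SIX_MONTHS})")

    if first("ssl_stapling", ["off"])[0] != "on":
        findings.append("OCSP stapling is off")
    elif first("ssl_stapling_verify", ["off"])[0] != "on":
        findings.append("OCSP stapling enabled without ssl_stapling_verify")

    if first("ssl_session_tickets", ["on"])[0] != "off":  # nginx default is on
        findings.append("ssl_session_tickets not off (ticket key needs rotation)")

    return findings


if __name__ == "__main__":
    for label, conf in (("post config", SAMPLE_CONF), ("weak config", WEAK_CONF)):
        print(label, "->", audit(conf) or "no findings")
```

Run it as a script to see the post's block pass clean and the weak variant produce one finding per deviation; to audit a real file, read it into a string and pass it to audit().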

📓 Tips:

Mozilla, the foundation behind Firefox, has open-sourced a very useful tool: ssl-config-generator

With it you can generate the recommended SSL configuration with a single click.

[Image: ssl-config-generator]

One thing to note, as shown in the image above: the second column must be chosen carefully according to the browser or client versions your users have.

For example, if there are still users on Windows XP, IE6 or Java 6, you can only choose Old.

Next, nginx needs to be reloaded for the configuration to take effect.

$ sudo nginx -t  # test the configuration; reload only if it passes
$ sudo systemctl reload nginx.service

After reloading, testing showed that the CSS and JS did not take effect. 😱😱😱

Because nginx had only just been configured with caching, I did not think it through at the time and did not immediately realise that it might be a browser cache issue, so I simply stopped and started nginx again. As a result, my site's availability dropped from 100% to 99.81%.

[Image: site availability]

Later I finally realised that it might be a browser cache problem, cleared the cache and restarted, and the page finally displayed normally, with the icon changing from "not secure" to a small padlock.

Testing access to http://www.e-whisper.com also forces a redirect to https://www.e-whisper.com. Perfect!
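The three things worth confirming after the reload are the ones just tested by hand: the 301 to https keeps the request path, the HSTS header is present with the intended max-age, and the negotiated protocol is TLS 1.2 or newer. The script below is an added example, not code from the post. It uses only the Python standard library, embeds constructed sample responses so the checks can be exercised offline, and probe() performs the live requests against www.e-whisper.com (the host from the post) only when run as a script. It also reports the days left on the certificate, because with HSTS in place an expired certificate locks users out, as noted above.

```python
import http.client
import re
import ssl
import time

HOST = "www.e-whisper.com"   # the host from the post
PATH = "/posts/28976/"       # the post's own URL path

# Constructed sample responses in the shape http.client returns (status plus a
# list of (name, value) header tuples), so the checks can run offline.
SAMPLE_HTTP_STATUS = 301
SAMPLE_HTTP_HEADERS = [
    ("Server", "nginx"),
    ("Location", "https://www.e-whisper.com/posts/28976/"),
]
SAMPLE_HTTPS_HEADERS = [
    ("Server", "nginx"),
    ("Strict-Transport-Security", "max-age=15768000"),
]

SIX_MONTHS = 15768000  # seconds, matching the post's HSTS max-age


def header(headers, name):
    """Case-insensitive lookup in a list of (name, value) tuples."""
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return None


def check_redirect(status, headers, host, path):
    """True when plain HTTP got a 301 to the same host and path over https,
    i.e. `return 301 https://$host$request_uri;` preserved the request URI."""
    location = header(headers, "Location") or ""
    return status == 301 and location.lower() == f"https://{host}{path}".lower()


def check_hsts(headers, minimum=SIX_MONTHS):
    """True when Strict-Transport-Security is present with max-age >= minimum."""
    value = header(headers, "Strict-Transport-Security") or ""
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return bool(match) and int(match.group(1)) >= minimum


def check_tls_version(version):
    """Only TLS 1.2 and 1.3 are acceptable; the post enables TLSv1.2 only."""
    return version in ("TLSv1.2", "TLSv1.3")


def days_until_expiry(not_after, now=None):
    """Days left on a certificate, from getpeercert()['notAfter'] text.
    Worth watching precisely because HSTS removes the fallback to http
    once the certificate lapses."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expires - now) / 86400


def probe(host=HOST, path=PATH):
    """Live check against a real server (needs network); returns a result dict."""
    plain = http.client.HTTPConnection(host, 80, timeout=10)
    plain.request("HEAD", path)
    resp = plain.getresponse()
    redirect_ok = check_redirect(resp.status, resp.getheaders(), host, path)
    plain.close()

    ctx = ssl.create_default_context()  # verifies chain and hostname against system CAs
    secure = http.client.HTTPSConnection(host, 443, context=ctx, timeout=10)
    secure.request("HEAD", path)
    resp = secure.getresponse()
    result = {
        "redirect": redirect_ok,
        "hsts": check_hsts(resp.getheaders()),
        "tls": check_tls_version(secure.sock.version()),
        "cert_days_left": round(days_until_expiry(secure.sock.getpeercert()["notAfter"])),
    }
    secure.close()
    return result


if __name__ == "__main__":
    print(probe())
```

The pure functions carry the logic so they can be unit-tested without a server; probe() just feeds them real responses. A failing "redirect" usually means the port-80 block is missing or the Location drops the path; a failing "hsts" means the header is absent on the HTTPS response or the max-age is shorter than intended.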

My SSL rating

Let me introduce a good tool: SSL Labs. It can give your website an SSL security rating.

Click the link, enter the website address, and the result comes out: A+ Hahahahaha!!!

[Image: my site's SSL rating]

Finally, here is my full report.


https://e-whisper.com/posts/28976/
Author: east4ming
Posted on: June 19, 2019