[HTTPS] Setting up an SSL certificate with Let's Encrypt

Official site: https://letsencrypt.org/getting-started/

Using certbot

certbot: https://certbot.eff.org/

You can follow the steps on the official site (I have never managed to get them to work...)
or you can follow my method below

git clone https://github.com/certbot/certbot.git
cd certbot
./certbot-auto

Then wait; once the automatic installation finishes, a blue dialog pops up, choose NO to exit it
If nginx is running, stop it first: pkill nginx
Then run the following command (for more detail, see the official documentation or ./certbot-auto --help all)

./certbot-auto certonly --standalone --agree-tos -v -t --email chen93104@163.com -d www.chenhuachao.com -d chenhuachao.com -d chchc.me -d www.chchc.me

When it succeeds, it tells you that the certificate has been placed in /etc/letsencrypt/live/www.chenhuachao.com/
At this point the certificate has been generated
Add two lines to the nginx configuration:

server {
    # "ssl on;" is deprecated (removed in nginx 1.25); enable TLS on the listen directive instead
    listen 443 ssl;
    # ...
    ssl_certificate /etc/letsencrypt/live/www.chenhuachao.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.chenhuachao.com/privkey.pem;
    # ...
}

Redirecting HTTP to HTTPS

Users generally do not type https when entering a URL, and a plain http request does not reach the HTTPS site. One solution is to redirect to https from the port-80 server:

server {
    listen       80;
    # unanchored regex: matches any Host header containing one of these strings
    server_name  ~chenhuachao|chenxchen|chchc;
    # send every plain-HTTP request to the same host over HTTPS with a 301
    # (same effect as "rewrite ^(.*)$ https://$host$1 permanent;")
    return 301 https://$host$request_uri;
    # avoid being embedded in an iframe (clickjacking)
    add_header X-Frame-Options "DENY";
    root   /usr/local/nginx/blog/chc-blog;
    index index.html index.htm;

    location ~ /\. {
        deny all;
    }
}

However, this redirect (the 302 step) travels over plain HTTP and can be intercepted and tampered with on the way (a man-in-the-middle attack), so HSTS needs to be configured as well. HSTS tells the browser to use HTTPS only, so if you have visited the site before, the browser already knows to use nothing but HTTPS. It must be configured in the HTTPS server block; this one line is enough:
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
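As an added example (not from the original post), a small Python check of the two behaviours above, run against constructed sample responses rather than a live server: the port-80 reply must redirect to https:// on the same host, keeping the path, and the HTTPS reply must carry an HSTS header whose max-age is at least one year (the preload list minimum). The host name is the one used in this post; the responses are made up for the check.

```python
from urllib.parse import urlsplit

# Constructed sample responses (not captured from a real server): the
# plain-HTTP redirect from the port-80 block and the HTTPS reply carrying HSTS.
HTTP_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: nginx\r\n"
    "Location: https://www.chenhuachao.com/blog/\r\n"
    "\r\n"
)
HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
)

def parse_response(raw):
    """Split a raw HTTP/1.1 response head into (status code, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def check_redirect(raw, host, path="/blog/"):
    """True only if HTTP answers with a redirect to https:// on the same host and path."""
    status, headers = parse_response(raw)
    if status not in (301, 302, 307, 308) or "location" not in headers:
        return False
    target = urlsplit(headers["location"])
    return target.scheme == "https" and target.hostname == host and target.path == path

def parse_hsts(value):
    """Parse an HSTS header value into its directives; max-age becomes an int (0 if malformed)."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = (int(val) if val.isdigit() else 0) if name.lower() == "max-age" else True
    return directives

def check_hsts(raw, min_age=31536000):
    """True if the HTTPS response carries HSTS with max-age >= min_age seconds (one year by default)."""
    _, headers = parse_response(raw)
    if "strict-transport-security" not in headers:
        return False
    return parse_hsts(headers["strict-transport-security"]).get("max-age", 0) >= min_age
```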

HTTPS security and performance optimization

Related topics:
OCSP
HSTS
SPDY (replaced by http2 after nginx 1.9.5)

Generating the DH parameters (ssl)

cd /usr/local/nginx/ssl/
openssl dhparam -out dhparam.pem 2048

Then add them to the configuration file

server {
    listen       443 ssl http2;
    server_name  ~chenhuachao|chenxchen|chchc;
    ssl_certificate /etc/letsencrypt/live/www.chenhuachao.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.chenhuachao.com/privkey.pem;
    # TLSv1 and TLSv1.1 are deprecated; on current nginx/OpenSSL prefer "TLSv1.2 TLSv1.3"
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # the cipher list must be one unbroken string with no whitespace between entries
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    # enable HSTS ("preload" commits the domain and all subdomains to HTTPS-only and is hard to undo)
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    # avoid being embedded in an iframe (clickjacking)
    add_header X-Frame-Options "DENY";
    # OCSP stapling: nginx fetches the OCSP response itself and verifies it against the issuer chain
    ssl_stapling on;
    #ssl_stapling_file ocsp.staple;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/www.chenhuachao.com/chain.pem;
    ssl_session_cache shared:SSL:10m;
    # resolver used to look up the OCSP responder
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout 10s;
    ssl_dhparam /usr/local/nginx/ssl/dhparam.pem;
}

Further reading:

https://bjornjohansen.no/lets-encrypt-for-nginx
https://bjornjohansen.no/optimizing-https-nginx
https://bjornjohansen.no/enable-http2-on-nginx
https://blog.kuoruan.com/71.html
https://httpsecurityreport.com/
https://cipherli.st/
https://johnmaguire.me/2015/12/configuring-nginx-lets-encrypt-automatic-renewal/
https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
http://www.tuicool.com/articles/3Ezayiy