Configuring SSL support in NGINX

Foreword

In the article Tencent Cloud: Applying for a Free SSL Certificate, we already applied for the SSL certificate. Now we are going to configure SSL for the whole site! :muscle::muscle::muscle:

This work is mainly NGINX configuration, plus some configuration of the blog itself.

The configuration changes to the blog itself include (I won't go into details in this article):

  • Change all links in the pages from http to https (in fact the tool generates them automatically once SITEURL is configured) and republish. (Pay special attention to any css, js, etc. in the site that still load over http: browsers of all kinds will block them as mixed content and show an "unsafe script" warning, which is embarrassing.)
  • For third-party tools the website uses (such as uptime/dial testing), change the website address so it starts with https.

NGINX configuration

First, create the target directory and upload the prepared certificate files (the crt and key files) to it:

$ sudo mkdir -p /etc/pki/nginx/
# upload the files to this directory via sftp

Then do the SSL configuration in nginx.conf. This time it mainly involves changes to the server blocks, as follows (see the comments for what each directive does):

    server {
        listen       80;
        server_name  www.ewhisper.cn;
        return 301 https://$host$request_uri;
    }
    server {
        listen       443 ssl http2;
        server_name  www.ewhisper.cn;
        root         /usr/share/nginx/html;  # where the static blog is stored

        ssl_certificate "/etc/pki/nginx/1_www.ewhisper.cn_bundle.crt";  # certificate (bundle) path
        ssl_certificate_key "/etc/pki/nginx/2_www.ewhisper.cn.key";  # private key path
        ssl_session_cache shared:SSL:50m;  # allocate a 50m shared cache for SSL sessions
        ssl_session_timeout  1d;  # SSL sessions expire after 1 day
        ssl_session_tickets off;  # SSL session ticket mechanism; some versions have bugs, enable as appropriate

        ssl_protocols TLSv1.2;  # allowed SSL/TLS protocol versions
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';  # ssl cipher suites
        ssl_prefer_server_ciphers on;  # prefer the server's cipher order over the client's

        # HSTS 6 months
        add_header Strict-Transport-Security max-age=15768000;
        # Adds an HTTP header telling browsers to go straight to https. This is risky, choose carefully.
        # (If your certificate expires and you forget to renew it, users have no way to fall back to http.)
        # Note: an add_header inside a location block replaces all add_header directives inherited from here.

        ssl_stapling on;  # enable OCSP stapling: the server fetches the OCSP response itself, improving TLS handshake efficiency
        ssl_stapling_verify on;  # verify the stapled OCSP response

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;  # my blog's location blocks are configured here

        #location / {
        #}

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

:notebook: Description:

I will briefly introduce some of the directives above; there will be articles introducing them in detail later.

  1. return 301 https://$host$request_uri; permanently redirects every HTTP request to the corresponding https URL.
  2. /usr/share/nginx/html is where the static blog is stored.
  3. ssl_session_timeout 1d; sets the SSL session timeout to 1 day.
  4. ssl_session_tickets off; disables the SSL session ticket mechanism; some versions have bugs, so enable it depending on the situation.
  5. ssl_prefer_server_ciphers on; prefers the server-side cipher order.
  6. HSTS: adds an HTTP header telling the browser to go directly to https. :exclamation: This function is risky, choose carefully. (For example, if your certificate expires and you forget to renew it, users have no way to fall back to HTTP.)
  7. ssl_stapling on; enables OCSP stapling: the server actively queries the OCSP result, improving the efficiency of the TLS handshake.
  8. /etc/nginx/default.d/*.conf; is where my blog's location configuration lives.
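As an added example (not code from the original post), a small Python lint that reads the directives of the 443 server block from a constructed, abbreviated copy of the configuration above and reports the points discussed in this list: legacy protocol versions in ssl_protocols, non-AEAD (CBC) suites in ssl_ciphers, the HSTS max-age, and OCSP stapling. It also flags an HSTS add_header without nginx's always parameter, since without it the header is not sent on error responses; the directive names are nginx's own, the sample string is constructed.

```python
import re

# Constructed sample: the TLS-relevant directives of the post's 443 server
# block, embedded as a string so the check runs without a live server.
SAMPLE_CONF = """
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256';
    add_header Strict-Transport-Security max-age=15768000;
    ssl_stapling on;
    ssl_stapling_verify on;
}
"""

AEAD_MARKERS = ("GCM", "CHACHA20-POLY1305", "CCM")  # name fragments that mark AEAD suites
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
SIX_MONTHS = 15768000  # the HSTS max-age used in the post

def directives(conf):
    """Map directive name -> list of argument strings for simple 'name args;' lines.
    Nested blocks are not modelled; the post's flat server block needs no more."""
    found = {}
    for m in re.finditer(r"^\s*([a-z_]+)\s+([^;{}]*);", conf, re.M):
        found.setdefault(m.group(1), []).append(m.group(2).strip())
    return found

def audit(conf):
    """Return human-readable findings; an empty list means every check passed."""
    d, findings = directives(conf), []
    legacy = set(" ".join(d.get("ssl_protocols", [])).split()) & LEGACY_PROTOCOLS
    if legacy:
        findings.append(f"ssl_protocols enables legacy versions: {sorted(legacy)}")
    for suites in d.get("ssl_ciphers", []):
        cbc = [s for s in suites.strip("'\"").split(":") if not any(t in s for t in AEAD_MARKERS)]
        if cbc:  # SSL Labs lists CBC (non-AEAD) suites as weak even on an A+ site
            findings.append(f"non-AEAD cipher suites offered: {cbc}")
    hsts = [a for a in d.get("add_header", []) if a.startswith("Strict-Transport-Security")]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        age = re.search(r"max-age=(\d+)", hsts[-1])
        if not age or int(age.group(1)) < SIX_MONTHS:
            findings.append("HSTS max-age missing or below six months")
        if "always" not in hsts[-1].split():  # nginx then omits the header on 4xx/5xx responses
            findings.append("HSTS add_header lacks 'always'")
    if d.get("ssl_stapling", ["off"])[-1] != "on" or d.get("ssl_stapling_verify", ["off"])[-1] != "on":
        findings.append("OCSP stapling or its verification is off")
    return findings
```

Running audit(SAMPLE_CONF) on the post's settings reports only the CBC suites and the missing always parameter; dropping the CBC suites and appending always to the add_header line yields an empty list.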

:notebook: Tips:

Mozilla, the foundation behind the Firefox browser, has open sourced a very useful tool: ssl-config-generator.

With it, a few clicks automatically generate a recommended SSL configuration.

ssl-config-generator

One thing to mention: as shown in the figure above, the second column must be chosen carefully according to the browser or client versions your users actually run.

For example, if users are still on Windows XP, IE6 or Java 6, only the Old profile can be selected.

Next, reload nginx for the configuration to take effect.

$ sudo nginx -t  # test the configuration; reload only if it passes
$ sudo systemctl reload nginx.service

After the reload, testing showed that neither css nor js took effect. :scream::scream::scream:

This was because I had just configured caching in nginx before. At that time it didn't occur to me that it might be a browser caching problem; I just stopped nginx and started it again. As a result, my website's availability fell from 100% to 99.81%.

website availability

Later I finally realized that it might be a browser cache problem. After clearing the cache and reloading, the page finally displayed normally, and the icon changed from "unsafe" to a small lock.

Test visiting http://www.ewhisper.cn; it is also forced to https://www.ewhisper.cn. Perfect!

My SSL rating

Let me introduce another good thing: SSL Labs. It performs an SSL security rating of your website.

Click the link, enter the website address, have a cup of tea, and here comes the result: A+ hahahahaha!!!!

My Website SSL Rating

My full report is attached at the end.

Among any three people walking together, one can be my teacher; share knowledge, the world belongs to all. This article is written by the Dongfeng Weiming technical blog EWhisper.cn.


Source: blog.csdn.net/east4ming/article/details/129613072