HTTPS配置

配置HTTPS可以保护网站数据传输安全，提高用户信任度。

基本配置

简单HTTPS配置

nginx

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    root /var/www/html;
    index index.html;
}

HTTP跳转HTTPS

nginx

server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    root /var/www/html;
    index index.html;
}

SSL协议和加密套件

SSL协议配置

nginx

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    root /var/www/html;
}

完整HTTPS配置

生产环境配置

nginx

server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    # SSL协议和加密套件
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;

    # SSL会话缓存
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # 安全头
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;

    root /var/www/html;
    index index.html;

    access_log /var/log/nginx/https.access.log;
    error_log /var/log/nginx/https.error.log;
}

多域名HTTPS

多证书配置

nginx

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    root /var/www/example.com;
}

server {
    listen 443 ssl;
    server_name test.com;

    ssl_certificate /etc/nginx/ssl/test.com.crt;
    ssl_certificate_key /etc/nginx/ssl/test.com.key;

    root /var/www/test.com;
}

SNI配置

nginx

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    root /var/www/example.com;
}

server {
    listen 443 ssl;
    server_name test.com;

    ssl_certificate /etc/nginx/ssl/test.com.crt;
    ssl_certificate_key /etc/nginx/ssl/test.com.key;

    root /var/www/test.com;
}

SSL优化

SSL会话缓存

nginx

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;

OCSP Stapling

nginx

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

HTTP/2

nginx

listen 443 ssl http2;

安全头

HSTS

nginx

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

X-Frame-Options

nginx

add_header X-Frame-Options "SAMEORIGIN" always;

X-Content-Type-Options

nginx

add_header X-Content-Type-Options "nosniff" always;

X-XSS-Protection

nginx

add_header X-XSS-Protection "1; mode=block" always;

测试HTTPS

SSL测试

bash

openssl s_client -connect example.com:443 -tls1_2

检查证书

bash

curl -I https://example.com

SSL评分

访问 https://www.ssllabs.com/ssltest/ 进行SSL评分

常见问题

混合内容错误

原因： HTTPS页面包含HTTP资源

解决： 将所有资源改为HTTPS

证书错误

原因： 证书配置错误

解决： 检查证书路径和权限

bash

ls -l /etc/nginx/ssl/

SSL握手失败

原因： SSL协议或加密套件不兼容

解决： 更新SSL配置

nginx

ssl_protocols TLSv1.2 TLSv1.3;

总结

HTTPS配置的关键点：

基本配置：ssl_certificate和ssl_certificate_key
协议和加密套件：使用TLSv1.2/TLSv1.3
SSL优化：会话缓存、OCSP Stapling
安全头：HSTS、X-Frame-Options等
HTTP/2：启用HTTP/2提高性能

合理配置HTTPS，保护网站数据传输安全。

HTTPS配置 ​

基本配置 ​

简单HTTPS配置 ​

HTTP跳转HTTPS ​

SSL协议和加密套件 ​

SSL协议配置 ​

推荐配置 ​

完整HTTPS配置 ​

生产环境配置 ​

多域名HTTPS ​

多证书配置 ​

SNI配置 ​

SSL优化 ​

SSL会话缓存 ​

OCSP Stapling ​

HTTP/2 ​

安全头 ​

HSTS ​

X-Frame-Options ​

X-Content-Type-Options ​

X-XSS-Protection ​

测试HTTPS ​

SSL测试 ​

检查证书 ​

SSL评分 ​

常见问题 ​

混合内容错误 ​

证书错误 ​

SSL握手失败 ​

总结 ​

HTTPS配置

基本配置

简单HTTPS配置

HTTP跳转HTTPS

SSL协议和加密套件

SSL协议配置

推荐配置

完整HTTPS配置

生产环境配置

多域名HTTPS

多证书配置

SNI配置

SSL优化

SSL会话缓存

OCSP Stapling

HTTP/2

安全头

HSTS

X-Frame-Options

X-Content-Type-Options

X-XSS-Protection

测试HTTPS

SSL测试

检查证书

SSL评分

常见问题

混合内容错误

证书错误

SSL握手失败

总结