Nginx HTTPS Configuration in Practice: From Certificate to an SSL Labs A+ Rating

1. Basic HTTPS configuration

1.1 Install Certbot

    # Ubuntu/Debian
    sudo apt update
    sudo apt install certbot python3-certbot-nginx

1.2 Obtain a certificate

    sudo certbot --nginx -d example.com -d www.example.com

1.3 Basic HTTPS server block
    server {
        listen 443 ssl;
        http2 on;                    # standalone directive; requires nginx 1.25.1 or later
        server_name example.com;
        ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        root  /var/www/html;
        index index.html;
    }

2. TLS hardening
2.1 TLS versions

    ssl_protocols TLSv1.2 TLSv1.3;

2.2 Cipher suites

    # With OpenSSL, the TLS 1.3 suites named here are not chosen through ssl_ciphers
    # (they come from OpenSSL's own TLS 1.3 list); this string only governs TLS 1.2,
    # and its single TLS 1.2 suite is ECDSA-only, so it presumes an ECDSA certificate.
    ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;

2.3 HSTS

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
3. Performance optimization

3.1 SSL session cache

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

3.2 OCSP stapling

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
4. Automatic certificate renewal

    # Test the renewal without touching the live certificate
    sudo certbot renew --dry-run

    # crontab entry: renew daily at 03:00 and reload nginx only if a certificate was renewed
    0 3 * * * /usr/bin/certbot renew --quiet --post-hook "systemctl reload nginx"
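A post-deployment check for the configuration built up in sections 1 to 4, written as an added example rather than code from the original post: it assumes openssl and curl are installed and takes the hostname as its argument (example.com stands in for the real host). The pure helpers parse captured openssl/curl output, so they can also be run against saved transcripts.

```sh
#!/usr/bin/env sh
# Checks a deployed nginx against the settings above: TLS 1.0/1.1 refused,
# TLS 1.2/1.3 accepted, OCSP response stapled, leaf certificate valid for more
# than 30 days, HSTS max-age of at least one year with includeSubDomains.
# Added example, not from the original post. Requires openssl and curl.

# ---- pure helpers: work on captured text, so they can be exercised offline ----
# $1 = Strict-Transport-Security header value.
hsts_ok() {
  max_age=$(printf '%s' "$1" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  [ -n "$max_age" ] && [ "$max_age" -ge 31536000 ] &&
    printf '%s' "$1" | grep -qi 'includeSubDomains'
}

# $1 = openssl s_client transcript. True only if a cipher was negotiated.
handshake_ok() {
  printf '%s\n' "$1" | grep -q 'Cipher is' &&
    ! printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'
}

# $1 = openssl s_client -status transcript. True if an OCSP response was stapled.
stapled() {
  printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'
}

# ---- network probes ----
# $1 = host, $2 = protocol flag for openssl (e.g. -tls1_2). Prints the transcript.
probe() {
  printf '' | openssl s_client -connect "$1:443" -servername "$1" "$2" -status 2>/dev/null
}

run_checks() {
  host=$1
  for p in -tls1 -tls1_1; do
    if handshake_ok "$(probe "$host" $p)"; then echo "FAIL: $p accepted"; else echo "ok: $p refused"; fi
  done
  for p in -tls1_2 -tls1_3; do
    out=$(probe "$host" $p)
    if handshake_ok "$out"; then echo "ok: $p accepted"; else echo "FAIL: $p refused"; fi
  done
  if stapled "$out"; then echo "ok: OCSP response stapled"; else echo "WARN: no OCSP staple"; fi
  # x509 -checkend exits non-zero when the certificate expires within the given seconds.
  if printf '%s\n' "$out" | openssl x509 -noout -checkend 2592000 >/dev/null 2>&1; then
    echo "ok: certificate valid for more than 30 days"; else echo "FAIL: certificate expires within 30 days"; fi
  hsts=$(curl -sI "https://$host/" | tr -d '\r' | sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity: *//p')
  if hsts_ok "$hsts"; then echo "ok: HSTS '$hsts'"; else echo "FAIL: HSTS missing or weak: '$hsts'"; fi
}

# Runs only when a host is given: sh tls-check.sh example.com
if [ $# -gt 0 ]; then run_checks "$1"; fi
```

Any FAIL line means the corresponding directive is not in effect on the server that actually answers on port 443, which is the same thing SSL Labs will report.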
5. Summary

This article has given a complete guide to configuring HTTPS in Nginx: obtaining a certificate, hardening TLS, optimizing performance, and automating renewal.