SSL on 码途手记https://tunango.top/tags/ssl/Recent content in SSL on 码途手记Hugozh-cnSat, 05 Jul 2025 00:00:00 +0000Nginx 配置 HTTPS 完整指南https://tunango.top/posts/nginx-%E9%85%8D%E7%BD%AE-https-%E5%AE%8C%E6%95%B4%E6%8C%87%E5%8D%97/Sat, 05 Jul 2025 00:00:00 +0000https://tunango.top/posts/nginx-%E9%85%8D%E7%BD%AE-https-%E5%AE%8C%E6%95%B4%E6%8C%87%E5%8D%97/<h2 id="为什么必须用-https">为什么必须用 HTTPS</h2> <p>现在几乎所有网站都应该启用 HTTPS。不仅是安全考虑,还因为:</p> <ul> <li>Chrome 等浏览器会将 HTTP 站点标记为「不安全」</li> <li>HTTP/2 和 HTTP/3 都需要 TLS</li> <li>某些浏览器 API(如地理位置、Service Worker)要求 HTTPS</li> </ul> <h2 id="申请免费证书">申请免费证书</h2> <h3 id="使用-lets-encrypt推荐">使用 Let&rsquo;s Encrypt(推荐)</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 安装 certbot</span> </span></span><span style="display:flex;"><span>apt install certbot python3-certbot-nginx -y </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 自动配置 Nginx(推荐新手)</span> </span></span><span style="display:flex;"><span>certbot --nginx -d yourdomain.com </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 或者只获取证书,手动配置</span> </span></span><span style="display:flex;"><span>certbot certonly --nginx -d yourdomain.com </span></span></code></pre></div><p>证书文件会存放在 <code>/etc/letsencrypt/live/yourdomain.com/</code> 目录下。</p> <h3 id="手动申请">手动申请</h3> <p>如果服务器不能直接访问 80 端口,可以用 DNS 验证:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>certbot certonly --manual --preferred-challenges dns -d yourdomain.com </span></span></code></pre></div><p>按照提示在 DNS 中添加 TXT 记录即可。</p> <h2 id="nginx-配置">Nginx 配置</h2> <h3 id="基础-https-配置">基础 HTTPS 配置</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#66d9ef">server</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">listen</span> <span style="color:#ae81ff">443</span> <span style="color:#e6db74">ssl</span> <span style="color:#e6db74">http2</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">server_name</span> <span style="color:#e6db74">yourdomain.com</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">ssl_certificate</span> <span style="color:#e6db74">/etc/letsencrypt/live/yourdomain.com/fullchain.pem</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">ssl_certificate_key</span> <span style="color:#e6db74">/etc/letsencrypt/live/yourdomain.com/privkey.pem</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e"># SSL 优化配置 </span></span></span><span style="display:flex;"><span> <span style="color:#f92672">ssl_protocols</span> <span style="color:#e6db74">TLSv1.2</span> <span style="color:#e6db74">TLSv1.3</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">ssl_ciphers</span> <span style="color:#e6db74">ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">ssl_prefer_server_ciphers</span> <span style="color:#66d9ef">off</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">ssl_session_cache</span> <span style="color:#e6db74">shared:SSL:10m</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">ssl_session_timeout</span> <span style="color:#e6db74">1d</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">root</span> <span style="color:#e6db74">/var/www/yourdomain.com</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">index</span> <span style="color:#e6db74">index.html</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">location</span> <span style="color:#e6db74">/</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">try_files</span> $uri $uri/ =<span style="color:#ae81ff">404</span>; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h3 id="http-自动跳转">HTTP 自动跳转</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#66d9ef">server</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">listen</span> <span style="color:#ae81ff">80</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">server_name</span> <span style="color:#e6db74">yourdomain.com</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">return</span> <span style="color:#ae81ff">301</span> <span style="color:#e6db74">https://</span>$server_name$request_uri; </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h3 id="反向代理--https">反向代理 + HTTPS</h3> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-nginx" data-lang="nginx"><span style="display:flex;"><span><span style="color:#66d9ef">server</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">listen</span> <span style="color:#ae81ff">443</span> <span style="color:#e6db74">ssl</span> <span style="color:#e6db74">http2</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">server_name</span> <span style="color:#e6db74">yourdomain.com</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">ssl_certificate</span> <span style="color:#e6db74">/path/to/fullchain.pem</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">ssl_certificate_key</span> <span style="color:#e6db74">/path/to/privkey.pem</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">location</span> <span style="color:#e6db74">/</span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_pass</span> <span style="color:#e6db74">http://127.0.0.1:8080</span>; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">Host</span> $host; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">X-Real-IP</span> $remote_addr; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">X-Forwarded-For</span> $proxy_add_x_forwarded_for; </span></span><span style="display:flex;"><span> <span style="color:#f92672">proxy_set_header</span> <span style="color:#e6db74">X-Forwarded-Proto</span> $scheme; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h2 id="自动续期">自动续期</h2> <p>Let&rsquo;s Encrypt 证书有效期为 90 天,需要定期续期:</p>