博客引流
环境:
Ubuntu18.04.1 LTS - aliYun nginx/1.15.3 openssl 1.1.1
目前已经资瓷Https,Http2.0,TLS1.3,HSTS,控制一定时间内请求数等功能
HTTPS本质上是一个公钥和私钥的配对过程,其通过SSL/TLS协议实现,通常只对服务器端进行效验
HTTPS配置就是配置证书
配置HTTPS主要是从使用Service Work角度出发的,Service Work必须配置HTTPS才能work
Https的配置主要难点就是SSL证书的生成+多域名证书的生成
OpenSSL提供的是自签名证书, 自签名访问时会出现不安全字样
## 生成私钥 openssl genrsa -out server.key 2048 ## 修改openssl.cnf文件 cp /etc/ssl/openssl.cnf ./ 1. 取消[ req ] 模块下注释:req_extensions = v3_req 2. 确保[ req_distinguished_name ]下没有 0.xxx 的标签,有的话把0.xxx的0. 去掉 3. 在 [ v3_req ] 块下增加一行 subjectAltName = @SubjectAlternativeName 4. 在文件末尾增加所有域名信息: [SubjectAlternativeName] DNS.1 = *.wyydsb.xin DNS.2 = *.wyydsb.cn DNS.3 = *.wyydsb.com ## 配置证书文件 openssl req -new -key server.key -out server.csr -config ./openssl.cnf ## openssl req -new -newkey rsa:2048 -sha256 -nodes -out wyydsb.csr -keyout wyydsb.key -subj "/C=CN/ST=ZheJiang/L=HangZhou/O=wyydsb/OU=wyydsb/CN=wyydsb.xin" Country Name (2 letter code) [AU]:CN State or Province Name (full name) [Some-State]:ZheJiang Locality Name (eg, city) []:HangZhou Organization Name (eg, company) [Internet Widgits Pty Ltd]:wyydsb Organizational Unit Name (eg, section) []:wyydsb Common Name (e.g. server FQDN or YOUR name) []:wyydsb.xin # your server site Email Address []:yue.li3@21vianet.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:wyydsb ## 生成自签名证书.crt openssl req -new -x509 -days 3650 -keyout server.key -out server.crt -config openssl.cnf ## 拷贝.crt, .key地址于nginx.conf内Certbot提供的是权威签名证书
sudo apt-get update sudo apt-get install software-properties-common sudo add-apt-repository ppa:certbot/certbot sudo apt-get update sudo apt-get install python-certbot-nginx # 多域名证书生成 certbot certonly --standalone --email your@email.com -d yourdomain.com -d yourdomain2.com -d www.yourdomain.com -d xxx # 记录命令执行后显示的key address vim /usr/local/nginx/conf/nginx.conf # 修改为 server{ listen 443 ssl; ssl_certificate /etc/letsencrypt/live/{yourdomain}.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/{yourdomain}.com/privkey.pem; ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; } # reload nginx另外参考凹凸实验室的博客对HTTPS还进行了优化
另外Mozilla专门做了一个ssl配置生成器
# 生成dhparam.pem文件 cd /etc/ssl/certs openssl dhparam -out dhparam.pem 2048 vim /usr/local/nginx/conf/nginx.conf # 修改为 server{ listen 443 ssl http2; ... #优先采取服务器算法 ssl_prefer_server_ciphers on; #使用DH文件 ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #定义算法 ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"; #减少点击劫持 add_header X-Frame-Options DENY; #禁止服务器自动解析资源类型 add_header X-Content-Type-Options nosniff; #防XSS攻击 add_header X-Xss-Protection 1; }HSTS = HTTP Strict Transport Security,即强制使用HTTPS进行连接
试图解决HTTP请求被劫持的情况,虽然其真实效果有待商榷
当客户端通过HTTP发出请求时,rewrite至443当客户端通过HTTPS发出请求时,服务器会发送一个带有Strict-Transport-Security的Response Header头,浏览器在获取该响应头后,在max-age的时间内,如果遇到HTTP连接,就会通过 307跳转強制使用 HTTPS 进行连接,并忽略其它的跳转设置 vim /usr/local/nginx/conf/nginx.conf # 修改为 ## 80端口拦截重定向 server { listen 80; server_name wyydsb.xin www.wyydsb.xin; rewrite ^(.*)$ https://${server_name}$1 permanent; } ## https header头增加Strict-Transport-Security server{ listen 443 ssl http2; ... add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;preload" always; }由于 HSTS 需要用戶经过一次安全的 HTTPS 连接后才会在max-age的时间內生效,因此 HSTS 策略并不能完美防止 HTTP 会话劫持,在下面这些情況下还是存在被劫持的可能:
从未访问过的网站近期重裝过操作系統期重裝过浏览器用新的浏览器用了新的设备(如手机)除了浏览器缓存期沒有打开过网站且max-age过期对这种情況,Google 维护了一份『HSTS 预加载列表』,列表里包含了使用了HSTS的站点主域名和子域名,可以通过该链接申请加入
HTTP2是万维网目前最新的网络传输协议,相对于HTTP/1.1优化了传输效率
HTTP2的配置比较简单,主要是Nginx升至1.9.3以上,OpenSSL升至1.0.2以上
HTTP2虽然不强制使用HTTPS,但普遍都建立在TLS之上,所以还是需要HTTPS的配置的
vim /usr/local/nginx/conf/nginx.conf # 修改为 server{ listen 443 ssl http2; }TLS1.3在2018年8月的RFC 8446会议中正式定稿,其相较于TLS1.2有很大改动
将密钥协议和身份验证算法与密码套件分开删除对弱和较少使用的命名椭圆曲线的支持删除对MD5和SHA-224 加密哈希函数的支持即使使用先前的配置,也需要数字签名整合HKDF和半短暂的DH提案用PSK和门票取代恢复支持1-RTT握手和对0-RTT的初始支持通过在(EC)DH密钥协议期间使用短暂密钥来强制完美的前向保密删除对许多不安全或过时功能的支持,包括压缩,重新协商,非AEAD密码,非PFS密钥交换(其中包括静态RSA和静态DH密钥交换),自定义DHE组,EC点格式协商,更改密码规范协议,Hello消息UNIX时间,以及输入到AEAD密码的长度字段AD禁止SSL或RC4协商以实现向后兼容性集成使用会话哈希弃用记录层版本号并冻结该数字以提高向后兼容性将一些与安全相关的算法详细信息从附录移至规范,并将ClientKeyShare降级为附录使用Poly1305消息验证代码添加ChaCha20流密码添加Ed25519和Ed448数字签名算法添加x25519和x448密钥交换协议 安装Nginx时 ./configure --with-openssl-opt=enable-tls1_3openSSL 升至1.1.1ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256;浏览器打开TLS1.3支持chrome://flags/利用高版本curl,验证TLS1.3配置成功
$ curl -vvv https://wyydsb.xin * Rebuilt URL to: https://wyydsb.xin/ * Trying 47.75.137.198... * TCP_NODELAY set * Connected to wyydsb.xin (47.75.137.198) port 443 (#0) * ALPN, offering http/2 * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.3 (OUT), TLS change cipher, Client hello (1): * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.3 (IN), TLS handshake, [no content] (0): * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8): * TLSv1.3 (IN), TLS handshake, [no content] (0): * TLSv1.3 (IN), TLS handshake, Certificate (11): * TLSv1.3 (IN), TLS handshake, [no content] (0): * TLSv1.3 (IN), TLS handshake, CERT verify (15): * TLSv1.3 (IN), TLS handshake, [no content] (0): * TLSv1.3 (IN), TLS handshake, Finished (20): * TLSv1.3 (OUT), TLS handshake, [no content] (0): * TLSv1.3 (OUT), TLS handshake, Finished (20): * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384爬虫对网站浏览量的统计有较大的影响
为保护网站安全,对爬虫及访问次数进行了限制
http{ proxy_cache_path /usr/local/nginx/proxy_cache levels=1:2 keys_zone=content:20m inactive=1d max_size=100m; server{ if ($http_user_agent ~* (Scrapy|Curl|HttpClient)) { return 403; } if ($http_user_agent ~* "ython|Hakai|Gemini|Shinka|LMAO|Ronin|Go-http-client|WinHttp|WebZIP|Postman|FetchURL|node-superagent|java/|FeedDemon|Jullo|JikeSpider|Indy Library|Alexa Toolbar|AskTbFXTV|AhrefsBot|CrawlDaddy|Java|Feedly|Apache-HttpAsyncClient|UniversalFeedParser|ApacheBench|Microsoft URL Control|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|lightDeckReports Bot|YYSpider|DigExt|HttpClient|MJ12bot|heritrix|EasouSpider|Ezooms|BOT/0.1|YandexBot|FlightDeckReports|Linguee Bot|^$" ) { return 403; } if ($request_method !~ "GET|^$") { return 403; } if ($request_uri ~* "login|php|wp|^$") { return 403; } if ($request_uri !~ "\/(service-worker\/[a-zA-Z0-9]{2,20}.html|robots.txt|assets.*|javascript\/[a-zA-Z0-9]{2,20}.html.*|other\/[a-zA-Z0-9]{2,20}.html.*|pat\/[a-zA-Z0-9]{2,20}.html.*|)$") { return 403; } } }虽然已经有了Server Work,但Nginx最牛的静态资源优化方案-缓存还是要配一下的
server{ proxy_cache content; proxy_cache_valid 200 304 301 302 99s; proxy_cache_valid any 1s; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header REMOTE-HOST $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Connection ""; proxy_http_version 2; proxy_next_upstream off; proxy_ignore_client_abort on; proxy_ignore_headers Set-Cookie Cache-Control; client_max_body_size 30m; client_body_buffer_size 256k; proxy_connect_timeout 75; proxy_send_timeout 300; proxy_read_timeout 300; proxy_buffer_size 1m; proxy_buffers 8 512k; proxy_busy_buffers_size 2m; proxy_temp_file_write_size 2m; proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; proxy_max_temp_file_size 128m; }PS: 因为使用了Server Work,利用文件的Hash值做版本管理,缓存管理的html文件对这一系统造成了较大的麻烦,故取消配置
… Because of qiong, There is only one Server machine.
. 让你的网站秒配 HTTPS 证书 . Nginx 配置 HTTPS 服务器 . 让Nginx快速支持TLS1.3协议
