[WordPress Series, Part 012] Adding a more secure way to reach your site: configuring and hardening HTTPS

By 程序知路 | 2022-06-13

HTTPS stands for "Hypertext Transfer Protocol Secure": the secure version of the HTTP protocol.

It makes HTTP safer by encrypting traffic between client and server; the underlying protocol has now evolved to TLS v1.3.

HTTPS has become a must-have for any modern website: encrypted HTTPS traffic already exceeds 90% of the total, and it is one of the directions the Web is moving in.

This article applies to RHEL 7 and CentOS 7 with Nginx as the web server; other operating systems have not been tested.

The later sections on strengthening HTTPS (OCSP, HSTS and HPKP) apply to a much wider range of platforms.

Installing Certbot for Nginx

Enable the RHEL repositories

yum -y install yum-utils
yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional

Install Certbot

yum install -y certbot python2-certbot-nginx

Installing the HTTPS certificate

Next, install an HTTPS certificate for the site served by Nginx:

Run the certbot command

certbot --nginx

Enter the e-mail address that will receive mail from the certificate provider

This address receives certificate-expiry reminders.

Certificates issued through Certbot are valid for 90 days; before one expires you will receive a reminder at this address.

I entered "mailname@a-good-mail.com".

[root@VM-16-14-centos ~]# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): mailname@a-good-mail.com

Read the Let's Encrypt terms of service

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Enter "Y" here; you must agree in order to continue.

Whether you agree to receive e-mail

Certbot asks whether you agree to let its partner organisation send you e-mail.

Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

Select the domain names to enable HTTPS for

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: https-test.chengxuzhilu.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

If your Nginx serves several domain names, all of them are listed here. Choose the ones to be served over HTTPS by entering their numbers, separated by commas or spaces; to select all of them, just press Enter.

For the earlier question about sharing your e-mail address, answer "N" if you do not want to be contacted.

The HTTPS certificate is installed

Congratulations! You have successfully enabled
https://https-test.chengxuzhilu.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/https-test.chengxuzhilu.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/https-test.chengxuzhilu.com/privkey.pem
   Your certificate will expire on 2022-09-09. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Testing the newly installed certificate

Open http://https-test.chengxuzhilu.com in a browser; it redirects automatically to the https:// address.

Hardening HTTPS

Configuring HSTS

HSTS (HTTP Strict Transport Security) tells browsers to reach the site only over HTTPS for the period given by max-age; it is used to reduce the risk of session hijacking.

Put the following directive inside the relevant server block of your Nginx virtual host:

add_header Strict-Transport-Security "max-age=31536000;includeSubDomains";

Save the configuration file, then restart Nginx.

systemctl restart nginx.service
systemctl status -l nginx.service

Visit the site again and use the browser's developer tools (press F12 to open them) to confirm that the Strict-Transport-Security header is present.

Setting up HTTP/2

HTTP/2 (Hypertext Transfer Protocol version 2) uses multiplexing: many requests share a single TCP connection instead of repeating the TCP handshake every time, which improves page performance. Where an application wants it, the server can also push resources, so the client need not close and reopen a TCP connection to receive server notifications, which saves server resources.

Enabling HTTP/2 is simple: in the relevant server block, change listen 443 ssl; to listen 443 ssl http2;

Likewise, change listen [::]:443 ssl ipv6only=on; to listen [::]:443 ssl http2 ipv6only=on; (on Nginx 1.25.1 and later the http2 listen parameter is deprecated in favour of a separate http2 on; directive, but it still works).

Restart the Nginx service.

systemctl restart nginx.service
systemctl status -l nginx.service

Verify HTTP/2 (the Protocol column of the Network tab in the browser's developer tools shows h2 for HTTP/2 requests):

Enabling OCSP stapling

OCSP (Online Certificate Status Protocol) is the mechanism used to check whether an HTTPS certificate is still valid. With stapling, the server fetches the OCSP response itself and attaches it to the TLS handshake, so the client does not have to contact the CA's OCSP responder.

cd /etc/letsencrypt/live/https-test.chengxuzhilu.com
# ssl_trusted_certificate only needs the certificate chain; never copy privkey.pem into /etc/ssl/certs.
# This copy goes stale after renewal; pointing Nginx straight at the file under /etc/letsencrypt/live avoids that.
cat fullchain.pem > https-test_chengxuzhilu_com.chain.stapling.pem
mv https-test_chengxuzhilu_com.chain.stapling.pem /etc/ssl/certs/

Modify the relevant server block of the Nginx configuration:

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
ssl_trusted_certificate /etc/ssl/certs/https-test_chengxuzhilu_com.chain.stapling.pem;

Restart the Nginx service.

systemctl restart nginx.service
systemctl status -l nginx.service

Check whether OCSP stapling is working:

openssl s_client -connect https-test.chengxuzhilu.com:443 -servername https-test.chengxuzhilu.com -status </dev/null

If the output contains the following, stapling is enabled:

OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response

If instead you see the following, it is not working (note that the first connection after a restart may not carry a stapled response, because Nginx fetches it lazily; retry once before concluding that it failed):

OCSP response: no response sent

Configuring HPKP

HPKP (HTTP Public Key Pinning) tells the browser that specific public keys are associated with a specific server, to guard against "request forgery" attacks. Be aware that HPKP has since been deprecated and removed from mainstream browsers (Chrome dropped it in version 72), and that a wrong pin set locks visitors out of the site until max-age expires, so test it carefully.

Replace https-test.chengxuzhilu.com and https-test_chengxuzhilu_com below with your own values.

Each fingerprint generated below is specific to the key it was computed from, and a freshly generated key gives a different one, so do not use these fingerprints in your own environment; the configuration would fail.

Getting the first fingerprint (the key currently in use)

openssl x509 -pubkey -noout < /etc/letsencrypt/archive/https-test.chengxuzhilu.com/cert1.pem | \
openssl pkey -pubin -outform der | \
openssl dgst -sha256 -binary | base64

Result: We3oNGS7gzozE72kB5z9xOG8XoI8gyp5x22Ia6Y//qk=

Getting the second fingerprint (a backup key)

mkdir -p /etc/ssl/certs/https-test.chengxuzhilu.com
cp /etc/letsencrypt/archive/https-test.chengxuzhilu.com/privkey1.pem /etc/ssl/certs/https-test.chengxuzhilu.com/https-test_chengxuzhilu_com.first.key
cp /etc/letsencrypt/csr/0000_csr-certbot.pem /etc/ssl/certs/https-test.chengxuzhilu.com/https-test_chengxuzhilu_com.first.csr

Generate the fingerprint:

cd /etc/ssl/certs/https-test.chengxuzhilu.com/
openssl genrsa -out https-test_chengxuzhilu_com.second.key 4096
openssl req -new -key https-test_chengxuzhilu_com.second.key -sha256 -out https-test_chengxuzhilu_com.second.csr
Country Name (2 letter code) [XX]:                                  # press Enter to skip
State or Province Name (full name) []:                              # press Enter to skip
Locality Name (eg, city) [Default City]:                            # press Enter to skip
Organization Name (eg, company) [Default Company Ltd]:              # press Enter to skip
Organizational Unit Name (eg, section) []:                          # press Enter to skip
Common Name (eg, your name or your server's hostname) []:           # press Enter to skip
Email Address []:                                                   # press Enter to skip
A challenge password []:                                            # set a strong password of at most 20 characters
An optional company name []:                                        # press Enter to skip
openssl req -pubkey -noout < https-test_chengxuzhilu_com.second.csr | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64

Second fingerprint: GKHz0fGXhRarAbRI2jEFhkrRVwoTX7A05AXAQ4S4I6s=

Getting the third fingerprint

openssl genrsa -out https-test_chengxuzhilu_com.third.key 4096
openssl req -new -key https-test_chengxuzhilu_com.third.key -sha256 -out https-test_chengxuzhilu_com.third.csr
# answer the prompts exactly as for the second fingerprint
openssl req -pubkey -noout < https-test_chengxuzhilu_com.third.csr | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64

Third fingerprint: 6LxilaheNtmeRF4nsnSAqB+7Uy9jcIwVoB7jvMZiDF8=

Put the three fingerprints into the following directive:
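To show what the three openssl pipelines above actually compute, here is an added Python example (not from the original post): it locates the SubjectPublicKeyInfo inside a DER certificate and returns the same base64 SHA-256 pin. The DER helpers and toy_cert_pem, which builds a constructed unsigned certificate for testing, are assumptions made for this example; pin_sha256 itself works on any PEM certificate such as cert1.pem above.

```python
import base64
import hashlib

def der_element(buf, pos):
    # Read the DER element at pos -> (tag, value, raw); raw keeps the tag and length bytes,
    # because an HPKP pin hashes the complete SPKI element, header included.
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), hdr + n
    return tag, buf[pos + hdr:pos + hdr + length], buf[pos:pos + hdr + length]

def der_children(value):
    # Split the contents of a SEQUENCE into its (tag, value, raw) children.
    pos, out = 0, []
    while pos < len(value):
        out.append(der_element(value, pos))
        pos += len(out[-1][2])
    return out

def der_encode(tag, value):
    # Minimal DER encoder, used only to build the constructed test certificate below.
    n = len(value)
    if n < 128:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def pem_to_der(pem):
    return base64.b64decode("".join(line for line in pem.splitlines() if not line.startswith("-----")))

def spki_der(cert_der):
    _, cert_value, _ = der_element(cert_der, 0)   # Certificate ::= SEQUENCE
    _, tbs_value, _ = der_element(cert_value, 0)  # tbsCertificate ::= SEQUENCE
    fields = der_children(tbs_value)
    if fields[0][0] == 0xA0:  # skip the optional [0] EXPLICIT version of v3 certificates
        fields = fields[1:]
    return fields[5][2]  # serialNumber, signature, issuer, validity, subject, SPKI

def pin_from_spki(spki):
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()
def pin_sha256(cert_pem):
    # Same value as: openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
    return pin_from_spki(spki_der(pem_to_der(cert_pem)))

def toy_cert_pem(spki):
    # Constructed, unsigned stand-in for a certificate: only the tbsCertificate field order
    # matters for locating the SPKI; the other fields are empty placeholders.
    empty = der_encode(0x30, b"")
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02"))  # [0] version v3
                     + der_encode(0x02, b"\x01") + empty * 4 + spki)    # serial, sig, issuer, validity, subject, SPKI
    cert = der_encode(0x30, tbs + empty + der_encode(0x03, b"\x00"))    # + signatureAlgorithm, signatureValue
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()
```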

add_header Public-Key-Pins 'pin-sha256="We3oNGS7gzozE72kB5z9xOG8XoI8gyp5x22Ia6Y//qk="; pin-sha256="GKHz0fGXhRarAbRI2jEFhkrRVwoTX7A05AXAQ4S4I6s="; pin-sha256="6LxilaheNtmeRF4nsnSAqB+7Uy9jcIwVoB7jvMZiDF8=";max-age=2592000';

Then place this directive in the relevant server block of the Nginx configuration file.

Restart the Nginx service.

systemctl restart nginx.service
systemctl status -l nginx.service

Check in the browser's developer tools, as before, whether HPKP has taken effect:

Then test the site's HTTPS security at https://www.ssllabs.com/ssltest/analyze.html .

That completes the HTTPS deployment!

Renewing the certificate periodically

# Appending to /etc/crontab is enough: cron reads that file directly, and its lines carry a
# user field ("root"), so do not load it with "crontab -u root"; that would misparse the line.
echo "0 */2 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" >> /etc/crontab
tail -n 1 /etc/crontab
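As an added example (not part of the original post) of what to look for in the developer tools when verifying the HSTS and HPKP headers from the two sections above, this Python checker parses constructed copies of the header values the page configures and flags the conditions a practitioner would check; the one-year HSTS minimum and the 60-day HPKP max-age limit are assumptions made for this example.

```python
import base64
import binascii
# Constructed samples of the header values the page's two add_header directives produce.
SAMPLE_HSTS = "max-age=31536000;includeSubDomains"
SAMPLE_HPKP = ('pin-sha256="We3oNGS7gzozE72kB5z9xOG8XoI8gyp5x22Ia6Y//qk="; '
               'pin-sha256="GKHz0fGXhRarAbRI2jEFhkrRVwoTX7A05AXAQ4S4I6s="; '
               'pin-sha256="6LxilaheNtmeRF4nsnSAqB+7Uy9jcIwVoB7jvMZiDF8=";max-age=2592000')

def parse_directives(value):
    # "max-age=300; includeSubDomains" -> {"max-age": ["300"], "includesubdomains": [True]};
    # names are case-insensitive and repeated names (pin-sha256) are kept as a list.
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out.setdefault(name.strip().lower(), []).append(val.strip().strip('"') if val else True)
    return out

def max_age_problem(d, label, lo, hi):
    # Returns a problem string, or None, for the max-age directive in d.
    age = d.get("max-age", [None])[0]
    if not isinstance(age, str) or not age.isdigit():
        return f"{label}: max-age missing or not a number"
    return None if lo <= int(age) <= hi else f"{label}: max-age {age} not within [{lo}, {hi}]"

def valid_pin(pin):
    try:
        return len(base64.b64decode(pin, validate=True)) == 32  # a SHA-256 digest is 32 bytes
    except (binascii.Error, TypeError):
        return False

def check_hsts(value, min_age=31536000):
    # min_age defaults to the one year the page configures (an assumption, not a standard).
    d = parse_directives(value)
    problems = [p for p in [max_age_problem(d, "HSTS", min_age, float("inf"))] if p]
    if "includesubdomains" not in d:
        problems.append("HSTS: no includeSubDomains, so subdomains stay reachable over plain HTTP")
    return problems

def check_hpkp(value, max_age_limit=5184000):
    # max_age_limit (60 days, an assumption) bounds how long a wrong pin set locks clients out.
    d = parse_directives(value)
    pins = d.get("pin-sha256", [])
    problems = [f"HPKP: pin {p!r} is not a base64 SHA-256 digest" for p in pins if not valid_pin(p)]
    if len({p for p in pins if valid_pin(p)}) < 2:
        problems.append("HPKP: fewer than two distinct valid pins (RFC 7469 requires a backup pin)")
    problems += [p for p in [max_age_problem(d, "HPKP", 0, max_age_limit)] if p]
    return problems
```

Whether a backup pin really belongs to a key that is not yet in the served chain cannot be told from the header alone; compare it against the certificate's own pin for that.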

In an era of rampant Internet security risk, HTTP, the application-layer protocol that is the foundation of the Internet, has to keep up with the times. Retiring old technology and adopting new technology has become the trend. HTTPS, built on SSL/TLS, arose to meet that need and has swept the era, which shows how important it is to the Internet. So HTTPS should be a mandatory part of building any website.

End of article.

If you have questions during configuration, please search (Baidu) first; if that does not resolve them, you can contact the author at admin@chengxuzhilu.com and we can work through them together.

You are welcome to visit my blog and follow my WeChat official account!

Given the limits of my own knowledge and ability, please forgive any errors, omissions or oversights in the views and descriptions on this blog; discussion is welcome so that we can learn and improve together.

This article may be reposted, but the source must be credited!

Some of the images used in this article come from the Internet; if any infringe your rights, please contact the author for removal: admin@chengxuzhilu.com