一、HTTPS Deployment Basics
1. Obtaining an SSL Certificate
Self-signed certificate (testing only; browsers will not trust it)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/nginx/ssl/selfsigned.key \
  -out /etc/nginx/ssl/selfsigned.crt
Keep the private key readable by root only (for example chmod 600 on selfsigned.key): the nginx master process runs as root and loads the key before the workers drop privileges, so nothing else needs to read it.
Production certificate (Let's Encrypt recommended)
# Install certbot and its nginx plugin
sudo apt install certbot python3-certbot-nginx
# Obtain the certificate. The nginx plugin proves control of the domain with an HTTP-01 challenge served by nginx itself, so port 80 must be reachable from the Internet, and it writes the ssl_* directives into the matching server block.
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
2. Basic Nginx HTTPS Configuration
server {
    listen 443 ssl http2;   # on nginx 1.25.1+ the http2 listen parameter is deprecated in favour of a separate "http2 on;" directive
    server_name yourdomain.com www.yourdomain.com;
    # Certificate paths; fullchain.pem also carries the intermediate certificate that clients need to build the chain
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    # Protocols: TLS 1.0 and 1.1 are not offered
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 suites: (EC)DHE for forward secrecy, AES-GCM only, no CBC. TLS 1.3 suites are not governed by ssl_ciphers.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;
    # HSTS: browsers remember to use HTTPS for a year; "always" sends the header on error responses too
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # Other configuration...
}
Three things to know about this block. The DHE-* suites are only offered if ssl_dhparam points to a parameter file; without it nginx silently skips them, which is acceptable because every current client negotiates ECDHE. add_header is not inherited into a location that declares its own add_header, so any such location must repeat the security headers. And enable HSTS only once the whole site, subdomains included, works over HTTPS: browsers cache the policy for max-age and will refuse plain HTTP to the domain for that long.
二、Nginx Security Hardening
1. Basic Security Headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "0" always;   # the old browser XSS auditor is gone from current browsers and "1; mode=block" created side channels in old ones; CSP is the real defence
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https://cdn.example.com; font-src 'self' https://fonts.gstatic.com;" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
The CSP above is a starting point, not a finished policy: 'unsafe-inline' and 'unsafe-eval' in script-src let injected inline script run, which removes most of the XSS protection a CSP is meant to give. Remove them once inline scripts are moved to files or carry a nonce, and add frame-ancestors (see the next item) and object-src 'none'. Referrer-Policy no-referrer-when-downgrade, the browser default for years, sends the full URL to other HTTPS origins; strict-origin-when-cross-origin sends only the origin cross-site. The always parameter makes nginx add the headers on 4xx/5xx responses as well; without it they are only added to 200, 201, 204, 206, 3xx responses.
2. Preventing Clickjacking
add_header X-Frame-Options "DENY" always; # or SAMEORIGIN if the site frames its own pages
Current browsers honour the CSP frame-ancestors directive in preference to X-Frame-Options, so set both (frame-ancestors 'none' or 'self' in the Content-Security-Policy header). Do not declare X-Frame-Options twice at different levels: an add_header inside a location replaces, rather than adds to, the headers declared in the server block.
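The following Python script is an added example, not code from the article: it audits a dictionary of response headers against the advice in this section (CSP source lists, the legacy X-XSS-Protection header, Referrer-Policy, framing protection) and also checks the HSTS value against the preload-list requirements (max-age of at least one year, includeSubDomains). The two header sets at the bottom are constructed: WEAK mirrors the directives the article originally listed, HARDENED a tightened variant; audit_headers and the other names are this example's own.

```python
"""Audit HTTP response headers against the hardening advice above.

Added example, not part of the original article. It works on a plain dict of
header names to values, so it runs offline; to audit a live site, feed it the
headers returned by any HTTP client.
"""
import re

PRELOAD_MIN_AGE = 31536000  # one year, the minimum max-age hstspreload.org accepts


def parse_hsts(value):
    """Return (max_age, include_subdomains, preload) from an HSTS header value."""
    max_age, flags = None, set()
    for token in value.split(";"):
        token = token.strip()
        m = re.fullmatch(r"max-age\s*=\s*(\d+)", token, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
        elif token:
            flags.add(token.lower())
    return max_age, "includesubdomains" in flags, "preload" in flags


def csp_directives(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    out = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def audit_headers(headers):
    """Return a list of findings; an empty list means nothing was flagged."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        max_age, subs, preload = parse_hsts(hsts)
        if max_age is None or max_age < PRELOAD_MIN_AGE:
            findings.append("HSTS: max-age below one year (%s)" % max_age)
        if not subs:
            findings.append("HSTS: includeSubDomains missing")
        if preload and not (subs and max_age is not None and max_age >= PRELOAD_MIN_AGE):
            findings.append("HSTS: preload set but the preload requirements are not met")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        d = csp_directives(csp)
        script = d.get("script-src", d.get("default-src", []))  # script-src falls back to default-src
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in script:
                findings.append("CSP: script-src allows %s, which largely defeats XSS protection" % weak)
        if "frame-ancestors" not in d and "x-frame-options" not in h:
            findings.append("Clickjacking: neither frame-ancestors nor X-Frame-Options is set")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        findings.append("X-XSS-Protection: legacy filter enabled; set it to 0 or drop the header")

    policy = h.get("referrer-policy", "").strip().lower()
    if policy in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append("Referrer-Policy: %r sends the full URL to cross-origin HTTPS destinations" % policy)

    return findings


# Constructed header sets. WEAK mirrors the directives listed above in the article;
# HARDENED is a tightened variant (inline scripts moved to files or nonces).
WEAK = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https://cdn.example.com; font-src 'self' https://fonts.gstatic.com;",
    "Referrer-Policy": "no-referrer-when-downgrade",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "0",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' https://fonts.googleapis.com; img-src 'self' data: https://cdn.example.com; font-src 'self' https://fonts.gstatic.com; frame-ancestors 'self'; object-src 'none'; base-uri 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_headers(hdrs) or "no findings")
```

Run against the article's original header set it reports four findings (the two unsafe CSP keywords, the legacy XSS header and the referrer policy) and nothing against the tightened set; the HSTS check passes in both because the page's value already meets the one-year and includeSubDomains requirements.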
3. Preventing Information Leakage
server_tokens off; # removes the version from the Server header and from nginx's error pages; the "nginx" name itself still appears (removing it needs a module such as headers-more or a custom build)
4. Restricting Request Methods and Body Size
limit_except only works inside a location block; GET implicitly allows HEAD, and every other method (PUT, DELETE, TRACE, OPTIONS, ...) gets 403. If the site serves cross-origin API requests, preflight OPTIONS must be allowed.
location / {
    limit_except GET POST {
        deny all;
    }
}
client_max_body_size 10M; # requests with a larger body are rejected with 413; can be set per http, server or location
5. Preventing Brute Force
# Rate-limit login attempts. The zone must be declared in the http context; the limit is applied in the location.
limit_req_zone $binary_remote_addr zone=login_limit:10m rate=5r/m;
server {
    location /login {
        limit_req zone=login_limit burst=10 nodelay;
        # Other configuration...
    }
}
With rate=5r/m burst=10 nodelay a client can make the first 11 requests at once; after that one more is admitted every 12 seconds and the rest get 503 (limit_req_status lets you return 429 instead). Two caveats: $binary_remote_addr is the address of the TCP peer, so behind a CDN or reverse proxy every visitor shares the proxy's address and the limit applies to all of them together; configure the real_ip module (set_real_ip_from for the trusted proxy ranges only, real_ip_header X-Forwarded-For) before keying on the client address. And a per-address limit does not stop a distributed credential-stuffing run; it must be paired with per-account lockout or MFA in the application.
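To see what rate=5r/m burst=10 nodelay actually admits, here is an added Python model of the leaky-bucket accounting that limit_req uses. It is not the nginx module's code and not from the article; it follows the arithmetic of ngx_http_limit_req_module (rate and excess kept in thousandths of a request, integer division, rejected requests not charged to the bucket), so it reproduces the burst behaviour for a single client key. The arrival timestamps are constructed; simulate_limit_req and LOGIN_BURST_MS are this example's own names.

```python
"""Model of nginx's limit_req leaky bucket for one client key.

Added example, not nginx code. rate_k is the rate in thousandths of a
request per second (5r/m -> 83), excess is the bucket level in the same
units, and a request is rejected when the level would exceed burst.
"""


def simulate_limit_req(arrivals_ms, rate, burst, nodelay=True, per="m"):
    """Return one decision per arrival: 'pass', 'delay <ms>' or '503'.

    arrivals_ms: request timestamps in milliseconds, ascending, one client key.
    rate: the number before r/s or r/m; per: 's' or 'm'.
    """
    scale = 60 if per == "m" else 1
    rate_k = rate * 1000 // scale        # nginx stores rate as thousandths of r/s
    burst_k = burst * 1000               # burst in the same units
    delay_k = burst_k if nodelay else 0  # nodelay means delay=burst: never queue within the burst
    excess = 0
    last = None
    decisions = []
    for now in arrivals_ms:
        if last is None:                 # first request for this key: empty bucket
            last = now
            decisions.append("pass")
            continue
        elapsed = now - last
        # Drain the bucket for the time elapsed, then charge one request.
        level = excess - rate_k * elapsed // 1000 + 1000
        if level < 0:
            level = 0
        if level > burst_k:              # over burst: rejected and NOT accounted
            decisions.append("503")
            continue
        excess = level
        if elapsed:
            last = now
        if level > delay_k:              # within burst but above rate: held until it fits the rate
            decisions.append("delay %d" % (level * 1000 // rate_k))
        else:
            decisions.append("pass")
    return decisions


# Constructed scenario: 12 login attempts in the same millisecond, then one
# attempt a minute later and one two minutes later.
LOGIN_BURST_MS = [0] * 12 + [60000, 120000]


def login_burst_decisions():
    """The article's login limit (rate=5r/m burst=10 nodelay) applied to LOGIN_BURST_MS."""
    return simulate_limit_req(LOGIN_BURST_MS, rate=5, burst=10, nodelay=True, per="m")


if __name__ == "__main__":
    for i, d in enumerate(login_burst_decisions(), 1):
        print("request %2d: %s" % (i, d))
```

The model shows the two points practitioners most often get wrong: burst=10 admits eleven requests instantly (the first one is within the rate, the next ten fill the bucket), and without nodelay those ten are not rejected but queued, each for a multiple of 12 seconds, which ties up a connection per queued request.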
6. Mitigating Denial of Service
Nginx cannot absorb a volumetric DDoS on its own; that needs upstream filtering or a CDN. What limit_conn does is cap the concurrent connections one client address may hold, which blunts slow-connection attacks and aggressive scrapers. The zone is declared in the http context, the same real_ip caveat as above applies.
# Limit concurrent connections
limit_conn_zone $binary_remote_addr zone=addr:10m;
server {
    location / {
        limit_conn addr 10; # at most 10 concurrent connections per client address
        # Other configuration...
    }
}
三、Advanced HTTPS Configuration
1. Forcing a Redirect to HTTPS
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}
$host is taken from the client's Host header. Because server_name restricts this block to the two listed names that is safe here; if the block were also the default server for port 80 it would reflect any Host value into the redirect, so give unmatched names a separate default_server that returns 444.
2. OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;   # ssl_stapling_verify needs the issuer chain to validate the OCSP response
resolver 8.8.8.8 8.8.4.2 valid=300s;
resolver_timeout 5s;
The resolver is used by nginx to look up the OCSP responder's hostname; pointing it at the machine's local resolver (for example 127.0.0.53 under systemd-resolved) avoids sending those lookups to a public DNS service. Note that Let's Encrypt announced during 2024 that it is phasing out OCSP in favour of CRLs; once a certificate no longer carries an OCSP URL, these directives are harmless but do nothing.
3. Session Cache
ssl_session_cache shared:SSL:10m;   # shared across worker processes; about 4,000 sessions per megabyte
ssl_session_timeout 10m;
ssl_session_tickets off; # see below
Session tickets are encrypted with a key that nginx generates at startup and never rotates unless ssl_session_ticket_key is configured, so a compromised ticket key would decrypt every resumed session for as long as the process has been running, defeating forward secrecy. Turning tickets off keeps forward secrecy at the cost of fewer resumptions (clients must use the server-side cache, which is per node and not shared across a cluster). If you need tickets across a cluster, set ssl_session_ticket_key to a file you rotate regularly.
4. HTTP/2
listen 443 ssl http2;   # nginx 1.25.1+: "listen 443 ssl;" plus "http2 on;"
四、Complete Hardened Configuration Example
# http context (nginx.conf, or the top of the included site file): the zone
# directives are not allowed inside server {} and nginx refuses to start if they are
limit_req_zone $binary_remote_addr zone=login_limit:10m rate=5r/m;
limit_conn_zone $binary_remote_addr zone=addr:10m;

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;
    # Certificate
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    # Protocols and cipher suites
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;
    # Session cache
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Security headers ("always": also on 4xx/5xx responses)
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "0" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: https://cdn.example.com; font-src 'self' https://fonts.gstatic.com;" always;   # drop 'unsafe-inline'/'unsafe-eval' once inline scripts are gone
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # Hide the version
    server_tokens off;
    # Brute-force protection (zone declared above in the http context)
    location /login {
        limit_req zone=login_limit burst=10 nodelay;
        # Login page configuration. Do not add add_header here, or the
        # server-level security headers stop being inherited in this location.
    }
    # Concurrent-connection limit per client address
    limit_conn addr 10;
    # Other configuration...
    root /var/www/html;
    index index.html;
}
Check the result with nginx -t before reloading; the original version of this example declared limit_req_zone and limit_conn_zone inside the server block, which nginx rejects with "directive is not allowed here".
五、Maintenance and Monitoring
- Automatic certificate renewal (Let's Encrypt)
sudo certbot renew --dry-run # test renewal; the certbot package installs a systemd timer that renews for real
sudo systemctl reload nginx # reload after renewal; the nginx plugin does this itself, otherwise use --deploy-hook so it runs only when a certificate actually changed
- Security monitoring
  - Review /var/log/nginx/access.log and /var/log/nginx/error.log regularly
  - Use a tool such as Fail2Ban to ban addresses that repeatedly fail authentication
  - Deploy a host intrusion detection system such as OSSEC
- Performance
  - Test the TLS configuration regularly with https://www.ssllabs.com/ssltest/
  - Use HTTP/2
  - Enable gzip compression to reduce transfer size; do not compress dynamic responses that mix user input with secrets such as CSRF tokens, since that enables the BREACH attack (compress static assets and API responses without secrets)
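The detection rule that a Fail2Ban jail for login brute forcing automates (maxretry failures within findtime seconds from one address) is short enough to show directly. The following Python is an added example, not code from the article or from Fail2Ban; it runs over constructed access-log lines in nginx's default combined format and assumes that the application answers a failed login on POST /login with 401 or 403 (change fail_statuses if yours redirects or returns 200 with an error page). find_brute_force, parse_line and SAMPLE_LOG are this example's own names.

```python
"""Detect login brute forcing in nginx access logs.

Added example, not code from the article or from Fail2Ban. It implements the
sliding-window rule a Fail2Ban jail expresses as maxretry/findtime: flag an
address once it produces max_failures failed logins within window_s seconds.
Assumption: failed logins are POST requests to /login answered with 401 or 403.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_brute_force(lines, path="/login", fail_statuses=(401, 403),
                     max_failures=5, window_s=600):
    """Return {ip: time_flagged} for addresses that reach max_failures failed
    logins inside a sliding window of window_s seconds."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent failures
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if (rec is None or rec["method"] != "POST"
                or rec["path"].split("?", 1)[0] != path
                or rec["status"] not in fail_statuses):
            continue
        window = recent[rec["ip"]]
        window.append(rec["time"])
        while (rec["time"] - window[0]).total_seconds() > window_s:   # expire old failures
            window.popleft()
        if len(window) >= max_failures and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["time"]
    return flagged


# Constructed sample log (documentation address ranges). 198.51.100.7 fails five
# times in under a minute; 192.0.2.10 fails once then logs in; 203.0.113.5 fails
# five times but spread over two hours.
SAMPLE_LOG = """\
203.0.113.5 - - [07/May/2025:08:00:00 +0000] "POST /login HTTP/1.1" 403 512 "-" "Mozilla/5.0"
203.0.113.5 - - [07/May/2025:08:30:00 +0000] "POST /login HTTP/1.1" 403 512 "-" "Mozilla/5.0"
203.0.113.5 - - [07/May/2025:09:00:00 +0000] "POST /login HTTP/1.1" 403 512 "-" "Mozilla/5.0"
203.0.113.5 - - [07/May/2025:09:30:00 +0000] "POST /login HTTP/1.1" 403 512 "-" "Mozilla/5.0"
203.0.113.5 - - [07/May/2025:10:00:00 +0000] "POST /login HTTP/1.1" 403 512 "-" "Mozilla/5.0"
198.51.100.7 - - [07/May/2025:10:34:14 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.5.0"
192.0.2.10 - - [07/May/2025:10:34:20 +0000] "POST /login HTTP/1.1" 401 512 "https://yourdomain.com/login" "Mozilla/5.0"
198.51.100.7 - - [07/May/2025:10:34:21 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.5.0"
198.51.100.7 - - [07/May/2025:10:34:29 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.5.0"
198.51.100.7 - - [07/May/2025:10:34:36 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.5.0"
192.0.2.10 - - [07/May/2025:10:34:40 +0000] "POST /login HTTP/1.1" 302 0 "https://yourdomain.com/login" "Mozilla/5.0"
198.51.100.7 - - [07/May/2025:10:34:44 +0000] "GET /login HTTP/1.1" 200 2048 "-" "curl/8.5.0"
198.51.100.7 - - [07/May/2025:10:34:51 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.5.0"
"""

if __name__ == "__main__":
    for ip, when in find_brute_force(SAMPLE_LOG.splitlines()).items():
        print("ban %s (fifth failure at %s)" % (ip, when.isoformat()))
```

Feed the flagged addresses to whatever blocks traffic on the host (an nftables set, or Fail2Ban's own action). The same real_ip caveat as for limit_req applies: behind a proxy, the address in the log must be the real client address or the rule will ban the proxy.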
六、Common Problems
- Mixed content warnings
  - Make sure every resource (images, scripts, stylesheets) is loaded over HTTPS
  - Update the Content-Security-Policy header accordingly; the upgrade-insecure-requests directive helps during migration
- HSTS preloading
  - Add the preload directive to the HSTS header; the preload list also requires max-age of at least one year (31536000), includeSubDomains, and a redirect from HTTP to HTTPS on the bare domain
  - Submit the domain to the Chrome HSTS preload list at hstspreload.org
  - Preloading is very hard to undo: every subdomain must serve HTTPS from then on
- OCSP stapling failures
  - Check that DNS resolution works from the server with the configured resolver
  - Make sure the server can reach the certificate authority's OCSP responder (the -status option of openssl s_client shows whether a response is being stapled)
With the configuration above you can run a hardened HTTPS site that resists the common attacks covered here and protects user data in transit.
© Copyright notice
The content of this article is drawn from public sources and, given how quickly this information changes, may contain errors or omissions. We have done our best to ensure accuracy but accept no liability for consequences of changed or incorrect information. If you quote this article, credit the source and respect the original author's copyright.