This post discusses how to configure an SSL certificate for Nginx and, by setting the relevant Nginx directives, raise the security rating to A+. Kernel parameter tuning is not covered here; for that, see my post LEMP Installation and Nginx Optimization.

Preparation

Preparation consists of preparing the VPS host, initializing it, and installing Nginx through the package manager.

VPS Host

All operations in this post were carried out on a Digital Ocean VPS.

item detail
OS Version CentOS Linux release 7.3.1611 (Core)
Kernel Version 3.10.0-514.2.2.el7.x86_64

The IP address and domain name are as follows

item detail
IP Address 138.197.80.35
Test Domain lemptest.tech

Initialization includes
* updating the system
* removing the old kernel after reboot
* installing the Vim editor
* changing the time zone and installing the chrony service to synchronize time over the network

Nginx Installation

Nginx is installed with a shell script, which has been uploaded to GitHub: autoInstallNginxWebServerViaPackageManager.sh

Run the following command to install it (review the script first, since it is piped straight into bash)

curl -s https://raw.githubusercontent.com/LempStacker/personalShellScriptCollection/master/shellScripts/autoInstallNginxWebServerViaPackageManager.sh | bash

After installation, start the Nginx service

# start the service
systemctl start nginx
# enable it at boot
systemctl enable nginx

The Nginx service can be started, stopped, reloaded, and so on with the command nginx -s signal; see the official documentation Starting, Stopping, and Reloading Configuration. The specific commands are:

#fast shutdown
sudo nginx -s stop

#graceful shutdown (recommended)
sudo nginx -s quit

#reloading the configuration file
sudo nginx -s reload

# reopening the log files
sudo nginx -s reopen

Nginx Info

Nginx-related information

Run the following commands to query the Nginx package information

# package information
rpm -qi nginx
# paths of the installed files
rpm -ql nginx
# configuration file paths
rpm -qc nginx
# documentation (man page) paths
rpm -qd nginx
# required libraries
rpm -qR nginx

Run the following commands to show the exact Nginx version

# via nginx -v
sudo nginx -v 2>&1 | awk -v FS='/' '{print $NF}'
sudo nginx -v 2>&1 | sed -r -n 's@.*/(.*)@\1@p'

# via nginx -V
sudo nginx -V 2>&1 | awk -v FS='/' '{print $NF;exit}'
sudo nginx -V 2>&1 | sed -r -n '1 s@.*/(.*)@\1@p'

# Bash 4+ (|& pipes stderr along with stdout)
sudo nginx -v |& awk -v FS='/' '{print $NF}'
sudo nginx -v |& sed -r -n 's@.*/(.*)@\1@p'

sudo nginx -V |& awk -v FS='/' '{print $NF;exit}'
sudo nginx -V |& sed -r -n '1 s@.*/(.*)@\1@p'

Run the following command to find the path of the Nginx configuration file

sudo nginx -V 2>&1 | sed -r -n 's@.*conf-path=(.*) --error.*@\1@p'

For this installation:
* version 1.10.2
* configuration file path /etc/nginx/nginx.conf
* web root /usr/share/nginx/html

Certificate-related files are kept in the directory /etc/nginx/ssl/; run the following command to create it

[[ ! -d /etc/nginx/ssl ]] && mkdir -pv /etc/nginx/ssl

Domain Name Resolution

DNS resolution: point the domain at the VPS IP address (assume the IP is 172.217.12.132). If no other subdomains are needed, the following two A records are enough.

Type Host Value TTL
A Record @ 172.217.12.132 30 min
A Record www 172.217.12.132 30 min

For NameCheap, see How can I set up an A (address) record for my domain?

Note: DNS changes made at domain registrars in mainland China can take a long time to propagate (several hours or even one or two days).

Generating SSL Certificate

A free SSL certificate is obtained from Let's Encrypt; for easy deployment, certbot is used to generate it. On CentOS, certbot depends on EPEL, so epel-release must be installed first.

Automatically enable HTTPS on your website with EFF’s Certbot, deploying Let’s Encrypt certificates. – https://certbot.eff.org/

Run the following commands to install epel and certbot

yum install -y epel-release
yum install -y certbot

certbot uses the Webroot plugin to generate the certificate; Nginx's default web root is /usr/share/nginx/html, so the command takes the following form

certbot certonly --webroot -w /usr/share/nginx/html -d lemptest.tech -d www.lemptest.tech -d gitlab.lemptest.tech

Parameters:
* certonly: Obtain cert, but do not install it (aka "auth")
* --webroot: Place files in a server's webroot folder for authentication
* -d domain: the domain name; may be given more than once

After the command runs, a dialog appears

Fill it in according to your situation; once the SSL certificate has been generated successfully, the following message appears

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/lemptest.tech/fullchain.pem. Your cert will expire on
   2017-03-22. To obtain a new or tweaked version of this certificate in the
   future, simply run certbot again. To non-interactively renew all of your
   certificates, run "certbot renew"
 - If you lose your account credentials, you can recover through e-mails sent
   to lempstacker@hotmail.com.
 - Your account credentials have been saved in your Certbot configuration
   directory at /etc/letsencrypt. You should make a secure backup of this
   folder now. This configuration directory will also contain certificates and
   private keys obtained by Certbot so making regular backups of this folder
   is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

According to the message, the certificates are located at

/etc/letsencrypt/live/lemptest.tech/

It contains four files, all of them symbolic links

lrwxrwxrwx 1 root root 37 Dec 22 23:43 cert.pem -> ../../archive/lemptest.tech/cert1.pem
lrwxrwxrwx 1 root root 38 Dec 22 23:43 chain.pem -> ../../archive/lemptest.tech/chain1.pem
lrwxrwxrwx 1 root root 42 Dec 22 23:43 fullchain.pem -> ../../archive/lemptest.tech/fullchain1.pem
lrwxrwxrwx 1 root root 40 Dec 22 23:43 privkey.pem -> ../../archive/lemptest.tech/privkey1.pem

File descriptions:
* fullchain.pem: cert.pem and chain.pem concatenated
* cert.pem: the domain certificate
* privkey.pem: the certificate's private key
* chain.pem: the Let's Encrypt chain (intermediate) certificate

When configuring Nginx, fullchain.pem and privkey.pem are used, in the following form

ssl_certificate /etc/letsencrypt/live/lemptest.tech/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/lemptest.tech/privkey.pem;

cert.pem is used when setting up HTTP Public Key Pinning (HPKP)

Security Optimization

The following steps raise the security level of Nginx

OCSP Stapling Configuration

OCSP stapling is a TLS/SSL extension which aims to improve the performance of SSL negotiation while maintaining visitor privacy.

OCSP (Online Certificate Status Protocol) is a protocol for checking if an SSL certificate has been revoked. It was created as an alternative to CRL to reduce the SSL negotiation time. With CRL (Certificate Revocation List) the browser downloads a list of revoked certificate serial numbers and verifies the current certificate, which increases the SSL negotiation time. In OCSP the browser sends a request to an OCSP URL and receives a response containing the validity status of the certificate.

The procedure follows How To Configure OCSP Stapling on Apache and Nginx. It needs the root CA and intermediate CA certificates; since the certificate here was issued by Let's Encrypt, the Let's Encrypt root and intermediate certificates must be obtained.

The following pages on the Let's Encrypt site
* Let's Encrypt Root and Intermediate Certificates
* Chain of Trust

give the following information

# Let's Encrypt Root and Intermediate Certificates

#Active Root Certificates (ISRG Root X1)
https://letsencrypt.org/certs/isrgrootx1.pem

#Active Intermediate Certificates
#Let’s Encrypt Authority X3 (IdenTrust cross-signed)
https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem

The required certificate bundle is built from these two files; here the generated file is named

/etc/nginx/ssl/letsencrypt-ca-cert.pem

Run the following commands to generate the bundle

[[ ! -d /etc/nginx/ssl ]] && mkdir -pv /etc/nginx/ssl

wget -q -O - https://letsencrypt.org/certs/isrgrootx1.pem https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem | tee -a /etc/nginx/ssl/letsencrypt-ca-cert.pem  > /dev/null

Once the bundle has been generated, add the following to the Nginx server block

#OCSP Stapling Configuration
ssl_stapling on;
ssl_stapling_verify on; # Enables verification of OCSP responses by the server
#Let's Encrypt Root and Intermediate Certificates
ssl_trusted_certificate /etc/nginx/ssl/letsencrypt-ca-cert.pem;

Run

nginx -t && nginx -s reload

After reloading the Nginx configuration, run the following command to check whether OCSP stapling is working

echo QUIT | openssl s_client -connect lemptest.tech:443 -status 2> /dev/null | sed -r -n '/^OCSP response/,/Next Update/p'

Here is the test run

flying@lempstacker:~$ echo QUIT | openssl s_client -connect lemptest.tech:443 -status 2> /dev/null | sed -r -n '/^OCSP response/,/Next Update/p'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Dec 22 15:43:00 2016 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
      Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
      Serial Number: 0386FC395B849992E157BDE69E3203C532BA
    Cert Status: good
    This Update: Dec 22 15:00:00 2016 GMT
    Next Update: Dec 29 15:00:00 2016 GMT
flying@lempstacker:~$
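As an added check that is not part of the original post, the following Python parses the `openssl s_client -status` output shown above and decides whether the stapled response is usable: status good, the This Update/Next Update window covering the current time, and enough time left before it expires. The embedded sample is the OCSP section from the post's own test run, abridged; the 12-hour margin is an assumed threshold.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example, not from the original post: parse the `openssl s_client -status`
# dump shown above and decide whether the stapled OCSP response is usable, i.e.
# status "good" and the This Update..Next Update window covering the current time.

# Constructed sample: the OCSP section of the post's own test run, abridged.
SAMPLE = """OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Dec 22 15:43:00 2016 GMT
    Cert Status: good
    This Update: Dec 22 15:00:00 2016 GMT
    Next Update: Dec 29 15:00:00 2016 GMT
"""
TIME_FMT = "%b %d %H:%M:%S %Y GMT"            # openssl's rendering of ASN.1 times


def parse_time(text: str) -> datetime:
    return datetime.strptime(text.strip(), TIME_FMT).replace(tzinfo=timezone.utc)


def parse_ocsp(text: str) -> dict:
    """Extract the status and validity fields from openssl's textual OCSP dump."""
    info = {}
    for key in ("OCSP Response Status", "Cert Status", "This Update", "Next Update"):
        m = re.search(r"^\s*%s:\s*(.+?)\s*$" % re.escape(key), text, re.M)
        if m:
            info[key] = parse_time(m.group(1)) if key.endswith("Update") else m.group(1)
    return info


def stapling_ok(text: str, now: str = None, min_remaining=timedelta(hours=12)):
    """Return (ok, reason); `now` is an openssl-style GMT string, default: current time."""
    at = parse_time(now) if now else datetime.now(timezone.utc)
    info = parse_ocsp(text)
    if not info.get("OCSP Response Status", "").startswith("successful"):
        # openssl prints "OCSP response: no response sent" when nothing was stapled;
        # nginx only staples once it has fetched a response, so retry once before alarming.
        return False, "no usable stapled response (%s)" % (text.splitlines() or ["empty output"])[0].strip()
    if info.get("Cert Status") != "good":
        return False, "certificate status is %r" % info.get("Cert Status")
    if info.get("This Update") and at < info["This Update"]:
        return False, "response not yet valid (This Update %s)" % info["This Update"]
    nxt = info.get("Next Update")              # optional per RFC 6960
    if nxt and at > nxt:
        return False, "stapled response expired at %s" % nxt
    if nxt and nxt - at < min_remaining:
        return False, "stapled response expires within %s; check that nginx can reach the responder via resolver" % min_remaining
    return True, "stapled response good" + (" until %s" % nxt if nxt else "")
```

Pipe the output of the openssl command above into this check from cron to catch an expired or missing staple before browsers do.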

HTTP Public Key Pinning (HPKP)

For HTTP Public Key Pinning, Raymii's post HTTP Public Key Pinning Extension HPKP for Apache, NGINX and Lighttpd is recommended reading

After reading the following posts
* HTTP Public Key Pinning (HPKP)
* HPKP: HTTP Public Key Pinning
* HTTP Public Key Pinning Extension HPKP for Apache, NGINX and Lighttpd

and testing, it turns out that implementing this feature requires the file generated by Let's Encrypt

/etc/letsencrypt/live/lemptest.tech/cert.pem

Step 1: Add Existing Certificate

Add the existing SSL certificate, i.e.

/etc/letsencrypt/live/lemptest.tech/cert.pem

Run the following to produce the base64 string. There are two methods; I recommend the second, which produces the required string directly.

# Method 1: writes a temporary public key file
openssl x509 -noout -in /etc/letsencrypt/live/lemptest.tech/cert.pem -pubkey | openssl asn1parse -noout -inform pem -out /tmp/public.key

openssl dgst -sha256 -binary /tmp/public.key | openssl enc -base64

rm -f /tmp/public.key

# Method 2: produces the base64 string directly
openssl x509 -pubkey < /etc/letsencrypt/live/lemptest.tech/cert.pem | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64

The first base64 string generated here is

iUUgoZuZgkGIbQ9x1lUQbvCJh+87iT1avjyzKKu7K3k=

Step 2: Creating A Backup CSR

Generate the backup key and CSR yourself

openssl genrsa -out /etc/nginx/ssl/lemptest.first.key 4096

openssl req -new -key /etc/nginx/ssl/lemptest.first.key -sha256 -out /etc/nginx/ssl/lemptest.first.csr

openssl req -pubkey < /etc/nginx/ssl/lemptest.first.csr | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64

When generating the .csr file, the following prompts appear; fill them in as appropriate

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:LempTest
Organizational Unit Name (eg, section) []:LempTest
Common Name (eg, your name or your server's hostname) []:lemptest.tech
Email Address []:lemptest@lemptest.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The second base64 string generated here is

F2gQEUpXylr1jmAr6f9WNlFAMxORt597saJMqGCcoks=

Add the following directive to Nginx

add_header Public-Key-Pins 'pin-sha256="iUUgoZuZgkGIbQ9x1lUQbvCJh+87iT1avjyzKKu7K3k=";pin-sha256="F2gQEUpXylr1jmAr6f9WNlFAMxORt597saJMqGCcoks="; max-age=2592000; includeSubDomains';
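As an added example that is not the post's own code, the following Python computes the pin-sha256 value of Step 1 (from cert.pem) and Step 2 (from the backup CSR) using only the standard library, by walking the DER structure to the SubjectPublicKeyInfo instead of calling openssl. The certificate and CSR it runs on are constructed, unsigned skeletons built by the block itself; point pin_sha256 at the real PEM files to reproduce the two strings above.

```python
import base64
import hashlib
import re

# Added example, not from the original post: the pin-sha256 values of Step 1 and Step 2
# computed with only the standard library. RFC 7469 defines the pin as
# base64(SHA-256(DER SubjectPublicKeyInfo)), exactly what Method 2's openssl pipeline emits.

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body."""
    return base64.b64decode("".join(re.sub(r"-----(BEGIN|END)[^-]+-----", "", pem).split()))

def tlv(buf: bytes, pos: int):
    """Decode one DER tag and length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def elements(buf: bytes, start: int, end: int) -> list:
    """Split a constructed value into [(tag, raw_tlv_bytes), ...]."""
    out, pos = [], start
    while pos < end:
        tag, _, vend = tlv(buf, pos)
        out.append((tag, buf[pos:vend]))
        pos = vend
    return out

def spki_der(der: bytes) -> bytes:
    """Locate SubjectPublicKeyInfo in a DER X.509 certificate or PKCS#10 CSR."""
    _, s, e = tlv(der, 0)                  # Certificate / CertificationRequest
    _, s, e = tlv(der, s)                  # tbsCertificate / certificationRequestInfo
    el = elements(der, s, e)
    if el[0][0] == 0xA0:                   # explicit [0] version: v2/v3 certificate
        return el[6][1]
    if len(el) > 3 and el[3][0] == 0xA0:   # [0] attributes right after the SPKI: a CSR
        return el[2][1]
    return el[5][1]                        # v1 certificate, no version field

def pin_sha256(pem: str) -> str:
    """The value that goes into pin-sha256="...": base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der(pem_to_der(pem))).digest()).decode()

def der(tag: int, payload: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample below."""
    lb = len(payload).to_bytes((len(payload).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (lb if len(payload) < 0x80 else bytes([0x80 | len(lb)]) + lb) + payload

# Constructed sample (not a real, signed certificate): structural skeletons of a v3
# certificate and a CSR that share one rsaEncryption SPKI holding a 200-byte dummy key.
SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
           + der(0x03, b"\x00" + b"\x42" * 200))
EMPTY = der(0x30, b"")
CERT_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(
    der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + EMPTY * 4 + SPKI)
        + EMPTY + der(0x03, b"\x00"))).decode()
CSR_PEM = "-----BEGIN CERTIFICATE REQUEST-----\n%s\n-----END CERTIFICATE REQUEST-----\n" % base64.b64encode(
    der(0x30, der(0x30, der(0x02, b"\x00") + EMPTY + SPKI + der(0xA0, b"")) + EMPTY + der(0x03, b"\x00"))).decode()
```

Browsers have since removed HPKP support (Chrome dropped it in 2018); while it was honoured, a header whose backup pin did not match a key you still held locked clients out for the full max-age, which is why Step 2's backup CSR and its private key must be kept safely.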

ssl_dhparam

Run the following commands

[[ ! -d /etc/nginx/ssl ]] && mkdir -pv /etc/nginx/ssl

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096

This produces the file /etc/nginx/ssl/dhparam.pem

Generation takes a long time, depending on the server hardware: anywhere from a few minutes to several tens of minutes.

Add the following directive to Nginx

ssl_dhparam /etc/nginx/ssl/dhparam.pem;

ssl_session_ticket_key

Run the following commands

[[ ! -d /etc/nginx/ssl ]] && mkdir -pv /etc/nginx/ssl

# openssl rand takes its options before the byte count
openssl rand -out /etc/nginx/ssl/ticket.key 48

This produces the file /etc/nginx/ssl/ticket.key

Add the following directive to Nginx

ssl_session_ticket_key /etc/nginx/ssl/ticket.key;

Nginx Configuration

Before editing the Nginx configuration files, it is strongly recommended to back them up

Run the following to back them up

cp -p /etc/nginx/nginx.conf{,.bak}
mv /etc/nginx/conf.d/default.conf{,.bak}

/etc/nginx/nginx.conf


user  nginx;
# worker_processes 1 or N or auto
worker_processes 2;
worker_rlimit_nofile 65536;
pid /var/run/nginx.pid;
events {
    worker_connections   65536;
    use epoll;
    multi_accept on;
}
http {
    include /etc/nginx/mime.types;
    default_type  application/octet-stream;
    charset  utf-8;
    server_tokens off; # hide the version in responses and error pages
    autoindex off; # do not list directory contents; default off
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    # [debug|info|notice|warn|error|crit|alert|emerg]
    error_log  /var/log/nginx/error.log warn;
    access_log /var/log/nginx/access.log combined if=$loggable;
    #Conditional Logging
    map $status $loggable {
        ~^[23]  0;
        default 1;
    }
    #log_format name string ...; default combined "...";
    log_format compression '$remote_addr - $remote_user [$time_local] '
                           '"$request" $status $body_bytes_sent '
                           '"$http_referer" "$http_user_agent" "$gzip_ratio"';

    # Concurrency Connections
    # http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html
    # limit_conn_zone $binary_remote_addr zone=addr:10m;
    limit_conn_zone $binary_remote_addr zone=perip:10m;
    limit_conn_zone $server_name zone=perserver:10m;
    # limit_conn perip 40;
    # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html


    #Keep Alive
    keepalive_timeout 50;
    keepalive_requests 100000;
    #Timeouts
    client_header_timeout  3m;
    client_body_timeout    3m;
    send_timeout 60s;
    #Buffer Size
    client_body_buffer_size      128k;
    client_max_body_size         2m;
    client_header_buffer_size    1k;
    large_client_header_buffers  4 4k;
    output_buffers               1 32k;
    postpone_output              1460;
    #Close connection on Missing Client Response
    reset_timedout_connection on;
    #Static Asset Serving
    open_file_cache max=1000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 5;
    open_file_cache_errors off;
    # gzip compression
    gzip on;
    gzip_vary on;
    gzip_comp_level 5;
    gzip_buffers     16 8k;
    gzip_min_length 1000;
    gzip_proxied    expired no-cache no-store private auth;
    gzip_types      text/css application/javascript application/x-javascript text/javascript text/plain text/xml application/json application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/xml font/eot font/opentype font/otf image/svg+xml image/vnd.microsoft.icon;
    gzip_disable    "MSIE [1-6]\.";
    gzip_static on;

    #http proxy
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    include /etc/nginx/conf.d/*.conf;

}

/etc/nginx/conf.d/ssl.conf

# redirect http to https
server {
    listen 80;
    server_name lemptest.tech;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl default_server;
    server_name lemptest.tech;
    #access_log  /var/log/nginx/log/host.access.log  main;
    root   /usr/share/nginx/html;

    ssl_certificate /etc/letsencrypt/live/lemptest.tech/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/lemptest.tech/privkey.pem;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_protocols TLSv1.2;
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    #https://scotthelme.co.uk/doing-the-chacha-with-nginx/
    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH DHE-RSA-CHACHA20-POLY1305 EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !SEED !CAMELLIA";

    #https://wiki.mozilla.org/Security/Server_Side_TLS
    #ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";  
    ssl_ecdh_curve secp384r1; # Specifies a curve for ECDHE ciphers.
    #ssl_ecdh_curve prime256v1:secp384r1; # openssl version >= 1.0.2
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets on;
    ssl_session_ticket_key /etc/nginx/ssl/ticket.key; # 48-byte key generated above with openssl rand

    #OCSP Stapling Configuration
    ssl_stapling on;
    ssl_stapling_verify on; # Enables verification of OCSP responses by the server
    #Let's Encrypt Root and Intermediate Certificates
    ssl_trusted_certificate /etc/nginx/ssl/letsencrypt-ca-cert.pem;

    # Google DNS, Open DNS, Dyn DNS
    resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 216.146.35.35 216.146.36.36 valid=300s;
    resolver_timeout 5s;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Content-Security-Policy "default-src 'self'"; # 'self' must be quoted, otherwise it is read as a host named self
    add_header X-Content-Type-Options "nosniff" always;
    # DENY、SAMEORIGIN、ALLOW-FROM https://example.com/;
    add_header X-Frame-Options "DENY";
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Public-Key-Pins 'pin-sha256="iUUgoZuZgkGIbQ9x1lUQbvCJh+87iT1avjyzKKu7K3k=";pin-sha256="F2gQEUpXylr1jmAr6f9WNlFAMxORt597saJMqGCcoks="; max-age=2592000; includeSubDomains';

    #if ($scheme = http) {
    #    return 301 https://$host$request_uri;
    #}

    #http://nginx.org/en/docs/http/ngx_http_stub_status_module.html
    location /nginx_status {
        stub_status on;
        access_log off;
        #allow xxx.xxx.xxx.xxx; # allowed accessing IP
        allow 127.0.0.1;
        deny all;
    }

    #check file exists or not
    #http://nginx.org/en/docs/http/ngx_http_core_module.html#try_files
    #http://stackoverflow.com/questions/17798457/how-can-i-make-this-try-files-directive-work#17800131
    #location / {
    #    try_files $uri $uri/ =404;
    #}

    # Disable unwanted HTTP methods
    # 405 A request was made of a resource using a request method not supported by that resource;
    if ($request_method !~ ^(GET|HEAD|POST)$ )
    {
        return 405;
    }

    # Deny Certain User-Agents or Bots:
    if ($http_user_agent ~* LWP::Simple|wget|curl|libwww-perl) {
        return 403;
    }

    if ($http_user_agent ~ (msnbot|Purebot|Baiduspider|Lipperhey|Mail.Ru|scrapbot) ) {
        return 403;
    }

    # Blocking Referral Spam
    #if ( $http_referer ~* (jewelry|viagra|nude|girl|nudit|casino|poker|porn|sex|teen|babes) ) {
    # return 403;
    # }

    #  Stop Hotlinking 防盜鏈
    # location ~ \.(gif|png|jpe?g)$ {
    #     valid_referers none blocked example.com *.example.com;
    #     if ($invalid_referer) {
    #         return   403;
    #     }
    # }

    # Deny execution of scripts
    # deny scripts inside writable directories
    # location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
    #     return 403;
    #     error_page 403 /403_error.html;
    # }

    # file cache
    # location ~* \.(woff|eot|ttf|svg|mp4|webm|jpg|jpeg|png|gif|bmp|ico|css|js)$ {
    #     expires 365d;
    #     log_not_found off;
    #     access_log off;
    # }
    # location ~ ^/favicon\.ico$ {
    #     root /usr/share/nginx/html;
    # }

}

After the Nginx configuration has been modified, run the following

#check the configuration file for syntax errors
nginx -t

#reload the Nginx configuration so the changes take effect
nginx -s reload

Firewall Setting

Firewall rule setup

iptables

List the existing rules with

sudo iptables --line-numbers -nL

Insert the rules before the line containing reject-with icmp-host-prohibited; here that line is assumed to be rule 5 of the INPUT chain.

#input rule
sudo iptables -t filter -I INPUT 5 -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT

#output rule
sudo iptables -t filter -I OUTPUT -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT

#simple block DDoS
#sudo iptables -t filter -I INPUT 5 -p tcp -m multiport --dports 80,443 -m connlimit --connlimit-upto 5 -m limit --limit 10/minute --limit-burst 100 -m state --state NEW,ESTABLISHED -j ACCEPT

After adding the rules, run

sudo service iptables save

to save the current rules to /etc/sysconfig/iptables

Nginx Security Check

Refresh the browser; if the page is automatically redirected to https, the SSL certificate is configured correctly. SSL security can be checked with the following tools
* SSL Decoder
* Analyse your HTTP response headers
* SSL Server Test

Snapshots

SSL Test

SSL Decoder

Browser Viewing

Reference

HTTP Public Key Pinning

iptables

Change Logs

  • 2016.12.23 01:37 Fri Asia/Shanghai
    • Initial draft completed
  • 2016.12.28 09:04 Wed Asia/Shanghai
    • Added instructions for nginx -s signal
  • 2017.01.03 17:58 Tue Asia/Shanghai
    • Added iptables rules
  • 2017.01.06 14:19 Fri Asia/Shanghai
    • Tuned the ssl_ecdh_curve and ssl_ciphers directive parameters
  • 2017.07.18 09:16 Tue Asia/Shanghai
    • Added reference Modern TLS with Nginx and LetsEncrypt