"Connection reset" error when installing a LetsEncrypt SSL certificate on Amazon Linux with Nginx + PHP-FPM

I haven't needed ServerFault for a while; I hope someone can help me. I am trying to secure a Laravel (PHP) application running on Amazon Linux with a free LetsEncrypt SSL certificate.

Using certbot-auto, I successfully generated the SSL certificate as follows:

./certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly -d example.com -d www.example.com

I also generated the dhparam file with this command:

openssl dhparam -dsaparam -out /etc/nginx/dhparam.pem 4096;

Here is my /etc/nginx/nginx.conf configuration:

user www-data;
worker_processes 1;
worker_rlimit_nofile 100000;
error_log /var/log/nginx/error.log crit;
pid /var/run/nginx.pid;

events
{
    worker_connections 1024;
    use epoll;
    multi_accept on;
}

http
{
    # SSL Security
    ssl_protocols TLSv1.3; # Requires nginx >= 1.13.0 else use TLSv1.2
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    # ... other settings omitted (nginx comments start with '#', not '//')

    # Load vHosts
    include /etc/nginx/conf.d/*.conf;
}

PS: I took the nginx security configuration from https://cipherli.st

Here is my server (virtual host) /etc/nginx/conf.d/example.com.conf configuration:

## Nginx php-fpm upstream
upstream php73-fpm {
    server localhost:9001 max_fails=3 fail_timeout=30;
    server localhost:9002 max_fails=3 fail_timeout=30;
}

## Redirect insecure traffic to secure site
server {
    listen 80;
    server_name example.com www.example.com;
    return 302 https://www.example.com$request_uri;
}

## Web Server Config
server
{
    ## Server info
    listen 443 default_server ssl;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    server_name example.com www.example.com;
    root /home/www-data/example/src/public;
    index index.html index.php;

    ## DocumentRoot setup
    location / {
        try_files $uri $uri/ /index.php?$query_string;
        expires 30d;
    }

    ## Disable .htaccess and other hidden files
    ## (regex match: a prefix match on "/." would only cover hidden files directly under the root)
    location ~ /\. {
        return 404;
    }

    ## Execute php scripts
    location ~ \.php$ {
        fastcgi_index index.php;
        fastcgi_pass php73-fpm;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_split_path_info ^(.+\.(?:php))(/.*)$;
        fastcgi_intercept_errors on;
        include fastcgi_params;
        try_files $uri =404;
        expires off;
    }
}

After setting all this up, I restarted nginx and php-fpm. When I visit my site, it fails to load in Chrome with the following error:

This site can’t be reached
The connection was reset.

I checked whether nginx is running, and it seems to be:

[root@server nginx]# service nginx status
nginx (pid  11781) is running...

[root@server nginx]# netstat -tlpn | grep nginx
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      11781/nginx         
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      11781/nginx         

I did not find any obvious errors in /var/log/nginx. Any ideas?

Answer 1

OK, I have managed to solve this myself.

It turns out that setting the TLS protocol to v1.3 only does not work, even though my nginx version is indeed > 1.13.0.

After some research, I found out why TLS v1.3 does not work on Amazon Linux. The OpenSSL version required for it is 1.1.1, while Amazon Linux ships OpenSSL 1.0.2k-fips 26 Jan 2017 (at the time of writing this answer).

Also, since I have ssl_stapling turned on, I had forgotten to point to a valid certificate file in my domain.com.conf.

After making the necessary changes, I tested with https://www.ssllabs.com/ssltest and got an A+ score, so this will do for now.

Here is my working configuration:

nginx.conf

user www-data;
worker_processes 1;
worker_rlimit_nofile 100000;
error_log /var/log/nginx/error.log crit;
pid /var/run/nginx.pid;

events
{
    worker_connections 1024;
    use epoll;
    multi_accept on;
}

http
{
    # SSL Security
    ssl_protocols TLSv1.2 TLSv1.3; # Requires nginx >= 1.13.0 else use TLSv1.2
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    # ... other http configs (nginx comments start with '#', not '//')
}

domain.com.conf

## Nginx php-fpm upstream
upstream php73-fpm {
    server localhost:9001 max_fails=3 fail_timeout=30;
    server localhost:9002 max_fails=3 fail_timeout=30;
}

## Redirect insecure traffic to secure site
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 302 https://www.example.com$request_uri;
}

## Web Server Config
server
{
    ## Server info
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    server_name example.com www.example.com;
    root /home/www-data/example/src/public;
    index index.html index.php;

    ## DocumentRoot setup
    location / {
        try_files $uri $uri/ /index.php?$query_string;
        expires 30d;
    }

    ## Disable .htaccess and other hidden files
    ## (regex match: a prefix match on "/." would only cover hidden files directly under the root)
    location ~ /\. {
        return 404;
    }

    ## Execute php scripts
    location ~ \.php$ {
        fastcgi_index index.php;
        fastcgi_pass php73-fpm;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_split_path_info ^(.+\.(?:php))(/.*)$;
        fastcgi_intercept_errors on;
        include fastcgi_params;
        try_files $uri =404;
        expires off;
    }
}
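The two misconfigurations behind the question's "connection reset" (a TLSv1.3-only ssl_protocols line on a host whose OpenSSL predates 1.1.1, and ssl_stapling on without ssl_trusted_certificate) are easy to lint for before reloading nginx. The following checker is an added example, not code from the question or the answer; the config strings and the OpenSSL banner are constructed from the post, and the function names are my own.

```python
import re

# Added example (not from the ServerFault post): lints nginx config text for
# the two settings that caused the "connection reset" on this page.
# Assumptions: the caller passes the raw text of nginx.conf and the vhost file
# plus the banner printed by `openssl version`; directive names are nginx's.

PROTO_RE = re.compile(r"^\s*ssl_protocols\s+([^;#]+);", re.M)
STAPLING_RE = re.compile(r"^\s*ssl_stapling\s+on\s*;", re.M)
TRUSTED_RE = re.compile(r"^\s*ssl_trusted_certificate\s+\S+\s*;", re.M)
OPENSSL_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def openssl_supports_tls13(banner):
    """True when the `openssl version` banner is 1.1.1 or newer."""
    m = OPENSSL_RE.search(banner)
    return bool(m) and tuple(int(g) for g in m.groups()) >= (1, 1, 1)


def lint_tls_config(nginx_conf, vhost_conf, openssl_banner):
    """Return a list of findings; an empty list means both checks pass."""
    text = nginx_conf + "\n" + vhost_conf
    findings = []
    protocols = set()
    for m in PROTO_RE.finditer(text):
        protocols.update(m.group(1).split())
    # Only TLSv1.3 enabled, but the linked OpenSSL cannot speak it: the server
    # has no protocol left to negotiate, so every handshake is torn down.
    if protocols == {"TLSv1.3"} and not openssl_supports_tls13(openssl_banner):
        findings.append("ssl_protocols allows only TLSv1.3 but OpenSSL < 1.1.1; add TLSv1.2")
    # Stapling verification needs the issuer chain from ssl_trusted_certificate.
    if STAPLING_RE.search(text) and not TRUSTED_RE.search(text):
        findings.append("ssl_stapling on without ssl_trusted_certificate")
    return findings


# Constructed sample inputs mirroring the post's broken and fixed configs.
BROKEN_HTTP = "http {\n    ssl_protocols TLSv1.3;# note\n    ssl_stapling on;\n}\n"
FIXED_HTTP = "http {\n    ssl_protocols TLSv1.2 TLSv1.3;\n    ssl_stapling on;\n}\n"
BROKEN_VHOST = "server {\n    listen 443 ssl;\n}\n"
FIXED_VHOST = ("server {\n    listen 443 ssl http2;\n"
               "    ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;\n}\n")
AMAZON_LINUX_OPENSSL = "OpenSSL 1.0.2k-fips  26 Jan 2017"  # version quoted in the answer

if __name__ == "__main__":
    for label, http, vhost in (("broken", BROKEN_HTTP, BROKEN_VHOST),
                               ("fixed", FIXED_HTTP, FIXED_VHOST)):
        print(label, lint_tls_config(http, vhost, AMAZON_LINUX_OPENSSL) or "OK")
```

On a live host, feed it the real files and the output of `openssl version`; note that nginx links against the system OpenSSL shown by `nginx -V`, which is what decides whether TLSv1.3 is available.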
