Nginx SSL/TLS 配置教程:从 Let's Encrypt 证书生成到高级 HTTPS 配置
以下是一份完整的 Nginx SSL/TLS 配置指南,涵盖证书生成、基础配置、优化技巧和实战场景示例。
一、生成 Let's Encrypt 证书(Certbot)
1. 安装 Certbot
bash
# Ubuntu/Debian
sudo apt update
sudo apt install certbot python3-certbot-nginx
# CentOS/RHEL
sudo yum install epel-release
sudo yum install certbot python3-certbot-nginx2. 生成证书
单域名证书(自动配置Nginx)
bash
sudo certbot --nginx -d example.com多域名证书
bash
sudo certbot --nginx -d example.com -d www.example.com泛域名证书(需DNS验证)
bash
sudo certbot certonly --manual --preferred-challenges=dns -d *.example.comWebroot模式(Nginx运行时)
bash
sudo certbot certonly --webroot -w /var/www/html -d example.com3. 自动续期
bash
# 测试续期
sudo certbot renew --dry-run
# 添加定时任务(每月续期)
sudo crontab -e
# 添加行:
0 3 * * * /usr/bin/certbot renew --quiet二、Nginx HTTPS 基础配置
1. 基本 SSL 配置模板
nginx
server {
listen 443 ssl http2;
server_name example.com;
# 证书路径
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# 协议配置
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# 密码套件
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
# 会话缓存
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
# 其他安全头
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
# 网站根目录
root /var/www/html;
index index.html;
}三、场景化配置示例
1. 单域名配置
nginx
server {
listen 80;
server_name example.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name example.com;
# ... SSL配置同上 ...
}2. 多域名配置
nginx
# 主域名
server {
listen 443 ssl http2;
server_name example.com;
ssl_certificate /path/to/example.com/fullchain.pem;
ssl_certificate_key /path/to/example.com/privkey.pem;
# ...
}
# 子域名
server {
listen 443 ssl http2;
server_name blog.example.com;
ssl_certificate /path/to/blog.example.com/fullchain.pem;
ssl_certificate_key /path/to/blog.example.com/privkey.pem;
# ...
}3. 泛域名配置
nginx
server {
listen 443 ssl http2;
server_name *.example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# ...
}四、高级优化配置
1. OCSP Stapling(提升SSL握手速度)
nginx
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
resolver 8.8.8.8 8.8.4.4 valid=300s;2. 会话恢复(减少TLS握手)
nginx
ssl_session_tickets on;
ssl_session_timeout 1d;3. 安全增强配置
nginx
# 禁用弱加密算法
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_ecdh_curve secp384r1;
# 启用TLS 1.3 0-RTT(谨慎使用)
ssl_early_data on;五、安全检测与调试
1. 测试命令
bash
# 检查配置语法
sudo nginx -t
# SSL检测(Qualys SSL Labs)
openssl s_client -connect example.com:443 -servername example.com -tlsextdebug 2>&1 | grep -i "certificate\|protocol"2. 日志分析
nginx
error_log /var/log/nginx/ssl_error.log debug;六、常见问题处理
1. 证书续期失败
- 检查Nginx配置是否占用80/443端口
- 验证DNS解析是否正确
- 确保
.well-known目录可访问
2. 混合内容问题
- 使用浏览器开发者工具检查
Mixed Content警告 - 将所有HTTP资源替换为HTTPS
3. 配置错误排查
bash
# 查看SSL握手详情
openssl s_client -connect example.com:443 -status建议定期使用 SSL Labs Test 检测服务器安全性。