This post covers how to configure an SSL certificate for Nginx and how to raise its security grade to A+ by setting the relevant Nginx directives. Kernel parameter tuning is not covered here; see my post LEMP Installation and Nginx Optimization for that.

Preparation

Preparation covers getting a VPS host, initial setup, and installing Nginx through the package manager.

VPS Host

All operations in this post are performed on a Digital Ocean VPS.

item detail
OS Version CentOS Linux release 7.3.1611 (Core)
Kernel Version 3.10.0-514.2.2.el7.x86_64

The IP address and domain name are as follows.

item detail
IP Address 138.197.80.35
Test Domain lemptest.tech

Initial setup includes:

  • Update the system
  • Reboot, then remove the old kernels
  • Install the Vim editor
  • Change the time zone and install the chrony service to synchronise the clock over the network

Nginx Installation

Nginx is installed with a shell script, which has been uploaded to GitHub as autoInstallNginxWebServerViaPackageManager.sh

Run the following command to install it (review the script first, since curl | bash executes whatever is downloaded)

curl -s https://raw.githubusercontent.com/LempStacker/personalShellScriptCollection/master/shellScripts/autoInstallNginxWebServerViaPackageManager.sh | bash

After installation, start the Nginx service

# Start the service
systemctl start nginx
# Enable it at boot
systemctl enable nginx

Operations such as stopping the Nginx service or reloading its configuration file can be performed with nginx -s signal; see the official documentation Starting, Stopping, and Reloading Configuration. The specific commands are:

# fast shutdown
sudo nginx -s stop
# graceful shutdown (recommended)
sudo nginx -s quit
# reload the configuration file
sudo nginx -s reload
# reopen the log files
sudo nginx -s reopen

Nginx Info

Information about the installed Nginx

Run the following commands to query the Nginx package

# Package information
rpm -qi nginx
# Files installed by the package
rpm -ql nginx
# Configuration files
rpm -qc nginx
# Documentation (man pages)
rpm -qd nginx
# Library dependencies
rpm -qR nginx

Run the following commands to show the exact Nginx version

# via nginx -v (the version is printed on stderr, hence 2>&1)
sudo nginx -v 2>&1 | awk -v FS='/' '{print $NF}'
sudo nginx -v 2>&1 | sed -r -n 's@.*/(.*)@\1@p'
# via nginx -V (the version is on the first line, hence exit / 1 s)
sudo nginx -V 2>&1 | awk -v FS='/' '{print $NF;exit}'
sudo nginx -V 2>&1 | sed -r -n '1 s@.*/(.*)@\1@p'
# - Bash 4+ (|& pipes stderr together with stdout)
sudo nginx -v |& awk -v FS='/' '{print $NF}'
sudo nginx -v |& sed -r -n 's@.*/(.*)@\1@p'
sudo nginx -V |& awk -v FS='/' '{print $NF;exit}'
sudo nginx -V |& sed -r -n '1 s@.*/(.*)@\1@p'

Run the following command to locate the Nginx configuration file

sudo nginx -V 2>&1 | sed -r -n 's@.*conf-path=(.*) --error.*@\1@p'

This installation of Nginx:

  • version 1.10.2;
  • configuration file /etc/nginx/nginx.conf;
  • web root /usr/share/nginx/html;

Certificate-related files are kept in the directory /etc/nginx/ssl/; create it with

[[ ! -d /etc/nginx/ssl ]] && mkdir -pv /etc/nginx/ssl

Generating SSL Certificate

Use Let’s Encrypt to obtain a free SSL certificate; for easier deployment, use certbot to generate it. On CentOS, certbot depends on EPEL, so epel-release must be installed first.

Automatically enable HTTPS on your website with EFF’s Certbot, deploying Let’s Encrypt certificates. – https://certbot.eff.org/

Run the following commands to install epel and certbot

yum install -y epel-release
yum install -y certbot

certbot uses the Webroot plugin to generate the certificate; Nginx's default web root is /usr/share/nginx/html, so the command takes the following form

certbot certonly --webroot -w /usr/share/nginx/html -d lemptest.tech -d www.lemptest.tech -d gitlab.lemptest.tech

Parameters

  • certonly Obtain cert, but do not install it (aka “auth”)
  • --webroot Place files in a server’s webroot folder for authentication
  • -d domain Specifies the domain name; several can be given at once

After running the command a dialog appears.

Fill it in according to your situation. Once the SSL certificate has been generated successfully, the following message appears

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/lemptest.tech/fullchain.pem. Your cert will
    expire on 2017-03-22. To obtain a new or tweaked version of this
    certificate in the future, simply run certbot again. To
    non-interactively renew all of your certificates, run “certbot
    renew”
  • If you lose your account credentials, you can recover through
    e-mails sent to [email protected]
  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.
  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

According to the message, the certificate directory is

/etc/letsencrypt/live/lemptest.tech/

It contains 4 files, all of them symbolic links

lrwxrwxrwx 1 root root 37 Dec 22 23:43 cert.pem -> ../../archive/lemptest.tech/cert1.pem
lrwxrwxrwx 1 root root 38 Dec 22 23:43 chain.pem -> ../../archive/lemptest.tech/chain1.pem
lrwxrwxrwx 1 root root 42 Dec 22 23:43 fullchain.pem -> ../../archive/lemptest.tech/fullchain1.pem
lrwxrwxrwx 1 root root 40 Dec 22 23:43 privkey.pem -> ../../archive/lemptest.tech/privkey1.pem

File descriptions

  • fullchain.pem cert.pem and chain.pem concatenated
  • cert.pem the domain certificate
  • privkey.pem the certificate's private key
  • chain.pem the Let’s Encrypt chain (intermediate) certificate

When configuring Nginx, the files fullchain.pem and privkey.pem are used, in the following form

ssl_certificate /etc/letsencrypt/live/lemptest.tech/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/lemptest.tech/privkey.pem;

The file cert.pem is used when setting up HTTP Public Key Pinning (HPKP)

Security Optimization

The following operations raise the security level of Nginx

OCSP Stapling Configuration

OCSP stapling is a TLS/SSL extension which aims to improve the performance of SSL negotiation while maintaining visitor privacy.

OCSP (Online Certificate Status Protocol) is a protocol for checking if a SSL certificate has been revoked. It was created as an alternative to CRL to reduce the SSL negotiation time. With CRL (Certificate Revocation List) the browser downloads a list of revoked certificate serial numbers and verifies the current certificate, which increases the SSL negotiation time. In OCSP the browser sends a request to a OCSP URL and receives a response containing the validity status of the certificate.

The procedure follows How To Configure OCSP Stapling on Apache and Nginx. It needs the root CA and intermediate CA certificates, and since the certificate here was issued by Let’s Encrypt, we need Let's Encrypt's root and intermediate certificates.

The following information was obtained from the relevant page on the Let's Encrypt website

# Let's Encrypt Root and Intermediate Certificates
#Active Root Certificates (ISRG Root X1)
https://letsencrypt.org/certs/isrgrootx1.pem
#Active Intermediate Certificates
#Let’s Encrypt Authority X3 (IdenTrust cross-signed)
https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem

Both files are needed to build the trusted-certificate bundle; here the resulting file is named

/etc/nginx/ssl/letsencrypt-ca-cert.pem

Run the following commands to build it

[[ ! -d /etc/nginx/ssl ]] && mkdir -pv /etc/nginx/ssl
# -O with a single file name writes both downloads (root, then intermediate) into that file;
# overwriting rather than appending keeps re-runs from duplicating the certificates
wget -q -O /etc/nginx/ssl/letsencrypt-ca-cert.pem https://letsencrypt.org/certs/isrgrootx1.pem https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem

Once the bundle is built, add the following to the Nginx server block

#OCSP Stapling Configuration
ssl_stapling on;
ssl_stapling_verify on; # Enables verification of OCSP responses by the server
#Let's Encrypt Root and Intermediate Certificates
ssl_trusted_certificate /etc/nginx/ssl/letsencrypt-ca-cert.pem;

Then run

nginx -t && nginx -s reload

After Nginx has reloaded its configuration, run the following command to check that OCSP stapling is working (nginx fetches the OCSP response lazily, so the very first connection after a reload may still show no response; run the check twice)

echo QUIT | openssl s_client -connect lemptest.tech:443 -status 2> /dev/null | sed -r -n '/^OCSP response/,/Next Update/p'

Here is the test run

[email protected]:~$ echo QUIT | openssl s_client -connect lemptest.tech:443 -status 2> /dev/null | sed -r -n '/^OCSP response/,/Next Update/p'
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Produced At: Dec 22 15:43:00 2016 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
Serial Number: 0386FC395B849992E157BDE69E3203C532BA
Cert Status: good
This Update: Dec 22 15:00:00 2016 GMT
Next Update: Dec 29 15:00:00 2016 GMT
[email protected]:~$
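As a check on output like the above, here is an added example (not from the original post) that parses the s_client OCSP dump and decides whether the stapled response is usable: present, successful, status good, and current at the time of the check. The sample text is constructed from the run shown above; the "no response sent" line is what s_client prints when nothing is stapled.

```python
import re
from datetime import datetime

# Sample text, constructed from the `openssl s_client -status` run shown above.
STAPLED_OK = """OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Dec 22 15:00:00 2016 GMT
    Next Update: Dec 29 15:00:00 2016 GMT
"""

# What s_client prints when the server staples nothing (ssl_stapling off, or the
# very first connection after a reload, before nginx has fetched a response).
NOT_STAPLED = "OCSP response: no response sent\n"

_FIELD = re.compile(
    r"^\s*(OCSP Response Status|Cert Status|This Update|Next Update):\s*(.+?)\s*$",
    re.MULTILINE,
)
_OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"   # e.g. "Dec 22 15:00:00 2016 GMT"


def parse_ocsp(text):
    """Pick the fields that matter out of the s_client dump; {} when nothing was stapled."""
    return dict(_FIELD.findall(text))


def stapling_ok(text, now_utc_iso):
    """True only if a stapled response is present, successful, says 'good', and is
    current at `now_utc_iso` (an ISO 8601 timestamp in UTC, e.g. "2016-12-25T00:00:00")."""
    fields = parse_ocsp(text)
    if not fields.get("OCSP Response Status", "").startswith("successful"):
        return False          # also covers 'no response sent': no fields at all
    if fields.get("Cert Status") != "good":
        return False          # 'revoked' or 'unknown' must never pass
    try:
        this_update = datetime.strptime(fields["This Update"], _OPENSSL_TIME)
        next_update = datetime.strptime(fields["Next Update"], _OPENSSL_TIME)
    except (KeyError, ValueError):
        return False          # a response without a validity window is not trustworthy
    now = datetime.fromisoformat(now_utc_iso)
    return this_update <= now <= next_update
```

Feed it the real output with `openssl s_client ... -status 2>/dev/null | python3 -c '...'` and the current time to turn the manual check above into a monitoring probe.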

HTTP Public Key Pinning (HPKP)

For HTTP Public Key Pinning, Raymii's blog post HTTP Public Key Pinning Extension HPKP for Apache, NGINX and Lighttpd is recommended reading

After reading the following blog posts and testing, the Let's Encrypt-generated file needed for this feature is

/etc/letsencrypt/live/lemptest.tech/cert.pem

Step 1 Add Existing Certificate

Add the existing SSL certificate, i.e.

/etc/letsencrypt/live/lemptest.tech/cert.pem

Run the following to produce the base64 pin string. There are two methods; I recommend the second, which produces the required string directly.

# Method 1: writes a temporary public key file
openssl x509 -noout -in /etc/letsencrypt/live/lemptest.tech/cert.pem -pubkey | openssl asn1parse -noout -inform pem -out /tmp/public.key
openssl dgst -sha256 -binary /tmp/public.key | openssl enc -base64
rm -f /tmp/public.key
# Method 2: produces the base64 string directly
# (SHA-256 over the DER-encoded SubjectPublicKeyInfo, then base64)
openssl x509 -noout -pubkey < /etc/letsencrypt/live/lemptest.tech/cert.pem | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64

The first base64 string produced here is

iUUgoZuZgkGIbQ9x1lUQbvCJh+87iT1avjyzKKu7K3k=

Step 2 Creating A Backup CSR

Generate a backup key and CSR of your own (keep the backup private key offline; it is the recovery path if the pinned live key is ever lost)

# Generate a 4096-bit backup RSA key and a CSR for it
openssl genrsa -out /etc/nginx/ssl/lemptest.first.key 4096
openssl req -new -key /etc/nginx/ssl/lemptest.first.key -sha256 -out /etc/nginx/ssl/lemptest.first.csr
# Pin for the backup key, computed from the CSR's public key the same way as Method 2
openssl req -noout -pubkey < /etc/nginx/ssl/lemptest.first.csr | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64

When generating the .csr file the following prompts appear; answer them according to your situation

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:LempTest
Organizational Unit Name (eg, section) []:LempTest
Common Name (eg, your name or your server's hostname) []:lemptest.tech
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The second base64 string produced here is

F2gQEUpXylr1jmAr6f9WNlFAMxORt597saJMqGCcoks=

Add the following directive to Nginx (for max-age seconds a browser that has seen this header will refuse the site unless one of the pinned keys is presented, which is why the backup pin matters)

add_header Public-Key-Pins 'pin-sha256="iUUgoZuZgkGIbQ9x1lUQbvCJh+87iT1avjyzKKu7K3k=";pin-sha256="F2gQEUpXylr1jmAr6f9WNlFAMxORt597saJMqGCcoks="; max-age=2592000; includeSubDomains';
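Both pins above come from the same computation: SHA-256 over the DER-encoded SubjectPublicKeyInfo, base64-encoded. As an added example (not from the original post), the following stdlib-only Python reproduces Method 2 on the PEM block that openssl x509 -noout -pubkey or openssl req -noout -pubkey prints, and assembles the Public-Key-Pins value while enforcing the two-pin rule. SAMPLE_PEM is a constructed placeholder, not a real key.

```python
import base64
import hashlib


def spki_pin(pem_public_key):
    """HPKP pin: base64(SHA-256(DER SubjectPublicKeyInfo)).

    The body of a PEM "PUBLIC KEY" block *is* the DER SPKI, so decoding it yields
    exactly the bytes that `openssl pkey -pubin -outform der` emits in Method 2.
    """
    body, inside = [], False
    for line in pem_public_key.splitlines():
        line = line.strip()
        if line == "-----BEGIN PUBLIC KEY-----":
            inside = True
        elif line == "-----END PUBLIC KEY-----":
            break
        elif inside and line:
            body.append(line)
    if not inside or not body:
        raise ValueError("no PEM PUBLIC KEY block found")
    der = base64.b64decode("".join(body), validate=True)
    return base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")


def public_key_pins_header(pins, max_age=2592000, include_subdomains=True):
    """Build the Public-Key-Pins value for add_header, enforcing what the pinning
    relies on: at least two distinct pins (live key plus backup) that are real
    base64 SHA-256 digests."""
    unique = list(dict.fromkeys(pins))  # de-duplicate, keep order
    if len(unique) < 2:
        raise ValueError("HPKP needs at least two pins: the deployed key and a backup")
    for pin in unique:
        if len(base64.b64decode(pin, validate=True)) != 32:
            raise ValueError("not a base64 SHA-256 digest: %r" % pin)
    parts = ['pin-sha256="%s"' % p for p in unique] + ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "; ".join(parts)


# Constructed placeholder: a PEM whose body decodes to the bytes b"abc", not a real
# key; it lets the pipeline be checked against the well-known SHA-256 of "abc".
SAMPLE_PEM = "-----BEGIN PUBLIC KEY-----\nYWJj\n-----END PUBLIC KEY-----\n"
```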

ssl_dhparam

Run the following commands

[[ ! -d /etc/nginx/ssl ]] && mkdir -pv /etc/nginx/ssl
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096

This produces the file /etc/nginx/ssl/dhparam.pem

Generation takes a long time, from a few minutes to tens of minutes depending on the server.

Add the following directive to Nginx

ssl_dhparam /etc/nginx/ssl/dhparam.pem;

ssl_session_ticket_key

Run the following commands

[[ ! -d /etc/nginx/ssl ]] && mkdir -pv /etc/nginx/ssl
# 48 random bytes for the ticket key; the -out option must come before the byte count
openssl rand -out /etc/nginx/ssl/ticket.key 48

This produces the file /etc/nginx/ssl/ticket.key (keep it readable by root only and rotate it periodically, since anyone holding it can decrypt the session tickets it protects)

Add the following directive to Nginx

ssl_session_ticket_key /etc/nginx/ssl/ticket.key;

Nginx Configuration

Before changing parameters in the Nginx configuration files, it is strongly recommended to back them up first

Run the following commands to back them up

cp -p /etc/nginx/nginx.conf{,.bak}
mv /etc/nginx/conf.d/default.conf{,.bak}

/etc/nginx/nginx.conf

user nginx;
# worker_processes 1 or N or auto
worker_processes 2;
worker_rlimit_nofile 65536;
pid /var/run/nginx.pid;
events {
worker_connections 65536;
use epoll;
multi_accept on;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
charset utf-8;
server_tokens off; # hide the version in headers and error pages
autoindex off; # do not list directory contents (default off)
sendfile on;
tcp_nopush on;
tcp_nodelay on;
# [debug|info|notice|warn|error|crit|alert|emerg]
error_log /var/log/nginx/error.log warn;
access_log /var/log/nginx/access.log combined if=$loggable;
#Conditional Logging
map $status $loggable {
~^[23] 0;
default 1;
}
#log_format name string ...; default combined "...";
log_format compression '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" "$gzip_ratio"';
# Concurrency Connections
# http://nginx.org/en/docs/http/ngx_http_limit_conn_module.html
# limit_conn_zone $binary_remote_addr zone=addr:10m;
limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name zone=perserver:10m;
# limit_conn perip 40;
# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
#Keep Alive
keepalive_timeout 50;
keepalive_requests 100000;
#Timeouts
client_header_timeout 3m;
client_body_timeout 3m;
send_timeout 60s;
#Buffer Size
client_body_buffer_size 128k;
client_max_body_size 2m;
client_header_buffer_size 1k;
large_client_header_buffers 4 4k;
output_buffers 1 32k;
postpone_output 1460;
#Close connection on Missing Client Response
reset_timedout_connection on;
#Static Asset Serving
open_file_cache max=1000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 5;
open_file_cache_errors off;
# gzip compression
gzip on;
gzip_vary on;
gzip_comp_level 5;
gzip_buffers 16 8k;
gzip_min_length 1000;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/css application/javascript application/x-javascript text/javascript text/plain text/xml application/json application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/xml font/eot font/opentype font/otf image/svg+xml image/vnd.microsoft.icon;
gzip_disable "MSIE [1-6]\.";
gzip_static on;
#http proxy
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
include /etc/nginx/conf.d/*.conf;
}

/etc/nginx/conf.d/ssl.conf

# redirect http to https
server {
listen 80;
server_name lemptest.tech;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl default_server;
server_name lemptest.tech;
#access_log /var/log/nginx/log/host.access.log main;
root /usr/share/nginx/html;
ssl_certificate /etc/letsencrypt/live/lemptest.tech/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/lemptest.tech/privkey.pem;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_protocols TLSv1.2;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
#https://scotthelme.co.uk/doing-the-chacha-with-nginx/
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH DHE-RSA-CHACHA20-POLY1305 EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !SEED !CAMELLIA";
#https://wiki.mozilla.org/Security/Server_Side_TLS
#ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
ssl_ecdh_curve secp384r1; # Specifies a curve for ECDHE ciphers.
#ssl_ecdh_curve prime256v1:secp384r1; # openssl version >= 1.0.2
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets on;
ssl_session_ticket_key /etc/nginx/ssl/ticket.key; # key file generated above with openssl rand
#OCSP Stapling Configuration
ssl_stapling on;
ssl_stapling_verify on; # Enables verification of OCSP responses by the server
#Let's Encrypt Root and Intermediate Certificates
ssl_trusted_certificate /etc/nginx/ssl/letsencrypt-ca-cert.pem;
# Google DNS, Open DNS, Dyn DNS
resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 216.146.35.35 216.146.36.36 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
# 'self' must be quoted inside the CSP value; an unquoted self is treated as a host name
add_header Content-Security-Policy "default-src 'self'";
add_header X-Content-Type-Options "nosniff" always;
# DENY、SAMEORIGIN、ALLOW-FROM https://example.com/;
add_header X-Frame-Options "DENY";
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Public-Key-Pins 'pin-sha256="iUUgoZuZgkGIbQ9x1lUQbvCJh+87iT1avjyzKKu7K3k=";pin-sha256="F2gQEUpXylr1jmAr6f9WNlFAMxORt597saJMqGCcoks="; max-age=2592000; includeSubDomains';
#if ($scheme = http) {
# return 301 https://$host$request_uri;
#}
#http://nginx.org/en/docs/http/ngx_http_stub_status_module.html
location /nginx_status {
stub_status on;
access_log off;
#allow xxx.xxx.xxx.xxx; # allowed accessing IP
allow 127.0.0.1;
deny all;
}
#check file exists or not
#http://nginx.org/en/docs/http/ngx_http_core_module.html#try_files
#http://stackoverflow.com/questions/17798457/how-can-i-make-this-try-files-directive-work#17800131
#location / {
# try_files $uri $uri/ =404;
#}
# Disable unwanted HTTP methods
# 405 A request was made of a resource using a request method not supported by that resource;
if ($request_method !~ ^(GET|HEAD|POST)$ )
{
return 405;
}
# Deny Certain User-Agents or Bots:
if ($http_user_agent ~* LWP::Simple|wget|curl|libwww-perl) {
return 403;
}
if ($http_user_agent ~ (msnbot|Purebot|Baiduspider|Lipperhey|Mail.Ru|scrapbot) ) {
return 403;
}
# Blocking Referral Spam
#if ( $http_referer ~* (jewelry|viagra|nude|girl|nudit|casino|poker|porn|sex|teen|babes) ) {
# return 403;
# }
# Stop hotlinking
# location ~ \.(gif|png|jpe?g)$ {
# valid_referers none blocked example.com *.example.com;
# if ($invalid_referer) {
# return 403;
# }
# }
# Deny execution of scripts
# deny scripts inside writable directories
# location ~* /(images|cache|media|logs|tmp)/.*.(php|pl|py|jsp|asp|sh|cgi)$ {
# return 403;
# error_page 403 /403_error.html;
# }
# file cache
# location ~* \.(woff|eot|ttf|svg|mp4|webm|jpg|jpeg|png|gif|bmp|ico|css|js)$ {
# expires 365d;
# log_not_found off;
# access_log off;
# }
# location ~ ^/favicon\.ico$ {
# root /usr/share/nginx/html;
# }
}

After the Nginx configuration files have been modified, run

# Check the configuration for syntax errors
nginx -t
# Reload the configuration so the changes take effect
nginx -s reload

Firewall Setting

Firewall rule settings

iptables

List the existing rules with

sudo iptables --line-numbers -nL

Insert the rules before the line containing reject-with icmp-host-prohibited; here that line is assumed to be rule 5 of the INPUT chain.

#input rule
sudo iptables -t filter -I INPUT 5 -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
#output rule
sudo iptables -t filter -I OUTPUT -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT
#simple block DDoS
#sudo iptables -t filter -I INPUT 5 -p tcp -m multiport --dports 80,443 -m connlimit --connlimit-upto 5 -m limit --limit 10/minute --limit-burst 100 -m state --state NEW,ESTABLISHED -j ACCEPT

After adding the rules, run

sudo service iptables save

which saves the current rules to /etc/sysconfig/iptables

Nginx Security Check

Refresh the browser; if the page is automatically redirected to https, the SSL certificate is configured correctly. The SSL security can be checked with the following tools

Snapshots

SSL Test

SSL Decoder

Browser Viewing

Reference

HTTP Public Key Pinning

iptables

Change Logs

  • 2016.12.23 01:37 Fri Asia/Shanghai
    • First draft completed
  • 2016.12.28 09:04 Wed Asia/Shanghai
    • Added the nginx -s signal instructions
  • 2017.01.03 17:58 Tue Asia/Shanghai
    • Added iptables rules
  • 2017.01.06 14:19 Fri Asia/Shanghai
    • Tuned the parameters of the ssl_ecdh_curve and ssl_ciphers directives
  • 2017.07.18 09:16 Tue Asia/Shanghai
    • Added reference Modern TLS with Nginx and LetsEncrypt