2025-02-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
When I set up my personal blog I read a few articles on applying for free certificates and browsed some blogs that already use HTTPS. HTTPS is much more secure than plain HTTP: at the very least it greatly reduces the traffic hijacking that is very common in China, because an on-path party can no longer read or rewrite the pages. With some spare time on my hands, I decided to try upgrading my personal blog to HTTPS.
To use HTTPS you first need a certificate for the blog's domain. Many certificate authorities, at home and abroad, charge for this; for a personal blog the free Let's Encrypt is recommended. The application process is fairly simple using the official automation script (certbot-auto, which the Certbot project has since deprecated in favour of the distribution's certbot package or the snap; the certbot command takes the same flags as used below):
1. Configure the git environment:
# yum install git
2. Download the automation script locally:
# git clone https://github.com/certbot/certbot
# cd certbot
3. Generate the certificate:
# ./certbot-auto certonly --standalone --email loryxxx@hotmail.com -d iorisun.com -d www.iorisun.com
The script first lists the software packages it is going to install. The installation must be confirmed manually by entering Y, and the Let's Encrypt subscriber agreement must be accepted by entering A.
Note: while applying, the validation port must be open in the firewall. The standalone plugin starts its own temporary web server to answer the domain-validation challenge; at the time this was done over port 443 (the tls-sni-01 challenge, since withdrawn), so the https service was opened:
# firewall-cmd --permanent --zone=public --add-service=https
# firewall-cmd --reload
Current Certbot validates standalone requests with the HTTP-01 challenge on port 80, so open the http service (--add-service=http) the same way and make sure port 80 is reachable from the internet, not just from your own network.
After the request succeeds, certbot prints the paths under which the certificate and chain have been saved. You can view them with the tree command:
# tree /etc/letsencrypt/live/
The directory /etc/letsencrypt/live/iorisun.com/ holds symlinks to the current cert.pem, chain.pem, fullchain.pem and privkey.pem; the nginx configuration further down references fullchain.pem, privkey.pem and chain.pem from there.
4. Modify the nginx configuration file
# vim /etc/nginx/conf.d/default.conf
Add the SSL parameters to the nginx server block and redirect HTTP to HTTPS. The complete server block is listed under "Optimize HTTPS security" below; modify and add the directives shown there. (To keep the home page unchanged after the nginx upgrade, it is best to list index.php first in the index directive: nginx serves the first file in that list that exists.)
After restarting nginx, you should see the green lock when you open the website.
5. Set up automatic certificate renewal
Let's Encrypt certificates are valid for only 90 days and must be renewed regularly.
Create a scheduled task in /etc/crontab that renews every 2 months, at 02:00 on the 15th of January, March, May, July, September and November:
0 2 15 */2 * root /root/certbot/certbot-auto renew --standalone --pre-hook "service nginx stop" --post-hook "service nginx start" --force-renewal
Alternatively, run ./certbot-auto renew -v by hand (note: stop nginx first, otherwise the standalone server cannot bind to the port and certbot reports an error).
Caveat: --force-renewal renews even when the certificate is nowhere near expiry, which counts against Let's Encrypt's duplicate-certificate rate limit, and if the job ever fails there is no retry until the next run two months later. Without that flag, certbot renew is a no-op until a certificate is within 30 days of expiry, so it can be run daily without cost; a daily job using the webroot authenticator (or the nginx plugin) with --deploy-hook reloading nginx avoids stopping the web server at all.
6. Change the blog's site address
Note: the image URLs must be changed from http to https at the same time (for example by updating them in the database); otherwise the pages load mixed content, browsers flag them as not secure and the lock icon disappears.
Optimize HTTPS security:
1. Generate dhparam.pem
# cd /etc/ssl/certs/
# openssl dhparam -out dhparam.pem 2048
(2048 bits is the minimum worth deploying for the DHE cipher suites below; generating the parameters can take several minutes.)
2. Generate the HTTP Public Key Pinning hashes (https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning)
Caveat: HPKP has since been deprecated and removed from all major browsers (Chrome dropped it in version 72), so the Public-Key-Pins header configured below is ignored by current clients. It was also an easy way to lock your own users out: the first pin below is the SPKI hash of privkey.pem, and certbot generates a fresh private key on every renewal unless --reuse-key is given, so after a renewal that pin no longer matches and any browser that cached the header would refuse the site until max-age ran out. That is why RFC 7469 requires a backup pin that is not in the current chain. The Let's Encrypt Authority X3/X4 intermediates and the DST Root CA X3 that appear in the output have also been retired since, so the pin values shown are historical.
# cd /etc/letsencrypt/live/iorisun.com/
# openssl rsa -in privkey.pem -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
writing RSA key
9rcncxVnzws62MPkX5nUJPKs5jAGAhnxeqANv0Hx7Vo=
Or read the public key from the live site instead of from the private key (stdin is redirected from /dev/null so that s_client exits after the handshake instead of waiting for input); the value matches, confirming that the served leaf certificate uses that key:
# openssl s_client -servername www.iorisun.com -connect www.iorisun.com:443 </dev/null | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = iorisun.com
verify return:1
writing RSA key
9rcncxVnzws62MPkX5nUJPKs5jAGAhnxeqANv0Hx7Vo=
The second pin is the intermediate CA's key, taken from chain.pem:
# openssl x509 -in chain.pem -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
writing RSA key
YLh2dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
Generate the backup pin from the official standby intermediate (Let's Encrypt Authority X4):
# curl https://letsencrypt.org/certs/lets-encrypt-x4-cross-signed.pem | openssl x509 -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64
sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis=
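As an added example that is not part of the original post, the script below wraps the same openssl pipelines in two functions and adds the check a practitioner wants before shipping a Public-Key-Pins header: the pin derived from privkey.pem must equal the one derived from the certificate, and, per RFC 7469, the header must contain at least one pin that matches the served chain plus at least one backup pin that matches none of it. It assumes the chain is supplied as separate PEM files (for example cert.pem and chain.pem from the live directory) and needs only openssl, grep and sed.

```shell
#!/bin/sh
# Added example: HPKP pin helpers and a header sanity check. Not from the
# original post; it mirrors the post's openssl pipelines.
set -eu

# SPKI SHA-256 pin (RFC 7469) of the public key in a PEM certificate:
# base64(sha256(DER SubjectPublicKeyInfo)).
cert_pin() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary \
        | openssl base64
}

# The same pin computed from the private key; it must equal cert_pin of the
# certificate issued for that key, otherwise the wrong key is being pinned.
key_pin() {
    openssl pkey -in "$1" -pubout -outform der \
        | openssl dgst -sha256 -binary \
        | openssl base64
}

# Print the pin-sha256 values of a Public-Key-Pins header value, one per line.
header_pins() {
    printf '%s\n' "$1" | grep -o 'pin-sha256="[^"]*"' | sed 's/^pin-sha256="//; s/"$//'
}

# hpkp_check HEADER CERT... : returns 0 only if HEADER carries at least one
# pin matching one of the given chain certificates AND at least one pin that
# matches none of them (the backup pin RFC 7469 requires; browsers that
# enforced HPKP discarded a header without one).
hpkp_check() {
    header=$1
    shift
    matched=0
    backup=0
    for pin in $(header_pins "$header"); do
        hit=0
        for cert in "$@"; do
            if [ "$(cert_pin "$cert")" = "$pin" ]; then
                hit=1
            fi
        done
        if [ "$hit" -eq 1 ]; then matched=1; else backup=1; fi
    done
    if [ "$matched" -eq 1 ] && [ "$backup" -eq 1 ]; then
        return 0
    fi
    return 1
}

# Usage: hpkp-check.sh 'pin-sha256="..."; pin-sha256="..."; max-age=2592000' cert.pem chain.pem
if [ "$#" -ge 2 ]; then
    if hpkp_check "$@"; then
        echo "header has a pin matching the chain and a backup pin"
    else
        echo "header would be rejected or lock users out: check the pins" >&2
        exit 1
    fi
fi
```

Running hpkp_check against cert.pem and chain.pem with the header from the nginx configuration is the test to repeat after every certificate renewal; if the leaf key was regenerated, the first pin no longer matches and the check tells you before browsers do.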
3. Modify the nginx configuration file:
# vim /etc/nginx/conf.d/default.conf
server {
    listen 80;
    listen 443 ssl http2;
    server_name www.iorisun.com iorisun.com;
    root /usr/share/nginx/html/;
    index index.html index.php index.htm;
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }
    ssl_certificate /etc/letsencrypt/live/iorisun.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/iorisun.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/iorisun.com/chain.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    server_tokens off;
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout 10s;
    fastcgi_hide_header X-Powered-By;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header Public-Key-Pins 'pin-sha256="9rcncxVnzws62MPkX5nUJPKs5jAGAhnxeqANv0Hx7Vo="; pin-sha256="YLh2dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis="; max-age=2592000; includeSubDomains';
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
}
(The page's copy of the server block ends at the nosniff header; the rest of the block, such as the PHP location, is not shown. The cipher list is the one from the raymii.org tutorial cited under References, reconstructed here where the page's copy was garbled.)
A few of these settings deserve a second look before copying them. ssl_protocols still enables TLS 1.0 and 1.1, which have been deprecated (RFC 8996) and cap the SSL Labs grade; on a current nginx/OpenSSL restrict it to TLSv1.2 TLSv1.3. The Public-Key-Pins header is ignored by current browsers and, as noted under step 2, could lock users out after a key rotation, so leave it out. The HSTS header is a commitment: with a two-year max-age, includeSubDomains and preload, every subdomain must keep serving valid HTTPS for that long, and once the domain is submitted to the preload list removal takes months. ssl_stapling needs the resolver line (Google public DNS here) to reach the OCSP responder, and the redirect via if ($scheme = http) works only because ports 80 and 443 share this one server block.
Once configured, test the site's TLS setup and rating at https://www.ssllabs.com/ssltest/
References:
https://blog.kuoruan.com/71.html
https://imququ.com/post/http-public-key-pinning.html
https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
https://ithenrik.com/blog/posts/activating-http-public-key-pinning-hpkp-on-lets-encrypt