
Nginx Reverse Proxy HTTPS Configuration: Encrypting Site Traffic

ssl header proxy configuration 385    Source:    2025-04-17

Nginx Reverse Proxy HTTPS Configuration Guide

Basic HTTPS Configuration

To run Nginx as a reverse proxy that terminates TLS for clients, you need at least the following configuration:

server {
    listen 443 ssl;
    server_name example.com;

    # Certificate and private key
    ssl_certificate /path/to/your/certificate.crt;
    ssl_certificate_key /path/to/your/private.key;

    # TLS protocol and cipher settings (TLS 1.0 and 1.1 are not offered)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

    # Reverse proxy. backend_server must be defined in an upstream {} block
    # or replaced with a resolvable host:port, otherwise nginx fails to start.
    location / {
        proxy_pass http://backend_server;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Recommended Hardened Configuration

1. Obtain a TLS Certificate

A free Let's Encrypt certificate is recommended:

sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d example.com

2. Hardened Server Configuration

# Added to the original configuration: send "Connection: upgrade" to the backend
# only when the client actually requested a protocol upgrade (WebSocket). Hard-coding
# "upgrade" for every request is incorrect. map {} must sit in the http {} context.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl http2;   # on nginx >= 1.25.1 prefer "listen 443 ssl;" plus "http2 on;"
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Disable insecure TLS versions
    ssl_protocols TLSv1.2 TLSv1.3;

    # Session resumption: use the server-side cache, not tickets. nginx does not
    # rotate its ticket key at runtime, so long-lived tickets undermine forward secrecy.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Modern cipher suites. With OpenSSL, TLS 1.3 suites are not selected through
    # ssl_ciphers (the TLS_* names are accepted but have no effect), and the DHE-*
    # suites are only offered when ssl_dhparam is configured.
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';

    # OCSP stapling. Only has an effect if the certificate carries an OCSP URL.
    # Let's Encrypt announced the end of its OCSP service in 2025 (no OCSP URL in
    # newly issued certificates, responders shut down later in the year), so for
    # those certificates this block is a no-op. The resolver is used only for these
    # lookups; 8.8.8.8/8.8.4.4 are Google's public DNS, substitute your own.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # Security headers. Keep every add_header at the same level: nginx does not
    # merge add_header across levels, so a single add_header inside location {}
    # would replace this whole set and silently drop HSTS. "always" also sends
    # them on 4xx/5xx responses.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # "0" switches the legacy browser XSS auditor off; it is obsolete and was itself
    # abusable. Use a Content-Security-Policy header instead.
    add_header X-XSS-Protection "0" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Reverse proxy
    location / {
        proxy_pass http://backend_server;   # define backend_server in an upstream {} block
        proxy_http_version 1.1;
        # WebSocket support; $connection_upgrade comes from the map above
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

3. Redirect HTTP to HTTPS

server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
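As an added example (not part of the original article or of nginx itself), the following POSIX shell linter catches the TLS mistakes the three steps above guard against: listen 443 without the ssl parameter, legacy protocol versions, session tickets left on, HSTS without `always`, and add_header directives inside a location {} block, which make nginx drop the server-level headers (HSTS included). It is a grep-level check, not an nginx parser: it assumes one directive per line, nginx's usual brace layout, and no `#` inside quoted values. The two configurations it runs on are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: a static linter for the TLS
# pitfalls discussed in this guide. Complements `nginx -t`, which validates
# syntax but none of these choices.

# Reads an nginx server{} config from a file argument or stdin; prints one
# finding per line, nothing for a clean config.
lint_nginx_tls() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    {
        line = $0
        sub(/#.*/, "", line)                       # drop comments first
        # inside a location{} block? (decided before this line s own braces)
        in_loc = (loc_depth > 0 && depth >= loc_depth)

        # listen on 443 without "ssl" serves plaintext HTTP on the HTTPS port
        if (line ~ /^[ \t]*listen[ \t]/ && line ~ /443/ && line !~ /[ \t]ssl([ \t;]|$)/)
            print "listen-443-without-ssl: " trim(line)

        # SSLv3 / TLS 1.0 / TLS 1.1 must not be offered
        if (line ~ /^[ \t]*ssl_protocols[ \t]/) {
            seen_protocols = 1
            if (line ~ /(SSLv2|SSLv3|TLSv1[ \t;]|TLSv1\.1)/)
                print "weak-protocol: " trim(line)
        }

        # nginx does not rotate the ticket key, so tickets weaken forward secrecy
        if (line ~ /^[ \t]*ssl_session_tickets[ \t]+on/)
            print "session-tickets-on: " trim(line)

        if (line ~ /^[ \t]*add_header[ \t]/) {
            if (in_loc) loc_hdr++; else srv_hdr++
            # without "always" the header is missing on 4xx/5xx responses
            if (line ~ /Strict-Transport-Security/ && line !~ /always/)
                print "hsts-without-always: " trim(line)
        }

        # brace bookkeeping for nesting
        if (line ~ /^[ \t]*location[ \t]/) loc_depth = depth + 1
        depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
        if (loc_depth > 0 && depth < loc_depth) loc_depth = 0
    }
    END {
        if (!seen_protocols)
            print "no-ssl_protocols: relying on the nginx default (TLSv1 and TLSv1.1 are still enabled before nginx 1.23.4)"
        # add_header is not merged across levels: any add_header inside a
        # location{} replaces the whole server-level set, HSTS included
        if (srv_hdr > 0 && loc_hdr > 0)
            print "add_header-shadowing: " loc_hdr " add_header in location{} hides " srv_hdr " server-level header(s)"
    }' "$@"
}

# Constructed sample: this guide's server with several of the mistakes it warns about.
sample_weak_config() {
    cat <<'EOF'
server {
    listen 443;                                   # forgot "ssl"
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;  # legacy versions left on
    ssl_session_tickets on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    location / {
        proxy_pass http://backend_server;
        add_header X-Frame-Options "SAMEORIGIN";  # hides the HSTS header above
    }
}
EOF
}

# Constructed sample: the same server with the fixes applied.
sample_hardened_config() {
    cat <<'EOF'
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;

    location / {
        proxy_pass http://backend_server;
    }
}
EOF
}

echo "== weak config =="
sample_weak_config | lint_nginx_tls
echo "== hardened config (no findings expected) =="
sample_hardened_config | lint_nginx_tls
```

After sourcing the script, run it against a real file with `lint_nginx_tls /etc/nginx/sites-enabled/example.com`. The weak sample yields five findings; the hardened one yields none.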

Troubleshooting Common Problems

  1. Certificate validation failures

    • Check the certificate paths, and make sure ssl_certificate points at the full chain (fullchain.pem), not the leaf certificate alone; a missing intermediate fails validation in many clients
    • Check that the certificate and private key match. Comparing the public keys works for both RSA and ECDSA keys (certbot issues ECDSA keys by default since version 2.0), unlike the older modulus comparison, which only works for RSA:
      openssl x509 -in certificate.crt -noout -pubkey | openssl md5
      openssl pkey -in private.key -pubout | openssl md5
      Both commands must print the same digest
  2. Mixed content warnings

    • Make sure every resource on the site (images, CSS, JS) is loaded over HTTPS
    • Use a Content-Security-Policy header to block non-HTTPS resources or to rewrite them (upgrade-insecure-requests)
  3. Performance tuning

    • Enable HTTP/2: listen 443 ssl http2;
    • Enable the TLS session cache (ssl_session_cache); the configuration above deliberately keeps ssl_session_tickets off, because nginx does not rotate the ticket key
    • Prefer TLS 1.3: its one-round-trip handshake is faster, and it only offers AEAD cipher suites
  4. Proxy header problems

    • Make sure the backend honours the X-Forwarded-* headers (for example, builds https:// URLs from X-Forwarded-Proto) and trusts only the entry appended by this proxy: $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the client sent, so earlier entries can be spoofed
    • WebSocket connections additionally need the Upgrade and Connection headers

Regular Maintenance

  1. Set up automatic certificate renewal:
sudo certbot renew --dry-run
# Packaged certbot (deb/rpm/snap) normally installs a systemd timer that already
# renews twice a day; add the cron job only if no such timer exists
0 12 * * * /usr/bin/certbot renew --quiet
  2. Regularly check the security of the TLS configuration:
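One way to carry out that check, as an added example that is not part of the original article: a shell script that verifies a deployed server against this guide's settings (TLS 1.0/1.1 refused, TLS 1.2/1.3 accepted, HSTS present with an adequate max-age, port 80 answering with a 301 to https). probe_host() runs openssl s_client and curl against a live host, both assumed to be installed; the parse_* helpers are plain text processing and are exercised on constructed copies of those tools' output embedded below, so the script checks itself without network access. The 180-day HSTS threshold is this example's choice, not something the article specifies.

```shell
#!/bin/sh
# Added example, not from the original article: post-deployment TLS checks
# for the nginx configuration described in this guide.

# Reads `openssl s_client` output on stdin. Prints "<protocol> <cipher>" from the
# "New, <protocol>, Cipher is <cipher>" line, or "none" when no handshake completed
# ("New, (NONE), Cipher is (NONE)"), which is the desired result for TLS 1.0/1.1.
parse_s_client() {
    result=$(sed -n 's/^New, \([^,]*\), Cipher is \(.*\)$/\1 \2/p' | head -n 1)
    case "$result" in
        ""|"(NONE) (NONE)") echo none ;;
        *) echo "$result" ;;
    esac
}

# Reads response headers (curl -sI) on stdin; prints the HSTS max-age in seconds,
# or 0 when the header is absent. HTTP/2 responses carry lowercase header names.
parse_hsts_max_age() {
    age=$(tr -d '\r' | grep -i '^strict-transport-security:' \
          | sed -n 's/.*max-age=\([0-9]*\).*/\1/p' | head -n 1)
    echo "${age:-0}"
}

# 180 days is the usual minimum scanners accept (threshold chosen for this example);
# the guide itself configures one year.
hsts_ok() {
    age=$(parse_hsts_max_age)
    [ "$age" -ge 15552000 ] && echo ok || echo weak
}

# Reads response headers on stdin; prints "<status> <Location>" of the redirect.
parse_redirect() {
    tr -d '\r' | awk 'NR == 1 { status = $2 } tolower($1) == "location:" { loc = $2 } END { print status, loc }'
}

# Live probe against a host. Caveat: OpenSSL 3 builds often refuse TLS 1.0/1.1 on
# the client side at the default security level, so "none" for tls1/tls1_1 proves
# nothing on its own; confirm with a client that still supports them.
probe_host() {
    host=$1
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        printf '%-7s %s\n' "$v" \
            "$(openssl s_client -connect "$host:443" -servername "$host" "-$v" </dev/null 2>/dev/null | parse_s_client)"
    done
    printf 'hsts    max-age=%s (%s)\n' \
        "$(curl -sI "https://$host/" | parse_hsts_max_age)" "$(curl -sI "https://$host/" | hsts_ok)"
    printf 'http    %s\n' "$(curl -sI "http://$host/" | parse_redirect)"
}

# Constructed samples of tool output (not captured from a real host).
sample_s_client_tls13() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = example.com
   i:CN = Example CA
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
---
EOF
}
sample_s_client_refused() {
    cat <<'EOF'
CONNECTED(00000003)
error:0A000102:SSL routines::unsupported protocol
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
---
EOF
}
sample_https_headers() {
    cat <<'EOF'
HTTP/2 200
server: nginx
strict-transport-security: max-age=31536000; includeSubDomains
x-frame-options: SAMEORIGIN
EOF
}
sample_http_redirect() {
    cat <<'EOF'
HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://example.com/login
EOF
}

# Usage: sh tls-check.sh example.com
if [ -n "${1:-}" ]; then probe_host "$1"; fi
```

Against the constructed samples, parse_s_client yields "TLSv1.3 TLS_AES_256_GCM_SHA384" for the successful handshake and "none" for the refused one, parse_hsts_max_age yields 31536000, and parse_redirect yields "301 https://example.com/login".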

With the configuration above, your Nginx reverse proxy terminates TLS with modern settings, protecting user data while it is in transit.