Nginx HTTPS部署与安全性能优化指南

一、基础HTTPS部署

1. 获取SSL证书

• 推荐证书来源：
  • Let's Encrypt (免费)
  • 商业CA (DigiCert, GlobalSign等)
  • 企业自签证书(仅限内部使用)

2. 安装证书

# 假设证书文件为：
# - domain.crt (证书文件)
# - domain.key (私钥文件)
# - domain.ca-bundle (中间证书链)

mkdir -p /etc/nginx/ssl
cp domain.crt domain.key domain.ca-bundle /etc/nginx/ssl/
chmod 600 /etc/nginx/ssl/domain.key

3. 基础HTTPS配置

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/domain.crt;
    ssl_certificate_key /etc/nginx/ssl/domain.key;

    # 启用SSL会话缓存
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # 其他配置...
}

二、安全强化配置

1. 协议与加密套件优化

ssl_protocols TLSv1.2 TLSv1.3;  # 禁用不安全的TLS 1.0/1.1
ssl_prefer_server_ciphers on;

# TLS 1.2加密套件
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';

# TLS 1.3默认使用安全套件，无需特别配置

2. 安全头部配置

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "no-referrer-when-downgrade";
add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'";

3. OCSP Stapling配置

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/nginx/ssl/domain.ca-bundle;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

三、性能优化

1. SSL会话复用

ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets on;

2. TLS记录大小优化

ssl_buffer_size 4k;  # 初始记录大小设为4K，适合大多数现代网络

3. 启用HTTP/2

listen 443 ssl http2;

4. 证书链优化

# 合并证书链
cat domain.crt domain.ca-bundle > /etc/nginx/ssl/domain.chained.crt

ssl_certificate /etc/nginx/ssl/domain.chained.crt;

四、自动化与维护

1. Let's Encrypt自动续期

# 使用certbot示例
certbot renew --nginx --post-hook "systemctl reload nginx"

2. 定期检查配置

nginx -t  # 测试配置语法

3. 安全扫描工具

推荐定期使用以下工具扫描： - Qualys SSL Labs (https://www.ssllabs.com/ssltest/) - Mozilla Observatory (https://observatory.mozilla.org/)

五、高级配置

1. 多域名SNI支持

server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    # ...
}

server {
    listen 443 ssl http2;
    server_name sub.example.com;
    ssl_certificate /etc/nginx/ssl/sub.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/sub.example.com.key;
    # ...
}

2. 0-RTT配置(TLS 1.3)

ssl_early_data on;

3. 密钥轮换策略

ssl_certificate /etc/nginx/ssl/current.crt;
ssl_certificate_key /etc/nginx/ssl/current.key;
ssl_certificate /etc/nginx/ssl/old.crt;
ssl_certificate_key /etc/nginx/ssl/old.key;

六、常见问题排查

1. 证书链不完整：

   openssl s_client -connect example.com:443 -showcerts
   

2. 协议/加密套件不匹配：

   nmap --script ssl-enum-ciphers -p 443 example.com
   

3. OCSP Stapling验证：

   openssl s_client -connect example.com:443 -status -servername example.com
   

4. HTTP/2支持检查：

   curl -I --http2 https://example.com
   

通过以上配置和优化，您的Nginx HTTPS服务将具备高安全性和良好性能。建议定期检查SSL/TLS最佳实践，保持配置更新。