Nginx 安全加固与 HTTPS 部署实战

3.2 带宽限制

# 1. 限制下载速度
http {
    # 定义限制区域
    limit_rate_zone $binary_remote_addr zone=rate_limit:10m;
    server {
        listen 80;
        # 2. 全局速度限制
        location /download/ {
            # 每个连接限速 200KB/s
            limit_rate 200k;
            # 超过 1MB 后开始限速
            limit_rate_after 1m;
            root /data/downloads;
            autoindex on;
        }
        # 3. 不同用户不同速度
        location /files/ {
            if ($http_user_agent ~* "mobile") {
                set $limit_rate 100k; # 移动用户限速 100KB/s
            }
            if ($http_user_agent ~* "bot") {
                set $limit_rate 50k; # 爬虫限速 50KB/s
            }
            limit_rate $limit_rate;
            root /data/files;
        }
        # 4. 大文件下载限速
        location /bigfile/ {
            alias /data/bigfiles/;
            # 限制总带宽
            limit_conn conn_limit 5;
            limit_rate 500k;
            # 大文件分段下载支持
            add_header Accept-Ranges bytes;
        }
    }
}

3.3 CC 攻击防御综合配置

# /etc/nginx/conf.d/cc_defense.conf
http {
    # 1. 定义多个限制区域
    # 基于 IP 的请求限制
    limit_req_zone $binary_remote_addr zone=per_ip:10m rate=10r/s;
    # 基于 User-Agent 的限制
    limit_req_zone $http_user_agent zone=agent:10m rate=20r/s;
    # 基于 URI 的限制
    limit_req_zone $request_uri zone=uri:10m rate=30r/s;
    # 连接数限制
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    # 2. 动态黑名单
    # 使用 map 定义黑名单条件
    map $remote_addr $limit_ip {
        default 1;
        192.168.1.0/24 0; # 内网不限制
        10.0.0.0/8 0;
    }
    server {
        listen 80;
        server_name example.com;
        # 3. 综合限制
        location / {
            # IP 请求限制
            limit_req zone=per_ip burst=20 delay=5;
            # 连接数限制
            limit_conn addr 20;
            # 异常请求判断
            if ($http_user_agent ~* (bot|spider|crawler)) {
                set $bot_limit 1;
            }
            # 高频访问 IP 记录
            access_log /var/log/nginx/access.log combined;
            proxy_pass http://backend;
        }
        # 4. 验证码验证（需要第三方模块）
        location /captcha {
            captcha on;
            captcha_secret your_secret_key;
            captcha_mode image;
            if ($http_cookie !~* "captcha_pass") {
                return 302 /captcha?return=$request_uri;
            }
        }
        # 5. JS 挑战（防 CC）
        location /challenge {
            js_challenge on;
            js_challenge_secret your_secret;
            if ($http_cookie !~* "js_pass") {
                return 302 /challenge?return=$request_uri;
            }
        }
        # 6. 记录攻击 IP
        location @blocked {
            access_log /var/log/nginx/blocked.log combined;
            return 503;
        }
        # 7. 封禁 IP 列表
        include /etc/nginx/blockips.conf;
    }
}

3.4 动态黑名单配置

#!/bin/bash
# dynamic_blacklist.sh - 动态黑名单管理脚本
# 配置
BLOCK_LOG="/var/log/nginx/blocked.log"
BLOCK_CONF="/etc/nginx/blockips.conf"
NGINX_CONF="/etc/nginx/nginx.conf"
THRESHOLD=100 # 阈值：100 次请求
INTERVAL=300 # 时间窗口：5 分钟

# 分析日志，找出攻击 IP
analyze_log() {
    local time_ago=$(date -d "$INTERVAL seconds ago" +"%Y-%m-%d %H:%M:%S")
    # 找出在时间窗口内请求次数超过阈值的 IP
    awk -v time="$time_ago" -v threshold="$THRESHOLD" '
        $4 >= time {count[$1]++}
        END { for (ip in count) { if (count[ip] > threshold) { print ip, count[ip] } } }
    ' $BLOCK_LOG | sort -k2 -nr
}

# 生成封禁配置
generate_block_conf() {
    local tmp_conf="${BLOCK_CONF}.tmp"
    # 写入头部
    cat > $tmp_conf << EOF
# 自动生成的 IP 黑名单
# 更新时间：$(date)
EOF
    # 添加封禁规则
    while read ip count; do
        echo "deny $ip; # 请求数：$count" >> $tmp_conf
    done < <(analyze_log)
    # 比较变化
    if [ -f $BLOCK_CONF ]; then
        if ! cmp -s $BLOCK_CONF $tmp_conf; then
            mv $tmp_conf $BLOCK_CONF
            return 0 # 有变化
        else
            rm -f $tmp_conf
            return 1 # 无变化
        fi
    else
        mv $tmp_conf $BLOCK_CONF
        return 0
    fi
}

# 重载 Nginx
reload_nginx() {
    nginx -t && systemctl reload nginx
    echo "$(date): 黑名单已更新，Nginx 重载完成" >> /var/log/blacklist.log
}

# 主函数
main() {
    if generate_block_conf; then
        reload_nginx
    else
        echo "$(date): 黑名单无变化" >> /var/log/blacklist.log
    fi
}

# 定时任务
# crontab -e
# */5 * * * * /bin/bash /usr/local/bin/dynamic_blacklist.sh main

二、高级防护

1. 防止 DDoS 攻击

# /etc/nginx/conf.d/ddos_protection.conf
http {
    # 1. SYN Flood 防护（需要内核配合）
    # sysctl -w net.ipv4.tcp_syncookies=1
    # 2. 连接限制
    limit_conn_zone $binary_remote_addr zone=ddos_conn:10m;
    limit_req_zone $binary_remote_addr zone=ddos_req:10m rate=50r/s;
    # 3. 缓冲区大小限制
    client_body_buffer_size 8k;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 8k;
    client_max_body_size 10m;
    # 4. 超时设置
    client_body_timeout 10s;
    client_header_timeout 10s;
    keepalive_timeout 10s;
    send_timeout 10s;
    server {
        listen 80;
        server_name example.com;
        # 5. DDoS 防护配置
        location / {
            # 连接数限制
            limit_conn ddos_conn 10;
            # 请求速率限制
            limit_req zone=ddos_req burst=100 nodelay;
            # 限制特定 User-Agent
            if ($http_user_agent ~* (slowhttptest|python|perl|ruby)) {
                return 403;
            }
            # 限制空 User-Agent
            if ($http_user_agent = "") {
                return 403;
            }
            # 限制特定 Referer
            if ($http_referer ~* (spam|bot|crawler)) {
                return 403;
            }
            proxy_pass http://backend;
        }
        # 6. 验证码保护
        location /captcha/ {
            # 需要安装第三方模块
            captcha on;
            captcha_secret your_secret;
            captcha_mode image;
            captcha_expire 300;
        }
    }
}

2. 防止慢速攻击

# /etc/nginx/conf.d/slow_attack.conf
http {
    # 1. 限制请求头大小
    client_header_buffer_size 1k;
    large_client_header_buffers 4 8k;
    # 2. 限制请求体大小
    client_body_buffer_size 8k;
    client_max_body_size 10m;
    # 3. 超时设置（防止慢速连接）
    client_body_timeout 10s; # 读取请求体超时
    client_header_timeout 10s; # 读取请求头超时
    keepalive_timeout 10s; # keepalive 超时
    send_timeout 10s; # 发送响应超时
    # 4. 限制每个连接的数据量
    limit_rate 100k; # 每个连接限速 100KB/s
    server {
        listen 80;
        # 5. 针对慢速攻击的防护
        location / {
            # 如果请求头太大，直接拒绝
            if ($http_content_length > 10485760) {
                return 413;
            }
            # 限制请求时间
            fastcgi_read_timeout 30s;
            proxy_read_timeout 30s;
            proxy_pass http://backend;
        }
        # 6. 监控慢速连接
        location /nginx_status {
            stub_status on;
            access_log off;
            allow 127.0.0.1;
            deny all;
        }
    }
}

3. 防止 HTTP 走私攻击

# /etc/nginx/conf.d/smuggling_protection.conf
http {
    # 1. 清理请求头
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # 2. 规范化请求
    # 删除重复的 Transfer-Encoding 头
    set $transfer_encoding $http_transfer_encoding;
    if ($http_transfer_encoding ~* "chunked") {
        set $transfer_encoding "";
    }
    # 3. 限制 HTTP 版本
    if ($server_protocol !~* "HTTP/1\.(0|1)" ) {
        return 405;
    }
    server {
        listen 80;
        # 4. 检查 Content-Length
        location / {
            # 如果同时存在 Transfer-Encoding 和 Content-Length
            if ($http_transfer_encoding ~* "chunked") {
                if ($http_content_length) {
                    return 400;
                }
            }
            # 检查 Content-Length 格式
            if ($http_content_length !~ "^[0-9]+$") {
                return 400;
            }
            proxy_pass http://backend;
        }
    }
}

4. 防止 DNS Rebinding 攻击

# /etc/nginx/conf.d/dns_rebinding.conf
http {
    # 1. 验证 Host 头
    server {
        listen 80;
        server_name example.com www.example.com;
        # 2. 拒绝无效 Host
        if ($host !~* ^(example\.com|www\.example\.com)$) {
            return 444;
        }
        # 3. 检查 Host 头长度
        if ($http_host) {
            if ($http_host ~ "^.{255,}") {
                return 400;
            }
        }
    }
    # 4. 防止 IP 直接访问
    server {
        listen 80 default_server;
        server_name _;
        # 如果是 IP 访问，返回 444
        if ($host ~* "^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$") {
            return 444;
        }
        return 444;
    }
}

三、Nginx HTTPS 配置

1. HTTPS 概念

HTTPS（Hypertext Transfer Protocol Secure） 是 HTTP 的安全版本，通过 SSL/TLS 协议提供加密通信。

text
HTTP (80) → 明文传输
HTTPS (443) → 加密传输

2. HTTP 为什么不安全

HTTP 协议存在以下安全问题：

text
1. 明文传输
   ├── 数据可被窃听（抓包）
   ├── 数据可被篡改（中间人攻击）
   └── 身份可被伪造（钓鱼网站）
2. 无身份验证
   ├── 无法确认服务器身份
   └── 无法确认客户端身份
3. 无完整性校验
   ├── 无法检测数据是否被修改
   └── 无法防止重放攻击

3. 安全通信的四大原则

text
1. 机密性（Confidentiality）
   ├── 数据加密，防止窃听
   └── 使用对称加密算法（AES、ChaCha20）
2. 完整性（Integrity）
   ├── 数据不可篡改
   └── 使用消息认证码（MAC）
3. 身份验证（Authentication）
   ├── 验证通信双方身份
   └── 使用数字证书（CA 签发）
4. 不可否认性（Non-repudiation）
   ├── 无法否认已发送的数据
   └── 使用数字签名

4. HTTPS 通信原理简述

text
HTTPS 握手过程：
1. TCP 三次握手
   Client → Server: SYN
   Server → Client: SYN+ACK
   Client → Server: ACK
2. TLS 握手（以 TLS 1.3 为例）
   Client → Server: ClientHello (支持的加密套件、随机数)
   Server → Client: ServerHello (选择的加密套件、随机数)
   Server → Client: Certificate (服务器证书)
   Server → Client: ServerFinished (握手完成)
3. 密钥交换
   Client → Server: ClientFinished (加密的握手消息)
   Server → Client: 应用数据 (加密传输)
4. 加密通信
   Client ↔ Server: 加密的应用数据

5. HTTPS 证书准备

# 1. 自签名证书（测试用）
# 生成私钥
openssl genrsa -out example.com.key 2048
# 生成 CSR（证书签名请求）
openssl req -new -key example.com.key -out example.com.csr
# 填写信息：
# Country Name: CN
# State: Beijing
# Locality: Beijing
# Organization Name: Example Inc
# Common Name: example.com
# 生成自签名证书
openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt

# 2. 生成带 SAN 的自签名证书
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout example.com.key \
  -out example.com.crt \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=Example/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.com"

# 3. Let's Encrypt 免费证书（推荐）
# 安装 certbot
# CentOS yum install certbot python3-certbot-nginx
# Ubuntu apt install certbot python3-certbot-nginx
# 获取证书
certbot --nginx -d example.com -d www.example.com
# 自动续期
certbot renew --dry-run

# 4. 查看证书信息
openssl x509 -in example.com.crt -text -noout

# 5. 检查证书有效期
openssl x509 -in example.com.crt -noout -enddate

6. 基础 HTTPS 配置

# /etc/nginx/conf.d/example.com-ssl.conf
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;
    # 证书路径
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    # 网站根目录
    root /var/www/example.com;
    index index.html index.php;
    # 访问日志
    access_log /var/log/nginx/example.com-ssl_access.log main;
    error_log /var/log/nginx/example.com-ssl_error.log warn;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    # 静态资源缓存
    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
        expires 30d;
        add_header Cache-Control "public, immutable";
        access_log off;
    }
}

# HTTP 重定向到 HTTPS
server {
    listen 80;
    server_name example.com www.example.com;
    # 永久重定向
    return 301 https://$server_name$request_uri;
    # 或者保留请求方法的重定向
    # return 308 https://$server_name$request_uri;
}

7. 强化 HTTPS 配置

# /etc/nginx/conf.d/ssl_hardening.conf
server {
    listen 443 ssl http2;
    server_name example.com;
    # 证书配置
    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    ssl_trusted_certificate /etc/nginx/ssl/chain.crt;
    # 1. SSL 协议和加密套件
    # 禁用旧版协议，只启用 TLS 1.2 和 1.3
    ssl_protocols TLSv1.2 TLSv1.3;
    # 加密套件（推荐配置）
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    # 优先使用服务器端加密套件
    ssl_prefer_server_ciphers on;
    # 2. DH 参数（提高安全性）
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    # 生成 DH 参数
    # openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
    # 3. 会话缓存
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    # 4. OCSP Stapling（提高性能和安全）
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/chain.crt;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # 5. HSTS（强制 HTTPS）
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    # 6. 安全响应头
    # 防止 XSS 攻击
    add_header X-XSS-Protection "1; mode=block" always;
    # 防止 MIME 类型嗅探
    add_header X-Content-Type-Options "nosniff" always;
    # 点击劫持防护
    add_header X-Frame-Options "SAMEORIGIN" always;
    # 内容安全策略
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; style-src 'self' 'unsafe-inline' https:; img-src 'self' data: https:; font-src 'self' https:; connect-src 'self' https:;" always;
    # 限制引用策略
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # 7. 特征移除
    # 隐藏 Nginx 版本
    server_tokens off;
    # 移除 X-Powered-By
    proxy_hide_header X-Powered-By;
    fastcgi_hide_header X-Powered-By;
    # 8. 证书透明度
    # 如果需要，可以添加 SCT（Signed Certificate Timestamps）
    # ssl_ct on;
    location / {
        proxy_pass http://backend;
        include /etc/nginx/proxy_params;
    }
}

8. HTTPS 性能优化

# /etc/nginx/conf.d/ssl_performance.conf
http {
    # 1. SSL 会话复用
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 4h;
    # 2. SSL 缓冲区大小
    ssl_buffer_size 4k;
    server {
        listen 443 ssl http2;
        server_name example.com;
        # HTTP/2 优化
        http2_max_concurrent_streams 128;
        http2_idle_timeout 300s;
        # 3. OCSP Stapling
        ssl_stapling on;
        ssl_stapling_verify on;
        # 4. 减少 TLS 握手
        ssl_session_tickets on;
        # 5. 启用压缩（注意：压缩可能带来安全风险，谨慎使用）
        gzip on;
        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 6;
        gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
        # 6. 静态资源优化
        location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
            expires 365d;
            add_header Cache-Control "public, immutable";
            access_log off;
            # 开启 sendfile
            sendfile on;
            tcp_nopush on;
        }
        # 7. 代理优化
        location / {
            proxy_pass http://backend;
            # 启用缓存
            proxy_cache my_cache;
            proxy_cache_valid 200 302 60m;
            proxy_cache_valid 404 1m;
            # 减少数据拷贝
            proxy_buffering on;
            proxy_buffer_size 4k;
            proxy_buffers 8 8k;
            # 保持连接
            proxy_http_version 1.1;
            proxy_set_header Connection "";
        }
    }
}

9. 多域名 HTTPS 配置

# /etc/nginx/conf.d/multi-domain.conf
# 1. 多证书配置（传统方式）
server {
    listen 443 ssl http2;
    server_name domain1.com www.domain1.com;
    ssl_certificate /etc/nginx/ssl/domain1.com.crt;
    ssl_certificate_key /etc/nginx/ssl/domain1.com.key;
    root /var/www/domain1;
    # ... 其他配置
}
server {
    listen 443 ssl http2;
    server_name domain2.com www.domain2.com;
    ssl_certificate /etc/nginx/ssl/domain2.com.crt;
    ssl_certificate_key /etc/nginx/ssl/domain2.com.key;
    root /var/www/domain2;
    # ... 其他配置
}

# 2. SNI（Server Name Indication）配置
# Nginx 自动支持 SNI，可以一个 IP 多个证书

# 3. 通配符证书
server {
    listen 443 ssl http2;
    server_name *.example.com;
    ssl_certificate /etc/nginx/ssl/wildcard.example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/wildcard.example.com.key;
    # 根据域名分发到不同后端
    location / {
        if ($host ~* ^api\.example\.com$) {
            proxy_pass http://api_backend;
            break;
        }
        if ($host ~* ^admin\.example\.com$) {
            proxy_pass http://admin_backend;
            break;
        }
        proxy_pass http://default_backend;
    }
}

10. HTTPS 监控和调试

#!/bin/bash
# ssl_monitor.sh - SSL 证书监控脚本
# 配置
DOMAINS="example.com www.example.com api.example.com"
EMAIL="[email protected]"
WARN_DAYS=30
SSL_DIR="/etc/nginx/ssl"

# 检查证书过期
check_expiry() {
    local domain=$1
    local cert_file="${SSL_DIR}/${domain}.crt"
    if [ ! -f "$cert_file" ]; then
        echo "证书文件不存在：$cert_file"
        return 1
    fi
    # 获取过期时间
    expiry_date=$(openssl x509 -in "$cert_file" -noout -enddate | cut -d= -f2)
    expiry_timestamp=$(date -d "$expiry_date" +%s)
    current_timestamp=$(date +%s)
    days_left=$(( ($expiry_timestamp - $current_timestamp) / 86400 ))
    echo "域名：$domain"
    echo "过期时间：$expiry_date"
    echo "剩余天数：$days_left"
    if [ $days_left -lt $WARN_DAYS ]; then
        echo "警告：证书即将过期！"
        return 1
    elif [ $days_left -lt 0 ]; then
        echo "错误：证书已过期！"
        return 2
    fi
    return 0
}

# 检查证书链
check_chain() {
    local domain=$1
    local cert_file="${SSL_DIR}/${domain}.crt"
    echo "验证证书链..."
    openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt "$cert_file"
}

# 检查 OCSP
check_ocsp() {
    local domain=$1
    echo "检查 OCSP Stapling..."
    echo QUIT | openssl s_client -connect ${domain}:443 -status 2>/dev/null | grep -A 20 "OCSP response"
}

# SSL Labs 测试（需要网络）
test_ssllabs() {
    local domain=$1
    echo "SSL Labs 评分：https://www.ssllabs.com/ssltest/analyze.html?d=$domain"
}

# 发送告警
send_alert() {
    local subject="SSL 证书监控告警"
    local message="$1"
    echo "$message" | mail -s "$subject" "$EMAIL"
}

# 主函数
main() {
    for domain in $DOMAINS; do
        echo "================================="
        echo "检查域名：$domain"
        echo "================================="
        check_expiry $domain
        if [ $? -ne 0 ]; then
            send_alert "域名 $domain 证书即将过期，请及时更新"
        fi
        check_chain $domain
        check_ocsp $domain
        echo ""
    done
}

# 定时检查
# crontab -e
# 0 9 * * * /bin/bash /usr/local/bin/ssl_monitor.sh main

11. 自动化证书更新

#!/bin/bash
# auto_renew_ssl.sh - 自动更新 Let's Encrypt 证书
# 配置
DOMAINS="example.com www.example.com"
EMAIL="[email protected]"
WEBROOT="/var/www/html"
LE_PATH="/usr/bin/certbot"
NGINX_SERVICE="nginx"

# 更新证书
renew_cert() {
    $LE_PATH certonly --webroot -w $WEBROOT \
      --email $EMAIL \
      --agree-tos \
      --no-eff-email \
      --force-renewal \
      -d ${DOMAINS// / -d }
    if [ $? -eq 0 ]; then
        echo "$(date): 证书更新成功" >> /var/log/ssl-renew.log
        # 重载 Nginx
        systemctl reload $NGINX_SERVICE
        # 发送成功通知
        echo "SSL 证书已更新" | mail -s "SSL Renewal Success" $EMAIL
    else
        echo "$(date): 证书更新失败" >> /var/log/ssl-renew.log
        # 发送失败通知
        echo "SSL 证书更新失败，请手动检查" | mail -s "SSL Renewal Failed" $EMAIL
    fi
}

# 检查是否需要更新
check_needs_renewal() {
    for domain in $DOMAINS; do
        cert_file="/etc/letsencrypt/live/$domain/fullchain.pem"
        if [ -f "$cert_file" ]; then
            # 如果证书将在 30 天内过期，则更新
            if ! openssl x509 -in "$cert_file" -checkend 2592000 > /dev/null; then
                return 0 # 需要更新
            fi
        else
            return 0 # 证书不存在
        fi
    done
    return 1 # 不需要更新
}

# 主函数
main() {
    if check_needs_renewal; then
        renew_cert
    else
        echo "$(date): 证书仍在有效期内，无需更新" >> /var/log/ssl-renew.log
    fi
}

# 每天检查一次
# crontab -e
# 0 3 * * * /bin/bash /usr/local/bin/auto_renew_ssl.sh main

12. HTTPS 常见问题排查

# 1. 检查证书
openssl x509 -in /etc/nginx/ssl/example.com.crt -text -noout
# 2. 检查私钥
openssl rsa -in /etc/nginx/ssl/example.com.key -check
# 3. 检查证书和私钥是否匹配
openssl x509 -noout -modulus -in example.com.crt | openssl md5
openssl rsa -noout -modulus -in example.com.key | openssl md5
# 两个输出应该相同
# 4. 测试 SSL 连接
openssl s_client -connect example.com:443 -servername example.com
# 5. 测试 TLS 1.2
openssl s_client -connect example.com:443 -tls1_2
# 6. 测试 TLS 1.3
openssl s_client -connect example.com:443 -tls1_3
# 7. 检查证书链
openssl s_client -connect example.com:443 -showcerts
# 8. 检查 OCSP
openssl s_client -connect example.com:443 -status
# 9. 使用 curl 测试
curl -vI https://example.com
curl --http2 -I https://example.com
# 10. SSL Labs 测试
# 访问 https://www.ssllabs.com/ssltest/analyze.html?d=example.com
# 11. 检查配置错误
nginx -t
# 12. 查看错误日志
tail -f /var/log/nginx/error.log
tail -f /var/log/nginx/access.log | grep SSL

四、综合安全配置示例

# /etc/nginx/nginx.conf
user nginx;
worker_processes auto;
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    use epoll;
    worker_connections 10240;
    multi_accept on;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # 隐藏版本号
    server_tokens off;
    # 日志格式
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    log_format security '$remote_addr - $remote_user [$time_local] '
                        '"$request" $status $body_bytes_sent '
                        '"$http_referer" "$http_user_agent" '
                        '$request_time $upstream_response_time';
    access_log /var/log/nginx/access.log main buffer=32k flush=5s;
    # 基础优化
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # 客户端设置
    client_max_body_size 20m;
    client_body_buffer_size 128k;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 8k;
    # 超时设置
    client_body_timeout 10s;
    client_header_timeout 10s;
    send_timeout 10s;
    # 限制区域
    limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
    limit_req_zone $binary_remote_addr zone=req_limit:10m rate=10r/s;
    # 代理设置
    proxy_connect_timeout 30s;
    proxy_send_timeout 30s;
    proxy_read_timeout 30s;
    proxy_buffer_size 4k;
    proxy_buffers 8 8k;
    proxy_busy_buffers_size 16k;
    # Gzip 压缩
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_min_length 1000;
    gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
    # SSL 配置
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    # 安全头
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    # 包含站点配置
    include /etc/nginx/conf.d/*.conf;
}