配置更安全的https连接

使用Let’s Encrypt的免费证书 讲述了如何从Let’s Encrypt获取免费证书,配置nginx来支持用https方式访问站点。昨晚想到https安全性的问题,查阅资料后更新了配置,提高了本站的安全性。

使用使用Let’s Encrypt的免费证书中的nginx配置,在 ssl labs 上只能获得B级的评分,主要问题是存在弱密钥DH降级攻击风险,问题详情可参考 weakdh 网站。解决方案如下:

  1. 生成不低于2048位的dh对(推荐4096位):openssl dhparam -out dhparams.pem 4096
  2. 更改nginx配置,在ssl配置段的加密算法和dh参数配置如下:
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

ssl_dhparam {path to dhparams.pem}
  1. 重启nginx服务器: systemctl reload nginx

使用上述配置,再次到 ssl labs 上测试(如已有结果需清空缓存),可以看到得分为A,截图如下:

评分评分

目光转到 cipher list以及 molliza网站,其推荐的配置是完全禁用DH密钥交换。molliza wiki上的配置分为三类:前卫兼容(Modern compatibility),默认的中度兼容(Intermediate compatibility)以及旧式向后兼容。前卫兼容策略比较激进,需要现代化的浏览器才可正常访问:微软的浏览器需要IE 11或者Edge浏览器,IE 11以下的浏览器就不能正常访问。推荐使用默认的中度兼容策略,微软系的浏览器满足IE 7+即可,兼顾了兼容性和安全性。

配置好后,可在更严格策略的 ssl decoder 网站上测试https安全性。该网站中,DES-CBC3-SHA算法也被标记为不安全,建议移除。另外建议开启 HSTS 以及 OCSP Stapling 特性。

总结上述,安全的ssl段的配置如下:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';                  
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_dhparam /etc/nginx/conf.d/dhparams.pem;
    ssl_session_tickets off;
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx => 1.3.7
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;        # 如果页面需要被以frame方式加载,建议关闭
    add_header X-Content-Type-Options nosniff;

重启nginx后,在 ssl decoder以及 ssl labs 上检测服务端安全性,都是安全的绿色了。

参考

  1. ssllabs.com/ssltest/
  2. https://ssldecoder.org
  3. https://weakdh.org
  4. https://cipherli.st/
  5. https://wiki.mozilla.org/Security/Server_Side_TLS
  6. https://imququ.com/post/sth-about-switch-to-https.html#toc-2
留言评论

发表评论

您的电子邮箱地址不会被公开。 必填项已用*标注

Captcha Code

WordPress数据库错误: [Table 'ssrvps.vps_autoblog_queue' doesn't exist]
select * from vps_autoblog_queue where is_running >0

WordPress数据库错误: [Table 'ssrvps.vps_autoblog_queue' doesn't exist]
select count(*) from vps_autoblog_queue where task_id=6 and is_running>0

WordPress数据库错误: [Table 'ssrvps.vps_autoblog_queue' doesn't exist]
select id,fetched,is_running,last_date_time from vps_autoblog_queue where task_id=6 and source_url_key='85f8e27ce55bd78fd33f47d2b1409198'

WordPress数据库错误: [Table 'ssrvps.vps_autoblog_queue' doesn't exist]
insert into vps_autoblog_queue(task_id,source_url,source_url_key,create_date_time,not_check_stoped,post_interval) values(6,'https://www.hijk.pw/post-sitemap.xml','85f8e27ce55bd78fd33f47d2b1409198',1750370799,0,0)

WordPress数据库错误: [Table 'ssrvps.vps_autoblog_queue' doesn't exist]
select count(*) from vps_autoblog_queue where task_id=4 and is_running>0

WordPress数据库错误: [Table 'ssrvps.vps_autoblog_queue' doesn't exist]
select id,fetched,is_running,last_date_time from vps_autoblog_queue where task_id=4 and source_url_key='54b1dccf98c13c81f546faf82132bc77'

WordPress数据库错误: [Table 'ssrvps.vps_autoblog_queue' doesn't exist]
insert into vps_autoblog_queue(task_id,source_url,source_url_key,create_date_time,not_check_stoped,post_interval) values(4,'https://ssr.tools/sitemap-posttype-post.2020.xml','54b1dccf98c13c81f546faf82132bc77',1750370799,0,0)

WordPress数据库错误: [Table 'ssrvps.vps_autoblog_queue' doesn't exist]
select count(*) from vps_autoblog_queue where task_id=2 and is_running>0

WordPress数据库错误: [Table 'ssrvps.vps_autoblog_queue' doesn't exist]
select id,fetched,is_running,last_date_time from vps_autoblog_queue where task_id=2 and source_url_key='91372ddcd9e4809b115feaa5b6f00815'

WordPress数据库错误: [Table 'ssrvps.vps_autoblog_queue' doesn't exist]
insert into vps_autoblog_queue(task_id,source_url,source_url_key,create_date_time,not_check_stoped,post_interval) values(2,'https://tlanyan.me/post-sitemap.xml','91372ddcd9e4809b115feaa5b6f00815',1750370799,0,0)

WordPress数据库错误: [Table 'ssrvps.vps_autoblog_queue' doesn't exist]
select count(*) from vps_autoblog_queue where task_id=7 and is_running>0

WordPress数据库错误: [Table 'ssrvps.vps_autoblog_queue' doesn't exist]
select id,fetched,is_running,last_date_time from vps_autoblog_queue where task_id=7 and source_url_key='569e17863f7693f1afa9e9256af9dcff'

WordPress数据库错误: [Table 'ssrvps.vps_autoblog_queue' doesn't exist]
insert into vps_autoblog_queue(task_id,source_url,source_url_key,create_date_time,not_check_stoped,post_interval) values(7,'https://aisoa.cn/sitemap.xml','569e17863f7693f1afa9e9256af9dcff',1750370799,0,0)

WordPress数据库错误: [Table 'ssrvps.vps_autoblog_queue' doesn't exist]
select count(*) from vps_autoblog_queue where task_id=9 and is_running>0

WordPress数据库错误: [Table 'ssrvps.vps_autoblog_queue' doesn't exist]
select id,fetched,is_running,last_date_time from vps_autoblog_queue where task_id=9 and source_url_key='cc9416f8df40d8c3a48e66856b1cd6fd'

WordPress数据库错误: [Table 'ssrvps.vps_autoblog_queue' doesn't exist]
insert into vps_autoblog_queue(task_id,source_url,source_url_key,create_date_time,not_check_stoped,post_interval) values(9,'https://www.v2rayssr.com/sitemap.xml','cc9416f8df40d8c3a48e66856b1cd6fd',1750370799,0,0)

WordPress数据库错误: [Table 'ssrvps.vps_autoblog_queue' doesn't exist]
select count(*) from vps_autoblog_queue where task_id=10 and is_running>0

WordPress数据库错误: [Table 'ssrvps.vps_autoblog_queue' doesn't exist]
select id,fetched,is_running,last_date_time from vps_autoblog_queue where task_id=10 and source_url_key='74714f67855820f0c701ce905b231f27'

WordPress数据库错误: [Table 'ssrvps.vps_autoblog_queue' doesn't exist]
insert into vps_autoblog_queue(task_id,source_url,source_url_key,create_date_time,not_check_stoped,post_interval) values(10,'https://doubibackup.com/sitemap.xml','74714f67855820f0c701ce905b231f27',1750370799,0,0)

WordPress数据库错误: [Table 'ssrvps.vps_autoblog_queue' doesn't exist]
select id,is_running,last_post_time,post_interval,not_check_stoped from vps_autoblog_queue WHERE is_running>0 and fetched=0 order BY id ASC

WordPress数据库错误: [Table 'ssrvps.vps_autoblog_queue' doesn't exist]
select id,sn_id from vps_autoblog_queue WHERE is_running=0 and fetched=0 order BY id ASC LIMIT 1