memo.xight.org

Daily notes

Category: nginx


HTTPS with nginx

Summary

1. Create the private key (server.key)
2. Create the certificate signing request containing the public key (server.csr)
3. Apply to a certificate authority
4. Place the signed certificate, i.e. the certified public key (server.crt)
5. Place the intermediate certificate (sub.class1.server.ca.pem)
6. Create the DH parameters for PFS (dhparam.pem)
7. Configure nginx, check the configuration, restart
8. Check the SSL configuration (Verisign, GeoTrust, Qualys SSL Labs, etc.)
9. Register for HSTS preload

Creating the private key and the CSR (public key)

Note that -des3 stores the private key encrypted with a passphrase, so nginx will prompt for it at every start unless the passphrase is later removed from the key or ssl_password_file is configured.

% openssl genrsa -des3 -out /etc/nginx/ssl/server.key 2048
% openssl req -new -sha256 -key /etc/nginx/ssl/server.key -out /etc/nginx/ssl/server.csr
Enter pass phrase for /etc/nginx/ssl/server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo-to
Locality Name (eg, city) []:Itabashi-ku
Organization Name (eg, company) [Internet Widgits Pty Ltd]:example inc
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:user@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


Create dhparam.pem, the Diffie-Hellman parameters used for PFS (Perfect Forward Secrecy)

% openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam.pem 2048


/etc/nginx/sites-available/example.com

server {
	listen 443 ssl default_server;
	server_name example.com;
	
	# "ssl on;" is deprecated (removed in nginx 1.25); the ssl parameter on listen replaces it.
	# Server certificate. nginx sends only this file, so append the intermediate
	# (sub.class1.server.ca.pem) after server.crt so that clients receive the full chain.
	ssl_certificate      /etc/nginx/ssl/server.crt;
	# Private key
	ssl_certificate_key  /etc/nginx/ssl/server.key;
	
	# allow nginx to send OCSP results during the connection process;
	# ssl_stapling_verify needs the issuer chain in ssl_trusted_certificate
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /etc/nginx/ssl/sub.class1.server.ca.pem;
	
	# TLSv1 and TLSv1.1 were deprecated by RFC 8996; keep them only if legacy clients need them
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	
	# recommended cipher suite
	ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !EXP !PSK !SRP !CAMELLIA !SEED';
	
	# make the server choose the best cipher instead of the browser
	# Perfect Forward Secrecy (PFS) is frequently compromised without this
	ssl_prefer_server_ciphers on;
	
	# Use 2048-bit Diffie-Hellman parameters
	# (older nginx otherwise defaults to 1024 bit, lowering the strength of encryption
	# when using PFS; since nginx 1.11.0 DHE suites are disabled entirely without this directive)
	# Generated by OpenSSL with the following command:
	# openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam.pem 2048
	ssl_dhparam /etc/nginx/ssl/dhparam.pem;
	
	# Cache SSL sessions for up to 10 minutes
	# This improves performance by avoiding the costly session negotiation process where possible
	# (the 10m in ssl_session_cache is the cache size in megabytes; the lifetime is ssl_session_timeout)
	ssl_session_cache builtin:1000 shared:SSL:10m;
	ssl_session_timeout 10m;
	
	# enable HSTS including subdomains
	add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
	
	...
}

Evaluating the configuration

QUALYS SSL LABS - SSL Server Test
https://www.ssllabs.com/ssltest/

GeoTrust CryptoReport
https://cryptoreport.geotrust.com/checker/

Registering for HSTS Preload

Register the domain with HSTS Preload.
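Before handing the server to SSL Labs or the preload list, the server block itself can be checked offline against the checklist above. The following is an added example, not code from this memo: a small Python audit of the ssl_* directives that flags the deprecated `ssl on`, retired protocols, a missing ssl_dhparam, client-side cipher preference, OCSP stapling verification without a trust file, and an HSTS header that does not meet the preload requirements. The two nginx snippets inside it are constructed samples, and the parser flattens blocks, which is enough for a single server block.

```python
import re
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # retired by RFC 6176 / 7568 / 8996
ONE_YEAR = 31536000                                  # minimum HSTS max-age for the preload list

def parse_directives(config):
    """Map directive name -> list of argument lists (nested blocks are flattened)."""
    text = re.sub(r"#[^\n]*", "", config)                           # strip comments
    directives, stmt = {}, []
    for tok in re.findall(r"'[^']*'|\"[^\"]*\"|[;{}]|[^\s;{}]+", text):
        if tok in ";{":                                             # directive end / block header
            if tok == ";" and stmt:
                directives.setdefault(stmt[0], []).append([t.strip("'\"") for t in stmt[1:]])
            stmt = []
        elif tok != "}":
            stmt.append(tok)
    return directives

def audit_tls(config):
    """Return findings against this page's checklist; [] means every check passed."""
    d = parse_directives(config)
    last = lambda name: d.get(name, [[]])[-1]                       # nginx: last occurrence wins
    findings = []
    if "ssl" in d:
        findings.append("'ssl on' is deprecated: use 'listen 443 ssl'")
    weak = set(last("ssl_protocols")) & DEPRECATED
    if weak:
        findings.append("deprecated protocols enabled: " + ", ".join(sorted(weak)))
    if "ssl_dhparam" not in d:
        findings.append("no ssl_dhparam: kEDH suites need explicit 2048-bit parameters")
    if last("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on: the client picks the suite")
    if last("ssl_stapling_verify") == ["on"] and "ssl_trusted_certificate" not in d:
        findings.append("ssl_stapling_verify on but no ssl_trusted_certificate to verify against")
    hsts = [a[1].lower() for a in d.get("add_header", []) if len(a) > 1 and a[0].lower() == "strict-transport-security"]
    age = re.search(r"max-age=(\d+)", hsts[-1] if hsts else "")
    if not age or int(age.group(1)) < ONE_YEAR or not all(k in hsts[-1] for k in ("includesubdomains", "preload")):
        findings.append("HSTS header missing or not preload-ready (max-age>=1y; includeSubDomains; preload)")
    return findings

# Constructed samples: a typical pre-hardening block, then this page's settings.
WEAK = """server {
    listen 443 default ssl; ssl on;
    ssl_certificate /etc/nginx/ssl/server.crt; ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_stapling on; ssl_stapling_verify on;
    add_header Strict-Transport-Security 'max-age=300'; }"""
HARDENED = """server {
    listen 443 ssl default_server; ssl_protocols TLSv1.2; ssl_prefer_server_ciphers on; ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_certificate /etc/nginx/ssl/server.crt; ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/nginx/ssl/sub.class1.server.ca.pem;
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload'; }"""
```

`audit_tls(WEAK)` returns six findings and `audit_tls(HARDENED)` returns an empty list; run it on the real sites-available file before each nginx reload.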

Reference

Strong SSL Security on nginx - Raymii.org
https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

POSTD - HTTPS on Nginx: from zero to an A+ SSL rating, Part 1
http://postd.cc/https-on-nginx-from-zero-to-a-plus-part-1/

POSTD - HTTPS on Nginx: from zero to an A+ SSL rating, Part 2
http://postd.cc/https-on-nginx-from-zero-to-a-plus-part-2-configuration-ciphersuites-and-performance/

HSTS Preload
https://hstspreload.appspot.com/

Installing nginx

Summary

Migrated from Apache2 + PHP + mod_php.

aptitude install nginx
aptitude install php5-fpm


nginx configuration


php5-fpm configuration