Installing and Configuring Nginx on an Ubuntu 18.04 Server (HTTPS with a Self-Signed Certificate, TLS 1.3 and HTTP/2 Support)
2020-02-11
Nginx is a high-performance web and reverse-proxy server. The Ubuntu repositories provide an Nginx package, but enabling the more advanced features such as HTTP/2 and TLS 1.3 still requires some manual configuration.
This post configures only the default server, using a self-generated self-signed certificate. For requesting a certificate on Linux, see "Installing and configuring acme.sh on a Linux server to request certificates automatically (Cloudflare DNS validation, minimal permission requirements)". To use a certificate issued by a regular CA, delete the line include snippets/snakeoil.conf; and set ssl_certificate and ssl_certificate_key. It is also recommended to uncomment # include snippets/ssl-params-ocsp.conf; to enable OCSP Stapling.
Nginx supports using certificates of different types in the same server block, so that an ECC certificate and an RSA certificate can coexist (configuring an ECC certificate is recommended), but it does not support multiple certificates of the same type in one server block (the later certificate overrides the earlier one; see "Can nginx stream work with multiple SSL certificates?"). acme.sh, however, does support validating multiple domains with different methods under a single certificate; if you have such a need, study the acme.sh documentation carefully.
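As an added example (not from the original post), the ECC/RSA coexistence described above as a concrete server block: the script below generates a self-signed P-256 pair and a 2048-bit RSA pair, writes a server block that loads both, and shows how to ask a running server for one type or the other. The output directory, file names and the localhost subject are assumptions for the demo; a real host would use /etc/ssl paths and CA-issued certificates.

```shell
#!/bin/sh
# Added example: one server block serving an ECC and an RSA certificate side by side.
# Paths and the /CN=localhost subject are demo assumptions.
set -eu

# Generate a self-signed ECC (P-256) pair and a self-signed RSA (2048) pair into $1.
# Returns non-zero when openssl is unavailable or a step fails.
gen_dual_certs() {
    dir=$1
    command -v openssl >/dev/null 2>&1 || return 1
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/ecc.key" 2>/dev/null || return 1
    openssl req -new -x509 -key "$dir/ecc.key" -out "$dir/ecc.crt" \
        -days 365 -subj '/CN=localhost' 2>/dev/null || return 1
    openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$dir/rsa.key" \
        -out "$dir/rsa.crt" -days 365 -subj '/CN=localhost' 2>/dev/null || return 1
}

# Print the public key algorithm of certificate $1 (id-ecPublicKey or rsaEncryption).
cert_key_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1
}

# Write a server block to $1 that loads both pairs from directory $2.
# nginx picks the pair whose key type the client can use; a second
# ssl_certificate of the *same* type would silently replace the first,
# which is the limitation the text above warns about.
write_dual_cert_block() {
    out=$1; dir=$2
    cat > "$out" << EOF
server {
    server_name _;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    include snippets/ssl-params.conf;

    # ECC pair: chosen by clients that offer ECDSA signatures (most modern ones).
    ssl_certificate     $dir/ecc.crt;
    ssl_certificate_key $dir/ecc.key;
    # RSA pair: fallback for clients that cannot do ECDSA.
    ssl_certificate     $dir/rsa.crt;
    ssl_certificate_key $dir/rsa.key;

    root /var/www/html;
}
EOF
}

# Ask a running server ($1:$2) for the ecc or rsa certificate ($3) and print the
# key algorithm it actually served. TLS 1.2 clients select by cipher suite and
# TLS 1.3 clients by signature algorithm, hence both flags are set.
served_key_alg() {
    host=$1; port=$2; want=$3
    case $want in
        ecc) flags='-cipher ECDHE-ECDSA-AES128-GCM-SHA256 -sigalgs ECDSA+SHA256' ;;
        rsa) flags='-cipher ECDHE-RSA-AES128-GCM-SHA256 -sigalgs RSA-PSS+SHA256' ;;
        *)   return 2 ;;
    esac
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" $flags 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null \
        | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1
}

# Usage against a real host after deploying the block:
#   served_key_alg example.com 443 ecc   # expect id-ecPublicKey
#   served_key_alg example.com 443 rsa   # expect rsaEncryption
```

The two served_key_alg calls are the check worth running after a deployment: if both print the same algorithm, one of the pairs is not being selected, usually because the second pair has the same key type as the first and has overridden it.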
Tip: if Chrome shows a certificate error and offers no button to get past the error page, typing thisisunsafe bypasses it.
When using Cloudflare or another CDN to accelerate the server and absorb DDoS traffic, configure the server name, SSL and origin IP restrictions so that the origin server is not exposed. (There is a kind of search engine that routinely scans every IP on the internet and keeps the HTTP headers each server responds with in a searchable database.) See "How To Host a Website Using Cloudflare and Nginx on Ubuntu 16.04" for details.
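An added example (not from the original post or the linked guide) of the origin lock described above: a catch-all default server that closes connections arriving with no or an unknown host name, plus a site block whose access is limited to an allow-list built from a file of CDN edge ranges. The range file contents are constructed placeholders from RFC 5737/3849 documentation address space; a real deployment would fetch the CDN's published list (for Cloudflare, https://www.cloudflare.com/ips-v4 and /ips-v6) and regenerate the config whenever it changes.

```shell
#!/bin/sh
# Added example: origin-lock configuration built from a CDN range list.
# Ranges in the demo are constructed RFC 5737/3849 placeholders.
set -eu

# Turn a file of CIDR ranges (one per line, '#' comments allowed) into nginx
# allow directives followed by deny all. Any line containing a character outside
# digits, hex letters, ':', '.', '/' is rejected, so a tampered list cannot
# smuggle extra directives into the generated config.
cidr_list_to_allow_rules() {
    while IFS= read -r line; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d ' \t')
        [ -n "$line" ] || continue
        case $line in
            *[!0-9a-fA-F:./]*) printf 'skipping invalid range: %s\n' "$line" >&2; continue ;;
        esac
        printf '    allow %s;\n' "$line"
    done < "$1"
    printf '    deny all;\n'
}

# Write to $1 a default server that answers nothing, and a server for site $3
# that only the ranges listed in $2 may reach.
write_origin_lock_config() {
    out=$1; ranges=$2; site=$3
    {
        cat << 'EOF'
# Catch-all: scanners hitting the bare IP send no SNI or an unknown Host,
# land here and get the connection closed (444) with no banner and no body.
server {
    server_name _;
    server_tokens off;               # no version string in what little is sent
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    include snippets/ssl-params.conf;
    include snippets/snakeoil.conf;  # any certificate will do, nothing is served
    return 444;
}

EOF
        printf 'server {\n    server_name %s;\n' "$site"
        cat << 'EOF'
    server_tokens off;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    include snippets/ssl-params.conf;
    include snippets/ssl-params-hsts.conf;
    # ssl_certificate / ssl_certificate_key for the real site go here.

    # Only the CDN edges may reach the site; every other source is denied.
EOF
        cidr_list_to_allow_rules "$ranges"
        cat << 'EOF'

    root /var/www/html;
}
EOF
    } > "$out"
}

# Usage: write_origin_lock_config /etc/nginx/sites-available/site ranges.txt example.com
```

Two caveats a practitioner would note: the catch-all still completes the TLS handshake and therefore reveals the snakeoil certificate's subject (the nginx in Ubuntu 18.04 predates ssl_reject_handshake, which would refuse the handshake outright), and when the CDN fronts the site the access log records edge addresses, so the same range list is what set_real_ip_from entries with real_ip_header CF-Connecting-IP would be generated from if real client addresses are needed.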
# Install packages
apt update && apt install nginx ssl-cert -y
# Generate snakeoil cert (needed on Ubuntu 18.04)
make-ssl-cert generate-default-snakeoil --force-overwrite
# Generate Diffie-Hellman Params
curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/ssl/dhparam.pem
# openssl dhparam -out /etc/ssl/dhparam.pem 2048
# Config SSL parameters
cat << 'EOF' > /etc/nginx/snippets/ssl-params.conf
# SSL Parameters following Mozilla Server Side TLS Guideline
# [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/)
# [Server Side TLS - Security - Mozilla Wiki](https://wiki.mozilla.org/Security/Server_Side_TLS)
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_dhparam /etc/ssl/dhparam.pem;
EOF
cat << 'EOF' > /etc/nginx/snippets/ssl-params-ocsp.conf
# SSL Parameters (OCSP Stapling) following Mozilla Server Side TLS Guideline
# [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/)
# [Server Side TLS - Security - Mozilla Wiki](https://wiki.mozilla.org/Security/Server_Side_TLS)
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 1.1.1.1 valid=300s;
resolver_timeout 5s;
EOF
cat << 'EOF' > /etc/nginx/snippets/ssl-params-hsts.conf
# SSL Parameters (HSTS) following Mozilla Server Side TLS Guideline
# [Mozilla SSL Configuration Generator](https://ssl-config.mozilla.org/)
# [Server Side TLS - Security - Mozilla Wiki](https://wiki.mozilla.org/Security/Server_Side_TLS)
if ($scheme = http) { # Redirect HTTP to HTTPS
return 301 https://$server_name$request_uri;
}
add_header Strict-Transport-Security "max-age=63072000" always;
EOF
# Replace default config
cat << 'EOF' > /etc/nginx/sites-available/my-default
server {
    server_name _;
    listen 80 default_server;
    listen [::]:80 default_server; # Enable IPv6
    listen 443 ssl http2 default_server; # Enable HTTP/2
    listen [::]:443 ssl http2 default_server;
    include snippets/ssl-params.conf; # Enable TLS 1.3, Diffie-Hellman Key Exchange, SSL Session
    # include snippets/ssl-params-ocsp.conf; # Enable OCSP Stapling
    include snippets/ssl-params-hsts.conf; # Redirect http to https and set HSTS header
    include snippets/snakeoil.conf; # Use self-signed certificate
    # ssl_certificate /etc/ssl/certs/signed_cert_plus_intermediates; # Use normal certificate
    # ssl_certificate_key /etc/ssl/private/private_key;
    # ssl_trusted_certificate /etc/ssl/certs/root_CA_cert_plus_intermediates; # Trusted CA chain for OCSP Stapling verification. Set it only if the ssl_certificate file does not already include the root and intermediate CA
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    location / {
        try_files $uri $uri/ =404;
    }
}
EOF
# Relink default config
rm /etc/nginx/sites-enabled/default
ln -s /etc/nginx/sites-available/my-default /etc/nginx/sites-enabled/
# Restart service
systemctl restart nginx
# Set up firewall
ufw allow 'Nginx Full'
# Uninstall
# Stop service
# systemctl stop nginx
# Remove package without any left
# apt purge nginx ssl-cert --autoremove -y
# Remove html folder generated by nginx
# rm -r /var/www/html
# Delete cert generated by make-ssl-cert
# rm /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/private/ssl-cert-snakeoil.key
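An added example, not part of the original post, for checking from a client what the server configured above actually negotiates: TLS version, cipher, ALPN (h2), OCSP stapling and the HSTS header. The transcript embedded in it is constructed in the shape OpenSSL 1.1.1 prints for this configuration; host and port are arguments.

```shell
#!/bin/sh
# Added example: post-deployment TLS/HTTP2/HSTS check. The embedded transcript
# is constructed sample data, not captured from a real server.
set -eu

# Pull the interesting fields out of an `openssl s_client -status -alpn ...`
# transcript on stdin and print them as key=value lines.
parse_s_client() {
    awk '
        /^ *Protocol *:/               { proto = $NF }
        /^ *Cipher *:/                 { cipher = $NF }
        /^ALPN protocol:/              { alpn = $NF }
        /^No ALPN negotiated/          { alpn = "none" }
        /^OCSP Response Status:/       { ocsp = $4 }
        /^OCSP response: no response/  { ocsp = "none" }
        /^Verify return code:/         { verify = $4 }
        END {
            printf "protocol=%s\ncipher=%s\nalpn=%s\nocsp=%s\nverify=%s\n",
                   proto, cipher, alpn, ocsp, verify
        }'
}

# Connect to $1:$2 with SNI $3 and report what was negotiated.
# verify=18 means "self signed certificate": expected while the snakeoil cert
# is in use, a finding once a CA-issued certificate is installed.
# ocsp=none with a CA-issued certificate means the OCSP snippet is still commented out.
tls_report() {
    host=$1; port=${2:-443}; sni=${3:-$1}
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$sni" \
        -alpn h2,http/1.1 -status 2>/dev/null | parse_s_client
}

# Print the HSTS header for https://$1/ (empty if absent). The -k flag is only
# acceptable while the self-signed certificate is in use.
hsts_header() {
    curl -sS -k -I "https://$1/" | tr -d '\r' | grep -i '^strict-transport-security:' || true
}

# Constructed transcript: TLS 1.3, h2 via ALPN, no stapling, self-signed certificate,
# which is exactly what the post's default server should produce.
SAMPLE_TRANSCRIPT='CONNECTED(00000003)
OCSP response: no response sent
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1310 bytes and written 412 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
ALPN protocol: h2
Early data was not sent
Verify return code: 18 (self signed certificate)
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
---'

# Parse the constructed transcript; a live run is tls_report <host> [port] [sni].
sample_report() { printf '%s\n' "$SAMPLE_TRANSCRIPT" | parse_s_client; }

# Usage on a deployed server:
#   tls_report example.com 443
#   hsts_header example.com
```

Against the configuration in this post, a correct deployment reports protocol=TLSv1.3 and alpn=h2; with the snakeoil certificate verify=18 is the expected value and ocsp=none is expected because the OCSP snippet is disabled, and hsts_header prints the max-age=63072000 header set by ssl-params-hsts.conf.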
- How To Install Nginx on Ubuntu 18.04 - DigitalOcean
- How To Create a Self-Signed SSL Certificate for Nginx in Ubuntu 18.04 - DigitalOcean
- agentzh's Nginx Tutorials
- Execution order of Nginx directives - 莫Y兮's blog
- Mozilla SSL Configuration Generator
- Server Side TLS - Security - Mozilla Wiki
- Strong SSL Security on nginx - Raymii's Blog
- Configuring HTTPS servers - Nginx Documentation
- How do I create a self-signed SSL certificate?
- Sample config: Best nginx configuration for improved security (and performance) - plentz's gist
- Sample config: Installing a free SSL certificate from Let's Encrypt for Nginx with acme.sh - huacnlee's post