添加双证书配置

2026-02-04 13:52:26 +08:00 · 2017-06-24 16:11:28 +08:00
parent 54f5289d6b
commit 00456806bb
6 changed files with 61 additions and 59 deletions
--- a/conf/nginx/domain/blog.conf
+++ b/conf/nginx/domain/blog.conf
@@ -1,91 +1,90 @@
 server {
-    listen               443 ssl http2 fastopen=3 reuseport;
+    listen                       443 ssl http2 fastopen=3 reuseport;

-    server_name          www.deepzz.com deepzz.com;
-    server_tokens        off;
+    server_name                  www.deepzz.com deepzz.com;
+    server_tokens                off;

-    include              /data/eiblog/conf/nginx/ip.blacklist;
+    access_log                   /data/eiblog/logdata/nginx.log;

-    # 现在一般证书是内置的。可以注释该项
+    # ip 黑名单
+    include                      /data/eiblog/conf/nginx/ip.blacklist;
+
+    # 现在一般证书是内置的。letsencrypt 暂未
    # https://imququ.com/post/certificate-transparency.html#toc-2
-    # ssl_ct               on;
-    # ssl_ct_static_scts   /data/eiblog/conf/scts;
+    ssl_ct                      on;

-    # 中间证书 + 站点证书
-    ssl_certificate      /data/eiblog/conf/ssl/domain.pem;
+    # 中间证书 + 根证书
+    # https://imququ.com/post/why-can-not-turn-on-ocsp-stapling.html
+    ssl_trusted_certificate      /data/eiblog/conf/ssl/full_chained.pem;

-    # 创建 CSR 文件时用的密钥
-    ssl_certificate_key  /data/eiblog/conf/ssl/domain.key;
+    # 站点证书 + 中间证书，私钥
+    ssl_certificate              /data/eiblog/conf/ssl/domain.rsa.pem;
+    ssl_certificate_key          /data/eiblog/conf/ssl/domain.rsa.key;
+    ssl_ct_static_scts           /data/eiblog/conf/scts/rsa/;
+    # ssl_certificate              /data/eiblog/conf/ssl/domain.ecc.pem;
+    # ssl_certificate_key          /data/eiblog/conf/ssl/domain.ecc.key;
+    # ssl_ct_static_scts           /data/eiblog/conf/scts/ecc/;

    # openssl dhparam -out dhparams.pem 2048
    # https://weakdh.org/sysadmin.html
-    ssl_dhparam          /data/eiblog/conf/ssl/dhparams.pem;
-
-    # https://github.com/cloudflare/sslconfig/blob/master/conf
-    ssl_ciphers          EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
-
-    # 如果启用了 RSA + ECDSA 双证书，Cipher Suite 可以参考以下配置：
-    # ssl_ciphers              EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
-
-    ssl_prefer_server_ciphers  on;
-
-    ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
-
-    ssl_session_cache          shared:SSL:50m;
-    ssl_session_timeout        1d;
-
-    ssl_session_tickets        on;
+    ssl_dhparam                  /data/eiblog/conf/ssl/dhparams.pem;

    # openssl rand 48 > session_ticket.key
    # 单机部署可以不指定 ssl_session_ticket_key
    # ssl_session_ticket_key     /data/eiblog/conf/ssl/session_ticket.key;

-    ssl_stapling               on;
-    ssl_stapling_verify        on;
+    # https://github.com/cloudflare/sslconfig/blob/master/conf
+    ssl_ciphers                  EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

-    # 根证书 + 中间证书
-    # https://imququ.com/post/why-can-not-turn-on-ocsp-stapling.html
-    ssl_trusted_certificate    /data/eiblog/conf/ssl/full_chained.pem;
+    # 如果启用了 RSA + ECDSA 双证书，Cipher Suite 可以参考以下配置：
+    # ssl_ciphers                 EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;

-    resolver                   114.114.114.114 8.8.8.8 valid=300s;
-    resolver_timeout           10s;
+    ssl_prefer_server_ciphers    on;
+    ssl_protocols                TLSv1 TLSv1.1 TLSv1.2;
+    ssl_session_cache            shared:SSL:50m;
+    ssl_session_timeout          1d;
+    ssl_session_tickets          on;

-    access_log                 /data/eiblog/logdata/nginx.log;
+    # ssl stapling
+    ssl_stapling                 on;
+    ssl_stapling_verify          on;
+    resolver                     114.114.114.114 8.8.8.8 valid=300s;
+    resolver_timeout             10s;

    if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$ ) {
-        return           444;
+        return                   444;
    }

    if ($host != 'deepzz.com' ) {
-        rewrite          ^/(.*)$  https://deepzz.com/$1 permanent;
+        rewrite                  ^/(.*)$  https://deepzz.com/$1 permanent;
    }

    # webmaster 站点验证相关
    location ~* (robots\.txt|favicon\.ico|crossdomain\.xml|google4c90d18e696bdcf8\.html|BingSiteAuth\.xml)$ {
-        root             /data/eiblog/static;
-        expires          1d;
+        root                     /data/eiblog/static;
+        expires                  1d;
    }

    # imququ 的上传文件相关，未用到
    location ^~ /static/uploads/ {
-        root             /home/jerry/www/imququ.com/www;
-        add_header       Access-Control-Allow-Origin *;
+        root                     /home/jerry/www/imququ.com/www;
+        add_header               Access-Control-Allow-Origin *;

-        set              $expires_time max;
+        set                      $expires_time max;

-        valid_referers   blocked none server_names *.qgy18.com *.inoreader.com feedly.com *.feedly.com www.udpwork.com theoldreader.com digg.com *.feiworks.com *.newszeit.com r.mail.qq.com yuedu.163.com *.w3ctech.com;
+        valid_referers           blocked none server_names *.qgy18.com *.inoreader.com feedly.com *.feedly.com www.udpwork.com theoldreader.com digg.com *.feiworks.com *.newszeit.com r.mail.qq.com yuedu.163.com *.w3ctech.com;
        if ($invalid_referer) {
-            set          $expires_time -1;
-            return       403;
+            set                  $expires_time -1;
+            return               403;
        }

-        expires          $expires_time;
+        expires                  $expires_time;
    }

    location ^~ /static/ {
-        root             /data/eiblog;
-        add_header       Access-Control-Allow-Origin *;      
-        expires          max;
+        root                     /data/eiblog;
+        add_header               Access-Control-Allow-Origin *;
+        expires                  max;
    }

    location ^~ /admin/ {
@@ -96,7 +95,7 @@ server {
        # deny 将完全不允许页面被嵌套，可能会导致一些异常。如果遇到这样的问题，建议改成 SAMEORIGIN
        # https://imququ.com/post/web-security-and-response-header.html#toc-1
        add_header               X-Frame-Options deny;
-
+        add_header               X-Powered-By eiblog/1.2.1;
        add_header               X-Content-Type-Options nosniff;

        proxy_set_header         Connection       "";
@@ -114,7 +113,7 @@ server {
        add_header               X-Frame-Options deny;
        add_header               X-Content-Type-Options nosniff;
        # 改deepzz相关的
-        add_header               Content-Security-Policy "default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' blob: https:; img-src data: https: https://st.deepzz.com; style-src 'unsafe-inline' https:; child-src https:; connect-src 'self' https://translate.googleapis.com; frame-src https://disqus.com https://www.slideshare.net";
+        add_header               Content-Security-Policy "default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval' blob: https:; img-src data: https: https://st.deepzz.com; media-src https://st.deepzz.com; style-src 'unsafe-inline' https:; child-src https:; connect-src 'self' https://translate.googleapis.com; frame-src https://disqus.com https://www.slideshare.net";
        # 中间证书证书指纹
        # https://imququ.com/post/http-public-key-pinning.html
        add_header               Public-Key-Pins 'pin-sha256="lnsM2T/O9/J84sJFdnrpsFp3awZJ+ZZbYpCWhGloaHI="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; max-age=2592000; includeSubDomains';
@@ -137,21 +136,22 @@ server {
 }

 server {
-    server_name       www.deepzz.com deepzz.com;
-    server_tokens     off;
+    server_name                  www.deepzz.com deepzz.com;
+    server_tokens                off;

-    access_log        /dev/null;
+    access_log                   /dev/null;

-    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
-        return        444;
+    if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$ ) {
+        return                   444;
    }

+    # letsencrypt file verify
    location ^~ /.well-known/acme-challenge/ {
-        alias         /data/letsencrypt/challenges/;
-        try_files     $uri =404;
+        alias                    /data/letsencrypt/challenges/;
+        try_files                $uri =404;
    }

    location / {
-        rewrite       ^/(.*)$ https://deepzz.com/$1 permanent;
+        rewrite                  ^/(.*)$ https://deepzz.com/$1 permanent;
    }
 }
--- a/conf/nginx/ip.blacklist
+++ b/conf/nginx/ip.blacklist
@@ -0,0 +1,2 @@
+# example black list
+#deny 195.154.211.220;
--- a/conf/scts/ecc/aviator.sct
+++ b/conf/scts/ecc/aviator.sct
--- a/conf/scts/ecc/digicert.sct
+++ b/conf/scts/ecc/digicert.sct
--- a/conf/scts/rsa/aviator.sct
+++ b/conf/scts/rsa/aviator.sct
--- a/conf/scts/rsa/digicert.sct
+++ b/conf/scts/rsa/digicert.sct