nginx: configuring HTTPS with a self-signed SSL certificate

1. Create the certificate

Create the xxx.key and xxx.crt files (if you host several sites, it is better to name them your_domain.key and your_domain.crt).

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

Country Name (2 letter code) [AU]:CN    ## country
State or Province Name (full name) [Some-State]:ShangHai  ## state or province
Locality Name (eg, city) []:ShangHai  ## city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:   ## organization name
Organizational Unit Name (eg, section) []:          ## department name
Common Name (e.g. server FQDN or YOUR name) []:your_domain.com   ## the site's domain
Email Address []:admin@your_domain.com

2. Configure Nginx

sudo nano /etc/nginx/sites-available/default

server {
    listen 80;
    listen [::]:80 ipv6only=on;        ## plain HTTP: no ssl parameter on port 80
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;

    root /usr/share/nginx/www;
    index index.php index.html index.htm;

    server_name your_domain.com;
    ## "ssl on;" is not used: the ssl parameter on the 443 listen directives already
    ## enables TLS there, and "ssl on;" would force TLS on the port 80 listener as well.
    ssl_certificate /etc/nginx/ssl/nginx.crt;      ## the certificate file created above
    ssl_certificate_key /etc/nginx/ssl/nginx.key;  ## the key file created above
}

However, this alone is not secure: the default is SHA-1 based, and mainstream setups now avoid SHA-1. To ensure stronger security, we can use Diffie–Hellman key exchange (Diffie–Hellman key exchange).

First, go to /etc/ssl/certs and create dhparam.pem:

cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 2048  # use 4096 if the machine is powerful enough

Once it has been generated, add the following after the SSL settings in the Nginx configuration:

    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ## TLSv1 and TLSv1.1 are deprecated (RFC 8996); current deployments should allow only TLSv1.2 and later
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
    keepalive_timeout 70;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

Save the changes and restart nginx:

service nginx restart
## open port 443
sudo ufw allow 443/tcp  # if a firewall is in use
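As an added example (not part of the original post), the following shell script performs step 1 non-interactively, one key/certificate pair per site as suggested above, and then checks the result before nginx is restarted: that the certificate is signed with SHA-256 rather than SHA-1, that it carries a subjectAltName for the domain (browsers require this in addition to the Common Name), and that it matches its private key. It assumes OpenSSL 1.1.1 or later (for `req -addext`); the directory and domain are parameters, and the dhparam helper is the same command as above wrapped in a function.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSL >= 1.1.1.

# gen_selfsigned DIR DOMAIN
# Creates DIR/DOMAIN.key and DIR/DOMAIN.crt.
# -sha256 requests a SHA-256 signature explicitly instead of relying on the OpenSSL default;
# -addext adds a subjectAltName, which browsers check in addition to the CN.
gen_selfsigned() {
    dir="$1"; domain="$2"
    mkdir -p "$dir"
    openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 \
        -subj "/C=CN/ST=ShangHai/L=ShangHai/CN=$domain" \
        -addext "subjectAltName=DNS:$domain" \
        -keyout "$dir/$domain.key" -out "$dir/$domain.crt" 2>/dev/null
    chmod 600 "$dir/$domain.key"   # the private key must not be world-readable
}

# cert_sig_alg CRT -> prints the signature algorithm, e.g. sha256WithRSAEncryption
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

# cert_has_san CRT DOMAIN -> exit status 0 if the SAN extension lists DOMAIN
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_matches_key CRT KEY -> exit status 0 if the public keys in both files are identical
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# gen_dhparam DIR BITS -> writes DIR/dhparam.pem for ssl_dhparam (slow: minutes for 2048/4096)
gen_dhparam() {
    openssl dhparam -out "$1/dhparam.pem" "$2" 2>/dev/null
}
```

Run `gen_selfsigned /etc/nginx/ssl your_domain.com` and then the three check functions on the resulting files; if any check fails, fix the certificate before pointing ssl_certificate at it.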

3. Test

https://server_domain_or_IP

The browser will warn that the certificate is not trusted.

4. If Drupal is served over HTTPS without being configured for it, CSS and JS will not load

Edit Drupal's settings.php (for example with nano) and set:

$base_url = 'https://my.domain.name';
