I had been keeping an eye on Let's Encrypt, the free SSL certificate service gslin mentioned, for a while. But I was busy and did not want to be a guinea pig, so I waited until the Public Beta before getting a certificate for one domain to test. It worked well, so I quietly moved the blog up to https as well.
After the move to https I watched it for a while, partly because I was worried it would be unstable or hit web server performance too hard and I would have to pull it back. But technology moves fast and it turned out much better than I expected. So I am taking this chance to dump some settings and notes here.
SSL install (Letsencrypt)
- http://thehackernews.com/2015/12/How-to-Install-Lets-Encrypt-SSL-Certificate.html
- https://letsencrypt.readthedocs.org/en/latest/index.html
- https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04
Hardening / removing SSLv3 and SHA1:
- https://juliansimioni.com/blog/https-on-nginx-from-zero-to-a-plus-part-1/
- https://juliansimioni.com/blog/https-on-nginx-from-zero-to-a-plus-part-2-configuration-ciphersuites-and-performance/
- https://github.com/orangejulius/https-on-nginx/blob/master/ssl.conf
- Remember to generate dhparam2048.pem first (the ssl_dhparam line below points at it)
ssl on;
ssl_certificate /etc/letsencrypt/live/[site domain]/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/[site domain]/privkey.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;
# support only believed secure ciphersuites using the following priority:
# 1.) prefer PFS enabled ciphers
# 2.) prefer AES128 over AES256 for speed (AES128 has completely adequate security for now)
# 3.) Support DES3 for IE8 support
#
# disable the following ciphersuites completely
# 1.) null ciphers
# 2.) ciphers with low security
# 3.) fixed ECDH cipher (does not allow for PFS)
# 4.) known vulnerable ciphers (MD5, RC4, etc)
# 5.) little-used ciphers (Camellia, Seed)
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED';
# Use 2048 bit Diffie-Hellman parameters
# (otherwise Nginx defaults to 1024 bit, lowering the strength of encryption
# when using PFS)
# Generated by OpenSSL with the following command:
# openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam2048.pem 2048
ssl_dhparam /etc/nginx/ssl/dhparam2048.pem;
# allow Nginx to send OCSP results during the connection process
# (Nginx also needs a resolver directive so it can fetch the OCSP responses)
ssl_stapling on;
# Cache SSL Sessions for up to 10 minutes
# This improves performance by avoiding the costly session negotiation process where possible
ssl_session_cache builtin:1000 shared:SSL:10m;
Upgrade NGINX to a version that supports HTTP/2:
add-apt-repository ppa:nginx/development
apt-get update
apt-get dist-upgrade
With that in place you can safely add
server {
    listen 443 http2;   # TLS on this listener is enabled by the ssl on; directive above
HSTS references and notes:
- https://mozilla.github.io/server-side-tls/ssl-config-generator/
- https://larryli.cn/2015/02/644866
- http://www.ghacks.net/2015/10/16/how-to-prevent-hsts-tracking-in-firefox/
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
# Use max-age=43200 for testing first; switch to 15768000 once it goes live
# Note: HSTS only makes the browser remember to use https from then on;
# the very first visit still has to be redirected from http to https
add_header Strict-Transport-Security max-age=43200;
- Clearing HSTS from the browser
Chrome: chrome://net-internals/#hsts
Firefox: Firefox saves HSTS information to the file SiteSecurityServiceState.txt which you find in the root of your Firefox profile folder. The easiest way to open it is to load about:support in Firefox's address bar and to click on the "show folder" button on the page after it has loaded. This opens the profile folder of Firefox in the default system file browser. Editing SiteSecurityServiceState.txt works
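As an added example (not from the post or from the linked ssl.conf), a small Python audit that checks an nginx config for the points above: no SSLv3, RC4/MD5/NULL ciphers excluded, server cipher preference on, ssl_dhparam present, a resolver alongside ssl_stapling, and an HSTS max-age at the 6-month production value rather than the 43200 test value. The two sample configs and the resolver address in them are constructed for the example.

```python
import re
HSTS_PRODUCTION_MIN = 15768000  # the post's production value (6 months); 43200 is its test value
WEAK_CIPHER_TOKENS = ("RC4", "MD5", "aNULL", "eNULL", "EXP", "LOW")

def parse_directives(conf):
    """Flatten nginx config text into (directive, [args]) pairs; comments dropped, braces ignored."""
    tokens = re.findall(r"'[^']*'|\"[^\"]*\"|[;{}]|[^\s;{}'\"]+", re.sub(r"#[^\n]*", "", conf))
    out, cur = [], []
    for tok in tokens:
        if tok not in ";{}":
            cur.append(tok)
        elif cur:  # a ';' or a brace closes the statement collected so far
            out.append((cur[0], [a.strip("'\"") for a in cur[1:]]))
            cur = []
    return out

def audit(conf):
    """Return findings for the settings the post hardens; an empty list means the config passes."""
    pairs = parse_directives(conf)
    last = dict(pairs)  # the last occurrence of each directive wins
    findings = []
    if not last.get("ssl_protocols") or set(last["ssl_protocols"]) & {"SSLv2", "SSLv3"}:
        findings.append("ssl_protocols unset or allows SSLv2/SSLv3")
    ciphers = " ".join(last.get("ssl_ciphers", []))
    for tok in WEAK_CIPHER_TOKENS:  # a token only counts as excluded when it carries the "!" prefix
        if re.search(rf"(?<![!\w]){tok}\b", ciphers):
            findings.append(f"ssl_ciphers does not exclude {tok}")
    if last.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on")
    if "ssl_dhparam" not in last:
        findings.append("ssl_dhparam missing (nginx falls back to 1024-bit DH parameters)")
    if last.get("ssl_stapling") == ["on"] and "resolver" not in last:
        findings.append("ssl_stapling on but no resolver, so OCSP responses cannot be fetched")
    hsts = [a for n, a in pairs if n == "add_header" and a[:1] == ["Strict-Transport-Security"]]
    m = re.search(r"max-age=(\d+)", " ".join(hsts[-1])) if hsts else None
    if int(m.group(1) if m else 0) < HSTS_PRODUCTION_MIN:
        findings.append("HSTS max-age missing or below the 6-month production value")
    return findings

# Constructed samples: the post's hardened settings (cipher list shortened) and a weak config.
HARDENED = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on;
ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+AES128 kEDH+AES128 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED';
ssl_dhparam /etc/nginx/ssl/dhparam2048.pem; ssl_stapling on; resolver 127.0.0.1;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
"""
WEAK = """
ssl_protocols SSLv3 TLSv1; ssl_ciphers 'RC4-SHA:AES128-SHA'; ssl_stapling on;  # SSLv3, RC4, no resolver
add_header Strict-Transport-Security max-age=43200;  # the post's test value; no ssl_dhparam either
"""
```

Run audit() over the real nginx config text after editing it; the hardened sample yields no findings, the weak one lists six.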
Switching WordPress to https and fixing mixed content
Settings -> General -> WordPress Address and Site Address
Plugin:
Add this line to the head.
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
Of course there is also the brute-force way: use search & replace to find the http links in the posts and change the ones that can be changed to https. That kind of grunt work can be done bit by bit when there is time.
Oh right, I need to find time to put the renew into crontab.
2 comments on "Setting up HTTPS with Let's Encrypt"