ssl-helper

SSL/TLS Configuration Helper

Quick Start

Configure nginx with SSL/TLS certificates, modern security protocols, and recommended security headers.

Instructions

Step 1: Obtain SSL certificate

**Option A: Let's Encrypt (recommended for production)**
```bash
# Install certbot
apt-get install certbot python3-certbot-nginx

# Obtain certificate
certbot --nginx -d example.com -d www.example.com

# Auto-renewal is configured automatically
```

**Option B: Self-signed certificate (development only)**
```bash
# Generate self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/nginx/ssl/selfsigned.key \
  -out /etc/nginx/ssl/selfsigned.crt \
  -subj "/C=US/ST=State/L=City/O=Organization/CN=example.com"

# Generate DH parameters
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
```

**Option C: Commercial certificate**
```bash
# Generate CSR
openssl req -new -newkey rsa:2048 -nodes \
  -keyout /etc/nginx/ssl/example.com.key \
  -out /etc/nginx/ssl/example.com.csr

# Submit CSR to certificate authority
# Download certificate and intermediate certificates
# Place in /etc/nginx/ssl/
```

Step 2: Configure SSL in nginx

Basic SSL configuration:
```nginx
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    # SSL certificate files
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # SSL protocols and ciphers
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;

    # SSL session cache
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # OCSP stapling (nginx needs a resolver to reach the OCSP responder named in the certificate)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;

    location / {
        # Your application configuration
        proxy_pass http://backend;
    }
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$server_name$request_uri;
}
```

Step 3: Test SSL configuration

```bash
# Test nginx configuration
nginx -t

# Reload nginx
nginx -s reload

# Test SSL with curl
curl -I https://example.com

# Check SSL certificate
openssl s_client -connect example.com:443 -servername example.com
```

Step 4: Verify security

Online tools:

Command line:
```bash
# Check certificate expiration
echo | openssl s_client -connect example.com:443 2>/dev/null | \
  openssl x509 -noout -dates

# Test TLS versions
openssl s_client -connect example.com:443 -tls1_2
openssl s_client -connect example.com:443 -tls1_3
```

Modern SSL Configuration

**Mozilla Modern profile (recommended for new sites):**
```nginx
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
```

**Mozilla Intermediate profile (broader compatibility):**
```nginx
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;

# DH parameters (required for the DHE suites listed above)
ssl_dhparam /etc/nginx/ssl/dhparam.pem;

# OCSP stapling (a resolver is needed to reach the OCSP responder, as in the Modern profile)
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
```
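
Mistakes in these directives survive `nginx -t`, so it is worth linting a server block from Step 2 or the profiles above before reloading: legacy protocols, DHE suites listed without `ssl_dhparam`, stapling without a `resolver`, and a `location` whose own `add_header` drops the inherited security headers (nginx inherits `add_header` only into blocks that set none themselves). The checker below is an added example, not part of this project; `SAMPLE_CONF` is a constructed server block, and its regex-based `directive` parser assumes `location` blocks without nested braces.

```python
import re

# Constructed nginx server block (not from any real deployment): it passes
# `nginx -t` but carries four of the mistakes this page's settings avoid.
SAMPLE_CONF = """
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256';
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    location /api/ {
        add_header Cache-Control "no-store";
        proxy_pass http://backend;
    }
}
"""
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def directive(conf, name):
    """Value of the first `name ...;` directive in conf, or None if absent."""
    m = re.search(rf"(?m)^\s*{name}\s+([^;]+);", conf)
    return m.group(1).strip() if m else None


def audit_nginx_tls(conf):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    protocols = directive(conf, "ssl_protocols")
    if protocols is None:
        findings.append("ssl_protocols not set; older nginx defaults include TLSv1/TLSv1.1")
    else:
        legacy = LEGACY_PROTOCOLS & set(protocols.split())
        if legacy:
            findings.append("legacy protocols enabled: " + ", ".join(sorted(legacy)))
    # DHE suites are offered only when ssl_dhparam is set (nginx 1.11.0+ has no default)
    ciphers = directive(conf, "ssl_ciphers") or ""
    if "DHE-" in ciphers.replace("ECDHE-", "") and directive(conf, "ssl_dhparam") is None:
        findings.append("DHE ciphers listed but no ssl_dhparam")
    # OCSP stapling needs a resolver to look up the responder named in the certificate
    if directive(conf, "ssl_stapling") == "on" and directive(conf, "resolver") is None:
        findings.append("ssl_stapling on without a resolver directive")
    # add_header is inherited only into blocks that set no add_header of their own, so a
    # location adding any header drops the server-level ones (assumes no nested braces)
    for m in re.finditer(r"location\s+([^{]+?)\s*\{([^}]*)\}", conf):
        path, body = m.group(1), m.group(2)
        if "add_header" in body and "Strict-Transport-Security" not in body:
            findings.append(f"location {path} sets add_header and loses inherited security headers")
    return findings
```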

Security Headers

Essential security headers:
```nginx
# HSTS (HTTP Strict Transport Security)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

# Prevent clickjacking
add_header X-Frame-Options "SAMEORIGIN" always;

# Prevent MIME type sniffing
add_header X-Content-Type-Options "nosniff" always;

# XSS protection (legacy browsers)
add_header X-XSS-Protection "1; mode=block" always;

# Referrer policy
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# Content Security Policy (customize for your site)
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';" always;

# Permissions policy
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
```
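
To confirm what the browser actually receives, the `curl -I https://example.com` output from Step 3 can be checked against this header set; the auditor below is an added example, not part of this project. `SAMPLE_RESPONSE` is a constructed capture in which a location block has repeated the HSTS header and the last three headers above were never added.

```python
import re

# Constructed `curl -I https://example.com` output (not a real capture): the Step 2
# headers are present, HSTS is repeated by a location block, and the three headers
# this section adds last (Referrer-Policy, CSP, Permissions-Policy) are missing.
SAMPLE_RESPONSE = """HTTP/2 200
server: nginx
content-type: text/html
strict-transport-security: max-age=31536000; includeSubDomains
strict-transport-security: max-age=300
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
"""

REQUIRED = ["Strict-Transport-Security", "X-Frame-Options", "X-Content-Type-Options",
            "Referrer-Policy", "Content-Security-Policy", "Permissions-Policy"]


def parse_headers(raw):
    """Map lower-cased header names to every value seen, so duplicates stay visible."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(headers):
    """Return findings against the header set this page recommends."""
    findings = []
    for name in REQUIRED:
        values = headers.get(name.lower(), [])
        if not values:
            findings.append(f"missing {name}")
        elif len(values) > 1:
            findings.append(f"{name} sent {len(values)} times (duplicate add_header, likely in a location block)")
    hsts = headers.get("strict-transport-security", [""])[0]
    m = re.search(r"max-age=(\d+)", hsts)
    if m and int(m.group(1)) < 31536000:
        findings.append("HSTS max-age below one year")
    if hsts and "includesubdomains" not in hsts.lower():
        findings.append("HSTS without includeSubDomains")
    # 'unsafe-inline' in script-src gives up most of what CSP buys against XSS
    csp = headers.get("content-security-policy", [""])[0]
    script_src = re.search(r"script-src([^;]*)", csp)
    if script_src and "'unsafe-inline'" in script_src.group(1):
        findings.append("CSP script-src allows 'unsafe-inline'")
    return findings
```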

Common Patterns

Multiple domains with separate certificates

```nginx
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # ... rest of configuration
}

server {
    listen 443 ssl http2;
    server_name api.example.com;

    ssl_certificate /etc/letsencrypt/live/api.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.example.com/privkey.pem;

    # ... rest of configuration
}
```

Wildcard certificate

```nginx
server {
    listen 443 ssl http2;
    server_name *.example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # ... rest of configuration
}
```

Client certificate authentication

```nginx
server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # Client certificate verification
    ssl_client_certificate /etc/nginx/ssl/ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    location / {
        # Pass client certificate info to backend. $ssl_client_escaped_cert is the
        # URL-encoded PEM; the raw $ssl_client_cert is multi-line and deprecated for headers.
        proxy_set_header X-SSL-Client-Cert $ssl_client_escaped_cert;
        proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;
        proxy_pass http://backend;
    }
}
```

SSL termination for load balancing

```nginx
upstream backend {
    server backend1.example.com:8080;
    server backend2.example.com:8080;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;

    location / {
        # Terminate SSL at nginx, use HTTP to backends
        proxy_pass http://backend;

        # Tell backend about original protocol
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Certificate Management

Let's Encrypt auto-renewal

```bash
# Test renewal
certbot renew --dry-run

# Renewal is automatic via systemd timer
systemctl status certbot.timer

# Manual renewal
certbot renew

# Reload nginx after renewal
certbot renew --deploy-hook "nginx -s reload"
```

Certificate monitoring

```bash
# Check expiration dates
for cert in /etc/letsencrypt/live/*/cert.pem; do
    echo "Certificate: $cert"
    openssl x509 -in "$cert" -noout -enddate
done
```

Alert if certificate expires soon:
```bash
#!/bin/bash
CERT="/etc/letsencrypt/live/example.com/cert.pem"
# Whole days between the certificate's notAfter and now (GNU date -d syntax)
DAYS_UNTIL_EXPIRY=$(( ($(date -d "$(openssl x509 -in "$CERT" -noout -enddate | cut -d= -f2)" +%s) - $(date +%s)) / 86400 ))

if [ "$DAYS_UNTIL_EXPIRY" -lt 30 ]; then
    echo "Certificate expires in $DAYS_UNTIL_EXPIRY days!"
fi
```
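
The alert script above relies on GNU `date -d`, which BusyBox and macOS do not provide. The Python version below is an added example, not part of this project: it parses the `notAfter=` lines that `openssl x509 -noout -enddate` prints, and `SAMPLE_ENDDATES` and `SAMPLE_NOW` are constructed so the result is reproducible.

```python
from datetime import datetime, timezone

# Constructed `openssl x509 -noout -enddate` output per certificate path (not real certs)
SAMPLE_ENDDATES = {
    "/etc/letsencrypt/live/example.com/cert.pem": "notAfter=Jun  1 12:00:00 2025 GMT",
    "/etc/letsencrypt/live/api.example.com/cert.pem": "notAfter=Dec 31 23:59:59 2025 GMT",
}
SAMPLE_NOW = datetime(2025, 5, 10, 12, 0, tzinfo=timezone.utc)  # constructed "today"


def parse_not_after(line):
    """Turn a `notAfter=Mon DD HH:MM:SS YYYY GMT` line into an aware UTC datetime."""
    value = line.split("=", 1)[1].strip()
    # OpenSSL prints GMT; %Z accepts it, but strptime still returns a naive datetime
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_until_expiry(line, now):
    """Whole days left; negative once the certificate has already expired."""
    return (parse_not_after(line) - now).days


def expiring_soon(enddates, now, threshold_days=30):
    """Paths whose certificate expires within threshold_days, with the days left."""
    return {path: days_until_expiry(line, now)
            for path, line in enddates.items()
            if days_until_expiry(line, now) < threshold_days}


if __name__ == "__main__":
    for path, days in expiring_soon(SAMPLE_ENDDATES, SAMPLE_NOW).items():
        print(f"Certificate {path} expires in {days} days!")
```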

Advanced

For detailed information, see:
  • Certificate Types - Different certificate types and when to use them
  • TLS Protocols - TLS version comparison and configuration
  • Security Headers - Comprehensive security header guide