When you set up a personal blog, you will come across articles about applying for free certificates and about blogs that run over HTTPS. HTTPS is considerably more secure than plain HTTP, not least in a country where traffic-hijacking attacks are anything but rare. Having some free time, I tried upgrading my own personal blog to HTTPS as well.
Using HTTPS first requires a certificate for the blog. Many certification authorities at home and abroad sell them for a fee; for a personal blog I recommend the now very popular Let's Encrypt. The application process is simple and uses the official automation script:
1. Set up the Git environment:
# yum install git
2. Download the automation script locally:
# git clone https://github.com/certbot/certbot
# cd certbot
3. Generate the certificate:
./certbot-auto certonly --standalone --email [email protected] -d iorisun.com -d www.iorisun.com
The following packages will be installed
During installation you are asked to confirm the package installation (enter y) and to accept the official terms of service (press Enter).
Note: the firewall must allow the HTTPS port while the certificate is being requested:
# firewall-cmd --permanent --zone=public --add-service=https
# firewall-cmd --reload
After the request succeeds, certbot prints a confirmation message.
The issued files can be viewed with the tree command: # tree /etc/letsencrypt/live/
4. Modify the Nginx configuration file
# vim /etc/nginx/conf.d/default.conf
Add the SSL parameter definitions to the Nginx configuration file and redirect HTTP to HTTPS; the complete server block is listed under "Optimizing HTTPS security" below.
After restarting the service, the site shows the small green padlock when opened in a browser.
5. Set up automatic certificate renewal
Let's Encrypt certificates are valid for only 90 days and must be renewed periodically.
Create a scheduled task with crontab that renews the certificate every 2 months:
# 03:00 on the 1st of every second month
0 3 1 */2 * root /root/certbot/certbot-auto renew --standalone --pre-hook "service nginx stop" --post-hook "service nginx start" --force-renewal
Alternatively, run ./certbot-auto renew -v by hand.
6. Change the blog's site address to the HTTPS URL.
Optimizing HTTPS security:
1. Generate dhparam.pem
# cd /etc/ssl/certs/
# openssl dhparam -out dhparam.pem 2048
2. Generate the HTTP Public Key Pinning values
# cd /etc/letsencrypt/live/iorisun.com/
# openssl rsa -in privkey.pem -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
writing RSA key
9rcncxvnzws62mpkx5nujpks5jagahnxeqanv0hx7vo=
# openssl x509 -in chain.pem -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
writing RSA key
ylh1dur9y6kja30rran7jknbqg/uetlmkbgff2fuihg=
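Both openssl pipelines above hash the same thing: the DER-encoded SubjectPublicKeyInfo (public key plus its algorithm identifier), not the whole certificate. The Python below, added here as an example and not part of the original post, performs that extraction from a certificate with the standard library only, which is handy for checking a pin against the chain before it goes into the header. The certificate it pins is a constructed DER skeleton rather than a real certificate, and all function names are my own.

```python
"""Compute an HPKP pin-sha256 value from a DER/PEM X.509 certificate.

A pin is base64(SHA-256(SubjectPublicKeyInfo)): the hash covers the
DER-encoded public key together with its algorithm identifier, not the
whole certificate, which is why the openssl pipeline extracts the public
key first. Pure standard library; no OpenSSL binary needed.
"""
import base64
import hashlib


def der_tlv(buf, pos):
    """Decode the DER tag/length at buf[pos].

    Returns (tag, start, end): buf[start:end] is the value and buf[pos:end]
    the whole element. Handles short and long definite lengths (all DER allows).
    """
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def spki_from_certificate(cert_der):
    """Return the raw SubjectPublicKeyInfo element of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, pos, _ = der_tlv(cert_der, 0)           # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = der_tlv(cert_der, pos)         # TBSCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, _, end = der_tlv(cert_der, pos)
    if tag == 0xA0:                              # explicit [0] version, absent in v1 certs
        pos = end
    for _ in range(5):                           # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_tlv(cert_der, pos)
    tag, _, end = der_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("missing subjectPublicKeyInfo")
    return cert_der[pos:end]


def hpkp_pin(spki_der):
    """base64(SHA-256(SPKI)): the value that goes into pin-sha256="..."."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_from_pem(pem_text):
    """Strip the PEM armour of one CERTIFICATE block and pin its public key."""
    body = "".join(l for l in pem_text.strip().splitlines() if not l.startswith("-----"))
    return hpkp_pin(spki_from_certificate(base64.b64decode(body)))


def _der(tag, value):
    """Encode one DER element; used only to build the constructed sample below."""
    n = len(value)
    if n < 0x80:
        header = bytes([tag, n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        header = bytes([tag, 0x80 | len(lb)]) + lb
    return header + value


# Constructed sample (not a real certificate): a DER Certificate skeleton whose
# SPKI is an rsaEncryption AlgorithmIdentifier plus a dummy 200-byte BIT STRING.
SAMPLE_SPKI = _der(0x30, _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))
                   + _der(0x03, b"\x00" + b"\x01" * 200))
_TBS_FIELDS = (_der(0x02, b"\x01")               # serialNumber
               + _der(0x30, b"") * 4             # signature, issuer, validity, subject stand-ins
               + SAMPLE_SPKI)
SAMPLE_CERT_V3 = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _TBS_FIELDS)
                      + _der(0x30, b"") + _der(0x03, b"\x00"))
SAMPLE_CERT_V1 = _der(0x30, _der(0x30, _TBS_FIELDS) + _der(0x30, b"") + _der(0x03, b"\x00"))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_CERT_V3).decode("ascii")
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_PIN = hpkp_pin(SAMPLE_SPKI)

if __name__ == "__main__":
    print('pin-sha256="%s"' % pin_from_pem(SAMPLE_PEM))
```

Feed a real chain.pem to pin_from_pem and the result matches the second openssl pipeline above; the v1/v3 samples exercise the optional version field and the long-form length encoding that real certificates use.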
3. Modify Nginx configuration file:
# vim /etc/nginx/conf.d/default.conf
server {
    listen 80;
    listen 443 ssl http2;
    server_name www.iorisun.com iorisun.com;
    root /usr/share/nginx/html/;
    index index.html index.php index.htm;
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }
    ssl_certificate /etc/letsencrypt/live/iorisun.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/iorisun.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/iorisun.com/chain.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    server_tokens off;
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout 10s;
    fastcgi_hide_header X-Powered-By;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header Public-Key-Pins 'pin-sha256="9rcncxvnzws62mpkx5nujpks5jagahnxeqanv0hx7vo="; pin-sha256="ylh1dur9y6kja30rran7jknbqg/uetlmkbgff2fuihg="; max-age=2592000; includeSubDomains' always;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
}
Once configured, you can test your site's security level: https://www.ssllabs.com/ssltest/
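Before reloading Nginx it is worth linting the server block offline for the settings an external scan will penalise. The Python below is an added example, not code from the original post: it tokenizes the block (quoted header values containing ';' survive) and reports weak protocols, 3DES/RC4 suites, a missing or too-short HSTS policy, a Public-Key-Pins header (current browsers no longer honour HPKP, and a stale pin locks clients out), disabled OCSP stapling and version disclosure. The two sample configurations are constructed, with placeholder hostnames and pins, and the function names are my own.

```python
"""Offline lint for the TLS settings of one Nginx server { } block."""
import re


def tokenize(text):
    """Split nginx config text into tokens, honouring quotes and # comments."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == "#":                                   # comment runs to end of line
            j = text.find("\n", i)
            i = n if j < 0 else j
        elif c in ";{}":
            tokens.append(c)
            i += 1
        elif c in "\"'":                                 # quoted argument, quotes dropped
            j = text.index(c, i + 1)
            tokens.append(text[i + 1:j])
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in ";{}\"'":
                j += 1
            tokens.append(text[i:j])
            i = j
    return tokens


def parse_directives(text):
    """Return [(name, [args...])] for every directive, flattening nested blocks."""
    directives, current = [], []
    for tok in tokenize(text):
        if tok in (";", "{"):
            if current:
                directives.append((current[0].lower(), current[1:]))
            current = []
        elif tok == "}":
            current = []
        else:
            current.append(tok)
    return directives


def audit_tls(config_text):
    """Return a list of findings for the block; an empty list means nothing flagged."""
    table = {}
    for name, args in parse_directives(config_text):
        table.setdefault(name, []).append(args)
    findings = []
    protocols = {p.lower() for args in table.get("ssl_protocols", []) for p in args}
    for old in ("sslv3", "tlsv1", "tlsv1.1"):
        if old in protocols:
            findings.append(f"ssl_protocols enables {old}; allow only TLSv1.2 and TLSv1.3")
    if protocols and "tlsv1.3" not in protocols:
        findings.append("ssl_protocols does not enable TLSv1.3")
    # OpenSSL cipher strings: ':'-separated; '!' entries are exclusions, not suites.
    suites = [s.lower() for args in table.get("ssl_ciphers", [])
              for s in ":".join(args).split(":") if s and not s.startswith("!")]
    if any("des-cbc3" in s for s in suites):
        findings.append("ssl_ciphers lists 3DES suites (DES-CBC3); drop them")
    if any("rc4" in s for s in suites):
        findings.append("ssl_ciphers lists RC4 suites; drop them")
    headers = {a[0].lower(): " ".join(a[1:]) for a in table.get("add_header", []) if a}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        age = re.search(r"max-age=(\d+)", hsts, re.I)
        if "preload" in hsts.lower() and (not age or int(age.group(1)) < 31536000):
            findings.append("HSTS preload needs max-age of at least one year")
    if "public-key-pins" in headers:
        findings.append("Public-Key-Pins (HPKP) set: browsers no longer honour it and a stale pin locks clients out")
    if table.get("ssl_stapling", [["off"]])[-1] != ["on"]:
        findings.append("OCSP stapling is off")
    if table.get("server_tokens", [["on"]])[-1] != ["off"]:
        findings.append("server_tokens is on (version disclosure)")
    return findings


# Constructed sample modelled on this page's server block (cipher list shortened,
# hostnames and pins replaced by placeholders).
PAGE_STYLE_CONFIG = """
server {
    listen 443 ssl http2;
    server_name www.example.com example.com;   # placeholder host
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_stapling on;
    server_tokens off;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header Public-Key-Pins 'pin-sha256="PIN1PLACEHOLDER="; pin-sha256="PIN2PLACEHOLDER="; max-age=2592000; includeSubDomains' always;
}
"""

# The same block with the flagged settings corrected.
HARDENED_CONFIG = """
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256";
    ssl_stapling on;
    server_tokens off;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
}
"""
```

Calling audit_tls(PAGE_STYLE_CONFIG) yields five findings (TLS 1.0, TLS 1.1, no TLS 1.3, 3DES suites, HPKP) while the hardened block yields none; the lint is a pre-check only and does not replace the SSL Labs scan, which also verifies the served chain and OCSP response.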
Personal blog http to HTTPS