HTTPS Configuration and Deployment Tutorial

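Questions
1. Can an HTTPS certificate cover second-level domains?

2. How do you choose a certificate provider (CA)?

3. How do you apply for a free certificate?

4. What impact does switching to HTTPS have on an existing application?

5. After switching to HTTPS, how do you capture and analyze traffic with Charles?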

Concepts
Types of HTTPS certificates:
DV SSL certificate: domain-validated
OV SSL certificate: organization-validated
EV SSL certificate: extended validation
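DV SSL certificate: a basic SSL certificate that verifies only ownership of the website's domain. This kind of certificate only encrypts the site's confidential information and cannot prove the site's real identity to users. Deploying DV SSL certificates on e-commerce sites is therefore not recommended, because e-commerce needs online trust first and online security second.

OV SSL stands for Organization Validation SSL: a standard SSL certificate that requires verifying the real identity of the organization that owns the website. This is the normal kind of SSL certificate; it not only encrypts the site's confidential information but also proves the site's real identity to users. It is therefore recommended for all e-commerce sites, because e-commerce needs both online trust and online security. As the history of SSL certificates shows, the standard SSL certificate is the OV SSL certificate (Organization Validation SSL).

EV SSL stands for Extended Validation SSL: an SSL certificate issued under a globally unified, strict identity verification standard, and currently the highest security level of SSL certificate in the industry. When users visit a site that has deployed an EV SSL certificate, the browser address bar not only shows the padlock icon but also turns green. All e-commerce sites are therefore recommended to deploy EV SSL certificates, because e-commerce needs online trust first and online security second. EV SSL certificates: a green secure channel that strengthens online trust and drives more online orders!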

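By coverage, certificates are divided into:

Single-domain certificate: can be used for one domain only.
Wildcard certificate: can be used for a domain and all of its first-level subdomains.
Multi-domain certificate: can be used for multiple domains.

Choosing a certificate provider (CA)

Browser and operating system support (that is, whether it is publicly trusted)

Certificate type

Maintenance cost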

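Applying for a free HTTPS certificate

Tencent Cloud free certificates

Let's Encrypt: widely recommended, but in practice the process is still fairly cumbersome.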

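Applying for a free DV certificate from Tencent Cloud
Application page: https://console.qcloud.com/ssl

The free certificate is a free DV SSL certificate provided by TrustAsia (亚洲诚信), valid for one year.

The free DV certificate supports a single domain only; certificates that support multiple domains or wildcards must be purchased. So if you have several subdomains, you need to apply for them one at a time.

The application process is also very simple. If you choose file validation, add the file and wait for the CA to verify it. Verification takes roughly a few minutes, after which the certificate is issued and can be downloaded from the Tencent Cloud management console.

For how to configure nginx after downloading the certificate, see Tencent Cloud's certificate installation guide.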

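Configuring HTTPS in Nginx

server {
    listen 443;
    server_name xxx.xxx.com;
    root /opt/https/;

    # "ssl on" is obsolete since nginx 1.15.0 and was removed in 1.25.1;
    # on newer versions use "listen 443 ssl;" instead.
    ssl on;
    ssl_certificate vhost/keys/xxx.xxx.com.crt;
    ssl_certificate_key vhost/keys/xxx.xxx.com.key;
    ssl_session_timeout 5m;
    # Configure these protocols. TLSv1 and TLSv1.1 are deprecated by RFC 8996.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Configure this cipher suite list.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    location / {
        index index.html;
        root /opt/https;
    }
}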

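Configuration directive    Description
listen 443                 The SSL port is 443
ssl on                     Enables SSL
ssl_certificate            Certificate file
ssl_certificate_key        Private key file
ssl_protocols              Protocols to use
ssl_ciphers                Cipher suite configuration; the syntax follows the OpenSSL standard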
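
An added example (not part of the original post or of Tencent Cloud's guide): a small Python check that reads nginx configuration text and flags two settings used in the server block shown earlier, the obsolete `ssl on` directive and the TLSv1/TLSv1.1 entries in `ssl_protocols`. The function names, finding codes and both sample configurations are constructed for this illustration.

```python
import re

# Constructed input: the TLS-related directives of the tutorial's server block.
TUTORIAL_CONF = """
server {
    listen 443;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # values as in the tutorial
}
"""
# Constructed input (an assumption, not from the tutorial): both findings addressed.
UPDATED_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""
# SSLv2/SSLv3 are broken; TLS 1.0 and 1.1 were deprecated by RFC 8996.
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")

def directives(conf):
    """Yield (name, args) per directive after dropping '#' comments.
    Simplification: quoted values containing '#', ';' or braces are not handled."""
    conf = re.sub(r"#[^\n]*", "", conf)
    for statement in re.split(r"[;{}]", conf):
        words = statement.split()
        if words:
            yield words[0], words[1:]

def audit_tls(conf):
    """Return sorted finding codes; the text is treated as a single server block."""
    findings = set()
    tls_enabled = False
    protocols = None
    for name, args in directives(conf):
        if name == "ssl" and args == ["on"]:
            findings.add("ssl-on-obsolete")        # directive removed in nginx 1.25.1
            tls_enabled = True
        elif name == "listen" and "ssl" in args:
            tls_enabled = True
        elif name == "ssl_protocols":
            protocols = args
    if tls_enabled and protocols is None:
        findings.add("ssl-protocols-default")      # default set depends on nginx version
    for proto in protocols or []:
        if proto in LEGACY_PROTOCOLS:
            findings.add("legacy-protocol:" + proto)
    return sorted(findings)
```

Calling `audit_tls()` on the text of a deployed configuration file returns an empty list when none of these settings is present.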

Full-site encryption: redirecting HTTP to HTTPS automatically

server {
    listen 80;
    server_name xxx.xxx.com;
    # Permanent (301) redirect to the same host and URI over HTTPS.
    rewrite ^(.*) https://$host$1 permanent;
}

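Problems that HTTPS may introduce
The HTTPS site contains external interfaces that use HTTP
Static resources on the CDN use HTTP
Packet capture and debugging with Charles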

