HTTPS certificate issuance
With Let's Encrypt, a certificate can be issued free of charge.
Getting a free HTTPS certificate with Certbot
Let's Encrypt - Free SSL/TLS Certificates [https://letsencrypt.org/]: Let's Encrypt is a free, automated, and open certificate authority brought to you by the nonprofit Internet Security Research Group (ISRG). Through the nonprofit Let's Encrypt, TLS certificates can be issued free of charge. Root domains, subdomains, …

HTTPS configuration
Configure nginx to accept HTTPS connections.
server {
    #### Remove or comment out ####
    # listen [::]:80; # disable http
    # listen 80; # disable http
    #### Add ####
    listen 443 ssl; # enable https
    listen [::]:443 ssl; # enable https
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # certificate path
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # key path
    server_name example.com www.example.com;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:8000;
    }
}
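The `proxy_set_header` lines above tell the backend on 127.0.0.1:8000 which scheme and client address the request really had. The backend must only believe those headers when the request actually came from nginx, because any client can send its own `X-Forwarded-Proto: https`. The following Python is an added example, not code from the original post; it assumes the backend is a WSGI application and that only loopback peers (127.0.0.1 and ::1) can be the reverse proxy.

```python
# Added example (not from the original post): how a WSGI backend behind
# proxy_pass http://127.0.0.1:8000 should consume the headers nginx sets.
# Assumption: only loopback peers are the trusted reverse proxy.
from ipaddress import ip_address

TRUSTED_PROXIES = {ip_address("127.0.0.1"), ip_address("::1")}  # assumption


def request_origin(environ):
    """Return (scheme, client_ip) for a WSGI environ.

    X-Forwarded-Proto / X-Real-IP / X-Forwarded-For are honoured only when the
    TCP peer (REMOTE_ADDR) is the trusted proxy; otherwise they may have been
    written by the client itself and are ignored.
    """
    peer = ip_address(environ["REMOTE_ADDR"])
    scheme = environ.get("wsgi.url_scheme", "http")
    client_ip = str(peer)
    if peer not in TRUSTED_PROXIES:
        return scheme, client_ip

    forwarded_proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
    if forwarded_proto in ("http", "https"):
        scheme = forwarded_proto

    # nginx sets X-Real-IP to $remote_addr, and $proxy_add_x_forwarded_for
    # appends that same address as the LAST element of X-Forwarded-For.
    # Prefer X-Real-IP, fall back to the rightmost X-Forwarded-For entry,
    # never the leftmost (that part is client-controlled).
    real_ip = environ.get("HTTP_X_REAL_IP", "").strip()
    if not real_ip:
        xff = environ.get("HTTP_X_FORWARDED_FOR", "")
        real_ip = xff.rsplit(",", 1)[-1].strip()
    try:
        client_ip = str(ip_address(real_ip))
    except ValueError:
        pass  # malformed header: keep the peer address
    return scheme, client_ip


def is_secure(environ):
    """True when the original client connection was HTTPS."""
    return request_origin(environ)[0] == "https"


# Constructed sample environs (not captured from a real server).
VIA_NGINX = {
    "REMOTE_ADDR": "127.0.0.1",
    "wsgi.url_scheme": "http",           # the backend itself speaks plain HTTP
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_REAL_IP": "203.0.113.7",
    "HTTP_X_FORWARDED_FOR": "198.51.100.9, 203.0.113.7",
}
DIRECT_CONNECTION = {
    "REMOTE_ADDR": "203.0.113.7",        # not the proxy: headers are ignored
    "wsgi.url_scheme": "http",
    "HTTP_X_FORWARDED_PROTO": "https",
    "HTTP_X_REAL_IP": "10.0.0.1",
}

if __name__ == "__main__":
    print(request_origin(VIA_NGINX))          # ('https', '203.0.113.7')
    print(request_origin(DIRECT_CONNECTION))  # ('http', '203.0.113.7')
```

If port 8000 is reachable from anywhere other than nginx (for example the backend binds 0.0.0.0), the trusted-proxy check is what keeps a direct client from marking its own plain-HTTP request as secure or choosing the IP address the application logs.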
Redirecting HTTP connections to HTTPS
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    server_name example.com www.example.com;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:8000;
    }
}
#### Add ####
server {
    #### 1. Redirect (exact host match)
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    }
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    }
    ####################
    #### 2. Example using a regex: matches example.com and any single-label subdomain
    if ($host ~ ^(?:[^.]+\.)?example\.com$) {
        return 301 https://$host$request_uri;
    }
    ####################
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 404; # any Host that did not match above
}
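The port-80 block decides per request whether to answer 301 or fall through to `return 404`, so it is worth replaying that decision offline against a few Host values. The following Python is an added example, not part of the original post; it approximates nginx's `$host` (lowercased, port removed) and compares the exact-match form, the subdomain-only pattern `^[^.]+\.example\.com$`, and the variant with an optional leading label, which also covers the bare `example.com`.

```python
# Added example (not from the original post): replaying the HTTP-to-HTTPS
# redirect decision of the port-80 server block against sample Host values.
import re

SUBDOMAIN_ONLY = re.compile(r"^[^.]+\.example\.com$")         # requires one label in front
WITH_BARE_DOMAIN = re.compile(r"^(?:[^.]+\.)?example\.com$")  # label is optional
EXACT_HOSTS = ("example.com", "www.example.com")


def nginx_host(host_header):
    """Approximate nginx's $host: lowercase, port stripped.
    Assumption: no IPv6 literal in the Host header."""
    return host_header.split(":", 1)[0].strip().lower()


def matches_exact(host):
    return host in EXACT_HOSTS


def matches_subdomain_only(host):
    return SUBDOMAIN_ONLY.match(host) is not None


def matches_with_bare(host):
    return WITH_BARE_DOMAIN.match(host) is not None


def redirect_decision(host_header, matcher, request_uri="/"):
    """Return (status, location) for a plain-HTTP request: 301 to https when the
    matcher accepts $host, otherwise the block's final `return 404`."""
    host = nginx_host(host_header)
    if matcher(host):
        return 301, f"https://{host}{request_uri}"
    return 404, None


# Constructed sample Host header values.
SAMPLE_HOSTS = ["example.com", "WWW.example.com:80", "api.example.com",
                "a.b.example.com", "example.com.evil.test", "evil.test"]


def decision_table(matcher):
    """Status code per sample host for one matching form."""
    return {h: redirect_decision(h, matcher)[0] for h in SAMPLE_HOSTS}


if __name__ == "__main__":
    for name, m in (("exact", matches_exact),
                    ("subdomain-only regex", matches_subdomain_only),
                    ("regex with optional label", matches_with_bare)):
        print(name, decision_table(m))
```

The subdomain-only pattern never matches `example.com` itself, so with that form alone a request to `http://example.com/` gets the 404 instead of the redirect; the optional-label variant fixes that while still rejecting `example.com.evil.test`, because of the `$` anchor. Hosts such as `api.example.com` only reach this block at all if it is the default server for port 80, since `server_name` lists just the two names.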
Additional security measures
The following is a useful reference.
Mozilla SSL Configuration Generator
An easy-to-use secure configuration generator for web, database, and mail software. Simply select the software you are using and receive a configuration file that is both safe and compatible.
Adding dhparam
Diffie-Hellman parameters
openssl is required.
sudo apt install openssl
Generate the dhparam file
openssl dhparam -out dhparam.pem 4096
Add dhparam to the configuration
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    server_name example.com www.example.com;
    #### Add ####
    ssl_dhparam /etc/nginx/dhparam.pem; # path to the dhparam.pem generated above
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:8000;
    }
}
server {
    # Redirect example.com and any single-label subdomain to HTTPS
    if ($host ~ ^(?:[^.]+\.)?example\.com$) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 404;
}
SSL protocol version configuration
For security, allow only recent TLS versions.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    server_name example.com www.example.com;
    ssl_dhparam /etc/nginx/dhparam.pem;
    #### Add ####
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:8000;
    }
}
server {
    # Redirect example.com and any single-label subdomain to HTTPS
    if ($host ~ ^(?:[^.]+\.)?example\.com$) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 404;
}
Modifying the SSL ciphers
Allow only strong algorithms.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    server_name example.com www.example.com;
    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    #### Add ####
    ssl_prefer_server_ciphers off;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:8000;
    }
}
server {
    # Redirect example.com and any single-label subdomain to HTTPS
    if ($host ~ ^(?:[^.]+\.)?example\.com$) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 404;
}
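Every suite in the `ssl_ciphers` string above uses an ephemeral key exchange (ECDHE or DHE, hence forward secrecy) and an AEAD cipher (AES-GCM or ChaCha20-Poly1305). The following Python is an added example, not code from the original post: it audits an nginx cipher string against exactly that policy on the suite names, and then resolves the string with the OpenSSL library Python was built with to show which TLS 1.2 suites it really enables. The cipher list is the one from the configuration above; the weaker list is constructed for contrast.

```python
# Added example (not from the original post): audit an nginx ssl_ciphers
# string for forward secrecy and AEAD-only suites.
import ssl

# The cipher list from the configuration above.
PAGE_CIPHERS = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
                "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384")

# Constructed contrast list: static RSA key exchange, CBC/SHA-1 and 3DES suites.
LEGACY_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:ECDHE-RSA-AES256-SHA:DES-CBC3-SHA"


def suite_problems(name):
    """Policy problems for one OpenSSL suite name (string-level heuristics
    on the OpenSSL naming scheme)."""
    problems = []
    if not name.startswith(("ECDHE-", "DHE-")):
        problems.append("no forward secrecy (static key exchange)")
    if "GCM" not in name and "CHACHA20-POLY1305" not in name:
        problems.append("not AEAD (CBC or legacy construction)")
    if "DES" in name or "RC4" in name or name.endswith("-MD5"):
        problems.append("legacy primitive")
    return problems


def audit_cipher_string(cipher_string):
    """Map every suite in an nginx ssl_ciphers string to its list of problems."""
    return {s: suite_problems(s) for s in cipher_string.split(":") if s}


def is_policy_clean(cipher_string):
    """True when no suite in the string violates the policy."""
    return all(not p for p in audit_cipher_string(cipher_string).values())


def openssl_view(cipher_string):
    """Resolve the string with the local OpenSSL and list the TLS 1.2 suites it
    enables as (name, key exchange, auth, aead). TLS 1.3 suites are fixed by
    OpenSSL and unaffected by ssl_ciphers, so they are filtered out."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing matches
    return [(c["name"], c["kea"], c["auth"], c["aead"])
            for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


if __name__ == "__main__":
    for label, s in (("page list", PAGE_CIPHERS), ("legacy list", LEGACY_CIPHERS)):
        print(label, "clean" if is_policy_clean(s) else "has problems")
        for suite, problems in audit_cipher_string(s).items():
            if problems:
                print("  ", suite, "->", "; ".join(problems))
    for row in openssl_view(PAGE_CIPHERS):
        print(row)
```

`openssl_view` is the check worth running on the server itself: a suite name that the local OpenSSL does not know is silently dropped from the list, so comparing the resolved suites with the intended string catches typos and suites missing from an older library.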
Setting the HSTS max-age
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    server_name example.com www.example.com;
    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
    #### Add ####
    add_header Strict-Transport-Security "max-age=63072000" always; # 63072000 s = 2 years
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:8000;
    }
}
server {
    # Redirect example.com and any single-label subdomain to HTTPS
    if ($host ~ ^(?:[^.]+\.)?example\.com$) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 404;
}
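The `max-age=63072000` above is what a browser will parse out of the `Strict-Transport-Security` header and remember for that many seconds. The following Python is an added example, not code from the original post: it parses the header value the way a browser does (case-insensitive directives, mandatory `max-age`, optional `includeSubDomains` and `preload`), converts the page's value to days, and checks the stricter conditions the HSTS preload list asks for (max-age of at least one year, `includeSubDomains` and `preload`), which the configuration above does not set.

```python
# Added example (not from the original post): parse and evaluate a
# Strict-Transport-Security header value.
SECONDS_PER_DAY = 86400
PAGE_MAX_AGE = 63072000          # value from the configuration above (730 days)
PRELOAD_MIN_MAX_AGE = 31536000   # one year, the hstspreload.org submission minimum


def parse_hsts(value):
    """Return {'max_age': int, 'include_subdomains': bool, 'preload': bool},
    or None when the header is one a browser would ignore (no max-age, or a
    non-numeric max-age). Directive names are case-insensitive and the
    max-age value may be quoted; unknown directives are skipped."""
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "max-age":
            if not raw.isdigit():
                return None
            parsed["max_age"] = int(raw)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    if parsed["max_age"] is None:
        return None
    return parsed


def hsts_days(value):
    """Whole days the browser will pin the host to HTTPS, or None if ignored."""
    p = parse_hsts(value)
    return None if p is None else p["max_age"] // SECONDS_PER_DAY


def preload_ready(value):
    """True when the value satisfies the preload-list requirements."""
    p = parse_hsts(value)
    return bool(p and p["max_age"] >= PRELOAD_MIN_MAX_AGE
                and p["include_subdomains"] and p["preload"])


# Constructed header values: the one from the configuration above, and a
# preload-eligible variant for comparison.
PAGE_HEADER = f"max-age={PAGE_MAX_AGE}"
PRELOAD_HEADER = "max-age=63072000; includeSubDomains; preload"

if __name__ == "__main__":
    print(parse_hsts(PAGE_HEADER), hsts_days(PAGE_HEADER), "days")   # 730 days
    print("page header preload-ready:", preload_ready(PAGE_HEADER))    # False
    print("with includeSubDomains+preload:", preload_ready(PRELOAD_HEADER))  # True
```

Two details of the nginx line interact with this: `always` makes nginx attach the header to error responses as well, and browsers only accept HSTS over a TLS connection, so sending it from the 443 block only (as above) is the correct placement. Adding `includeSubDomains` extends the pin to every subdomain, so it should only be set once all of them are served over HTTPS.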