{"id":98,"date":"2026-06-02T02:54:10","date_gmt":"2026-06-02T02:54:10","guid":{"rendered":"https:\/\/blog.joezhou.top\/https\/"},"modified":"2026-06-22T23:40:28","modified_gmt":"2026-06-22T15:40:28","slug":"https","status":"publish","type":"post","link":"https:\/\/www.joezhou.top\/?p=98","title":{"rendered":"HTTPS \u52a0\u5bc6\u5168\u89e3\u6790\uff1a\u4ece\u8bc1\u4e66\u539f\u7406\u5230\u5b9e\u6218\u914d\u7f6e"},"content":{"rendered":"<h1 id=\"https\">HTTPS \u52a0\u5bc6\u5168\u89e3\u6790\uff1a\u4ece\u8bc1\u4e66\u539f\u7406\u5230\u5b9e\u6218\u914d\u7f6e<\/h1>\n<h2 id=\"https_1\">\u4e3a\u4ec0\u4e48\u9700\u8981 HTTPS\uff1f<\/h2>\n<p>HTTP \u662f\u660e\u6587\u4f20\u8f93\u7684\u2014\u2014\u4f60\u5728\u6d4f\u89c8\u5668\u91cc\u8f93\u5165\u7684\u5bc6\u7801\u3001\u63d0\u4ea4\u7684\u8868\u5355\u3001\u670d\u52a1\u5668\u8fd4\u56de\u7684\u5185\u5bb9\uff0c\u7406\u8bba\u4e0a\u90fd\u80fd\u88ab\u4e2d\u95f4\u4eba\uff08ISP\u3001\u516c\u5171 WiFi \u63d0\u4f9b\u5546\u3001\u9ed1\u5ba2\uff09\u5b8c\u6574\u770b\u5230\u3002HTTPS \u5728 HTTP \u4e4b\u4e0a\u53e0\u52a0\u4e86 TLS\/SSL \u52a0\u5bc6\u5c42\uff0c\u786e\u4fdd\uff1a<\/p>\n<ul>\n<li><strong>\u673a\u5bc6\u6027<\/strong>\uff1a\u6570\u636e\u52a0\u5bc6\uff0c\u7b2c\u4e09\u65b9\u65e0\u6cd5\u7a83\u542c<\/li>\n<li><strong>\u5b8c\u6574\u6027<\/strong>\uff1a\u9632\u6b62\u4f20\u8f93\u8fc7\u7a0b\u4e2d\u6570\u636e\u88ab\u7be1\u6539<\/li>\n<li><strong>\u8eab\u4efd\u8ba4\u8bc1<\/strong>\uff1a\u786e\u8ba4\u4f60\u8bbf\u95ee\u7684\u5c31\u662f\u771f\u6b63\u7684\u76ee\u6807\u7f51\u7ad9\uff08\u9632\u9493\u9c7c\uff09<\/li>\n<\/ul>\n<h2 id=\"ssltls\">SSL\/TLS \u5de5\u4f5c\u539f\u7406\uff08\u901a\u4fd7\u7248\uff09<\/h2>\n<p>\u60f3\u8c61\u4e00\u4e0b\u4f60\u53bb\u94f6\u884c\u529e\u4e8b\uff1a<\/p>\n<pre class=\"codehilite\"><code>1. 
\u5ba2\u6237\u7aef\u8bf4\uff1a&quot;\u4f60\u597d\uff0c\u6211\u60f3\u5efa\u7acb\u5b89\u5168\u8fde\u63a5&quot;\uff08ClientHello\uff09\n   \u2192 \u544a\u8bc9\u670d\u52a1\u7aef\u81ea\u5df1\u652f\u6301\u54ea\u4e9b\u52a0\u5bc6\u7b97\u6cd5\u548cTLS\u7248\u672c\n\n2. \u670d\u52a1\u7aef\u56de\u590d\uff1a&quot;\u597d\u7684\uff0c\u7528\u8fd9\u4e2a\u7b97\u6cd5\uff0c\u8fd9\u662f\u6211\u7684\u8eab\u4efd\u8bc1\uff08\u8bc1\u4e66\uff09&quot;\n   \uff08ServerHello + Certificate\uff09\n   \u2192 \u8bc1\u4e66\u5305\u542b\u516c\u94a5\uff0c\u7531\u53d7\u4fe1\u4efb\u7684 CA\uff08\u8bc1\u4e66\u9881\u53d1\u673a\u6784\uff09\u7b7e\u540d\n\n3. \u5ba2\u6237\u7aef\u9a8c\u4e00\u4e0b\uff1a\n   - \u8fd9\u4e2a\u8bc1\u4e66\u662f\u6b63\u89c4 CA \u7b7e\u53d1\u7684\u5417\uff1f\n   - \u57df\u540d\u5bf9\u4e0d\u5bf9\uff1f\u6709\u6ca1\u6709\u8fc7\u671f\uff1f\n   \u2192 \u9a8c\u8bc1\u901a\u8fc7\u540e\uff0c\u7528\u670d\u52a1\u7aef\u516c\u94a5\u52a0\u5bc6\u4e00\u4e2a&quot;\u4f1a\u8bdd\u5bc6\u94a5&quot;\u53d1\u8fc7\u53bb\n   \uff08\u901a\u4fd7\u7248\u7b80\u5316\uff1a\u73b0\u4ee3 TLS\uff0c\u5373 TLS 1.2 \u7684 ECDHE \u5957\u4ef6\u4e0e TLS 1.3\uff0c\u4e0d\u518d\u7528\u670d\u52a1\u7aef\u516c\u94a5\u76f4\u63a5\u52a0\u5bc6\u4f1a\u8bdd\u5bc6\u94a5\uff0c\u800c\u662f\u7528\u4e34\u65f6 Diffie-Hellman \u534f\u5546\uff0c\u670d\u52a1\u7aef\u79c1\u94a5\u53ea\u7528\u4e8e\u7b7e\u540d\uff0c\u4ece\u800c\u5177\u5907\u524d\u5411\u4fdd\u5bc6\uff09\n\n4. \u4e4b\u540e\u53cc\u65b9\u5c31\u7528\u8fd9\u4e2a\u5bf9\u79f0\u7684\u4f1a\u8bdd\u5bc6\u94a5\u52a0\u89e3\u5bc6\u901a\u4fe1\n   \u2192 \u5bf9\u79f0\u52a0\u5bc6\u6bd4\u975e\u5bf9\u79f0\u52a0\u5bc6\u5feb\u5f97\u591a\n<\/code><\/pre>\n<p><strong>\u4e00\u53e5\u8bdd\u603b\u7ed3<\/strong>\uff1a\u975e\u5bf9\u79f0\u52a0\u5bc6\u7528\u4e8e\u63e1\u624b\u9636\u6bb5\u4ea4\u6362\u5bc6\u94a5\uff0c\u5bf9\u79f0\u52a0\u5bc6\u7528\u4e8e\u5b9e\u9645\u6570\u636e\u4f20\u8f93\u3002<\/p>\n<h2 
id=\"_1\">\u8bc1\u4e66\u7c7b\u578b\u5bf9\u6bd4<\/h2>\n<table>\n<thead>\n<tr>\n<th>\u7c7b\u578b<\/th>\n<th>\u9002\u7528\u573a\u666f<\/th>\n<th>\u4ef7\u683c<\/th>\n<th>\u9a8c\u8bc1\u7ea7\u522b<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>DV\uff08\u57df\u540d\u9a8c\u8bc1\uff09<\/strong><\/td>\n<td>\u4e2a\u4eba\u535a\u5ba2\u3001\u6d4b\u8bd5\u73af\u5883<\/td>\n<td>\u514d\u8d39~\u51e0\u5341\u5143<\/td>\n<td>\u4ec5\u9a8c\u8bc1\u57df\u540d\u6240\u6709\u6743<\/td>\n<\/tr>\n<tr>\n<td><strong>OV\uff08\u7ec4\u7ec7\u9a8c\u8bc1\uff09<\/strong><\/td>\n<td>\u4f01\u4e1a\u5b98\u7f51\u3001\u7535\u5546\u5e73\u53f0<\/td>\n<td>\u51e0\u767e~\u51e0\u5343\u5143\/\u5e74<\/td>\n<td>\u9a8c\u8bc1\u4f01\u4e1a\u771f\u5b9e\u5b58\u5728<\/td>\n<\/tr>\n<tr>\n<td><strong>EV\uff08\u6269\u5c55\u9a8c\u8bc1\uff09<\/strong><\/td>\n<td>\u91d1\u878d\u3001\u652f\u4ed8\u7b49\u9ad8\u5b89\u5168\u573a\u666f<\/td>\n<td>\u4e0a\u5343\u5143\/\u5e74<\/td>\n<td>\u6700\u4e25\u683c\u5ba1\u6838\uff0c\u6d4f\u89c8\u5668\u5730\u5740\u680f\u663e\u793a\u516c\u53f8\u540d<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 id=\"_2\">\u514d\u8d39\u8bc1\u4e66\u63a8\u8350<\/h2>\n<table>\n<thead>\n<tr>\n<th>\u670d\u52a1\u5546<\/th>\n<th>\u7279\u70b9<\/th>\n<th>\u6709\u6548\u671f<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Let&#8217;s Encrypt<\/strong><\/td>\n<td>\u6700\u6d41\u884c\u7684\u514d\u8d39 CA\uff0cACME \u534f\u8bae\u81ea\u52a8\u7eed\u671f<\/td>\n<td>90 \u5929<\/td>\n<\/tr>\n<tr>\n<td><strong>ZeroSSL<\/strong><\/td>\n<td>\u7c7b\u4f3c Let&#8217;s Encrypt\uff0c\u63d0\u4f9b Web \u63a7\u5236\u53f0<\/td>\n<td>90 \u5929<\/td>\n<\/tr>\n<tr>\n<td><strong>Cloudflare<\/strong><\/td>\n<td>\u6258\u7ba1\u5728 CF \u7684\u57df\u540d\u53ef\u514d\u8d39\u5f00\u542f<\/td>\n<td>\u81ea\u5b9a\u4e49<\/td>\n<\/tr>\n<tr>\n<td><strong>\u963f\u91cc\u4e91\/\u817e\u8baf\u4e91\u514d\u8d39\u8bc1\u4e66<\/strong><\/td>\n<td>\u56fd\u5185\u8bbf\u95ee\u53cb\u597d\uff0c\u63a7\u5236\u53f0\u64cd\u4f5c\u7b80\u5355<\/td>\n<td>1 
\u5e74<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2 id=\"nginx\">Nginx \u914d\u7f6e\u793a\u4f8b<\/h2>\n<pre class=\"codehilite\"><code class=\"language-nginx\">server {\n    listen 443 ssl http2;\n    server_name example.com;\n\n    ssl_certificate     \/etc\/nginx\/certs\/fullchain.pem;\n    ssl_certificate_key \/etc\/nginx\/certs\/privkey.pem;\n\n    # \u5b89\u5168\u53c2\u6570\uff08\u63a8\u8350\uff09\n    ssl_protocols TLSv1.2 TLSv1.3;\n    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';\n    ssl_prefer_server_ciphers on;\n    ssl_session_cache shared:SSL:10m;\n    ssl_session_timeout 1d;\n\n    # HSTS\uff1a\u5f3a\u5236\u6d4f\u89c8\u5668\u540e\u7eed\u53ea\u7528 HTTPS\n    add_header Strict-Transport-Security &quot;max-age=63072000; includeSubDomains&quot; always;\n\n    location \/ {\n        proxy_pass http:\/\/127.0.0.1:3000;\n        proxy_set_header Host $host;\n        proxy_set_header X-Real-IP $remote_addr;\n        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;\n        proxy_set_header X-Forwarded-Proto $scheme;\n    }\n}\n\n# HTTP \u2192 HTTPS \u81ea\u52a8\u8df3\u8f6c\nserver {\n    listen 80;\n    server_name example.com;\n    return 301 https:\/\/$host$request_uri;\n}\n<\/code><\/pre>\n<h2 id=\"certbot\">\u7528 Certbot \u81ea\u52a8\u7533\u8bf7\u548c\u7eed\u671f<\/h2>\n<p>Let&#8217;s Encrypt \u7684\u5b98\u65b9\u5de5\u5177 <a href=\"https:\/\/certbot.eff.org\/\">Certbot<\/a> \u4e00\u6761\u547d\u4ee4\u641e\u5b9a\uff1a<\/p>\n<pre class=\"codehilite\"><code class=\"language-bash\"># \u5b89\u88c5 certbot\napt install certbot python3-certbot-nginx -y\n\n# \u81ea\u52a8\u7533\u8bf7\u5e76\u914d\u7f6e Nginx\ncertbot --nginx -d example.com -d www.example.com\n\n# \u6d4b\u8bd5\u81ea\u52a8\u7eed\u671f\u662f\u5426\u6b63\u5e38\ncertbot renew --dry-run\n\n# \u7eed\u671f\u7531 systemd timer \u6216 cron \u81ea\u52a8\u6267\u884c\n# \u65e0\u9700\u624b\u52a8\u5e72\u9884\n<\/code><\/pre>\n<h2 
id=\"_3\">\u5e38\u89c1\u5751\u4e0e\u6392\u9519<\/h2>\n<p><strong>1. \u6df7\u5408\u5185\u5bb9\u8b66\u544a<\/strong><br \/>\n\u9875\u9762\u901a\u8fc7 HTTPS \u8bbf\u95ee\uff0c\u4f46\u91cc\u9762\u7684\u56fe\u7247\/CSS\/JS \u8fd8\u662f <code>http:\/\/<\/code> \u5f00\u5934 \u2192 \u6d4f\u89c8\u5668\u62e6\u622a\u6216\u663e\u793a\u4e0d\u5b89\u5168\u56fe\u6807\u3002<br \/>\n\u2192 \u89e3\u51b3\uff1a\u628a\u6240\u6709\u8d44\u6e90\u5f15\u7528\u6539\u6210\u76f8\u5bf9\u534f\u8bae <code>\/\/<\/code> \u6216\u5f3a\u5236 <code>https:\/\/<\/code>\u3002<\/p>\n<p><strong>2. \u8bc1\u4e66\u94fe\u4e0d\u5b8c\u6574<\/strong><br \/>\n\u53ea\u4e0a\u4f20\u4e86\u57df\u540d\u8bc1\u4e66\uff0c\u7f3a\u5c11\u4e2d\u95f4\u8bc1\u4e66 \u2192 \u90e8\u5206\u8bbe\u5907\u65e0\u6cd5\u9a8c\u8bc1\u3002<br \/>\n\u2192 \u89e3\u51b3\uff1a\u4f7f\u7528 CA \u63d0\u4f9b\u7684 fullchain\uff08\u8bc1\u4e66+\u4e2d\u95f4\u8bc1\u4e66\u94fe\uff09\u6587\u4ef6\u3002<\/p>\n<p><strong>3. SNI \u4e0d\u517c\u5bb9\u7684\u65e7\u7cfb\u7edf<\/strong><br \/>\n\u67d0\u4e9b\u65e7\u7248 Windows XP \/ IE6 \u4e0d\u652f\u6301 SNI\uff08Server Name Indication\uff09\uff0c\u4e00\u53f0 IP \u53ea\u80fd\u653e\u4e00\u4e2a\u8bc1\u4e66\u3002<br \/>\n\u2192 \u5f71\u54cd\u9762\u6781\u5c0f\uff0c\u73b0\u5728\u53ef\u4ee5\u5ffd\u7565\u3002<\/p>\n<p><strong>4. 
\u8bc1\u4e66\u8fc7\u671f\u5bfc\u81f4\u7f51\u7ad9\u4e0d\u53ef\u8bbf\u95ee<\/strong><br \/>\n\u514d\u8d39\u8bc1\u4e66\u6709\u6548\u671f\u77ed\uff0c\u5fd8\u8bb0\u7eed\u671f\u3002<br \/>\n\u2192 \u89e3\u51b3\uff1a\u8bbe\u7f6e cron\/systemd timer \u81ea\u52a8\u7eed\u671f + \u5230\u671f\u544a\u8b66\u3002<\/p>\n<h2 id=\"_4\">\u6027\u80fd\u4e0e\u5b89\u5168\u7684\u5e73\u8861<\/h2>\n<p>\u5f88\u591a\u4eba\u62c5\u5fc3 HTTPS \u4f1a\u62d6\u6162\u901f\u5ea6\u3002\u5b9e\u9645\u4e0a\uff1a<\/p>\n<ul>\n<li><strong>TLS 1.3<\/strong> \u628a\u63e1\u624b\u4ece 2-RTT \u51cf\u5230 1-RTT\uff0c\u51e0\u4e4e\u65e0\u611f\u77e5\u5ef6\u8fdf<\/li>\n<li><strong>Session Resumption \/ Session Tickets<\/strong> \u8ba9\u91cd\u590d\u8bbf\u95ee\u8df3\u8fc7\u5b8c\u6574\u63e1\u624b<\/li>\n<li><strong>OCSP Stapling<\/strong> \u8ba9\u5ba2\u6237\u7aef\u4e0d\u7528\u989d\u5916\u8bf7\u6c42\u68c0\u67e5\u8bc1\u4e66\u72b6\u6001<\/li>\n<li>HTTP\/2 \u7684\u591a\u8def\u590d\u7528\u53ea\u5728 HTTPS \u4e0b\u542f\u7528\uff0c\u53cd\u800c\u6bd4 HTTP\/1.1 \u66f4\u5feb<\/li>\n<\/ul>\n<h2 id=\"_5\">\u5c0f\u7ed3<\/h2>\n<p>HTTPS \u5df2\u7ecf\u4e0d\u662f&#8221;\u53ef\u9009\u529f\u80fd&#8221;\uff0c\u800c\u662f\u4e92\u8054\u7f51\u57fa\u7840\u8bbe\u65bd\u7684\u57fa\u672c\u8981\u6c42\u3002\u641c\u7d22\u5f15\u64ce\u964d\u6743\u672a\u52a0\u5bc6\u7ad9\u70b9\u3001\u6d4f\u89c8\u5668\u6807\u6ce8&#8221;\u4e0d\u5b89\u5168&#8221;\u3001\u82f9\u679c ATS \u5f3a\u5236\u8981\u6c42\u2014\u2014\u8fd9\u4e9b\u90fd\u5728\u63a8\u52a8\u5168\u7f51\u52a0\u5bc6\u3002<\/p>\n<p>\u4ece\u96f6\u5f00\u59cb\u642d\u5efa HTTPS \u6210\u672c\u6781\u4f4e\uff1aLet&#8217;s Encrypt \u514d\u8d39 + Certbot \u81ea\u52a8\u5316 + Nginx \u6807\u51c6\u914d\u7f6e\uff0c\u534a\u5c0f\u65f6\u5185\u641e\u5b9a\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>HTTPS \u52a0\u5bc6\u5168\u89e3\u6790\uff1a\u4ece\u8bc1\u4e66\u539f\u7406\u5230\u5b9e\u6218\u914d\u7f6e \u4e3a\u4ec0\u4e48\u9700\u8981 HTTPS\uff1f HTTP 
\u662f\u660e\u6587\u4f20\u8f93\u7684\u2014\u2014\u4f60\u5728\u6d4f\u89c8\u5668\u91cc [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[34,35,36,33,37,32],"class_list":["post-98","post","type-post","status-publish","format-standard","hentry","category-iso","tag-34","tag-35","tag-36","tag-33","tag-37","tag-32"],"_links":{"self":[{"href":"https:\/\/www.joezhou.top\/index.php?rest_route=\/wp\/v2\/posts\/98","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.joezhou.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.joezhou.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.joezhou.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.joezhou.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=98"}],"version-history":[{"count":1,"href":"https:\/\/www.joezhou.top\/index.php?rest_route=\/wp\/v2\/posts\/98\/revisions"}],"predecessor-version":[{"id":258,"href":"https:\/\/www.joezhou.top\/index.php?rest_route=\/wp\/v2\/posts\/98\/revisions\/258"}],"wp:attachment":[{"href":"https:\/\/www.joezhou.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=98"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.joezhou.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=98"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.joezhou.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=98"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}