Enable HTTPS now, for free! - OSChina Community

English original: Switch to HTTPS Now, For Free

From now on, you should see a delightful lock next to https://konklone.com in your browser’s URL bar, because I’ve switched this site to use HTTPS. I paid $0 for the trouble.

Why you should bother doing the same:

This post shows how to do your part in building a surveillance-resistant Internet by switching your site to HTTPS. Though it takes a bunch of steps, each one is very simple, and you should be able to finish this in under an hour.

Translator: Railgun (translated 4 years ago)

Now, when you visit https://konklone.com you should see a nice little green lock in the address bar, because I have switched this site to the HTTPS protocol. It was done without spending a cent.

Why use the HTTPS protocol:

This post explains how to do your part in building a harmonious, secure Internet by enabling HTTPS on your site. Although there are quite a few steps, each one is very simple, and a clever reader should be able to finish this in under an hour.

A quick overview: to use HTTPS on the web today, you need to obtain a certificate file that’s signed by a company that browsers trust. Once you have it, you tell your web server where it is, where your associated private key is, and open up port 443 for business. You don’t necessarily have to be a professional software developer to do this, but you do need to be okay with the command line, and comfortable configuring a web server you control.

Most certificates cost money, but at Micah Lee’s suggestion, I used StartSSL. They’re who the EFF uses, and their basic certificates for individuals are free. (They’ll ask you to pay for a higher level certificate if your site is commercial in nature.) The catch is that their website is difficult to use at first — especially if you’re new to the concepts and terminology behind SSL certificates (like me). Fortunately, it’s not actually that hard; it’s just a lot of small steps.

Below, we’ll go step by step through signing up with StartSSL and creating your certificate. We’ll also cover installing it via nginx, but you can use the certificate with whatever web server you want.

Translator: maverickpuss (translated 4 years ago)

Overview: to use HTTPS on the web today, you need to obtain a certificate file signed by a company that browsers trust. Once you have it, you tell your web server where it is and where your associated private key is, and open port 443 for business. You do not have to be a professional software developer to do this, but you do need to be fluent with the command line and comfortable configuring a server you control.

Most certificates cost money, but following Micah Lee's suggestion I used StartSSL. That is what the EFF uses too, and their basic certificates for individuals are free. (They will ask you to pay for a higher-level certificate if your site is actually commercial.) Be aware that their website is hard to use at first, especially if you are still new to the concepts and terminology behind SSL (as I was). Fortunately, it is not as hard as it looks; there are just a lot of small steps.

Below, we will go step by step from registration through creating your certificate. We will also cover installation under nginx, but you can use the certificate with whatever web server you like.

Register with StartSSL

To get started, visit their signup page and enter your information.

They’ll email you a verification code. They tell you to not close the tab or navigate away from it, so just keep it open until you get the code, and can paste it in.

You’ll need to wait for certification, but it should only take a few minutes. Once you’re approved, they’ll email you a special link and a verification code to type in.

That’ll bring you to a screen to generate a private key. Yes, they’re generating a private key on their servers, but this doesn’t have to be the key you use to make your SSL certificate. They’re using it to generate you a separate “authentication certificate” that you will use to log in to StartSSL’s control panel going forward. You’ll make a separate certificate for your website later.

Finally, they’ll ask you to “Install” the certificate:

Which installs your authentication certificate directly into your browser.

If you’re in Chrome, you should see this at the top of your browser window:

Again, this is just the certificate that identifies you by your email address and lets you log in to StartSSL going forward.

Translator: 你要爪子 (translated 4 years ago)

Registering with StartSSL

To start, visit the signup page and enter your information.

They will send you a verification code by email. Do not close the tab or the browser in the meantime; just keep it open until you receive the code and can paste it in.

Wait a few minutes and you will get the certificate. Once your application is approved, they will send you an email with a special link and a verification code.

After that you will be given a private key generated on their servers, but this is not the key you create your SSL certificate with. They use this private key to generate a separate "authentication certificate" that you will later use to log in to StartSSL's control panel; you will create a certificate for your website below.

Finally they will ask you to install the certificate.

This installs the authentication certificate into your browser.

If you are using Chrome, you will see the following at the top of the browser.

Again, this just shows that you reached this page via the address in your email after logging in to StartSSL.

Now, we need to get StartSSL to believe we own the domain name we want to generate a new certificate for. From the control panel, click the “Validations Wizard” tab, and select “Domain Name Validation” from the dropdown.

Enter your domain name.

Next, you’ll select an email address that StartSSL will use to verify you own the domain name.

As you can see, StartSSL will believe you own the domain if you control webmaster@, postmaster@, or hostmaster@ with the domain name, OR if you own the email address listed as part of the domain’s registrant information (in my case, that’s currentlykonklone@gmail.com). Choose an email address where you can receive mail.

They’ll email you a validation code, which you can enter into the field to validate the domain.

Translator: 阿_信 (translated 4 years ago)

Now we need to make StartSSL believe we own the domain name for which we want to generate a new certificate. From the control panel, click "Validations Wizard", then choose "Domain Name Validation" from the dropdown.

Enter your domain name.

Next, choose an email address that StartSSL will use to verify your domain. As you can see, StartSSL will believe you own the domain if you control webmaster@, postmaster@ or hostmaster@ at the domain, or if your email address is listed as part of the domain's registrant information (in my case, currently konklone@gmail.com). Then choose an email address where you can receive mail.

They will send you a verification code, which you enter into the text box to validate your domain.

Generating the certificate

Now that StartSSL knows who you are, and knows you own a domain, you can generate your certificate using a private key.

While StartSSL can generate a private key for you — and their FAQ assures you they use only the highest quality random numbers and don’t hold onto the key afterwards — it’s also easy to create your own.

This guide will cover creating your own via the command line. If you choose to let StartSSL’s wizard do it, you can pick back up with this guide a couple steps down, where you choose the domain the certificate should apply to.

To create a new 2048-bit RSA key, open up your terminal and run:

openssl genrsa -aes256 -out my-private-encrypted.key 2048

You’ll be asked to choose a pass phrase. Pick a good one, and remember it. This will generate an encrypted private key. If you ever need to transfer your key, via the network or anything else, use the encrypted version.

Translator: 你要爪子 (translated 4 years ago)

Generating the certificate

Now StartSSL knows who you are and knows your domain, so you can generate a certificate with your private key.

StartSSL can generate a private key for you (in their FAQ they assure you that they generate only high-quality random keys and will not use it for anything else afterwards), but you can also create one yourself; it is simple.

This guide will walk you through creating one via the command line. If you choose StartSSL's wizard instead, you can rejoin this guide a few steps further down, at the point where you apply the certificate to your domain.

Open a terminal and create a new 2048-bit RSA key:

openssl genrsa -aes256 -out my-private-encrypted.key 2048

You will be asked for a passphrase. Pick one and remember it. This produces an encrypted private key; if you need to move your key over the network, use this encrypted version.

The next step is to decrypt it so that you can generate a “certificate signing request” with it. To decrypt your private key:

openssl rsa -in my-private-encrypted.key -out my-private-decrypted.key

Now, generate a certificate signing request:

openssl req -new -key my-private-decrypted.key -out mydomain.com.csr

Go back to StartSSL’s control panel and click the “Certificates Wizard” tab, and select “Web Server SSL/TLS Certificate” from the dropdown.

Since we generated our own private key, you can hit “Skip” here.

Then, paste in the contents of the .csr file we generated earlier.

If all goes well, it should say it received your certificate signing request.

Now, choose the domain you validated earlier which you plan to use with the certificate.

It requires you to add a subdomain. I added “www” for mine.

It will ask you to confirm. If it looks right, hit “Continue”.

Note: It's possible you'll get hit with a "Additional Check Required!" step here, where you wait for approval by email. It didn't happen to me the first time, but did the second time, and my approval arrived in ~30 minutes. Upon approval, you'll need to visit the "Tool Box" tab and visit "Retrieve Certificate" to get your cert.

That should do it — your certificate will appear in a text field for you to copy and paste into a file. Call it whatever you want, but the rest of the guide will refer to it as mydomain.com.crt.

Translator: maverickpuss (translated 4 years ago)

The next step is to decrypt it so that you can generate a "certificate signing request" with it. Use the following command to decrypt your private key:

openssl rsa -in my-private-encrypted.key -out my-private-decrypted.key

Then, generate a certificate signing request:

openssl req -new -key my-private-decrypted.key -out mydomain.com.csr

Go back to StartSSL's control panel and click the "Certificates Wizard" tab, then choose "Web Server SSL/TLS Certificate" from the dropdown.

Since we have already generated our own private key, you can click "Skip" here.

Then paste the contents of the .csr file we generated earlier into the text box.

If all goes well, it will tell you it has received your certificate signing request.

Now choose the domain you validated earlier that you plan to use the certificate with.

It will ask you to add a subdomain; I added "www" to mine.

It will ask you to confirm. If it looks right, click "Continue".

Note: while waiting for approval by email, you may run into an "Additional Check Required!" step. It did not happen to me the first time, but it did the second time, and my approval came through in about 30 minutes. Once approved, you need to click the "Tool Box" tab and use "Retrieve Certificate" to get your certificate.

Then it should look like this: your certificate will appear in a text field for you to copy and paste into a file. Name the file whatever you like, but the rest of this guide refers to it as mydomain.com.crt (translator's note: the original reads asmydomain.com.crt; judging from the later use of the name mydomain.com.crt, this is a typo caused by a missing space after "as").

Installing the certificate in nginx

First, make sure port 443 is open on your web server. Many web hosts automatically keep this port open for you. If you’re using Amazon AWS, you’ll need to make sure your instance’s Security Group has port 443 open.

Next, we’re going to create the “certificate chain” that your web server will use. It contains your certificate, and StartSSL’s intermediary certificate. (Including StartSSL’s root cert is not necessary, because browsers ship with it already.) Download the intermediate certificate from StartSSL:

wget http://www.startssl.com/certs/sub.class1.server.ca.pem

Then concatenate your certificate with theirs:

cat mydomain.com.crt sub.class1.server.ca.pem > unified.crt
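As an added example (not from the original post), here is a small Python check to run on the two inputs before concatenating them the way the `cat` command above does: it refuses a file that holds anything other than exactly one certificate, which catches the common slip of concatenating the private key file into the chain that nginx will serve. The PEM bodies in the sample are constructed stand-ins that decode to a tiny DER SEQUENCE, not real StartSSL certificates.

```python
import base64
import re

# One PEM block: label (CERTIFICATE, RSA PRIVATE KEY, ...) and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes)] for each well-formed PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        # Every X.509 certificate (and every key) is a DER SEQUENCE, tag 0x30.
        if not der or der[0] != 0x30:
            raise ValueError(f"{label} block is not a DER SEQUENCE")
        blocks.append((label, der))
    return blocks


def build_chain(leaf_pem, intermediate_pem):
    """Concatenate leaf then intermediate, as `cat leaf.crt sub.ca.pem` does,
    after checking that each input is exactly one certificate and no key."""
    parts = []
    for name, text in (("leaf", leaf_pem), ("intermediate", intermediate_pem)):
        labels = [label for label, _ in pem_blocks(text)]
        if any("PRIVATE KEY" in label for label in labels):
            raise ValueError(f"{name} file contains a private key; do not serve it")
        if labels != ["CERTIFICATE"]:
            raise ValueError(f"{name} file must hold one CERTIFICATE, got {labels}")
        parts.append(text.strip() + "\n")
    # Leaf first, then the intermediate; the root is omitted because
    # browsers already ship with it.
    return "".join(parts)


# Constructed stand-ins: each body decodes to a 5-byte DER SEQUENCE, not a real cert.
FAKE_LEAF = "-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n"
FAKE_INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQA=\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(build_chain(FAKE_LEAF, FAKE_INTERMEDIATE))
```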

Finally, tell your web server about your unified certificate, and your decrypted private key. I use nginx — below is the bare minimum nginx configuration you need. It redirects all HTTP requests to HTTPS requests using a 301 permanent redirect, and points the server to the certificate and key.

server {
    listen 80;
    server_name konklone.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name konklone.com;

    ssl_certificate /path/to/unified.crt;
    ssl_certificate_key /path/to/my-private-decrypted.key;
}

# for a more complete, secure config:
#   https://gist.github.com/konklone/6532544

You can also check out a more complete HTTPS nginx configuration that turns on SPDY, HSTS, SSL session resumption, and enables Perfect Forward Secrecy.

Qualys' SSL Labs offers an excellent SSL testing tool you can use to see how you're doing.

Now, ensure your nginx configuration is okay (this also verifies that the key and certificate are in working order):

sudo nginx -t

Then restart nginx:

sudo service nginx restart

Cross your fingers and try it out in your browser! If all goes well, the lock will be yours.

Translator: fanhang (translated 4 years ago)

Installing the certificate in nginx

First, make sure port 443 is open on your web server. Many web hosts open this port for you by default. If you are using Amazon AWS, you need to make sure port 443 is open in your instance's Security Group.

Next, we will create the "certificate chain" the web server will use. It contains your certificate and StartSSL's intermediate certificate (including StartSSL's root certificate is not necessary, because browsers already ship with it). Download the intermediate certificate from StartSSL:

wget http://www.startssl.com/certs/sub.class1.server.ca.pem

Then concatenate your certificate with theirs:

cat mydomain.com.crt sub.class1.server.ca.pem > unified.crt

Finally, tell your web server about your unified certificate and your decrypted key. I use nginx; below is the minimal nginx configuration you need. It uses a 301 permanent redirect to send all HTTP requests to HTTPS, and points the server at the certificate and key.

server {
    listen 80;
    server_name konklone.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name konklone.com;

    ssl_certificate /path/to/unified.crt;
    ssl_certificate_key /path/to/my-private-decrypted.key;
}

# for a more complete, secure config:
#   https://gist.github.com/konklone/6532544

You can also get a more complete nginx configuration that turns on SPDY, HSTS, SSL session resumption, and Perfect Forward Secrecy.

Qualys' SSL Labs provides an excellent SSL testing tool you can use to see how you are doing.

Now, verify that your nginx configuration is correct (this also checks that the key and certificate work):

sudo nginx -t

Then restart nginx:

sudo service nginx restart

Wait a moment, then test it in your browser. If all goes well, it will show up in your browser.

Mixed Content Warnings

If your site is running on HTTPS, it’s important to make sure all linked resources — images, stylesheets, JavaScript, etc. — are HTTPS too. If they’re not, users’ browsers will complain. Newer versions of Firefox will outright block insecure content on a secure page.

Fortunately, pretty much every major service with embed code has an HTTPS version, and most (including Google Analytics and Typekit) handle it automatically. For others, you’ll need to figure it out on a case by case basis.
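As an added example (not from the original post), this Python scanner, written in the spirit of the mixed-content check described above, walks a page's HTML and reports every subresource (script, image, stylesheet, frame, media) that would be fetched over plain http:// from an HTTPS page. It uses only the standard library; the sample page and its hostnames are constructed for the demonstration, and plain navigation links are deliberately not reported, since browsers do not treat them as mixed content.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags and attributes that make the browser fetch a subresource; an http://
# value in one of these is what triggers the mixed-content warning or block.
FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "link": ("href",),            # stylesheets, icons
    "iframe": ("src",),
    "source": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
    "embed": ("src",),
}


class MixedContentScanner(HTMLParser):
    """Collect subresource URLs that would be loaded over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name in FETCH_ATTRS.get(tag, ()):
            for key, value in attrs:
                if key == name and value:
                    # Resolve relative and protocol-relative (//host/...) URLs
                    # against the HTTPS page, exactly as the browser would.
                    absolute = urljoin(self.page_url, value.strip())
                    if urlsplit(absolute).scheme == "http":
                        self.findings.append((tag, name, absolute))


def find_mixed_content(html, page_url="https://konklone.com/"):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page: two insecure subresources, one protocol-relative
# script (fine on HTTPS), one relative image (fine) and one plain link (fine).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://use.typekit.net/abc.css">
<script src="//www.google-analytics.com/ga.js"></script>
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<img src="/images/lock.png">
<img src="http://images.example.test/banner.png">
<a href="http://example.test/">a link, not a subresource</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE):
        print(f"mixed content: <{tag} {attr}> {url}")
```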

Translator: 你要爪子 (translated 4 years ago)

Mixed content warnings

If your site runs over HTTPS, you must make sure that all linked resources (images, CSS stylesheets, JavaScript and so on) are linked over HTTPS as well. If you do not, users' browsers will not be able to access them normally. Newer versions of Firefox will make sure insecure content does not appear on a secure page.

Fortunately, almost every major service's embed code has an HTTPS version, and in most cases it is handled automatically (including Google Analytics and Typekit). For the others you will need to consider them case by case.

Back up your keys and certificates

Don’t forget to back up your SSL certificate, and its encrypted private key. I put them in a private git repository, and included a brief text file describing each other file and the process or command that created it.

You should also back up your authentication certificate that you use to log in to StartSSL. StartSSL’s FAQ has instructions — it’s a .p12 file containing a cert + key that you export from your browser.

Translator: 纳兰融雪 (translated 4 years ago)

Back up your keys and certificates

Do not forget to back up your SSL certificate and its encrypted private key. I keep them in a private git repository, along with a short text file describing each file and the program or command that created it.

You should also back up the authentication certificate you use to log in to StartSSL. StartSSL's FAQ page explains how; it is a .p12 file containing the certificate and key, exported from your browser.
