Site icon 暗网下

为您的暗网洋葱onion域名配置TLS证书

很长一段时间,我(kushaldas.in)想为我的博客的onion域名创建一个HTTPS认证证书。Digicert是长期以来唯一提供暗网onion域名认证的CA,但是成本很高,只适合大的公司或者组织使用,但是我个人不适合,尤其是由于成本原因。

几天前,在IRC上,我发现 Harica为暗网洋葱站点提供Domain验证证书,费用约为每年30欧元。我就抢着去办了一个,同时, ahf也在弄他的证书,他帮助我进行了Nginx的配置。

如何获得自己的证书?

设置nginx

这一部分和其他标准的nginx配置一样。以下是我使用的配置。请在确定一切正常后,取消对Strict-Transport-Security头行的注释。

server {
	listen unix:/var/run/tor-hs-kushal.sock;
    server_name kushal76uaid62oup5774umh654scnu5dwzh4u2534qxhcbi4wbab3ad.onion;
    access_log /var/log/nginx/kushal_onion-access.log;
    location / {
	return 301 https://$host$request_uri;
    }

}

server {
    listen unix:/var/run/tor-hs-kushal-https.sock ssl http2;
    server_name kushal76uaid62oup5774umh654scnu5dwzh4u2534qxhcbi4wbab3ad.onion;
    access_log /var/log/nginx/kushal_onion-access.log;
    ssl_certificate /etc/pki/kushaldas.in.onion.chain.pem;
	ssl_certificate_key /etc/pki/kushaldas.in.onion.open.key;
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;
    # Turn on OCSP stapling as recommended at
    # https://community.letsencrypt.org/t/integration-guide/13123
    # requires nginx version >= 1.3.7
    ssl_stapling on;
    ssl_stapling_verify on;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;
	index index.html;
	root /var/www/kushaldas.in;
	location / {
		try_files $uri $uri/ =404;
	}
}

我在/etc/tor/torrc文件中还具有以下配置以使用这些unix socket文件。

HiddenServiceDir /var/lib/tor/hs-kushal/
HiddenServiceVersion 3
HiddenServicePort 80 unix:/var/run/tor-hs-kushal-me.sock
HiddenServicePort 443 unix:/var/run/tor-hs-kushal-https.sock

如果您想进一步了解为什么需要为onion洋葱域名配置证书,Tor Project会有一个很好的解释

Exit mobile version