While trying to set up HTTPS access for my personal website, I spent many hours on a permissions problem. Here is what the real problem turned out to be:

From Permissions for SSL key?
I had an issue getting nginx setup and came across this question. The other answer here has already directly answered the question but I thought a little more information would be helpful.
Normally, nginx is started as the root user by init scripts / systemd. However, nginx also has the ability to switch to a less privileged user for normal operations. So my question was which user is used to load the ssl certificate/key? The initial privileged user or the one that is switched to?
Fortunately, nginx uses the initial permissions to read the certificate and key into memory before switching users. So, normally, you really can leave the keys with very restricted permissions as they are loaded by nginx when it's still running as root.
The problem that I was running into that landed me here was that I was defining ssl_certificate only in my server blocks in nginx.conf. I was getting errors like [error] 18606#18606: *311 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking when I knew darn good and well that my keys were in the right place. The issue was that I didn't have an ssl_certificate at the http level of nginx.conf.

What a pain: after several hours it turned out that all I had to do was add that setting at the http level.
After that, the permissions on the certificate and private key can be set:

Private keys should have reading heavily restricted. Setting permissions to 600 and owned by root should work. However, there are other secure permissions settings - Ubuntu stores keys in a directory with owner root and group ssl-cert and permissions 710. This means that only members of ssl-cert can access any files in that directory. Private keys then have group ssl-cert, owner root, and permissions 640.
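As an added example (not from either quoted answer), a small POSIX shell check that verifies a private key's mode and ownership against the two schemes above: root:root with 600, or root:ssl-cert with 640. The owner, group and key path are parameters so it can be run on any host; the demo at the end uses a constructed empty file, not a real key.

```shell
#!/bin/sh
# Added example: verify that a TLS private key is restricted to one of
#   root:root     600   (only root reads it; nginx loads it before dropping privileges)
#   root:ssl-cert 640   (Ubuntu layout: a dedicated group may read it)
# Usage: check_key_perms /path/to/key [owner] [group]; returns 0 when acceptable.
check_key_perms() {
  key="$1"
  want_owner="${2:-root}"
  want_group="${3:-ssl-cert}"
  if [ ! -f "$key" ]; then
    echo "FAIL $key: not a regular file"; return 2
  fi
  # stat -c is GNU coreutils syntax (Linux): %A symbolic mode, %U/%G owner/group names
  perm=$(stat -c '%A' "$key") || return 2
  owner=$(stat -c '%U' "$key")
  group=$(stat -c '%G' "$key")
  # 1. "others" (positions 8-10 of e.g. -rw-r-----) must have no bits at all
  case "$perm" in
    ???????---*) ;;
    *) echo "FAIL $key: world-accessible ($perm)"; return 1 ;;
  esac
  # 2. group may have nothing, or read-only when it is the dedicated key group
  case "$perm" in
    ????---*) ;;
    ????r--*)
      if [ "$group" != "$want_group" ]; then
        echo "FAIL $key: group-readable but group is $group, not $want_group ($perm)"; return 1
      fi ;;
    *) echo "FAIL $key: group has write or execute ($perm)"; return 1 ;;
  esac
  # 3. owner must be the privileged user that starts nginx
  if [ "$owner" != "$want_owner" ]; then
    echo "FAIL $key: owned by $owner, expected $want_owner"; return 1
  fi
  echo "OK   $key: $owner:$group $perm"
  return 0
}

# Demo on a constructed, empty file in a temp dir (no real key material involved).
demo_dir=$(mktemp -d)
touch "$demo_dir/origin.key"
chmod 644 "$demo_dir/origin.key"
check_key_perms "$demo_dir/origin.key" "$(id -un)" "$(id -gn)" || true   # FAIL: world-readable
chmod 600 "$demo_dir/origin.key"
check_key_perms "$demo_dir/origin.key" "$(id -un)" "$(id -gn)"           # OK
rm -rf "$demo_dir"
```

On a real host run it as `check_key_perms /etc/ssl/private/origin.key` (defaults root and ssl-cert), or pass the owner and group your distribution uses.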

Some other references

  1. How to manage Linux permissions for users, groups, and others
  2. ArchLinux Nginx Document
  3. Linux Permission Control

Another problem: Oracle's ingress rules did not open the correct rules for Cloudflare, so I kept trying different rules to let Cloudflare access the certificate files. It later turned out that this was not the problem at all: having the 80/443 HTTP/HTTPS ports open is enough, and the real issue was that the server's firewall ports were not open. Speechless. The solution came from ChatGPT (I celebrated too early; I later found this still did not solve it):

The use of Cloudflare Origin CA involves issuing a certificate for your origin server, so Cloudflare can securely connect to it. When you set up Cloudflare for your site, visitors to your site will first connect to a Cloudflare edge server, and that server will connect to your origin server to fetch the actual site data.

This communication from the Cloudflare edge server to your origin server is done over HTTP or HTTPS, using standard web ports: port 80 for HTTP and port 443 for HTTPS. If you are using the Origin CA certificate to secure this communication, it will be over HTTPS, so you should ensure that your server allows incoming connections on port 443.

The certificate and key files you generate for Cloudflare Origin CA are used to set up an SSL server on your origin server, which Cloudflare can then connect to securely. Cloudflare does not actually "request" the certificate and key files from your server. Instead, your server uses the private key to set up a secure SSL server, and the certificate is used to prove to Cloudflare that your server is who it says it is. The certificate itself does not need to be kept secret, and in fact, it is sent to any client (including the Cloudflare edge servers) that connects to your server.

Here is how to set up a firewall rule to allow incoming connections on port 443 in Oracle Linux using firewalld:

  1. Check the status of firewalld:
     sudo systemctl status firewalld
  2. If firewalld is not running, you can start it with:
     sudo systemctl start firewalld
  3. Then, add a rule to allow incoming connections on port 443:
     sudo firewall-cmd --permanent --add-port=443/tcp
  4. Reload firewalld to apply the changes:
     sudo firewall-cmd --reload

Remember, Cloudflare will connect to your server from a variety of IP addresses corresponding to their edge servers. If you want to restrict incoming connections to only those coming from Cloudflare, you would need to add allow rules for each of Cloudflare's IP ranges, and block all other incoming connections. The current Cloudflare IP ranges can be found on their website. Be aware that these can change, so you would need to keep your rules up-to-date.

I celebrated too early; it later turned out this still did not fix it, so I then did the following:

  1. In Cloudflare, I set the minimum TLS version to 1.1
  2. Added TLSv1.3 to both the server and http sections of the Nginx configuration
  3. In the Oracle ingress rules, added TCP port 3389 and support for IPv6 and IPv6-route

I also went through the Nginx SSL configuration doc.

But it still doesn't seem to work, sigh. I won't open up all ports today; if it still fails tomorrow I'll just have to open the ingress rules completely.

My fundamentals are still shaky; I should review these some day:

  1. Computer networking and protocols: What is SSL?
  2. The Linux permission system
  3. Nginx and other servers
  4. Cloudflare, CDNs and the domain name system
  5. Network security: CTF competitions
  6. Linux firewalls (here is a tutorial on enabling firewall denied logging)

Here is a very detailed article on configuring Nginx with Cloudflare: V2Ray (WebSocket + TLS + Web + Cloudflare) 手动配置详细说明 (a step-by-step manual configuration guide). The service set up in that article is a V2Ray proxy, but configuring other services follows much the same principles.

Tags: Nginx, Cloudflare
