Note: ECH only makes sense on top of DNSSEC or DoH/DoT; without them there is no point in using it!!
Building nginx with ECH support
1. Set up the build environment
2. Download nginx and openssl with ECH support
3. Build openssl and nginx
4. Use and test ECH support
1. Set up the build environment
sudo apt install build-essential libpcre2-dev zlib1g-dev
2. Download nginx and openssl with ECH support
mkdir ~/src
cd ~/src
git clone https://github.com/sftcd/openssl.git
cd openssl
git checkout ECH-draft-13c

cd ~/src
git clone https://github.com/sftcd/nginx.git
cd nginx
git checkout ECH-experimental
3. Build nginx and openssl
cd ~/src/nginx
# --with-openssl must point at the checkout made above ($HOME/src/openssl, not ~/openssl).
# \$(LIBRPATH) is escaped so the shell hands it to OpenSSL's Makefile as a make variable
# instead of running it as a command substitution inside the double quotes.
./auto/configure --with-debug --prefix=/opt/ech --with-http_ssl_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-openssl=$HOME/src/openssl --with-openssl-opt="--debug '-Wl,--enable-new-dtags,-rpath,\$(LIBRPATH)'" --with-http_v2_module
# && (not a single &) so install only runs after the build has finished successfully;
# /opt/ech is normally root-owned, hence sudo for the install step.
make && sudo make install
4. Using and testing ECH support
The nginx configuration is as follows:
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    ssl_echkeydir ech_keys;
    sendfile on;
    keepalive_timeout 65;

    # HTTP
    server {
        listen 80 default_server;
        server_name localhost;

        location / {
            root html;
            ssi on;
            index index.html index.htm;
            keepalive_timeout 0;
            # Force non-cache
            add_header Last-Modified $date_gmt;
            add_header Cache-Control 'no-store, no-cache';
            if_modified_since off;
            expires off;
            etag off;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }

    # HTTPS
    server {
        listen 443 ssl;
        server_name _;
        ssl_certificate /path/to/your/cert;
        ssl_certificate_key /path/to/your/key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            root html;
            ssi on;
            index index.html index.htm;
            keepalive_timeout 0;
            # Force non-cache
            add_header Last-Modified $date_gmt;
            add_header Cache-Control 'no-store, no-cache';
            if_modified_since off;
            expires off;
            etag off;
        }
    }
}
Generating the ECH key and config, and configuring the DNS server
The server certificate itself can be obtained from Let's Encrypt; this section is mainly about generating the ECH key and the matching ECH config.
# make sure the directory named by ssl_echkeydir exists before writing the key file into it
sudo mkdir -p /opt/ech/conf/ech_keys
cd /opt/ech/conf/ech_keys
sudo /opt/ech/bin/openssl ech -public_name cover.domain -pemout config1.ech
For the DNS side, an HTTPS record has to be added at your DNS server; if the DNS server does not support this record type, ECH cannot be configured any further. The ECHCONFIG value can be found inside config1.ech:
-----BEGIN PRIVATE KEY-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END PRIVATE KEY-----
-----BEGIN ECHCONFIG-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END ECHCONFIG-----
Add the following record (the base64 ECHCONFIG body goes into the ech="" field):
your.domain IN HTTPS 1 . alpn="h2" ech="your ECHCONFIG"
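Before publishing the record it is worth checking that the ECHCONFIG you are about to put into DNS is actually a well-formed draft-13 ECHConfigList whose public_name is the cover domain you passed to `openssl ech`: a typo there means clients either ignore the record or send an outer SNI you did not intend. The following Python is an added example, not part of the original post or of the sftcd openssl/nginx branches. It extracts the ECHCONFIG block from a config1.ech-style PEM file, parses the ECHConfigList wire format from draft-ietf-tls-esni-13 (the version the ECH-draft-13c branch implements), checks version, KEM and public_name, and prints the HTTPS record line in the same shape as above. The PEM it parses is constructed inside the script (`build_sample_pem`, with a placeholder rather than a real X25519 key); on a real box you would read /opt/ech/conf/ech_keys/config1.ech instead.

```python
import base64
import re
import struct

# Wire-format constants from draft-ietf-tls-esni-13 / RFC 9180 (HPKE)
ECH_VERSION_DRAFT13 = 0xFE0D        # ECHConfig.version for draft-13
KEM_X25519_HKDF_SHA256 = 0x0020     # HPKE KEM used by 'openssl ech' by default
KDF_HKDF_SHA256 = 0x0001
AEAD_AES_128_GCM = 0x0001

PEM_ECHCONFIG = re.compile(
    r"-----BEGIN ECHCONFIG-----\s*(.*?)\s*-----END ECHCONFIG-----", re.S)


def echconfig_from_pem(pem_text: str) -> str:
    """Return the base64 body of the ECHCONFIG block in a config1.ech-style file."""
    m = PEM_ECHCONFIG.search(pem_text)
    if not m:
        raise ValueError("no ECHCONFIG block found")
    return "".join(m.group(1).split())


def _u16(buf: bytes, off: int):
    return struct.unpack_from(">H", buf, off)[0], off + 2


def parse_ech_config_list(raw: bytes) -> list:
    """Parse ECHConfigList: uint16 total length, then a sequence of ECHConfig structs."""
    total, off = _u16(raw, 0)
    if total != len(raw) - 2:
        raise ValueError("ECHConfigList length does not match data")
    configs = []
    while off < len(raw):
        version, off = _u16(raw, off)
        length, off = _u16(raw, off)
        body, off = raw[off:off + length], off + length
        if len(body) != length:
            raise ValueError("truncated ECHConfig")
        if version != ECH_VERSION_DRAFT13:
            # Clients skip versions they do not know; record it but do not parse it.
            configs.append({"version": version, "parsed": False})
            continue
        configs.append(_parse_draft13_contents(body))
    return configs


def _parse_draft13_contents(body: bytes) -> dict:
    """ECHConfigContents = HpkeKeyConfig, maximum_name_length, public_name, extensions."""
    p = 0
    config_id = body[p]; p += 1
    kem_id, p = _u16(body, p)
    pk_len, p = _u16(body, p)
    public_key, p = body[p:p + pk_len], p + pk_len
    cs_len, p = _u16(body, p)
    if cs_len == 0 or cs_len % 4:
        raise ValueError("cipher_suites must be a non-empty multiple of 4 bytes")
    suites = []
    for _ in range(cs_len // 4):
        kdf, p = _u16(body, p)
        aead, p = _u16(body, p)
        suites.append((kdf, aead))
    max_name_len = body[p]; p += 1
    pn_len = body[p]; p += 1
    public_name = body[p:p + pn_len].decode("ascii"); p += pn_len
    ext_len, p = _u16(body, p)
    p += ext_len                      # extensions are opaque to this check
    if p != len(body):
        raise ValueError("trailing bytes in ECHConfig")
    return {"version": ECH_VERSION_DRAFT13, "parsed": True, "config_id": config_id,
            "kem_id": kem_id, "public_key": public_key, "cipher_suites": suites,
            "maximum_name_length": max_name_len, "public_name": public_name}


def parse_ech_pem(pem_text: str) -> list:
    return parse_ech_config_list(base64.b64decode(echconfig_from_pem(pem_text), validate=True))


def https_record_for(pem_text: str, your_domain: str, cover_domain: str) -> str:
    """Validate the ECHConfigList and return the HTTPS record line to publish."""
    b64 = echconfig_from_pem(pem_text)
    usable = [c for c in parse_ech_pem(pem_text) if c["parsed"]]
    if not usable:
        raise ValueError("no draft-13 ECHConfig in the list")
    for c in usable:
        if c["public_name"] != cover_domain:
            raise ValueError(f"public_name {c['public_name']!r} != cover domain {cover_domain!r}")
        if c["kem_id"] != KEM_X25519_HKDF_SHA256 or len(c["public_key"]) != 32:
            raise ValueError("unexpected KEM id or public key length")
    return f'{your_domain} IN HTTPS 1 . alpn="h2" ech="{b64}"'


def ech_record_check(pem_text: str, your_domain: str, cover_domain: str):
    """Convenience wrapper: (True, record) on success, (False, reason) otherwise."""
    try:
        return True, https_record_for(pem_text, your_domain, cover_domain)
    except ValueError as exc:
        return False, str(exc)


def build_sample_pem(public_name: str, config_id: int = 1) -> str:
    """Constructed sample: a minimal draft-13 ECHConfigList wrapped like config1.ech."""
    pk = bytes(range(32))             # placeholder 32-byte value, NOT a real X25519 key
    contents = (bytes([config_id]) + struct.pack(">H", KEM_X25519_HKDF_SHA256)
                + struct.pack(">H", len(pk)) + pk
                + struct.pack(">HHH", 4, KDF_HKDF_SHA256, AEAD_AES_128_GCM)
                + bytes([64, len(public_name)]) + public_name.encode("ascii")
                + struct.pack(">H", 0))
    cfg = struct.pack(">HH", ECH_VERSION_DRAFT13, len(contents)) + contents
    lst = struct.pack(">H", len(cfg)) + cfg
    return f"-----BEGIN ECHCONFIG-----\n{base64.b64encode(lst).decode()}\n-----END ECHCONFIG-----\n"


if __name__ == "__main__":
    print(ech_record_check(build_sample_pem("cover.domain"), "your.domain", "cover.domain")[1])
```

Run it with the real file by replacing `build_sample_pem(...)` with `open("/opt/ech/conf/ech_keys/config1.ech").read()`; a mismatch between the cover domain in the config and the one you intend to publish is reported instead of silently ending up in DNS.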
Testing ECH support
Add a test page to nginx
Replace the contents of nginx's default page with:
<pre>
HTTP host: <!--# echo var="http_host" -->
ALPN protocol: <!--# echo var="ssl_alpn_protocol" -->
SSL cipher: <!--# echo var="ssl_cipher" -->
SSL protocol: <!--# echo var="ssl_protocol" -->
SNI: <!--# echo var="ssl_server_name" -->
ECH status: <!--# echo var="ssl_ech_status" -->
Outer SNI (public name): <!--# echo var="ssl_ech_outer_sni" -->
Inner SNI: <!--# echo var="ssl_ech_inner_sni" -->
</pre>
ECH support needs to be enabled in the browser.
In Chrome, type chrome://flags in the address bar,
search for Encrypted ClientHello, and set it to Enabled.
Then, when you visit your page, the relevant information will be shown.
Generally, if you see output like the following, everything is OK:
HTTP host: your domain
ALPN protocol: h2
SSL cipher: TLS_AES_256_GCM_SHA384
SSL protocol: TLSv1.3
SNI: your domain
ECH status: success
Outer SNI (public name): cover domain
Inner SNI: your domain
This article was written with reference to the following post:
https://cujo.com/blog/set-up-ech-website/
Apache-2.0