
Monday, July 20, 2020

Installing an SSL certificate on Nginx

Reference: SSL certificate service operation manual
Reference: Checking the HTTPS server's encryption protocol version
Reference: https on nginx and python flask
Reference: https Client and Server

Obtain three certificates:
1. eCA root certificate "ROOTeCA_64.crt"
2. PublicCA G2 intermediate certificate "PublicCA2_64.crt"
3. The user's SSL server certificate "xxx...(32 alphanumeric characters).crt"

# mkdir /etc/nginx/conf/Certs
Place the three certificates in this directory
# cp * /etc/nginx/conf/Certs
Generate the trusted CA certificate chain (intermediate first, then root)
# cd /etc/nginx/conf/Certs
# cat PublicCA2_64.crt ROOTeCA_64.crt > caChain.crt
Nginx can only use an unencrypted (passphrase-free) server key, so strip the passphrase
# openssl rsa -in server.key -out server_no_pwd.key
# cat server_no_pwd.key > /etc/nginx/conf/Certs/server.key
Build the certificate file Nginx serves: the server certificate first, then the intermediate
# cat xxx...(32個英數字).crt PublicCA2_64.crt > server.pem
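The order of the cat commands above matters: server.pem must start with the server certificate and caChain.crt with the intermediate, because each certificate has to be followed by the one that issued it. Below is an added checker (not from the original post or from the certificate service) that reads a PEM bundle, extracts each certificate's subject and issuer with a minimal DER parser, and reports any position where the next certificate is not the issuer of the previous one. The fake_cert helper builds unsigned, structure-only certificates so the script runs offline; the CN values "Test Root", "Test Intermediate" and "www.example.test" are constructed test data. It checks ordering only, not signatures or validity dates; use openssl verify for those.

```python
import base64
import re

# --- Minimal DER helpers (no external libraries) -------------------------

def der(tag, body):
    """Encode one DER TLV (definite length, up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split the value of a constructed type into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = tlv(body, pos)
        out.append((tag, value))
    return out

# --- X.509 field extraction ------------------------------------------------

OID_COMMON_NAME = b"\x55\x04\x03"          # id-at-commonName (2.5.4.3)

def subject_issuer(cert_der):
    """Return the raw DER bodies of (subject, issuer) from a certificate."""
    _, cert, _ = tlv(cert_der, 0)          # Certificate SEQUENCE
    _, tbs, _ = tlv(cert, 0)               # tbsCertificate SEQUENCE
    fields = children(tbs)
    if fields[0][0] == 0xA0:               # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[4][1], fields[2][1]

def common_name(name_body):
    """Pull the CN out of a Name for readable messages."""
    for _, rdn in children(name_body):     # RelativeDistinguishedName SET
        for _, atv in children(rdn):       # AttributeTypeAndValue SEQUENCE
            oid, value = children(atv)
            if oid[1] == OID_COMMON_NAME:
                return value[1].decode()
    return "<no CN>"

def pem_certs(text):
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def check_chain(pem_bundle):
    """Return a list of ordering problems; [] means every cert is followed by its issuer."""
    certs = pem_certs(pem_bundle)
    if not certs:
        return ["no certificates found"]
    problems = []
    for i in range(len(certs) - 1):
        subj, iss = subject_issuer(certs[i])
        next_subj, _ = subject_issuer(certs[i + 1])
        if iss != next_subj:               # byte-exact comparison of the two Names
            problems.append(
                f"cert {i} ({common_name(subj)}) is issued by {common_name(iss)}, "
                f"but cert {i + 1} is {common_name(next_subj)}")
    return problems

# --- Constructed test certificates (structure only, unsigned) -------------

def name(cn):
    return der(0x30, der(0x31, der(0x30, der(0x06, OID_COMMON_NAME) + der(0x0C, cn.encode()))))

def fake_cert(subject_cn, issuer_cn):
    """Build a structurally valid but unsigned X.509 certificate for testing."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = der(0x30, der(0x17, b"200101000000Z") + der(0x17, b"300101000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00" * 9))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name(issuer_cn) + validity + name(subject_cn) + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))

def to_pem(cert_der):
    b64 = base64.b64encode(cert_der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    root = fake_cert("Test Root", "Test Root")
    inter = fake_cert("Test Intermediate", "Test Root")
    leaf = fake_cert("www.example.test", "Test Intermediate")
    print("server.pem order:", check_chain(to_pem(leaf) + to_pem(inter)) or "OK")
    print("reversed order:  ", check_chain(to_pem(inter) + to_pem(leaf)))
```

On a real server, run check_chain(open("/etc/nginx/conf/Certs/server.pem").read()) and the same for caChain.crt. The comparison is byte-exact on the DER Names, so a CA that encodes its subject differently from the issuer field it writes into child certificates (for example PrintableString in one and UTF8String in the other) would be reported as a mismatch even though OpenSSL accepts it; treat such a report as a prompt to look, not as proof of a broken chain.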


Edit the site config file under /etc/nginx/sites-available/
        ssl_certificate /etc/nginx/conf/Certs/server.pem;
        ssl_certificate_key /etc/nginx/conf/Certs/server.key;
        ssl_stapling on;
        ssl_stapling_verify on;

        ssl_trusted_certificate /etc/nginx/conf/Certs/caChain.crt;

Edit /etc/nginx/nginx.conf        # disable the vulnerable SSLv3 and use TLS only
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# nginx -s reload

Test the security
$ sudo apt install nmap
$ nmap --script ssl-enum-ciphers -p 8443 www.xxxx.com

Starting Nmap 7.60 ( https://nmap.org ) at 2020-07-20 14:21 CST
Nmap scan report for www.xxxx.com.tw (114.35.104.33)
Host is up (0.00057s latency).
rDNS record for 114.35.14.313: 114-35-104-33.HINET-IP.hinet.net

PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
|       TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
|       TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds

ssl-enum-ciphers grades each cipher suite from A to F; "least strength" is the weakest grade found.
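The A grades above rate cipher strength only; they say nothing about the fact that TLSv1.0 and TLSv1.1 are still offered (both deprecated by RFC 8996), that every TLS_RSA_WITH_* suite lacks forward secrecy, or that the CBC suites are weaker than the AEAD ones. The script below is an added example (not part of the original post) that parses ssl-enum-ciphers output and reports those three things; SAMPLE_SCAN is a constructed, trimmed copy of the scan shown above rather than a new scan.

```python
import re

# Constructed sample, trimmed from the scan output shown above (not a new scan).
SAMPLE_SCAN = """\
PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|_  least strength: A
"""

# TLS 1.0 and 1.1 are deprecated by RFC 8996; SSLv2 by RFC 6176, SSLv3 by RFC 7568.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

PROTO_RE = re.compile(r"^(SSLv\d|TLSv\d\.\d):$")
SUITE_RE = re.compile(r"^(TLS_[A-Z0-9_]+)")

def parse_enum_ciphers(text):
    """Map each protocol version in ssl-enum-ciphers output to its list of cipher suites."""
    suites_by_proto, current = {}, None
    for line in text.splitlines():
        body = line.lstrip("|_ ").rstrip()         # drop nmap's "|" / "|_" script prefix
        m = PROTO_RE.match(body)
        if m:
            current = m.group(1)
            suites_by_proto[current] = []
            continue
        m = SUITE_RE.match(body)
        if m and current is not None:
            suites_by_proto[current].append(m.group(1))
    return suites_by_proto

def assess(suites_by_proto):
    """Flag deprecated versions, non-PFS key exchange, and CBC suites."""
    all_suites = {s for suites in suites_by_proto.values() for s in suites}
    return {
        "deprecated_protocols": sorted(p for p in suites_by_proto if p in DEPRECATED_PROTOCOLS),
        # TLS_RSA_WITH_* means the session key is encrypted to the server's RSA key:
        # a leaked key later decrypts recorded traffic.
        "no_forward_secrecy": sorted(s for s in all_suites if s.startswith("TLS_RSA_WITH_")),
        # CBC suites are not authenticated-encryption modes; prefer GCM/CCM/CHACHA20-POLY1305.
        "cbc_suites": sorted(s for s in all_suites if "_CBC_" in s),
    }

if __name__ == "__main__":
    report = assess(parse_enum_ciphers(SAMPLE_SCAN))
    for key, items in report.items():
        print(f"{key}: {len(items)}")
        for item in items:
            print("  -", item)
```

To use it on a live result, pipe the nmap output into parse_enum_ciphers instead of SAMPLE_SCAN. On the server side the matching fix is to shorten the ssl_protocols line from the nginx.conf step to "ssl_protocols TLSv1.2 TLSv1.3;" (TLSv1.3 needs nginx 1.13.0 or later built against OpenSSL 1.1.1 or later) and to restrict ssl_ciphers to the ECDHE AEAD suites, then re-run the scan and confirm the deprecated_protocols and no_forward_secrecy lists come back empty.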


Download the certification seal and place the following HTML on the web page
<a href="javascript:location.href='https://publicca.hinet.net/SSLQueryCert/SSLQueryCert.jsp?Domain_name='+document.location.hostname">
<img height="126" src="SSLSeal.gif" width="90" />
</a>

Wednesday, July 8, 2020

Interactive OpenAI gym

https://github.com/openai/gym/blob/master/gym/utils/play.py
import gym
from gym.utils.play import play, PlayPlot

env = gym.make("Enduro-v0")

def cb(obs_t, obs_tp1, action, rew, done, info):
    # play() calls this after every step; return one value per entry of plot_names
    return [rew]

plotter = PlayPlot(cb, horizon_timesteps=30 * 5, plot_names=["reward"])
play(env, callback=plotter.callback, zoom=4)
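PlayPlot only draws the values the callback returns; it keeps the last horizon_timesteps of them in a rolling buffer. The class below is an added example (not from gym or the original post) that implements the same callback contract without gym or a display: it keeps a rolling window of step rewards and closes a per-episode total whenever done is set, and the replay helper feeds it constructed step data the way play() would feed it live frames.

```python
from collections import deque


class RewardMonitor:
    """Callback with the signature gym.utils.play expects:
    callback(obs_t, obs_tp1, action, rew, done, info) -> list of values to plot.
    Keeps a rolling reward window (like PlayPlot's horizon_timesteps) and per-episode returns."""

    def __init__(self, horizon_timesteps=30 * 5):
        self.window = deque(maxlen=horizon_timesteps)   # last N step rewards
        self.episode_return = 0.0                       # running total of the current episode
        self.episode_returns = []                       # totals of finished episodes
        self.steps = 0

    def callback(self, obs_t, obs_tp1, action, rew, done, info):
        self.steps += 1
        self.window.append(rew)
        self.episode_return += rew
        if done:                                        # episode boundary: close the total
            self.episode_returns.append(self.episode_return)
            self.episode_return = 0.0
        return [rew]                                    # one value per plot_names entry

    def window_mean(self):
        return sum(self.window) / len(self.window) if self.window else 0.0


def replay(monitor, rewards, done_flags):
    """Drive the callback with constructed step data, mirroring play()'s loop:
    obs_t is the previous frame, obs_tp1 the new one, and obs resets on done."""
    obs = None
    for step, (rew, done) in enumerate(zip(rewards, done_flags)):
        next_obs = step                                 # stand-in for the real frame
        monitor.callback(obs, next_obs, 0, rew, done, {})
        obs = None if done else next_obs
    return monitor


if __name__ == "__main__":
    # Constructed rewards for two short episodes (3 steps and 2 steps).
    m = replay(RewardMonitor(horizon_timesteps=3),
               rewards=[1, 0, 2, 0, 5], done_flags=[False, False, True, False, True])
    print("episode returns:", m.episode_returns)
    print("last-3 window:", list(m.window), "mean:", round(m.window_mean(), 3))
```

To use it with a real environment, pass monitor.callback as the callback argument of play() in place of plotter.callback; episode_returns then accumulates one total per game played.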

https://github.com/openai/gym/blob/master/gym/core.py
https://github.com/openai/gym/tree/master/gym/wrappers
https://github.com/openai/gym/blob/master/gym/wrappers/atari_preprocessing.py
https://github.com/openai/gym/blob/master/gym/envs/__init__.py
        register(
            id='{}-v0'.format(name),
            entry_point='gym.envs.atari:AtariEnv',
            kwargs={'game': game, 'obs_type': obs_type, 'repeat_action_probability': 0.25},
            max_episode_steps=10000,
            nondeterministic=nondeterministic,
        )
https://github.com/openai/gym/blob/master/gym/envs/atari/atari_env.py
    pip install gym[atari]
    self.ale = atari_py.ALEInterface()
    reward += self.ale.act(action)

https://github.com/openai/atari-py/tree/master/atari_py
https://github.com/openai/atari-py/blob/master/atari_py/__init__.py
https://github.com/openai/atari-py/blob/master/atari_py/ale_python_interface.py
    ale_lib = cdll.LoadLibrary(os.path.join(os.path.dirname(__file__),
                                            'ale_interface/libale_c.so'))
    def act(self, action):
        return ale_lib.act(self.obj, int(action))
https://github.com/openai/atari-py/blob/master/atari_py/ale_interface/src/ale_interface.cpp
    reward_t reward = environment->act(action, PLAYER_B_NOOP);
https://github.com/openai/atari-py/blob/master/atari_py/ale_interface/src/ale_interface.hpp
std::unique_ptr<StellaEnvironment> environment;
https://github.com/openai/atari-py/blob/master/atari_py/ale_interface/src/environment/stella_environment.cpp
reward_t StellaEnvironment::act(Action player_a_action, Action player_b_action)
    sum_rewards += oneStepAct(m_player_a_action, m_player_b_action);
reward_t StellaEnvironment::oneStepAct(Action player_a_action, Action player_b_action)
    return m_settings->getReward();
https://github.com/openai/atari-py/blob/master/atari_py/ale_interface/src/environment/stella_environment.hpp
    RomSettings *m_settings;
https://github.com/openai/atari-py/blob/master/atari_py/ale_interface/src/games/RomSettings.hpp
    virtual reward_t getReward() const = 0;
https://github.com/openai/atari-py/blob/master/atari_py/ale_interface/src/games/supported/Enduro.cpp