  • CentOS 7: Creating an Nginx + HTTPS website

    References:

    1. https://github.com/Neilpang/acme.sh/wiki/%E8%AF%B4%E6%98%8E

    2. http://songchenwen.com/tech/2015/09/09/nginx-configuration-with-ssl-labs-class-a-plus/

    Getting started:

    1. Install nginx - yum install nginx

    2. Install acme.sh - curl https://get.acme.sh | sh

    3. Create an alias - alias acme.sh=~/.acme.sh/acme.sh

    4. Issue the certificate - acme.sh --issue -d mydomain.com -d www.mydomain.com --webroot /home/wwwroot/mydomain.com/

    5. Install the certificate (the certificate files generated earlier are for internal use only, so we need to copy them to the production directory) -

    acme.sh  --installcert  -d  mydomain.com \
            --key-file   /etc/nginx/ssl/mydomain.key \
            --fullchain-file /etc/nginx/ssl/mydomain.cer \
            --reloadcmd  "service nginx force-reload"

    6. Enable acme.sh's automatic upgrade - acme.sh --upgrade --auto-upgrade

    ---------- End of the acme.sh part; next comes the nginx configuration -----------
    1. Run openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam2048.pem 2048
    2. Redirect requests on port 80 to port 443

    server {
        listen 80;
        server_name lovelywindy.club;
        return 301 https://$server_name$request_uri;
    }

    3. Configure port 443

    server {
        listen 443 ssl http2;
        server_name lovelywindy.club;
        ssl_certificate /etc/nginx/ssl/lovelywindy.club.cer;
        ssl_certificate_key /etc/nginx/ssl/lovelywindy.club.key;

        add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
        ssl_dhparam /etc/nginx/ssl/dhparam2048.pem;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        keepalive_timeout 70;
        ssl_buffer_size 1400;

        root /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

    4. Restart nginx - systemctl restart nginx

    Done. This configuration passes the www.ssllabs.com check and can reach an A+.

    https://www.ssllabs.com/ssltest/analyze.html?d=lovelywindy.club
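
    The 443 block above still enables TLS 1.0/1.1 (since deprecated by RFC 8996) and the 3DES suite DES-CBC3-SHA, so it is worth auditing before reuse. The following check is an added example, not part of the original post: the function names, the sample strings and the weak-cipher marker list are assumptions made for illustration.

```python
import re
import shlex

# Constructed sample: TLS directives from the page's 443 server block (cipher list shortened).
PAGE_CONF = """
server {
    listen 443 ssl http2;
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+AES256 kEDH+AES128 DES-CBC3-SHA +SHA !aNULL !MD5 !RC4';
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
}
"""
# Constructed sample: the same block restricted to TLS 1.2 and without 3DES.
TIGHT_CONF = PAGE_CONF.replace(" TLSv1.1 TLSv1;", ";").replace(" DES-CBC3-SHA", "")

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("DES-CBC3", "3DES", "RC4", "MD5", "NULL", "EXP")  # assumed short list

def directives(conf):
    """Yield [name, arg, ...] for each 'name args;' statement (quote-aware)."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    for m in re.finditer(r"((?:'[^']*'|\"[^\"]*\"|[^;{}'\"])+);", conf):
        tokens = shlex.split(m.group(1))
        if tokens:
            yield tokens

def audit(conf):
    """Return findings for legacy protocols, weak ciphers and a missing HSTS header."""
    findings, hsts = [], False
    for name, *args in directives(conf):
        if name == "ssl_protocols":
            for proto in sorted(LEGACY_PROTOCOLS.intersection(args)):
                findings.append(f"legacy protocol enabled: {proto}")
        elif name == "ssl_ciphers":
            for token in re.split(r"[\s:,]+", " ".join(args)):
                # '!', '-' and '+' prefixes exclude or reorder; they never add ciphers
                if token and token[0] not in "!-+" and any(w in token for w in WEAK_CIPHER_MARKERS):
                    findings.append(f"weak cipher enabled: {token}")
        elif name == "add_header" and args and args[0].lower() == "strict-transport-security":
            hsts = True
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    return findings

if __name__ == "__main__":
    for label, conf in (("page config", PAGE_CONF), ("tightened", TIGHT_CONF)):
        print(label, "->", audit(conf) or "no findings")
```

    On a live host, the full configuration printed by nginx -T can be passed to audit() as a string.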

     

  • Original article: https://www.cnblogs.com/ilovewindy/p/7027197.html