环境说明:CentOS Linux release 7.5.1804 (Core)、nginx/1.10.0
需求:公司网站在myssl的评级只得到了B的评分,需要提升至A+
具体操作如下:
一、nginx配置文件如下
server {
listen 443;
keepalive_timeout 70;
ssl on;
ssl_certificate /usr/local/nginx/conf/ssl/full_chain_rsa.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl/private.key;
ssl_session_timeout 1m;
ssl_stapling on;
ssl_stapling_verify on; # Requires nginx => 1.3.7
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:1m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
add_header Strict-Transport-Security "max-age=80720000; preload";
server_name test.hb2018.com;
root /var/www/web/hb2018.ssl;
location / {
}
}
二、切换到nginx指定的SSL证书目录/usr/local/nginx/conf/ssl/,把相关证书文件上传并生成
把ca_bundle.crt、certificate.crt、private.key这3个文件放在ssl目录下
在ssl此目录下执行命令openssl dhparam -out dhparam.pem 2048
命令执行完就会生成一个dhparam.pem文件,此时证书目录下会有ca_bundle.crt、certificate.crt、private.key、dhparam.pem这4个文件
三、进入myssl网站,点击工具箱,再点击证书链下载
在服务器上执行上图中的curl就可以下载证书链,文件名是full_chain_rsa.crt
此时ssl目录下就有5个文件:ca_bundle.crt、certificate.crt、private.key、dhparam.pem、full_chain_rsa.crt
再次在myssl评级,网站评级已经由B变成A+了