一、ssl证书安装
①
1. wget https://dl.eff.org/certbot-auto
2. chmod a+x certbot-auto
3. ./certbot-auto certonly --standalone -d www.sunkun.pub
②ssl生成的文件/etc/letsencrypt/live/sk.test/fullchain.pem
/etc/letsencrypt/live/sk.test/privkey.pem
③ cd /etc/nginx && openssl dhparam -out dhparam.pem 2048
二、nginx的安装1. 下载 http://nginx.org/download/nginx-1.12.2.tar.gz
2. 编译
./configure --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-threads --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-http_slice_module --with-mail --with-mail_ssl_module --with-compat --with-file-aio --with-http_v2_module
3. 安装
make && make install
注意: 安装nginx时,一定要带上 --with-http_ssl_module
查看防火墙
开放443 端口
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
三、nginx配置
server {
listen 443 ssl http2;
server_name sk.test;
ssl on;
#cert
root /var/www/htdocs/sk.test;
ssl_certificate /etc/letsencrypt/live/sk.test/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sk.test/privkey.pem;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers ‘ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECD
HE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES2
56-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!EXP:!LOW:!SEED:!CAMELLIA:!IDEA:!Psk.test:!SRP:!SSLv:!aECD
H:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA‘;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
ssl_session_timeout 1h;
ssl_session_cache shared:SSL:16m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
client_max_body_size 100m;
location / {
root html;
}
location ~ \.(inc|tpl|sql|ini|bin|sh|bak|old)$ {
deny all;
}
location ~ \.(ico|gif|png|jpeg|jpg|css|js|xml|html|shtml|swf|mp3)$ {
expires 1d;
if ($uri ~ ^/favicon\.ico$) {
expires 30d;
}
if ($uri ~ index\.(html|shtml)$) {
expires 600;
}
if ($uri ~ check\.html$) {
expires 100d;
}
}
location ~ \.php {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $1;
include fastcgi_params;
}
try_files $uri $uri/ /index.php$request_uri;
}
