Configuring HTTPS on Nginx to get an A+ rating
Last edited by xlaptx on 2016/4/13 00:02
Add the Nginx package source (nginx 1.9.5 and later ship with HTTP/2 support, so there is no need to build from source)
vi /etc/apt/sources.list (add the following two lines)
deb http://nginx.org/packages/mainline/debian/ jessie nginx
deb-src http://nginx.org/packages/mainline/debian/ jessie nginx (save and exit)
wget http://nginx.org/keys/nginx_signing.key
apt-key add nginx_signing.key
Install Nginx
apt-get update
apt-get upgrade
apt-get install nginx
To be safe and get the A+ rating, you also need to add your own Diffie-Hellman parameters
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 (written to the path referenced by ssl_dhparam in the config; 4096 also works, but takes noticeably longer)
The configuration file is as follows
server {
    listen 80;
    server_name blog.tse.moe;                        # change to your own domain
    return 301 https://blog.tse.moe$request_uri;     # change to your own domain
}
server {
    listen 443 ssl http2;                            # enable HTTP/2
    server_name blog.tse.moe;                        # change to your own domain
    ssl_certificate /etc/nginx/ssl/xxx.crt;          # certificate path
    ssl_certificate_key /etc/nginx/ssl/xxx.key;      # private key path
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;          # DH parameters generated above
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_stapling on;                                 # OCSP stapling; needs the resolver below
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
    ssl_prefer_server_ciphers on;
    # enable HSTS; remove this line if the site is not served entirely over HTTPS.
    # Note that any location block with its own add_header replaces this header rather than inheriting it.
    add_header Strict-Transport-Security max-age=15768000;
    resolver 8.8.8.8 8.8.4.4 valid=300s;             # DNS resolver used to fetch OCSP responses for stapling
    resolver_timeout 5s;
}
Test address: https://www.ssllabs.com/ssltest/ (result screenshot: http://r6.loli.io/NJBnyy.png)
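As an added example (not part of the original post), the following Python script statically audits an nginx server block for the points the post's SSL Labs rating depends on: an HSTS header with a long enough max-age, an explicit ssl_dhparam, OCSP stapling with response verification, server cipher preference, and no obsolete protocols or cipher families. The two config snippets embedded in it are constructed for the demonstration, one mirroring the post's block (cipher list shortened) and one deliberately weak. The thresholds it applies (HSTS max-age of at least 180 days for A+ credit, TLS 1.0/1.1 flagged as deprecated) reflect current SSL Labs rules, which are stricter than the 2016 rules the post was graded against.

```python
"""Static audit of the TLS directives in an nginx server { } block.

Added example for this thread; not the original poster's code. The parser
is deliberately minimal: it handles flat blocks, '#' comments and quoted
arguments, which is all the post's configuration needs.
"""
import re

# Constructed sample: the post's server block, cipher list shortened.
POST_CONFIG = """
server {
    listen 443 ssl http2;
    server_name blog.tse.moe;
    ssl_certificate /etc/nginx/ssl/xxx.crt;
    ssl_certificate_key /etc/nginx/ssl/xxx.key;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_stapling on;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:!aNULL:!RC4:!MD5";
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=15768000;  # HSTS, ~182 days
    resolver 8.8.8.8 8.8.4.4 valid=300s;
}
"""

# Constructed sample: a weak block with no HSTS, no dhparam, SSLv3 and RC4.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:RC4:!aNULL";
}
"""

# SSL Labs only credits HSTS toward A+ when max-age is at least 180 days.
HSTS_MIN_AGE = 180 * 24 * 3600  # 15552000 seconds

# Cipher-string tokens that must never appear without a leading '!'.
WEAK_CIPHER_WORDS = ("RC4", "MD5", "NULL", "EXPORT")


def parse_directives(text):
    """Return {directive: [[arg, ...], ...]}; repeated directives keep every occurrence."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.endswith("{") or line == "}":
            continue                                  # skip block open/close lines
        parts = re.findall(r'"[^"]*"|\S+', line.rstrip(";"))
        name, args = parts[0], [p.strip('"') for p in parts[1:]]
        directives.setdefault(name, []).append(args)
    return directives


def audit(text):
    """Return a list of (severity, message); an empty list means nothing to report."""
    d = parse_directives(text)
    findings = []

    def args_of(name):
        return [a for occurrence in d.get(name, []) for a in occurrence]

    if "http2" not in args_of("listen"):
        findings.append(("warn", "http2 is not enabled on the listen directive"))

    protos = set(args_of("ssl_protocols"))
    if protos & {"SSLv2", "SSLv3"}:
        findings.append(("error", "SSLv2/SSLv3 enabled"))
    if protos & {"TLSv1", "TLSv1.1"}:
        findings.append(("warn", "TLSv1/TLSv1.1 enabled (deprecated; newer SSL Labs versions cap the grade)"))

    if "ssl_dhparam" not in d:
        findings.append(("error", "no ssl_dhparam: older nginx falls back to a weak built-in group, newer nginx disables DHE"))

    for spec in args_of("ssl_ciphers"):
        for token in spec.split(":"):
            if not token.startswith("!") and any(w in token for w in WEAK_CIPHER_WORDS):
                findings.append(("error", f"weak cipher family offered: {token}"))

    if args_of("ssl_prefer_server_ciphers") != ["on"]:
        findings.append(("warn", "ssl_prefer_server_ciphers is not on; clients pick the cipher"))

    if args_of("ssl_stapling") == ["on"] and args_of("ssl_stapling_verify") != ["on"]:
        findings.append(("warn", "ssl_stapling on without ssl_stapling_verify on: stapled OCSP responses are not validated"))

    hsts = [a for a in d.get("add_header", []) if a and a[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append(("error", "no Strict-Transport-Security header; SSL Labs requires HSTS for A+"))
    else:
        m = re.search(r"max-age=(\d+)", " ".join(hsts[-1][1:]))
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append(("error", "HSTS max-age is below 180 days"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("post", POST_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"== {label} ==")
        for severity, message in audit(cfg):
            print(f"[{severity}] {message}")
```

Run it against a real config by reading the server block into a string and calling audit(). The script only checks what is written in the file; it cannot tell whether the certificate chain is complete or whether OCSP stapling actually works, so still confirm the result with the SSL Labs test the post links to.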
http://ww3.sinaimg.cn/large/7ff5a5d4gw1f2v8nob474j20960c3t9t.jpg Doesn't look like there are any red crosses 0.0 Checking in, and bumping the thread while I'm at it.