首页 > > 网络编程 > Php编程 >

ngixn配置ssl

2018-06-22 05:33:10来源：未知阅读 ()

一、ssl证书安装

①

1.  wget  https://dl.eff.org/certbot-auto
2.   chmod a+x certbot-auto
3.  ./certbot-auto certonly --standalone -d www.sunkun.pub






②ssl生成的文件

/etc/letsencrypt/live/sk.test/fullchain.pem
/etc/letsencrypt/live/sk.test/privkey.pem

③

    cd /etc/nginx && openssl dhparam -out dhparam.pem 2048


二、nginx的安装

1. 下载   http://nginx.org/download/nginx-1.12.2.tar.gz

2. 编译 

    ./configure --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-threads --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-http_slice_module --with-mail --with-mail_ssl_module --with-compat --with-file-aio --with-http_v2_module


3. 安装
       
   make && make install


注意： 安装nginx时，一定要带上      --with-http_ssl_module 


查看防火墙

iptables -nL INPUT


开放443 端口

iptables -I INPUT -p tcp --dport 443 -j ACCEPT




三、nginx配置

server {
    listen       443 ssl http2;
    server_name  sk.test;
    ssl                  on;
    #cert
	root       /var/www/htdocs/sk.test;
    ssl_certificate      /etc/letsencrypt/live/sk.test/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/sk.test/privkey.pem;
    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECD
HE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES2
56-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!EXP:!LOW:!SEED:!CAMELLIA:!IDEA:!Psk.test:!SRP:!SSLv:!aECD
H:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

    ssl_session_timeout  1h;
    ssl_session_cache shared:SSL:16m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    client_max_body_size       100m;
    location / {
            root html;
    }


    location ~ \.(inc|tpl|sql|ini|bin|sh|bak|old)$ {
        deny all;
    }

    location ~ \.(ico|gif|png|jpeg|jpg|css|js|xml|html|shtml|swf|mp3)$ {
        expires 1d;
        if ($uri ~ ^/favicon\.ico$) {
                expires 30d;
        }
        if ($uri ~ index\.(html|shtml)$) {
                expires 600;
        }
        if ($uri ~ check\.html$) {
            expires 100d;
        }
    }

    location ~ \.php {
	        fastcgi_pass   127.0.0.1:9000;
			fastcgi_index  index.php;
		    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
			fastcgi_param  PATH_INFO        $1;
			include        fastcgi_params;
    }
    try_files $uri $uri/ /index.php$request_uri;
}