分类:笔记 日期:2020-08-05 作者:caocaofff 浏览:984
要求服务器的nginx和openssl版本是最新稳定版,推荐编译源码安装,别使用apt或yum自动安装
#安装acme工具
curl https://get.acme.sh | sh
#申请证书时,需要验证域名属于你,这里直接使用文件验证
#开始自动申请RSA
~/.acme.sh/acme.sh --issue -d ccpe.net -d *.ccpe.net --webroot /data/wwwroot
#开始自动申请ECC
~/.acme.sh/acme.sh --issue -d ccpe.net -d *.ccpe.net -k ec-256 --webroot /data/wwwroot/
#准备证书目录
mkdir /etc/nginx/conf/cert_rsa -p
mkdir /etc/nginx/conf/cert_ecc
#开始复制RSA到目录
~/.acme.sh/acme.sh --installcert -d ccpe.net --key-file /etc/nginx/conf/cert_rsa/ccpe.net.key --fullchain-file /etc/nginx/conf/cert_rsa/ccpe.net.cer --reloadcmd "service nginx force-reload"
#开始复制ECC到目录
~/.acme.sh/acme.sh --installcert -d ccpe.net --ecc --key-file /etc/nginx/conf/cert_ecc/ccpe.net.key --fullchain-file /etc/nginx/conf/cert_ecc/ccpe.net.cer --reloadcmd "service nginx force-reload"
#DH密钥协商
openssl dhparam -out /etc/nginx/dhparam.pem 2048
#开始配置nginx
vim /etc/nginx/conf.d/default.conf
nginx配置文件示例:
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ccpe.net ccpe.net;
ssl_certificate /etc/nginx/conf/cert_rsa/ccpe.net.cer;
ssl_certificate_key /etc/nginx/conf/cert_rsa/ccpe.net.key;
ssl_certificate /etc/nginx/conf/cert_ecc/ccpe.net.cer;
ssl_certificate_key /etc/nginx/conf/cert_ecc/ccpe.net.key;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
keepalive_timeout 75s;
keepalive_requests 100;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
ssl_early_data on;
gzip on;
gzip_comp_level 6;
gzip_min_length 1k;
gzip_types text/plain text/css text/xml text/javascript text/x-component application/json application/javascript application/x-javascript application/xml application/xhtml+xml application/rss+xml application/atom+xml application/x-font-ttf application/vnd.ms-fontobject image/svg+xml image/x-icon font/opentype;
root /data/www/typecho;
index index.php index.html;
location / {
#
}
location ~ \.php(/|$) {
fastcgi_pass 127.0.0.1:9000;
fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
fastcgi_buffers 8 4K;
fastcgi_buffer_size 4K;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
最后可以用www.myssl.com跑个分
CC版权: 本篇博文采用《CC 协议》,转载必须注明作者和本文链接