ngixn配置ssl

一、ssl证书安装

①

1.  wget  https://dl.eff.org/certbot-auto
2.   chmod a+x certbot-auto
3. ./certbot-auto certonly --standalone -d www.sunkun.pub

②ssl生成的文件

/etc/letsencrypt/live/sk.test/fullchain.pem
/etc/letsencrypt/live/sk.test/privkey.pem

③

    cd /etc/nginx && openssl dhparam -out dhparam.pem 2048


二、nginx的安装

1. 下载   http://nginx.org/download/nginx-1.12.2.tar.gz

2. 编译 

    ./configure --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-threads --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-http_slice_module --with-mail --with-mail_ssl_module --with-compat --with-file-aio --with-http_v2_module 
3. 安装
 make && make install

注意： 安装nginx时，一定要带上 --with-http_ssl_module 


查看防火墙

iptables -nL INPUT


开放443 端口

iptables -I INPUT -p tcp --dport 443 -j ACCEPT

三、nginx配置

server {
    listen       443 ssl http2;
    server_name  sk.test;
    ssl on; #cert root /var/www/htdocs/sk.test; ssl_certificate /etc/letsencrypt/live/sk.test/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/sk.test/privkey.pem; ssl_dhparam /etc/nginx/dhparam.pem; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECD HE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES2 56-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!EXP:!LOW:!SEED:!CAMELLIA:!IDEA:!Psk.test:!SRP:!SSLv:!aECD H:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; ssl_session_timeout 1h; ssl_session_cache shared:SSL:16m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; client_max_body_size 100m; location / { root html; } location ~ \.(inc|tpl|sql|ini|bin|sh|bak|old)$ { deny all; } location ~ \.(ico|gif|png|jpeg|jpg|css|js|xml|html|shtml|swf|mp3)$ { expires 1d; if ($uri ~ ^/favicon\.ico$) { expires 30d; } if ($uri ~ index\.(html|shtml)$) { expires 600; } if ($uri ~ check\.html$) { expires 100d; } } location ~ \.php { fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $1; include fastcgi_params; } try_files $uri $uri/ /index.php$request_uri; }

转载于:https://www.cnblogs.com/sk2015/p/8072316.html