冷轩信

Enabling a Let's Encrypt SSL certificate and hardening the TLS settings

in 冷轩纪. Please credit the source when reposting this article!

Because certificates are being requested for several domains at once, the first step is to stop whatever program is listening on port 80: the client binds that port itself to answer the validation challenge.

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly

The resulting certificate files are placed under /etc/letsencrypt/live/yourdomain/.

Generate the DH parameters with the openssl tool:

openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048

Finally, edit the nginx configuration:

# TLS settings for the server block.
# "ssl on" is deprecated from nginx 1.15; newer versions use "listen 443 ssl;" instead.
ssl on;
ssl_certificate /etc/letsencrypt/live/lengxx.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/lengxx.com/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparams.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
# Forward-secret ECDHE/DHE suites only. RC4 suites are excluded by !RC4, so none are listed;
# !PSK excludes pre-shared-key suites (an unknown alias such as !PKS is silently ignored by OpenSSL).
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS:!PSK:!RC4;
ssl_session_timeout 5m;
ssl_session_cache builtin:1000 shared:SSL:10m;
# HSTS for one year; the quoted value must not carry a trailing ";".
add_header Strict-Transport-Security "max-age=31536000";

With these settings, the test at https://www.ssllabs.com/ should give a grade of A.
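Before trusting a grade, it is worth reviewing the server block statically for the slips that commonly lower it: legacy protocols, cipher entries that a later "!" rule cancels anyway, a mistyped exclusion that OpenSSL accepts without complaint, or a missing HSTS header. The script below is an added example, not code from the original post; it parses a constructed nginx snippet modelled on the one above (example.com paths, a deliberately reintroduced !PKS typo and RC4 entries) and lists the findings. The alias list, thresholds and finding texts are assumptions for illustration.

```python
"""Static audit of an nginx TLS configuration block.

Added example, not code from the original post: parses the ssl_* and
add_header directives of a constructed nginx snippet and reports the
weaknesses a reviewer (or an SSL Labs scan) would flag. The snippet, the
alias list and the finding texts are assumptions chosen for illustration.
"""
import re

# Constructed sample: mirrors the shape of the post's server block, with
# slips that commonly creep in (legacy protocols, RC4 listed and then
# excluded, a mistyped exclusion). Paths are placeholders.
SAMPLE_CONFIG = """
ssl on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparams.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:RC4-SHA:!aNULL:!PKS:!RC4;
ssl_session_timeout 5m;
add_header Strict-Transport-Security "max-age=31536000";
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ONE_YEAR = 31536000
# Short list of OpenSSL cipher-string aliases this audit recognises
# (assumption: a production tool would take the full list from OpenSSL's docs).
KNOWN_ALIASES = {"aNULL", "eNULL", "EXPORT", "EXP", "LOW", "MEDIUM", "HIGH",
                 "DES", "3DES", "MD5", "SHA1", "DSS", "PSK", "RC4", "SRP",
                 "kRSA", "aRSA", "RSA", "ADH", "AECDH", "SEED", "CAMELLIA"}
DIRECTIVE_RE = re.compile(r"^\s*(\S+)\s+(.*?)\s*;\s*$")


def parse_directives(text):
    """Return (name, value) pairs for every one-line directive in text."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        match = DIRECTIVE_RE.match(line)
        if match:
            pairs.append((match.group(1), match.group(2)))
    return pairs


def split_cipher_spec(spec):
    """Split an OpenSSL cipher string into (positive entries, '!' exclusions)."""
    entries = [e for e in spec.split(":") if e]
    positives = [e for e in entries if e[0] not in "!-+"]
    excluded = [e[1:] for e in entries if e.startswith("!")]
    return positives, excluded


def effective_ciphers(spec):
    """Positive entries that survive the '!' exclusions (matched on name components)."""
    positives, excluded = split_cipher_spec(spec)
    return [c for c in positives if not set(c.split("-")) & set(excluded)]


def audit(text):
    """Return the list of findings (strings) for an nginx TLS snippet."""
    findings = []
    directives = parse_directives(text)
    conf = dict(directives)

    if conf.get("ssl") == "on":
        findings.append("ssl on is deprecated; put 'ssl' on the listen directive")
    for proto in conf.get("ssl_protocols", "").split():
        if proto in LEGACY_PROTOCOLS:
            findings.append(f"legacy protocol enabled: {proto}")
    if "ssl_dhparam" not in conf:
        findings.append("no ssl_dhparam set")

    positives, excluded = split_cipher_spec(conf.get("ssl_ciphers", ""))
    for alias in excluded:
        if alias not in KNOWN_ALIASES:
            findings.append(f"unknown exclusion !{alias} (typo? OpenSSL does not reject it)")
    for cipher in positives:
        for alias in excluded:
            if alias in cipher.split("-"):
                findings.append(f"{cipher} is listed but removed by !{alias}")

    hsts = [v for n, v in directives
            if n == "add_header" and v.startswith("Strict-Transport-Security")]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        match = re.search(r"max-age=(\d+)", hsts[0])
        if not match or int(match.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age is below one year")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against a real server block by reading the file into audit(); the cipher check is a component match on the hyphenated suite names, which is enough to catch RC4/MD5/DES-style contradictions but not every OpenSSL alias, so treat it as a first pass rather than a substitute for `openssl ciphers -v` on the final string.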

Renew after 2 months:
./letsencrypt-auto renew --email youremail@gmail.com --agree-tos

Only 1 comment
  1. 上海项目管理软件

    Learned something.


© 2017 Powered by Typecho. Theme by Yodu