让你的网站在SSLLabs上A+ (Nginx)
· 实践教程 · 0 comment · 228 Views

让你的网站在SSLLabs上A+ (Nginx)

· 实践教程 · 0 comment · 228 Views

首先是站点的 Nginx 配置

    server
        {
            listen 80;
            #listen [::]:80;
            server_name dobyi.com www.dobyi.com;
            rewrite ^/(.*) https://dobyi.com/$1 permanent;
        }
    server
        {
            listen 443;
            server_name dobyi.com www.dobyi.com;
            include ssl.conf;
            ssl_certificate     /■■■■■/ssl/dobyi/dobyi.pem;
            ssl_certificate_key /■■■■■/ssl/dobyi/dobyi.key;
            index index.html index.htm index.php default.html default.htm default.php;
            root  /■■■■■/dobyi.com;
            #... ...#
        }

然后是ssl.conf

      ssl on;
     
      ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
     
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_session_cache shared:SSL:10m;
      ssl_session_timeout 10m;
     
      ssl_stapling on;
      ssl_stapling_verify on;
     
      ssl_prefer_server_ciphers on;
      ssl_dhparam /■■■■■/ssl/dhparam.pem;
     
      add_header Strict-Transport-Security max-age=15552000;

其中,dhparam.pem可以通过以下命令生成(这一步会花费较长时间,一般在五分钟左右,看vps性能而定)

openssl dhparam -out dhparam.pem 4096

最后给 Nginx 重启一下就可以啦~收工!

添加新评论