Building an A+ rated HTTPS site
First, upgrade the OpenSSL that ships with the system. The bundled OpenSSL is old and many vulnerabilities have been disclosed against it, so upgrading is clearly the best choice. I use nginx 1.11.6 as the example here and set up HTTPS with it. For OpenSSL itself, see the post on compiling and installing OpenSSL on CentOS; for the SSL certificate, see the post on obtaining a free certificate from Let's Encrypt.
Upgrading nginx
1. Download OpenSSL, extract it, and rename the directory to openssl
wget -c https://www.openssl.org/source/openssl-1.0.2j.tar.gz
tar zxvf openssl-1.0.2j.tar.gz
cd openssl-1.0.2j  # the configure line in step 2 expects this source tree at /root/openssl
2. Enter the nginx source directory and configure the build
cd nginx-1.11.6
# --with-openssl=PATH makes nginx build that OpenSSL tree itself and link it statically, so the system OpenSSL is not touched
./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-http_sub_module --with-openssl=/root/openssl && make
3. Copy the newly built nginx binary over the existing one
cp /usr/local/nginx/sbin/nginx{,.old} # back up the previous nginx binary
cp ./objs/nginx /usr/local/nginx/sbin/
4. Check the nginx build
[root@host-133-130-118-235 sbin]# ./nginx -V
nginx version: nginx/1.11.6
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)
built with OpenSSL 1.0.2j 26 Sep 2016
TLS SNI support enabled
configure arguments: --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-http_sub_module --with-openssl=/root/openssl
5. Edit the nginx configuration; only the ssl-related part of the config is shown here
server
{
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server ipv6only=on;
    server_name www.awen.me awen.me blog.awen.me;
    index index.html index.htm index.php;
    root /home/wwwroot/default;
    ssl on;  # redundant with "listen ... ssl" above (later nginx releases drop this directive)
    ssl_certificate /etc/letsencrypt/live/awen.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/awen.me/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    # HSTS max-age of two years; SSL Labs requires at least six months for an A+ rating
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    ssl_prefer_server_ciphers on;
    # the resolver is only consulted by ssl_stapling (not enabled in this block) and variable proxy_pass targets
    resolver 114.114.114.114;
    resolver_timeout 30s;
    #error_page 404 /404.html;
    include enable-php.conf;
    # drop connections for any method other than GET, HEAD and POST without sending a response
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 444;
    }
}
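The steps above end with a build to inspect (step 4) and a server block to get right (step 5). The script below is an added example, not code from the post: it parses an `nginx -V` dump for the features the upgrade was meant to deliver (OpenSSL 1.0.2 or newer, SNI, the ssl and http2 modules) and flattens a server{} block to check the settings that decide the rating (no SSLv2/SSLv3, TLSv1.2 on, server cipher preference, a long-lived HSTS header). The two sample inputs are copies of the post's own output and config; the six-month HSTS threshold is the SSL Labs A+ requirement as I understand it, and the TLSv1/TLSv1.1 note reflects the later grading change to a B cap, which did not apply when the post was written.

```python
"""Audit an `nginx -V` dump and a server{} block for the A+ prerequisites."""
import re

# Constructed sample: the `nginx -V` output from step 4 of the post.
NGINX_V = """nginx version: nginx/1.11.6
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)
built with OpenSSL 1.0.2j 26 Sep 2016
TLS SNI support enabled
configure arguments: --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module --with-http_gzip_static_module --with-http_sub_module --with-openssl=/root/openssl
"""

# Constructed sample: the TLS-relevant lines of the post's server block.
SERVER_BLOCK = """
server
{
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server ipv6only=on;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    ssl_prefer_server_ciphers on;
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 444;
    }
}
"""

HSTS_MIN_AGE = 15552000  # 180 days: SSL Labs requires at least this for A+


def check_build(v_output):
    """Return the build problems found in an `nginx -V` dump (empty list = OK)."""
    problems = []
    m = re.search(r"built with OpenSSL (\d+)\.(\d+)\.(\d+)", v_output)
    if m is None:
        problems.append("cannot read the OpenSSL version nginx was built with")
    elif tuple(int(x) for x in m.groups()) < (1, 0, 2):
        # ALPN arrived in OpenSSL 1.0.2; browsers need it to negotiate HTTP/2
        problems.append("OpenSSL older than 1.0.2: no ALPN, so no HTTP/2 for browsers")
    if "TLS SNI support enabled" not in v_output:
        problems.append("TLS SNI support missing")
    for arg in ("--with-http_ssl_module", "--with-http_v2_module"):
        if arg not in v_output:
            problems.append("configure argument missing: " + arg)
    return problems


def parse_directives(block):
    """Flatten a server{} block into {directive: [value, ...]}, ignoring nesting."""
    directives = {}
    for raw in block.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or line in ("server", "{", "}") or line.endswith("{"):
            continue
        name, _, value = line.rstrip(";").partition(" ")
        directives.setdefault(name, []).append(value.strip())
    return directives


def check_config(block):
    """Return {'fail': [...], 'warn': [...]} for a server{} block."""
    d = parse_directives(block)
    fail, warn = [], []
    if not any("ssl" in v and "http2" in v for v in d.get("listen", [])):
        fail.append("no 'listen ... ssl http2' directive")
    protocols = " ".join(d.get("ssl_protocols", [])).split()
    for proto in ("SSLv2", "SSLv3"):
        if proto in protocols:
            fail.append(proto + " is enabled")
    if "TLSv1.2" not in protocols:
        fail.append("TLSv1.2 is not enabled")
    for proto in ("TLSv1", "TLSv1.1"):
        if proto in protocols:
            # not penalised when the post was written; capped at B from 2020 on
            warn.append(proto + " is still enabled")
    if d.get("ssl_prefer_server_ciphers") != ["on"]:
        fail.append("ssl_prefer_server_ciphers is not 'on'")
    if "ssl" in d:
        warn.append("'ssl on' is redundant with 'listen ... ssl'")
    hsts = [v for v in d.get("add_header", []) if v.startswith("Strict-Transport-Security")]
    if not hsts:
        fail.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0])
        if m is None or int(m.group(1)) < HSTS_MIN_AGE:
            fail.append("HSTS max-age below %d seconds" % HSTS_MIN_AGE)
    return {"fail": fail, "warn": warn}


if __name__ == "__main__":
    print("build:", check_build(NGINX_V))
    print("config:", check_config(SERVER_BLOCK))
```

Run it against a real installation by replacing the two samples with `nginx -V 2>&1` output and the server block from your config; on the post's own inputs the build check is clean and the config check produces no failures, only the three advisory warnings (TLSv1, TLSv1.1 and the redundant `ssl on`).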