環境說明:CentOS Linux release 7.5.1804 (Core)、nginx/1.10.0
需求:公司網站在myssl的評級只得到了B的評分,需要提升至A+
具體操作如下:
一、nginx配置文件如下
server {
listen 443;
keepalive_timeout 70;
ssl on;
ssl_certificate /usr/local/nginx/conf/ssl/full_chain_rsa.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl/private.key;
ssl_session_timeout 1m;
ssl_stapling on;
ssl_stapling_verify on; # Requires nginx => 1.3.7
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:1m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
add_header Strict-Transport-Security "max-age=80720000; preload";
server_name test.hb2018.com;
root /var/www/web/hb2018.ssl;
location / {
}
}
二、切換到nginx指定的SSL證書目錄/usr/local/nginx/conf/ssl/,把相關證書文件上傳並生成
把ca_bundle.crt、certificate.crt、private.key這3個文件放在ssl目錄下
在ssl此目錄下執行命令openssl dhparam -out dhparam.pem 2048
命令執行完就會生成一個dhparam.pem文件,此時證書目錄下會有ca_bundle.crt、certificate.crt、private.key、dhparam.pem這4個文件
三、進入myssl網站,點擊工具箱,再點擊證書鏈下載
在服務器上執行上圖中的curl就可以下載證書鏈,文件名是full_chain_rsa.crt
此時ssl目錄下就有5個文件:ca_bundle.crt、certificate.crt、private.key、dhparam.pem、full_chain_rsa.crt
再次在myssl評級,網站評級已經由B變成A+了