安装nginx
下载
wget http://nginx.org/download/nginx-1.13.3.tar.gz
解压并进入目录
tar -zxvf nginx-1.13.3.tar.gz && cd nginx-1.13.3
编译
./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-http_v2_module --with-openssl=/usr/bin/openssl
安装
make && make install
进入安装目录
cd /usr/local/nginx/sbin
查看版本
./nginx -v
启动nginx
/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
配置防火墙
这个时候会发现服务器ip地址可以ping通,但是浏览器里面无法访问,就需要防火墙开启端口
安装完成之后发现一直都是http1.1协议而不是http2,后来才发现是yum源提供的openssl版本过低导致的,需要自己重新下载安装openssl
安装openssl
安装过程参考centos7.2源码安装openssl1.0.2需要注意的是现在最新的openssl的版本是1.1.0,而且在添加环境变量和设置库路径的时候
使用let’s encrypt配置https
下载
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
配置基本信息
./letsencrypt-auto certonly --webroot --webroot-path [web目录例如(/usr/share/nginx/html)] -d [域名,例如:likui.me] --agree-tos --email [邮箱,例如 xxxx@qq.com]
出现如下信息则表示成功:
nginx配置
server {
listen 80;
server_name likui.me www.likui.me *.likui.me;
return 301 https://$server_name$request_uri;
}
server {
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
listen 443 ssl http2;
server_name likui.me www.likui.me *.likui.me;
charset utf-8;
access_log /var/log/nginx/host.access.log main;
sendfile on;
tcp_nopush on;
location / {
root /usr/share/nginx/html;
index home.html home.htm;
}
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
ssl_certificate /etc/letsencrypt/live/likui.me/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/likui.me/privkey.pem;
#include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "HIGH:!RC4:!3DES:!ADH:!aDSS:!aNULL:!kPSK:!kSRP:!MD5:!kRSA:!CAMELLIA:@STRENGTH:+SHA1:+kRSA";
ssl_stapling on;
ssl_stapling_verify on;
}
查看ssl_ciphers的可选择的加密套件
测试证书正确度
使用ssllabs来测试证书配置的强度和正确性