Basic nginx configuration on CentOS 7

Installing nginx

Download

wget http://nginx.org/download/nginx-1.13.3.tar.gz

nginx.org also serves the tarball over HTTPS and publishes a PGP signature (.asc) next to it; fetch it over HTTPS and verify the signature before building rather than trusting a plain-HTTP download.

Extract and enter the directory

tar -zxvf nginx-1.13.3.tar.gz && cd nginx-1.13.3

Configure

./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-http_v2_module --with-openssl=[path to an unpacked OpenSSL source tree]

--with-openssl expects the directory of an OpenSSL source tree, not the openssl binary: nginx builds that tree itself and links it statically, which is the simplest way to get HTTP/2 working with an OpenSSL newer than the one in the yum repositories. Pointing it at /usr/bin/openssl makes ./configure fail. Leave the option out to build against the system OpenSSL headers (openssl-devel); either way the build also needs gcc, pcre-devel and zlib-devel.

Build and install

make && make install

Enter the install directory

cd /usr/local/nginx/sbin

Check the version

./nginx -v

-V (capital V) additionally prints the configure arguments and a "built with OpenSSL ..." line, which is the quickest way to confirm which OpenSSL the binary was actually linked against.

Start nginx

/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf

Configure the firewall

At this point the server IP answers ping but the site does not load in a browser: firewalld on CentOS 7 blocks inbound 80 and 443 by default, so the http and https services have to be opened (and the rules reloaded) before nginx is reachable.

After the install I also noticed that connections were always HTTP/1.1 rather than HTTP/2. The cause was the OpenSSL version from the yum repositories being too old: browsers only speak HTTP/2 over TLS with ALPN, which OpenSSL supports from 1.0.2, so a newer OpenSSL had to be downloaded and built by hand.
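The two checks above (is nginx linked against an OpenSSL that can do ALPN, and is the firewall open) as a script. This is an added example, not code from the original post: it parses the "built with OpenSSL" line of `nginx -V`, compares the version against 1.0.2, and wraps the firewalld commands. The nginx path follows the --prefix used above; the function names and the "check"/"firewall" arguments are this script's own.

```sh
#!/bin/sh
# Added example (not from the original post): post-install checks for a
# source-built nginx on CentOS 7. HTTP/2 in browsers needs ALPN, which
# OpenSSL added in 1.0.2, so a binary built against an older OpenSSL will
# silently fall back to HTTP/1.1.

# Read `nginx -V` output on stdin and print the OpenSSL version it was built
# with, e.g. "1.0.2k" from "built with OpenSSL 1.0.2k-fips  26 Jan 2017".
nginx_openssl_version() {
  sed -n 's/^built with OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# Exit 0 when OpenSSL version $1 (1.0.1e, 1.0.2k, 1.1.0f, 3.0.7 ...) is >= 1.0.2.
openssl_has_alpn() {
  v=$(printf '%s' "$1" | sed 's/[a-z].*$//')          # 1.0.2k -> 1.0.2
  set -- $(printf '%s' "$v" | tr '.' ' ')              # split into major minor patch
  n=$(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))   # 1.0.2 -> 10002
  [ "$n" -ge 10002 ]
}

# Run the check against a real binary ($1). Prints a verdict; exit 1 if too old.
check_nginx_h2() {
  ver=$("$1" -V 2>&1 | nginx_openssl_version)
  if [ -z "$ver" ]; then
    echo "could not find 'built with OpenSSL' in $1 -V output" >&2
    return 2
  fi
  if openssl_has_alpn "$ver"; then
    echo "built with OpenSSL $ver: ALPN available, HTTP/2 can be negotiated"
  else
    echo "built with OpenSSL $ver: no ALPN, clients will fall back to HTTP/1.1;" \
         "rebuild nginx with --with-openssl=<openssl source dir>"
    return 1
  fi
}

# CentOS 7 ships firewalld: open the http and https services permanently.
open_web_ports() {
  firewall-cmd --permanent --add-service=http
  firewall-cmd --permanent --add-service=https
  firewall-cmd --reload
}

# Only act when explicitly asked, so the functions can also be sourced.
#   sh nginx-check.sh check      # inspect /usr/local/nginx/sbin/nginx
#   sh nginx-check.sh firewall   # open 80/443 (run as root)
if [ "${1:-}" = "check" ]; then
  check_nginx_h2 /usr/local/nginx/sbin/nginx
elif [ "${1:-}" = "firewall" ]; then
  open_web_ports
fi
```

Run the check after every rebuild of nginx or OpenSSL: the `yum` OpenSSL can be updated underneath a dynamically linked binary, but a statically linked one (built with --with-openssl) only changes when nginx is rebuilt.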

Installing OpenSSL

For the build steps see the separate post "Installing OpenSSL 1.0.2 from source on CentOS 7.2". Note that the newest OpenSSL release is now 1.1.0, and when adding the environment variables and setting the library path

Configuring HTTPS with Let's Encrypt

Download

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

This repository has since been renamed certbot (github.com/certbot/certbot) and the letsencrypt-auto wrapper is deprecated; on a current CentOS 7 system the certbot package from EPEL provides the same certonly --webroot command line.

Request the certificate

./letsencrypt-auto certonly --webroot --webroot-path [web root, e.g. /usr/share/nginx/html] -d [domain, e.g. likui.me] --agree-tos --email [e-mail address, e.g. xxxx@qq.com]

The webroot must be the directory nginx actually serves for that domain on port 80, because the HTTP-01 challenge file is fetched from http://[domain]/.well-known/acme-challenge/ before any certificate exists. Repeat -d for every host name the server will answer for (www.likui.me and so on): the certificate only covers the names listed here.

A "Congratulations!" message naming the certificate under /etc/letsencrypt/live/[domain]/ means the request succeeded.

nginx configuration

server {
    listen 80;
    server_name  likui.me www.likui.me *.likui.me;
    # Plain HTTP is only ever redirected. $server_name expands to the first
    # name, so www and wildcard hosts are canonicalized onto likui.me, the
    # only name the certificate requested above covers. Switching to $host
    # would keep the requested name but then needs a certificate for it.
    return 301 https://$server_name$request_uri;
}
server {
    listen     443 ssl http2;
    server_name  likui.me www.likui.me *.likui.me;

    # Security headers. The location blocks below inherit them only because
    # none of them sets add_header itself; a location with its own add_header
    # drops every header set at server level.
    # 63072000 s is two years; "preload" is a commitment that is hard to undo.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    # Legacy header; current browsers ignore it, kept for older ones.
    add_header X-XSS-Protection "1; mode=block";

    charset utf-8;
    # "main" must be defined with log_format in the http block (the stock
    # nginx.conf ships it commented out) and /var/log/nginx must exist;
    # a source build otherwise logs under /usr/local/nginx/logs.
    access_log  /var/log/nginx/host.access.log  main;
    sendfile on;
    tcp_nopush  on;

    location / {
        root   /usr/share/nginx/html;
        index  home.html home.htm;
    }

    error_page  404              /404.html;
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # Certificate issued above; a client going straight to https://www.likui.me
    # gets a name mismatch until www.likui.me is added with -d (a wildcard
    # needs the DNS-01 challenge).
    ssl_certificate /etc/letsencrypt/live/likui.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/likui.me/privkey.pem;
    #include /etc/letsencrypt/options-ssl-nginx.conf;
    # options-ssl-nginx.conf and ssl-dhparams.pem are written by certbot's
    # nginx plugin, not by certonly --webroot; if the file is missing,
    # generate it (openssl dhparam -out /etc/letsencrypt/ssl-dhparams.pem 2048).
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    ssl_session_cache shared:le_nginx_SSL:1m;
    ssl_session_timeout 1440m;
    # nginx >= 1.13.0 accepts TLSv1.3 here, but it only takes effect when
    # built against OpenSSL 1.1.1 or later; with 1.0.2 / 1.1.0 only TLS 1.2
    # is offered, which is still what this config is meant to enforce.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # !kRSA removes static-RSA key exchange permanently (no forward secrecy),
    # so the trailing +kRSA has no effect; +SHA1 merely sorts SHA-1 MACs last.
    ssl_ciphers "HIGH:!RC4:!3DES:!ADH:!aDSS:!aNULL:!kPSK:!kSRP:!MD5:!kRSA:!CAMELLIA:@STRENGTH:+SHA1:+kRSA";
    # OCSP stapling needs a resolver directive so nginx can look up the OCSP
    # responder, and ssl_stapling_verify needs the issuer chain as trusted
    # certificates; certbot writes that chain next to fullchain.pem.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/likui.me/chain.pem;
}

Viewing the cipher suites selected by ssl_ciphers

The value of ssl_ciphers is an OpenSSL cipher-list string, so the concrete suites it selects depend on the OpenSSL nginx was built against; expand it with that OpenSSL rather than guessing from the aliases.

Testing the certificate setup

Use SSL Labs (https://www.ssllabs.com/ssltest/) to test the strength and correctness of the TLS configuration. It only reaches hosts that are publicly resolvable on port 443, and it reports what a real browser will see: the certificate chain, the protocol versions accepted and whether HTTP/2 is offered.


Reposted from blog.csdn.net/zhong1113/article/details/74937743