
Configuring HTTPS for a site with Certbot

Published 2023-09-06 01:36 | Editor: 白小东 | Keywords: configuring http

Official site: https://certbot.eff.org/
Installation guide: https://certbot.eff.org/#centos6-nginx

Download

    wget https://dl.eff.org/certbot-auto
    chmod a+x certbot-auto

(The certbot-auto wrapper used throughout this post has since been retired by the EFF in favour of distribution packages and the certbot snap; the certificate, renewal and nginx steps are the same with the packaged certbot binary.)

Generate the certificate

The original command passed both --nginx and --webroot, which are two different authenticators and cannot be combined in one invocation. Since the command uses certonly with a webroot path, --webroot is the one that is meant:

    ./certbot-auto certonly --email xxxx@gmail.com --webroot -w /data/vhosts/xttan.com/wordpress -d www.xttan.com

The webroot authenticator writes the ACME challenge file under /.well-known/acme-challenge/ in the given directory, so that path must be the document root nginx already serves for www.xttan.com over plain HTTP.

Automatic renewal

    ## Manual
    ./path/to/certbot-auto renew

    ## crontab
    0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && /home/tanda/cronb/certbot-auto renew

The renew command only replaces certificates that are close to expiry, so running it twice a day is safe; the random sleep of up to an hour spreads the renewal attempts so they do not all reach the CA at the same minute. nginx still has to reload before it serves the new certificate.
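A check that belongs next to the renewal cron job: confirm that the certificate actually on disk is not about to expire, so a renewal that silently fails is noticed before browsers start rejecting the site. The script below is an added example, not code from the page or from Certbot. It needs only the openssl command-line tool; as constructed test input it generates a short-lived self-signed certificate and applies the check to that. The certificate path and the 30-day window are assumptions; on a real host point it at the file nginx serves (for a Certbot-issued certificate that is the fullchain.pem under /etc/letsencrypt/live/<domain>/).

```shell
#!/bin/sh
# Added example: certificate expiry check to pair with the renewal cron job.
# Requires the openssl CLI. All inputs below are constructed for illustration.

# Return 0 if the certificate in $1 expires within $2 seconds (or cannot be
# read), 1 if it stays valid beyond that window. "openssl x509 -checkend N"
# exits 0 only when the certificate will NOT expire within N seconds.
cert_expires_within() {
  cert="$1"
  window="$2"
  if [ ! -r "$cert" ]; then
    echo "cannot read $cert" >&2
    return 0
  fi
  if openssl x509 -checkend "$window" -noout -in "$cert" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Print the notAfter date of the certificate in $1, for log output.
cert_not_after() {
  openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//'
}

# Constructed test input: a self-signed certificate valid for 5 days, written
# to $1/cert.pem with its key in $1/key.pem. Not a real site certificate.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 5 \
    -subj "/CN=www.example.com" \
    -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Report whether the certificate in $1 needs attention before the next
# renewal run. $2 is the window in days (default 30, an assumption).
# Prints one line; returns 0 when renewal is due, 1 when it is not.
check_renewal_due() {
  cert="$1"
  window_days="${2:-30}"
  window_secs=$((window_days * 86400))
  if cert_expires_within "$cert" "$window_secs"; then
    echo "RENEW: $cert expires within $window_days days (notAfter=$(cert_not_after "$cert"))"
    return 0
  fi
  echo "OK: $cert valid beyond $window_days days (notAfter=$(cert_not_after "$cert"))"
  return 1
}

# Demo on the constructed certificate. On a real host replace the path with
# the certificate nginx serves, e.g. the live fullchain.pem Certbot maintains.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir"
check_renewal_due "$demo_dir/cert.pem" 30 || true   # 5-day cert: reports RENEW
check_renewal_due "$demo_dir/cert.pem" 1 || true    # 1-day window: reports OK
rm -rf "$demo_dir"
```

Run it from the same crontab after the renew command, or from a monitoring check; a RENEW line that persists across two renewal windows means the renewal itself is failing and its log needs a look.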

Configuration

1. First enable SSL

    listen 443 ssl;
    server_name www.example.com;
    ssl on;
    ssl_certificate /etc/ssl/certs/xttan.crt;
    ssl_certificate_key /etc/ssl/private/xttan.key;

Note that ssl on; is the pre-1.15 way of enabling TLS: it has been deprecated since nginx 1.15.0 and was removed in 1.25.1, and listen 443 ssl; on its own is sufficient on current versions. Certbot itself writes the issued certificate and key to /etc/letsencrypt/live/<domain>/fullchain.pem and privkey.pem; the paths above are where this post copies them.

Here xttan.crt is the site certificate and xttan.key is its private key.

2. Generate dhparam.pem

    cd /etc/letsencrypt/
    openssl dhparam -out dhparam.pem 4096

Configure it in nginx:

    ssl_dhparam /etc/ssl/certs/dhparam.pem;

Note that the file is generated in /etc/letsencrypt/ but referenced from /etc/ssl/certs/; the two paths have to agree, so either move the file or adjust the directive. Generating a 4096-bit group takes a long time, which is normal.

Protocol and cipher selection. The cipher choice matters most; the list below supports most browsers but not XP/IE6.

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_stapling on;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
    ssl_prefer_server_ciphers on;

Two caveats on this list: TLS 1.0 and 1.1 have since been deprecated (RFC 8996) and current guidance is TLSv1.2 and TLSv1.3 only, and the list still enables 3DES (DES-CBC3-SHA) for the sake of old clients. ssl_stapling on also needs a resolver directive so nginx can reach the OCSP responder; without one, stapling does not work.
3. SSL session configuration

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
4. HSTS configuration

This also has a large effect on the rating, but enabling it means HTTPS must be on for the entire site.

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

The max-age of 63072000 seconds is two years, and preload asks browsers to ship the site in their built-in HSTS lists, which is hard to undo; add it only once the whole site, subdomains included, is permanently served over HTTPS.

The complete server block:
    server {
        listen 443 ssl;
        ssl on;
        ssl_certificate /usr/local/nginx/cert/xttan.crt;
        ssl_certificate_key /usr/local/nginx/cert/xttan.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_stapling on;

        ## cipher selection
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
        ssl_prefer_server_ciphers on;

        ## session settings
        ssl_session_cache shared:SSL1:20m;
        ssl_session_timeout 60m;

        ## HSTS
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

        location / {
            # pass
        }
    }
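The caveats raised in the steps above can be turned into a repeatable check. The script below is an added example, not code from the page or from nginx: a POSIX shell audit that scans a server block for the settings this post's configuration still carries (ssl on;, TLS 1.0/1.1, 3DES, stapling without a resolver, a missing HSTS header) and a hardened block that passes the same audit. Both configuration files it writes are constructed for the demonstration; the page's own block is reproduced with an abridged cipher list. In the hardened block the /etc/letsencrypt/live/www.xttan.com/ paths follow Certbot's default layout and the resolver address 127.0.0.1 is an assumption to be replaced with the host's DNS resolver.

```shell
#!/bin/sh
# Added example: audit an nginx TLS server block for weak or deprecated settings.

# Print one finding per line for the config file in $1.
# Returns 0 if the file passes every check, 1 if there is at least one finding.
audit_tls_config() {
  conf="$1"
  findings=0
  # 1. "ssl on;" was deprecated in nginx 1.15.0 and removed in 1.25.1.
  if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$conf"; then
    echo "ssl_on: 'ssl on;' is deprecated, 'listen 443 ssl;' alone is enough"
    findings=$((findings + 1))
  fi
  # 2. TLS 1.0 / 1.1 are deprecated (RFC 8996). Match bare tokens only, so
  #    TLSv1.2 and TLSv1.3 do not trigger.
  if grep -E '^[[:space:]]*ssl_protocols' "$conf" | grep -Eq '(TLSv1|TLSv1\.1)([[:space:]]|;)'; then
    echo "protocols: ssl_protocols enables TLSv1 and/or TLSv1.1"
    findings=$((findings + 1))
  fi
  # 3. 3DES / RC4 suites enabled positively (a '!' prefix means excluded).
  if grep -E '^[[:space:]]*ssl_ciphers' "$conf" | grep -Eq '(^|[:"])(DES-CBC3-SHA|3DES|RC4)'; then
    echo "ciphers: ssl_ciphers still enables 3DES or RC4 suites"
    findings=$((findings + 1))
  fi
  # 4. Stapling needs a resolver to look up the OCSP responder hostname.
  if grep -Eq '^[[:space:]]*ssl_stapling[[:space:]]+on' "$conf" \
     && ! grep -Eq '^[[:space:]]*resolver[[:space:]]' "$conf"; then
    echo "stapling: ssl_stapling on without a resolver directive"
    findings=$((findings + 1))
  fi
  # 5. HSTS header present at all.
  if ! grep -q 'Strict-Transport-Security' "$conf"; then
    echo "hsts: no Strict-Transport-Security header"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Constructed copy of the page's server block, cipher list abridged.
write_page_config() {
  cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    ssl on;
    ssl_certificate /usr/local/nginx/cert/xttan.crt;
    ssl_certificate_key /usr/local/nginx/cert/xttan.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_stapling on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:DES-CBC3-SHA:!aNULL:!RC4:!MD5";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL1:20m;
    ssl_session_timeout 60m;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    location / {
        # pass
    }
}
EOF
}

# Hardened equivalent. Assumptions: Certbot's default live/ paths for the
# page's domain, and a DNS resolver at 127.0.0.1.
write_hardened_config() {
  cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name www.xttan.com;
    ssl_certificate /etc/letsencrypt/live/www.xttan.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.xttan.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
    ssl_prefer_server_ciphers off;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/www.xttan.com/chain.pem;
    resolver 127.0.0.1;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    location / {
        # pass
    }
}
EOF
}

# Demo: audit both constructed files.
tmp=$(mktemp -d)
write_page_config "$tmp/page.conf"
write_hardened_config "$tmp/hardened.conf"
for f in page hardened; do
  echo "== $f.conf"
  if audit_tls_config "$tmp/$f.conf"; then echo "no findings"; fi
done
rm -rf "$tmp"
```

The page's block produces four findings (ssl on, TLSv1/1.1, 3DES, stapling without a resolver); the hardened block produces none. Run nginx -t after any change, and re-run the audit as part of the renewal cron job or a deploy check so a later edit does not quietly reintroduce a weak setting.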



Original article: https://www.cnblogs.com/one-villager/p/certbot_build_https.html
