跳到主內容

CentOS 7 Let’s Encrypt 免費 SSL/TLS 憑證 HTTPS 設置 for Nginx

NGINX 設定

NGINX SSL/TLS 設定:

可使用 Security/Server Side TLS – MozillaWiki 提供的介面,自動產生 Apache、NGINX HTTP 網頁伺服器的設定檔

# vim /etc/nginx/conf.d/default.conf
... 以上省略 ...
 
server {
    # 使用 https 和 http/2 協定
    listen 443 ssl http2;
    # 上述的 IPv6 方式
    listen [::]:443 ssl http2;
 
    # 網站網址
    server_name img.abc.com.tw;
    # 網站根目錄
    root   /var/nginx/html;
 
 
    #
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    #
 
    # SSL 憑證證書路徑
    ssl_certificate /etc/letsencrypt/live/img.abc.com.tw/fullchain.pem;
    # 私鑰路徑
    ssl_certificate_key /etc/letsencrypt/live/img.abc.com.tw/privkey.pem;
    # 緩存有效期
    ssl_session_timeout 1d;
    # 緩存憑證類型和大小
    ssl_session_cache shared:SSL:50m;
 
 
    #
    # intermediate configuration. tweak to your needs.
    #
 
    # 使用的加密協定
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # 加密演算法,越前面的優先級越高
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    # 交握過程使用 Server 的首選加演算法,這裡使用 Client 為首選
    ssl_prefer_server_ciphers on;
 
 
    #
    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    #
 
    # 增加 http header
    add_header Strict-Transport-Security max-age=15768000;
}

重新啟動 NGINX:

# systemctl restart nginx

參考相關網頁: