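#1. Download Let's Encrypt
# Fetches the upstream client into /opt/letsencrypt.
# Supply-chain caveat: this clones the unpinned default branch of the repo and
# the wrapper it contains later self-installs with sudo; pinning a release tag
# (or installing the distro's packaged certbot) is preferable for anything that
# is not a one-off lab box. Upstream has since retired the letsencrypt-auto
# wrapper in favour of the certbot package, so expect this path to bit-rot.
sudo apt-get update
sudo apt-get install git
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
# ----------------------------------------------------------------------------------------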
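#2. Request a certificate for the root domain
#   (for a subdomain, drop the trailing `-d www.$domain`).
# Fill in the site's web root directory (-w) according to your actual setup.
# 信箱@gmail.com is a placeholder ("mailbox@gmail.com"); replace it with a real
# contact address.
read -r -p "Enter domain: " domain
# $domain is untrusted keyboard input that is spliced into a filesystem path and
# into argv. Accept only a plain hostname (labels of [A-Za-z0-9-], dot-separated,
# at least one dot), so it cannot start with '-' (would be parsed as an option),
# contain '/' or '..' (path traversal into /var/www), or split on whitespace.
if [[ "$domain" =~ ^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$ ]]; then
  /opt/letsencrypt/letsencrypt-auto certonly --agree-tos --email 信箱@gmail.com \
    --webroot -w "/var/www/$domain/htdocs" -d "$domain" -d "www.$domain"
else
  # No `exit` here: this snippet is meant to be pasted into an interactive shell.
  printf 'refusing to run letsencrypt-auto: invalid domain %s\n' "$domain" >&2
fi
# ----------------------------------------------------------------------------------------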
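#3. Install the certificate
# Put this in /etc/nginx/sites-available/域名.conf, or in a new file under a
# directory that file `include`s. 域名 is a placeholder for the domain name.
# After saving: nginx -t && service nginx reload
# Config reference: https://mozilla.github.io/server-side-tls/ssl-config-generator/
# Reference config:
listen 443 ssl http2;
# `ssl on;` removed: the `ssl` parameter on `listen` above already enables TLS
# for this server, and the standalone directive is deprecated in current nginx.
ssl_certificate /etc/letsencrypt/live/域名/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/域名/privkey.pem;
# intermediate configuration. tweak to your needs.
# TLSv1 and TLSv1.1 removed: both are deprecated (RFC 8996) and the current
# Mozilla intermediate profile offers only TLSv1.2 and TLSv1.3. TLSv1.3 needs
# nginx built against OpenSSL 1.1.1 or newer; drop it if your build is older.
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher list kept as in the original profile. The DES-CBC3 (3DES) suites near
# the end are legacy-only and can be removed unless such clients must be served.
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
# NOTE(review): add_header directives are not inherited into a location {} that
# declares its own add_header; repeat this line there if such locations exist.
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
# NOTE(review): verification needs the issuer chain to be trusted; if the error
# log reports stapling verify failures, point ssl_trusted_certificate at the chain.
ssl_stapling_verify on;
# ----------------------------------------------------------------------------------------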
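#4. Redirect HTTP to HTTPS
# Put this at the top of /etc/nginx/sites-available/域名.conf, or in a new file
# under a directory that /etc/nginx/nginx.conf includes, such as /etc/nginx/conf.d.
# 域名 is a placeholder for the domain name.
# After saving: nginx -t && service nginx reload
server {
  listen 80;
  server_name www.域名 域名;
  # Permanent redirect to the canonical (non-www) HTTPS origin; $request_uri
  # carries the original path and query string across unchanged.
  return 301 https://域名$request_uri;
}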