Official website: https://certbot.eff.org/
Installation Tutorial: https://certbot.eff.org/#centos6-nginx
Download

```bash
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
```
Generate certificate

```bash
# webroot mode: certbot writes the ACME challenge file under the -w directory,
# which nginx must already serve for www.xttan.com over plain HTTP.
# The original command also passed --nginx; certbot rejects --nginx together
# with --webroot as conflicting plugin selections, so only --webroot is kept.
./certbot-auto certonly --webroot -w /data/vhosts/xttan.com/wordpress -d www.xttan.com --email [email protected]
```
Automatic Renewal

## Manual

```bash
./path/to/certbot-auto renew
```

## crontab

```
# Runs twice a day (the schedule certbot documents); the random sleep of up to
# an hour spreads renewal load on the CA. "renew" only replaces certificates
# that are close to expiry, so running it often is harmless.
0 0,12 * * * root python -c 'import random; import time; time.sleep(random.random() * 3600)' && /home/tanda/cronb/certbot-auto renew
```
Configuration

1. First turn on SSL

```nginx
listen 443 ssl;
server_name www.example.com;
ssl on;   # deprecated since nginx 1.15.0; "listen 443 ssl" alone is enough
ssl_certificate /etc/ssl/certs/xttan.crt;
ssl_certificate_key /etc/ssl/private/xttan.key;
```

Here xttan.crt is the site certificate and xttan.key is the certificate's private key. Keep the key readable only by root (nginx reads it before dropping privileges).
2. Generate dhparam.pem

```bash
cd /etc/letsencrypt/
openssl dhparam -out dhparam.pem 4096
```

Configure it in nginx (ssl_dhparam must point at the file generated above, so either move it to /etc/ssl/certs/ or adjust the path):

```nginx
ssl_dhparam /etc/ssl/certs/dhparam.pem;
```
Protocol and cipher selection. The cipher list is the more critical part: the list below works with most browsers but does not support XP/IE6.

```nginx
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_stapling on;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
ssl_prefer_server_ciphers on;
```
3. SSL session configuration

```nginx
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
```
4. HSTS configuration

This also has a sizable effect on the rating, but enabling it means the whole site must be served over HTTPS: browsers that have seen the header will refuse plain HTTP for the domain (and, with includeSubDomains, all subdomains) for the max-age period.

```nginx
add_header strict-transport-security "max-age=63072000; includeSubDomains; preload";
```
Complete server block:

```nginx
server {
    listen 443 ssl;
    ssl on;
    ssl_certificate /usr/local/nginx/cert/xttan.crt;
    ssl_certificate_key /usr/local/nginx/cert/xttan.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_stapling on;

    # cipher selection
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
    ssl_prefer_server_ciphers on;

    # session configuration
    ssl_session_cache shared:ssl1:20m;
    ssl_session_timeout 60m;

    # HSTS configuration
    add_header strict-transport-security "max-age=63072000; includeSubDomains; preload";

    location / {
        # site-specific directives omitted
    }
}
```
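A small checker for the directives assembled above, added here as an example and not part of the original post: it parses a server block and reports the points a reviewer would raise (deprecated `ssl on`, legacy protocols, suites without forward secrecy, 3DES/RC4, unverified OCSP stapling, HSTS max-age). The sample block is constructed from this post's values; the one-year HSTS threshold and the directive regex are assumptions of the example.

```python
import re

SAMPLE_CONF = """
server {
    # constructed sample built from the directives in this post, not a live config
    listen 443 ssl;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_stapling on;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!aNULL:!MD5";
    add_header strict-transport-security "max-age=63072000; includeSubDomains; preload";
}
"""
# one simple 'name args;' directive per line; blocks and comments never match
DIRECTIVE_RE = re.compile(r"^\s*([a-z_]+)\s+(.*?);\s*$", re.M)

def parse_directives(conf):
    """Map each directive name to its argument strings (surrounding quotes stripped)."""
    found = {}
    for name, args in DIRECTIVE_RE.findall(conf):
        found.setdefault(name, []).append(args.strip().strip('"'))
    return found

def audit(conf):
    """Return human-readable findings for the TLS directives of one server block."""
    d = parse_directives(conf)
    findings = []
    if d.get("ssl", [""])[0] == "on":
        findings.append("ssl on is deprecated; 'listen 443 ssl' already enables TLS")
    legacy = set(d.get("ssl_protocols", [""])[0].split()) & {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
    if legacy:
        findings.append("legacy protocols enabled: " + " ".join(sorted(legacy)))
    # positive entries of the cipher string; '!' entries are exclusions
    suites = [s for s in d.get("ssl_ciphers", [""])[0].split(":") if s and not s.startswith("!")]
    no_pfs = [s for s in suites if not s.startswith(("ECDHE-", "DHE-"))]
    if no_pfs:
        findings.append("suites without forward secrecy: " + " ".join(no_pfs))
    if any("DES" in s or "RC4" in s for s in suites):
        findings.append("3DES/RC4 suites still allowed")
    if d.get("ssl_stapling", [""])[0] == "on" and d.get("ssl_stapling_verify", [""])[0] != "on":
        findings.append("ssl_stapling on without ssl_stapling_verify: stapled OCSP responses are not checked")
    hsts = next((h for h in d.get("add_header", []) if h.lower().startswith("strict-transport-security")), "")
    age = re.search(r"max-age=(\d+)", hsts)
    if not age or int(age.group(1)) < 31536000:  # one year, the preload-list minimum
        findings.append("HSTS header missing or max-age below one year")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("-", finding)
```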