centos7下nginx的基本配置
阿新 • • 發佈:2018-11-29
安裝nginx
下載
wget http://nginx.org/download/nginx-1.13.3.tar.gz
解壓並進入目錄
tar -zxvf nginx-1.13.3.tar.gz && cd nginx-1.13.3
編譯
./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-http_v2_module --with-openssl=/usr/bin/openssl
安裝
make && make install
進入安裝目錄
cd /usr/local/nginx/sbin
檢視版本
./nginx -v
啟動nginx
/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
配置防火牆
這個時候會發現伺服器ip地址可以ping通,但是瀏覽器裡面無法訪問,就需要防火牆開啟埠
安裝完成之後發現一直都是http1.1協議而不是http2,後來才發現是yum源提供的openssl版本過低導致的,需要自己重新下載安裝openssl
安裝openssl
安裝過程參考centos7.2原始碼安裝openssl1.0.2需要注意的是現在最新的openssl的版本是1.1.0,而且在新增環境變數和設定庫路徑的時候
使用let’s encrypt配置https
下載
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
配置基本資訊
./letsencrypt-auto certonly --webroot --webroot-path [web目錄例如(/usr/share/nginx/html)] -d [域名,例如:likui.me] --agree-tos --email [郵箱,例如 [email protected].com]
出現如下資訊則表示成功:
nginx配置
server {
listen 80 ;
server_name likui.me www.likui.me *.likui.me;
return 301 https://$server_name$request_uri;
}
server {
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
listen 443 ssl http2;
server_name likui.me www.likui.me *.likui.me;
charset utf-8;
access_log /var/log/nginx/host.access.log main;
sendfile on;
tcp_nopush on;
location / {
root /usr/share/nginx/html;
index home.html home.htm;
}
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
ssl_certificate /etc/letsencrypt/live/likui.me/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/likui.me/privkey.pem;
#include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "HIGH:!RC4:!3DES:!ADH:!aDSS:!aNULL:!kPSK:!kSRP:!MD5:!kRSA:!CAMELLIA:@STRENGTH:+SHA1:+kRSA";
ssl_stapling on;
ssl_stapling_verify on;
}
檢視ssl_ciphers的可選擇的加密套件
測試證書正確度
使用ssllabs來測試證書配置的強度和正確性