首先需要购买SSL证书,详细步骤省略。
为了安全地获得 A+ 评分，需要生成自定义的 Diffie-Hellman 参数（仅供 DHE-* 密码套件使用；评分主要取决于下面配置的协议版本和密码套件，DH 参数只是其中一项）
openssl dhparam -out dhparam.pem 2048   # 2048 位是当前的最低要求，4096 也行，但生成时间可能稍长（服务器性能一般可能超过 1 小时）。注意 shell 里的注释符是 #，不要把 // 一起粘贴进命令
然后编辑博客的conf配置
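# NOTE: nginx comments start with '#'. A '//' after the ';' is parsed as an
# (unknown) directive and makes `nginx -t` fail, so never use C-style comments here.
server {
    listen 80;
    server_name blog.tse.moe;  # replace with your own domain

    # Permanent redirect of every plain-HTTP request to the HTTPS vhost,
    # preserving the original path and query string.
    return 301 https://blog.tse.moe$request_uri;  # replace with your own domain
}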
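# HTTPS vhost that fronts the Ghost blog. nginx comments start with '#';
# the original '//' comments would have been parsed as unknown directives.
server {
    listen 443 ssl http2;
    server_name blog.tse.moe;  # replace with your own domain

    # Certificate, private key and the DH parameters generated earlier.
    ssl_certificate     /etc/nginx/ssl/xxx.crt;      # leaf + intermediate chain
    ssl_certificate_key /etc/nginx/ssl/xxx.key;      # keep it mode 0600, owned by root
    ssl_dhparam         /etc/nginx/ssl/dhparam.pem;  # only used by the DHE-* suites below

    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    # Session tickets are encrypted with a key that lives as long as the worker
    # process; turning them off keeps forward secrecy for resumed sessions.
    ssl_session_tickets off;

    # TLS 1.0/1.1 are deprecated (RFC 8996) and SSL Labs now caps them at grade B,
    # so they are no longer offered. Add TLSv1.3 once nginx >= 1.13 is built
    # against OpenSSL >= 1.1.1.
    ssl_protocols TLSv1.2;

    # Forward-secret AEAD suites only. The previous list also enabled static-RSA
    # key exchange (no forward secrecy), 3DES (Sweet32) and CAMELLIA via the
    # broad "AES:CAMELLIA:DES-CBC3-SHA" aliases. Names OpenSSL does not know
    # (e.g. CHACHA20 on OpenSSL < 1.1.0) are simply ignored.
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
    ssl_prefer_server_ciphers on;

    # OCSP stapling. Without ssl_stapling_verify nginx would staple whatever the
    # responder returns unchecked; verification needs the issuer and root CA
    # certificates, supplied via ssl_trusted_certificate.
    ssl_stapling            on;
    ssl_stapling_verify     on;
    ssl_trusted_certificate /etc/nginx/ssl/xxx-chain.crt;  # intermediate(s) + root CA
    resolver         8.8.8.8 8.8.4.4 valid=300s;  # used to reach the OCSP responder
    resolver_timeout 5s;

    # HSTS: delete this line if not everything under the domain is served over
    # HTTPS. `always` also attaches the header to 4xx/5xx responses, which
    # add_header otherwise skips.
    add_header Strict-Transport-Security "max-age=15768000" always;

    location / {
        # Forward client identity and scheme so Ghost can build https:// URLs
        # and log the real client address.
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Required for the upstream `keepalive` pool to be used at all; the
        # proxy default is HTTP/1.0 with "Connection: close".
        proxy_http_version 1.1;
        proxy_set_header   Connection "";

        proxy_pass http://ghost_upstream;

        proxy_hide_header Vary;
        # NOTE(review): hiding Cache-Control also strips any no-cache/no-store
        # the upstream sets on private pages (e.g. the Ghost admin) — confirm
        # that is intended before relying on it behind a CDN.
        proxy_hide_header Cache-Control;
    }
}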
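# Backend pool for the Ghost process. nginx comments start with '#';
# the original '//' comment would have been parsed as an unknown directive.
upstream ghost_upstream {
    # Unix socket Ghost listens on (adjust to the Ghost install path);
    # the socket file must be accessible by the nginx worker user.
    server unix:/var/www/xxx/socket.sock;
    # Idle keepalive connections kept per worker; only effective when the
    # proxying location sets proxy_http_version 1.1 and clears Connection.
    keepalive 64;
}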
最后
nginx -t && service nginx reload   # 先检查配置语法再平滑重载；直接 restart 时若配置有误，nginx 会起不来导致站点下线
附:测试地址
2017.02.22更新获得免费通配符证书地址:https://portal.loovit.net/cart.php?a=add&pid=1 （使用前请确认签发 CA 的根证书已被主流浏览器信任，并且私钥在自己服务器上生成，不要由第三方代为生成）