首先需要购买SSL证书,详细步骤省略。

为了安全获得A+评分需要增加Diffie-Hellman参数

openssl dhparam -out dhparam.pem 2048  //4096也行,等待时间可能稍长(服务器性能一般可能超过1小时)

然后编辑博客的conf配置

server {
    listen 80;
    server_name blog.tse.moe;  //修改为自己域名
    return 301 https://blog.tse.moe$request_uri;   //修改为自己域名
}     

server {
    listen 443 ssl http2;
    server_name blog.tse.moe;    //修改为自己域名
    ssl_certificate /etc/nginx/ssl/xxx.crt;      //证书保存路径
    ssl_certificate_key /etc/nginx/ssl/xxx.key;  //证书保存路径
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;      //证书保存路径
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_stapling on;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security max-age=15768000;  //非全站HTTPS删掉此行
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    location / {
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header   Host $http_host;
    proxy_set_header   X-Forwarded-Proto $scheme;
    proxy_set_header   X-Real-IP $remote_addr;
    proxy_set_header   Host      $http_host;
    proxy_pass http://ghost_upstream;
    proxy_hide_header Vary;
    proxy_hide_header Cache-Control;
   }
}
upstream ghost_upstream {
server unix:/var/www/xxx/socket.sock;    //ghost安装路径
keepalive 64;
}

最后

service nginx restart  //重启nginx

附:测试地址

2017.02.22更新获得免费通配符证书地址:https://portal.loovit.net/cart.php?a=add&pid=1