Docker+Nginx+Let'sEncrypt
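#!/bin/sh
# Obtain and renew a Let's Encrypt certificate with certbot (webroot mode)
# and generate DH parameters for nginx. Based on https://ruby-china.org/topics/31942
#
# This is a notes file: the steps are meant to be run one at a time as root,
# not executed end to end as a script. The crontab entry in particular is kept
# as a comment because it belongs in `crontab -e`, not in a shell script
# (as a bare line it would make sh try to run a command named `00`).

# Install certbot (on CentOS/RHEL 7 the package comes from EPEL).
yum install -y epel-release
yum install -y certbot

# Usage: certbot certonly --webroot -w [web root directory] -d [domain] -m [contact email] --agree-tos
# The web root must be reachable over plain HTTP on port 80 for that domain:
# the ACME HTTP-01 challenge is fetched from http://<domain>/.well-known/acme-challenge/.
certbot certonly --webroot -w /opt/www/demo.mydomain.com -d demo.mydomain.com -m myname@gmail.com --agree-tos

# The certificate is saved under /etc/letsencrypt/live/demo.mydomain.com/
# (point nginx's ssl_certificate at fullchain.pem and ssl_certificate_key at privkey.pem;
# these are symlinks that certbot repoints on renewal, so reference them in place rather
# than copying them).

# Renew the certificate. First a dry run (uses the staging environment) to verify the setup:
certbot renew --dry-run
# Then for real; `renew` only replaces certificates that are within 30 days of expiry.
# --quiet suppresses output unless something fails:
certbot renew --quiet

# Automate renewal with crontab. Check daily rather than monthly: certificates are
# valid for 90 days and renewal starts 30 days before expiry, so a monthly job that
# fails once (rate limit, outage, expired DNS) gets no second attempt before the
# certificate expires. --deploy-hook runs only when a certificate was actually
# renewed, so nginx is reloaded (not restarted) only when there is something new to
# load; on certbot older than 0.17 use --post-hook instead (runs after every attempt).
# Example crontab entry (add it with `crontab -e`):
#   15 03 * * * /usr/bin/certbot renew --quiet --deploy-hook "/bin/systemctl reload nginx"

# Generate Diffie-Hellman parameters for forward secrecy (PFS) with the DHE cipher suites.
# The bit count goes last: the syntax is `openssl dhparam [options] [numbits]`, and
# OpenSSL 1.1+ stops option parsing at the first non-option argument, so
# `dhparam 2048 -out ...` is rejected there (it happens to work on 1.0.x).
# Written to the path the nginx ssl_dhparam directive points at. This can take minutes.
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048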
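# nginx HTTPS configuration with HSTS and security headers.
# Based on https://aotu.io/notes/2016/08/16/nginx-https/index.html
# Certificate paths assume certbot issued them (see the companion script):
# /etc/letsencrypt/live/<domain>/fullchain.pem and privkey.pem.
worker_processes auto;

# nginx rejects a configuration without an events block, even an empty one.
events {}

http {
    # Shared TLS session cache (10 MB holds roughly 40k sessions); size it to the site's traffic.
    ssl_session_cache shared:SSL:10m;
    # How long a cached session stays resumable.
    ssl_session_timeout 10m;
    # Session tickets are disabled: nginx does not rotate the ticket key while
    # running, so a compromised key would let recorded sessions be decrypted,
    # undoing the forward secrecy the ECDHE/DHE suites below provide.
    ssl_session_tickets off;

    # Plain-HTTP listener: serves only the ACME challenge used by `certbot --webroot`
    # and redirects everything else to HTTPS. Serving the site itself on port 80
    # would leave a plaintext copy reachable, and HSTS is ignored over HTTP anyway.
    server {
        listen 80;
        server_name www.example.com;

        # Must match the -w directory given to certbot.
        location /.well-known/acme-challenge/ {
            root /opt/www/www.example.com;
        }

        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        listen 443 ssl;
        server_name www.example.com;
        # Keep-alive connections
        keepalive_timeout 70;

        # HSTS. includeSubDomains + preload commits every subdomain of the registrable
        # domain to HTTPS, and a preload-list entry is hard to undo: verify all
        # subdomains work over HTTPS with a short max-age (e.g. 300) before raising it
        # to a year and submitting to the preload list.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

        # Certificate chain (leaf + intermediates) and private key as written by certbot.
        ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;

        # Let the server's cipher order win over the client's.
        ssl_prefer_server_ciphers on;
        # DH parameters for the DHE suites, generated with
        # `openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048`.
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996) and fail current compliance scans.
        # Remove TLSv1.3 if nginx is older than 1.13.0 or OpenSSL older than 1.1.1,
        # otherwise `nginx -t` rejects the value.
        ssl_protocols TLSv1.2 TLSv1.3;
        # Cipher suites: ECDHE/DHE only (forward secrecy), AEAD suites first.
        # The original list both enabled RC4 (EECDH+aRSA+RC4) and then excluded it (!RC4);
        # the RC4 entry is gone, the exclusion stays as a guard.
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";

        # NOTE: add_header is not inherited into a location block that sets its own
        # add_header; such a location must repeat all of these or they silently vanish there.
        # `always` also sends them on error responses (4xx/5xx).
        # Clickjacking: forbid framing entirely.
        add_header X-Frame-Options DENY always;
        # Stop browsers from MIME-sniffing responses into a different content type.
        add_header X-Content-Type-Options nosniff always;
        # The legacy XSS auditor has been removed from current browsers, and in the
        # browsers that still have it, mode 1 has been abused to leak page contents;
        # disable it and rely on a Content-Security-Policy header instead.
        add_header X-XSS-Protection "0" always;
        #...
    }
}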