LinMinquan's Blog

Experience technology to change life

How to get an A+ score on SSL Labs

Environment: Ubuntu 18.04.4, Nginx 1.16.1

TLS 1.2 and TLS 1.3 must be enabled, and weak cipher suites removed.

The certificate is a Let's Encrypt wildcard certificate issued with acme.sh.

The Nginx configuration is as follows:

ssl_certificate /path-of-certificate/fullchain.cer;
ssl_certificate_key /path-of-certificate/xxxx.key;

# Enable TLSv1.2 and TLSv1.3 only; older protocols are scored down by SSL Labs
ssl_protocols TLSv1.2 TLSv1.3;
# Modern cipher suites only (forward secrecy plus AEAD, no weak ciphers).
# Note: the TLS-* entries are not OpenSSL cipher names. OpenSSL ignores unknown
# names in ssl_ciphers and enables its TLS 1.3 suites by default, so this list
# effectively governs TLS 1.2 negotiation only.
ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
# The server's preference order wins, not the client's
ssl_prefer_server_ciphers on;

# Enable OCSP stapling. For ssl_stapling_verify to work, the issuer chain must
# be configured with ssl_trusted_certificate, and a resolver directive is needed
# so nginx can look up the OCSP responder hostname.
ssl_stapling on;
ssl_stapling_verify on;

# HSTS header with preload: tells browsers to remember this host is HTTPS-only.
# includeSubDomains is left out here (add it only once every subdomain serves
# HTTPS); note that the browser preload list requires includeSubDomains, so the
# "preload" token has no effect without it. Append "always" to the directive if
# the header should also be sent on error responses.
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header Strict-Transport-Security "max-age=63072000; preload";
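To check a configuration like the one above before running an SSL Labs scan, here is a small offline audit script. It is an added example, not code from the blog or from nginx: it parses the ssl_* and add_header directives from a config snippet and reports anything that would block an A+ on the points discussed (legacy protocols, weak or non-forward-secret ciphers, server cipher order, HSTS max-age, stapling). The inputs are constructed: BLOG_CONF is the post's own directives, LEGACY_CONF is a deliberately weak config for contrast. The 180-day HSTS minimum, the weak-cipher substring list and the "preload requires includeSubDomains" rule are assumptions encoded in the script, as is the note that OpenSSL ignores TLS-* names in ssl_ciphers.

```python
import re

# Constructed input: the ssl_* and HSTS lines from the blog's nginx config, as on the page.
BLOG_CONF = """
ssl_certificate /path-of-certificate/fullchain.cer;
ssl_certificate_key /path-of-certificate/xxxx.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; preload";
"""

# Constructed input: a legacy configuration of the kind that scores poorly, for contrast.
LEGACY_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:DES-CBC3-SHA';
ssl_prefer_server_ciphers off;
add_header Strict-Transport-Security "max-age=3600";
"""

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# Substrings that mark a TLS 1.2 suite as weak: RC4, 3DES, MD5 MAC, null/anonymous, export grade.
WEAK_TOKENS = ("RC4", "DES-CBC", "MD5", "NULL", "EXP", "ADH", "AECDH")
# Assumed A+ threshold for HSTS: at least six months.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600

# One nginx directive per line: name, value, terminating semicolon.
DIRECTIVE_RE = re.compile(r"^\s*([a-z_]+)\s+(.*?);\s*$", re.MULTILINE)


def parse_directives(conf):
    """Map each directive name to the list of its values, keeping repeated directives."""
    found = {}
    for name, value in DIRECTIVE_RE.findall(conf):
        found.setdefault(name, []).append(value.strip())
    return found


def audit(conf):
    """Return a list of findings; an empty list means nothing here blocks an A+."""
    d = parse_directives(conf)
    findings = []

    protocols = set(" ".join(d.get("ssl_protocols", [])).split())
    legacy = sorted(protocols - ALLOWED_PROTOCOLS)
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(legacy))

    ciphers = []
    for value in d.get("ssl_ciphers", []):
        ciphers += value.strip("'\"").split(":")
    for c in ciphers:
        if any(tok in c for tok in WEAK_TOKENS):
            findings.append("weak cipher: " + c)
        elif not c.startswith(("ECDHE-", "DHE-", "TLS-", "TLS_", "!")):
            findings.append("no forward secrecy: " + c)
    if any(c.startswith(("TLS-", "TLS_")) for c in ciphers):
        findings.append("note: TLS 1.3 suite names in ssl_ciphers are ignored by OpenSSL; "
                        "TLS 1.3 suites are enabled by default")
    if d.get("ssl_prefer_server_ciphers", ["off"])[-1] != "on":
        findings.append("ssl_prefer_server_ciphers is not on")

    hsts = [v for v in d.get("add_header", []) if v.startswith("Strict-Transport-Security")]
    if not hsts:
        findings.append("no HSTS header")
    else:
        m = re.search(r"max-age=(\d+)", hsts[-1])
        max_age = int(m.group(1)) if m else 0
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
        if "preload" in hsts[-1] and "includeSubDomains" not in hsts[-1]:
            findings.append("HSTS preload token without includeSubDomains (the preload list requires it)")

    if d.get("ssl_stapling", ["off"])[-1] != "on":
        findings.append("OCSP stapling is off")
    return findings


if __name__ == "__main__":
    for label, conf in (("blog config", BLOG_CONF), ("legacy config", LEGACY_CONF)):
        print(label + ":")
        for finding in audit(conf) or ["no findings"]:
            print("  - " + finding)
```

Run against the blog's own directives the audit reports only two items: the informational note about the TLS-* names and the preload-without-includeSubDomains caveat; the legacy config triggers every check. The script only reads the config text, so it cannot confirm what the server actually negotiates; use it as a pre-flight check and let the SSL Labs scan verify the live handshake.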
