LinMinquan's Blog

Experience technology to change life

怎样在 SSL Labs 上得到 A+ 的分数

环境: Ubuntu: 18.04.4 Nginx: 1.16.1

TLS 1.2 和 TLS 1.3 得 enable,去掉 weak cipher。

证书用 生成的 let’s encrypt wildcard 证书。

如下为 Nginx 配置:

ssl_certificate /path-of-certificate/fullchain.cer;
ssl_certificate_key /path-of-certificate/xxxx.key;

# Enable TLSv1.2 And TLS1.3 Only
ssl_protocols TLSv1.2 TLSv1.3;
# Enable Modern TLS Cipher Suites(No Weak)
# Server Cipher Order Required
ssl_prefer_server_ciphers on;

# Enable SSL Stapling
ssl_stapling on;
ssl_stapling_verify on;

# Add HSTS Header With Preload. Forces Clients To Remember The Server Has SSL And Use It
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header Strict-Transport-Security "max-age=63072000; preload";