crazyssl去年就出过一年通配符SSL证书的活动,今年活动又来了,有需要的朋友不要错过了,这个是个自家提供的全球信任的TrustOcean Wildcard SSL通配符 1年有效期,依然全球信任,实则为付费证书免费促销活动。
- 1年365天有效期 0元 拿到您的通配符SSL证书
- 避免欺诈订单检测,先注册确认邮件,
- 申请第二个证书之前需要配置并签发之前的免费证书
- 自家品牌网站上线,欢迎吐槽提建议
- 更有其他的全球最低价品牌SSL证书列表
官方网站
https://www.crazyssl.com/
SSL配置教程
让你的站点获得 SSL 配置达到 A+水平
nginx 配置,只贴出 SSL 相关,需要将配置放到 server {} 位置。
首先开启 ssl
listen 443 ssl; server_name www.example.com; ssl on; ssl_certificate /etc/ssl/certs/ssl-bundle.crt; ssl_certificate_key /etc/ssl/private/www_example_com.key;
1 2 3 4 5 | listen 443 ssl ; server_name www . example . com ; ssl on ; ssl_certificate / etc / ssl / certs / ssl - bundle . crt ; ssl_certificate_key / etc / ssl / private / www_example_com . key ; |
其中 ssl-bundle.crt 是网站证书,www_example_com.key 是证书私钥,如何获取这两个文件,请自行搜索。
需要注意的是,大部分 CA 提供的证书都是多级,所以可能需要我们把多个证书合并成一个,这样可以减少浏览器额外下载中间证书的次数。
生成 dhparam.pem
$ openssl dhparam -out dhparam.pem 4096
1 | $ openssl dhparam - out dhparam . pem 4096 |
配置到 nginx
ssl_dhparam /etc/ssl/certs/dhparam.pem;
1 | ssl_dhparam / etc / ssl / certs / dhparam . pem ; |
协议和 ciphers 选择,ciphers 的选择比较关键,这个配置中的 ciphers 支持大多数浏览器,但不支持 XP/IE6 。
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_stapling on; ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"; ssl_prefer_server_ciphers on;
1 2 3 4 | ssl_protocols TLSv1 TLSv1 . 1 TLSv1 . 2 ; ssl_stapling on ; ssl _ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" ; ssl_prefer_server_ciphers on ; |
ssl session 配置
ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m;
1 2 | ssl_session_cache shared : SSL : 10m ; ssl_session _timeout 10m ; |
HSTS 配置,这个对评分影响也比较大,但如果开启这个,需要全站开启 HTTPS 。
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
1 | add_header Strict - Transport - Security "max-age=63072000; includeSubdomains; preload" ; |
完整配置文件
server { listen 443 ssl; server_name www.example.com; ssl on; ssl_certificate /etc/ssl/certs/ssl-bundle.crt; ssl_certificate_key /etc/ssl/private/www_example_com.key; ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_stapling on; ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; location / { # pass } }
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | server { listen 443 ssl ; server_name www . example . com ; ssl on ; ssl_certificate / etc / ssl / certs / ssl - bundle . crt ; ssl_certificate_key / etc / ssl / private / www_example_com . key ; ssl_dhparam / etc / ssl / certs / dhparam . pem ; ssl_session_cache shared : SSL : 10m ; ssl_session _timeout 10m ; ssl_protocols TLSv1 TLSv1 . 1 TLSv1 . 2 ; ssl_stapling on ; ssl _ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" ; ssl_prefer_server_ciphers on ; add_header Strict - Transport - Security "max-age=63072000; includeSubdomains; preload" ; location / { # pass } } |
更新:
请移步Mozilla SSL配置生成器
《crazyssl限时活动: 免费1年期 通配符SSL TrustOcean Wildcard SSL 证书》留言数:0