
Commit f48d80c

committed
Update Nginx
1 parent c577203 commit f48d80c


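--- a/base/nginx.md
+++ b/base/nginx.md
@@ -11,10 +11,12 @@ EPEL 源中版本过旧,使用 Nginx 官方源
 ```
 sudo tee /etc/yum.repos.d/nginx.repo <<-'EOF'
 [nginx]
-name=nginx repo
-baseurl=http://nginx.org/packages/centos/7/$basearch/
-gpgcheck=0
+name=nginx stable repo
+baseurl=https://nginx.org/packages/centos/$releasever/$basearch/
+gpgcheck=1
 enabled=1
+gpgkey=https://nginx.org/keys/nginx_signing.key
+module_hotfixes=true
 EOF
 
 sudo yum makecache
@@ -119,16 +121,17 @@ sudo tee /etc/nginx/includes/https.conf <<-'EOF'
 #ssl_trusted_certificate /path/to/chain.pem;
 
 ssl_session_timeout 1d;
-ssl_session_cache shared:SSL:50m;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
 ssl_session_tickets off;
 
 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
 ssl_dhparam /etc/ssl/dhparam.pem;
 
-# modern configuration. tweak to your needs.
-ssl_protocols TLSv1.2;
-ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-ssl_prefer_server_ciphers on;
+# intermediate configuration
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
 
 # OCSP Stapling ---
 # fetch OCSP records from URL in ssl_certificate and cache them
@@ -145,8 +148,7 @@ sudo tee /etc/nginx/includes/https-hsts.conf <<-'EOF'
 include /etc/nginx/includes/https.conf;
 
 # HSTS
-# 15768000 seconds = 6 months
-add_header Strict-Transport-Security max-age=15768000;
+add_header Strict-Transport-Security "max-age=63072000" always;
 EOF
 ```
 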
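Review bot: The new `ssl_protocols TLSv1.2 TLSv1.3;` line in the second hunk only yields TLS 1.3 when the nginx binary is linked against an OpenSSL that supports it (1.1.1 or later); the repo in the first hunk now resolves `centos/$releasever`, and on CentOS 7 the system OpenSSL is presumably 1.0.2, so TLS 1.3 would be silently absent there — worth a sentence in the document telling the reader to confirm with `nginx -V` before relying on it. The `# intermediate configuration` comment should name its origin so the cipher list can be re-checked later, e.g. `# Mozilla SSL Configuration Generator, intermediate profile (record generator version/date here)`. In the third hunk the removed `# 15768000 seconds = 6 months` explanation was not replaced; `# 63072000 seconds = 2 years` before the new `add_header` line keeps the value readable.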
