@@ -11,10 +11,12 @@ EPEL 源中版本过旧,使用 Nginx 官方源
11
11
```
12
12
sudo tee /etc/yum.repos.d/nginx.repo <<-'EOF'
13
13
[nginx]
14
- name=nginx repo
15
- baseurl=http ://nginx.org/packages/centos/7 /$basearch/
16
- gpgcheck=0
14
+ name=nginx stable repo
15
+ baseurl=https ://nginx.org/packages/centos/$releasever /$basearch/
16
+ gpgcheck=1
17
17
enabled=1
18
+ gpgkey=https://nginx.org/keys/nginx_signing.key
19
+ module_hotfixes=true
18
20
EOF
19
21
20
22
sudo yum makecache
@@ -119,16 +121,17 @@ sudo tee /etc/nginx/includes/https.conf <<-'EOF'
119
121
#ssl_trusted_certificate /path/to/chain.pem;
120
122
121
123
ssl_session_timeout 1d;
122
- ssl_session_cache shared:SSL:50m;
124
+ ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
123
125
ssl_session_tickets off;
124
126
125
127
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
126
128
ssl_dhparam /etc/ssl/dhparam.pem;
127
129
128
- # modern configuration. tweak to your needs.
129
- ssl_protocols TLSv1.2;
130
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
131
- ssl_prefer_server_ciphers on;
130
+ # intermediate configuration
131
+ ssl_protocols TLSv1.2 TLSv1.3;
132
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
133
+ ssl_prefer_server_ciphers off;
134
+
132
135
133
136
# OCSP Stapling ---
134
137
# fetch OCSP records from URL in ssl_certificate and cache them
@@ -145,8 +148,7 @@ sudo tee /etc/nginx/includes/https-hsts.conf <<-'EOF'
145
148
include /etc/nginx/includes/https.conf;
146
149
147
150
# HSTS
148
- # 15768000 seconds = 6 months
149
- add_header Strict-Transport-Security max-age=15768000;
151
+ add_header Strict-Transport-Security "max-age=63072000" always;
150
152
EOF
151
153
```
152
154
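Review bot: The new `ssl_ciphers` line adds `DHE-RSA-AES128-GCM-SHA256` and `DHE-RSA-AES256-GCM-SHA384`, which makes the context line `ssl_dhparam /etc/ssl/dhparam.pem;` security-relevant for the first time: with the old ECDHE-only list no offered suite used that file, whereas now every DHE handshake is only as strong as the group it holds, and nothing in the hunk says how the file is generated or sized. The comment above it still reads "recommended 2048 bits"; I would change it to `# DHE-RSA suites are enabled below: dhparam.pem must hold a group of at least 2048 bits (the Mozilla intermediate profile uses the RFC 7919 ffdhe2048 group rather than a locally generated one)` so a reader does not reuse a smaller or ad-hoc parameter file. The `ssl_prefer_server_ciphers off;` change and the TLSv1.3 addition are consistent with that profile, so no objection there. The heredoc that writes https.conf continues past the end of this hunk.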