Upgrading Nginx to the Latest Version and Enabling TLSv1.3


These steps are based on Debian 9.

Upgrading nginx

1. Remove the remaining old version

# The existing configuration is not deleted
sudo apt-get remove nginx nginx-common nginx-full

2. Install the nginx PGP signing key

# Fetch the key over HTTPS so it cannot be altered in transit
wget https://nginx.org/keys/nginx_signing.key
sudo apt-key add nginx_signing.key

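3. Modify the apt sources

Change into the apt sources directory:

cd /etc/apt/
ls -l

Edit this file; it may also be sources.list.

Append the following to the end of the file. codename is the release codename; look it up at: nginx.org/en/linux_pa…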

deb http://nginx.org/packages/mainline/debian/ [codename] nginx
deb-src http://nginx.org/packages/mainline/debian/ [codename] nginx

# Mine:
deb http://nginx.org/packages/mainline/debian/ stretch nginx
deb-src http://nginx.org/packages/mainline/debian/ stretch nginx

4. Update the package sources and install nginx

apt update -y
apt install nginx -y

5. Check the nginx version

nginx -v

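Enabling TLSv1.3

Append the following inside the server block of the configuration file. TLSv1.3 only takes effect when nginx is built with OpenSSL 1.1.1 or later; `nginx -V` shows the OpenSSL version it was built with.

# These few directives are enough for a basic setup
# TLSv1 is dropped, so IE8 is no longer supported
# TLS versions
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites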
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
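
The following shell script is an added example, not part of the original post: it splits the ssl_ciphers value above into its entries and labels each one, so the legacy fallbacks in the list (CBC suites, static RSA key exchange, 3DES, broad group keywords) stand out. The function names and labels are assumptions made for this example, and the classification covers only the OpenSSL name forms that occur in this list.

```shell
#!/bin/sh
# Added example: label each entry of an nginx ssl_ciphers value.
# Function names and labels are made up for this illustration.

# The ssl_ciphers value from the configuration above.
PAGE_CIPHERS='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'

# classify_cipher TOKEN: print one label, based on OpenSSL cipher-name conventions.
classify_cipher() {
    case "$1" in
        '!'*)                        echo exclusion ;;   # permanently removed, e.g. !RC4
        *DES-CBC3*|*3DES*)           echo weak-3des ;;   # 64-bit block cipher
        *RC4*|*MD5*|*NULL*|*EXPORT*) echo weak-broken ;;
        ECDHE-*|DHE-*|kEDH*|kEECDH*)                     # ephemeral key exchange
            case "$1" in
                *GCM*|*CHACHA20*)    echo fs-aead ;;
                *)                   echo fs-cbc ;;
            esac ;;
        *-*)                         echo static-rsa ;;  # on this list: RSA key exchange, no forward secrecy
        *)                           echo alias ;;       # group keyword such as AES
    esac
}

# audit_ciphers STRING: print "token label" for every colon-separated entry.
audit_ciphers() {
    (
        IFS=:
        set -f    # no filename expansion while splitting
        for tok in $1; do
            printf '%s %s\n' "$tok" "$(classify_cipher "$tok")"
        done
    )
}

# count_label STRING LABEL: number of entries carrying LABEL.
count_label() {
    audit_ciphers "$1" | awk -v want="$2" '$2 == want { n++ } END { print n + 0 }'
}

# needs_review STRING: entries that are neither exclusions nor forward-secret AEAD.
needs_review() {
    audit_ciphers "$1" | awk '$2 != "exclusion" && $2 != "fs-aead"'
}

needs_review "$PAGE_CIPHERS"
```

ssl_ciphers governs only TLSv1.2 and earlier; the TLSv1.3 suites are configured separately in OpenSSL, so this list does not change what is negotiated over TLSv1.3.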

Certificate check: test your site at www.ssllabs.com/ssltest/ana…
