These steps are based on Debian 9.
Upgrading nginx
1. Remove any leftover old version
# Existing configuration files are not deleted
sudo apt-get remove nginx nginx-common nginx-full
2. Install the nginx PGP signing key
# Fetch the key over HTTPS so it cannot be altered in transit
wget https://nginx.org/keys/nginx_signing.key
sudo apt-key add nginx_signing.key
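3. Edit the apt sources
cd into the apt sources directory
cd /etc/apt/
ls -l
Edit this file; it may also be sources.list
Append the following to the end of the file:
codename is the release codename; look it up at: https://nginx.org/en/linux_packages.html#distributions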
deb http://nginx.org/packages/mainline/debian/ [codename] nginx
deb-src http://nginx.org/packages/mainline/debian/ [codename] nginx
# Mine:
deb http://nginx.org/packages/mainline/debian/ stretch nginx
deb-src http://nginx.org/packages/mainline/debian/ stretch nginx
4. Update the package index and install nginx
apt update -y
apt install nginx -y
5. Check the nginx version
nginx -v
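Enabling TLSv1.3
Append the following inside the server block of the configuration file:
# These few directives are enough for a basic setup
# Drop TLSv1; IE8 is no longer supported
# TLS versions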
ssl_protocols TLSv1.2 TLSv1.3;
# Cipher suites
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
Certificate check:
Test URL: https://www.ssllabs.com/ssltest/analyze.html
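A local check to run before the external scan, as an added example that is not part of the original page: it reads the OpenSSL version from `nginx -V`, since the nginx documentation states that the TLSv1.3 parameter only works with OpenSSL 1.1.1 or newer, and lists any `ssl_protocols` directive that omits TLSv1.3. The function names and the two sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): decide from `nginx -V` output
# whether this nginx build can negotiate TLSv1.3.

MIN_OPENSSL="1.1.1"  # per nginx docs, TLSv1.3 needs OpenSSL 1.1.1 or newer

# Constructed sample outputs (not captured from a real host).
SAMPLE_OLD='nginx version: nginx/1.17.3
built with OpenSSL 1.1.0k  28 May 2019 (running with OpenSSL 1.1.0l  10 Sep 2019)
TLS SNI support enabled'
SAMPLE_NEW='nginx version: nginx/1.17.3
built with OpenSSL 1.1.1d  10 Sep 2019
TLS SNI support enabled'

# Print each OpenSSL version on the "built with OpenSSL" line: the build-time
# one, plus the run-time one when nginx reports that it differs.
openssl_versions() {
    printf '%s\n' "$1" | grep '^built with OpenSSL' \
        | grep -o 'OpenSSL [0-9][0-9.]*' | awk '{print $2}'
}

# version_ge A B: succeed when dotted version A >= B (uses sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# tls13_capable TEXT: 0 = capable, 1 = OpenSSL too old, 2 = no version found.
tls13_capable() {
    versions=$(openssl_versions "$1")
    [ -n "$versions" ] || return 2
    for v in $versions; do
        version_ge "$v" "$MIN_OPENSSL" || return 1
    done
    return 0
}

# Print ssl_protocols directives (from `nginx -T` text) that omit TLSv1.3.
protocols_without_tls13() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' \
        | grep -v 'TLSv1\.3' || true
}

# On a host with nginx installed, check the real binary (-V writes to stderr).
if command -v nginx >/dev/null 2>&1; then
    if tls13_capable "$(nginx -V 2>&1)"; then
        echo "OpenSSL >= $MIN_OPENSSL: TLSv1.3 can be negotiated"
    else
        echo "OpenSSL too old or not reported: TLSv1.3 cannot be negotiated"
    fi
fi
```

To audit the live configuration as well, pass the output of `sudo nginx -T` to `protocols_without_tls13`.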