These steps were performed on Debian 9.

Upgrading nginx

1. Remove leftover old versions

    # Existing configuration files are not deleted
    sudo apt-get remove nginx nginx-common nginx-full

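2. Install the nginx PGP signing key

    # Fetch the key over HTTPS: it is the trust anchor for every package installed from this repository
    wget https://nginx.org/keys/nginx_signing.key
    sudo apt-key add nginx_signing.key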

3. Modify the apt sources

Change into the apt configuration directory:

    cd /etc/apt/
    ls -l

Edit the apt source list file shown in the listing; on your system it may be sources.list.

Append the following to the end of the file.
codename is the release codename of your distribution; look it up at: https://nginx.org/en/linux_packages.html#distributions

    deb http://nginx.org/packages/mainline/debian/ [codename] nginx
    deb-src http://nginx.org/packages/mainline/debian/ [codename] nginx
    # Mine:
    deb http://nginx.org/packages/mainline/debian/ stretch nginx
    deb-src http://nginx.org/packages/mainline/debian/ stretch nginx

4. Update the package index and install nginx

    sudo apt update -y
    sudo apt install nginx -y

5. Check the nginx version

    nginx -v

Enabling TLSv1.3

Append the following inside the server block of the configuration file. The TLSv1.3 parameter only takes effect when nginx is built with OpenSSL 1.1.1 or later; the "built with OpenSSL" line of nginx -V shows which version is in use.

    # These few directives are enough for a basic setup
    # TLSv1 is dropped, so IE8 is no longer supported
    # TLS versions
    ssl_protocols TLSv1.2 TLSv1.3;
    # Cipher suites
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;
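
An added example, not part of the original page: a Python audit of the ssl_protocols and ssl_ciphers values above. It sorts every cipher token, by its OpenSSL name alone, into risk buckets and lists the ECDHE/DHE suites with AEAD encryption that remain. The directive() and audit() helpers and the bucket names are this example's own, and aliases such as AES or CAMELLIA are reported but not expanded.

```python
import re

# The three directives from the server block above, copied verbatim.
CONF = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")  # no marker: CBC or older mode


def directive(conf, name):
    """Return the argument string of a one-line nginx directive, or ''."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s+([^;]+);", conf, re.M)
    return m.group(1).strip() if m else ""


def audit(conf):
    """Sort ssl_protocols values and ssl_ciphers tokens into risk buckets."""
    report = {k: [] for k in ("excluded", "aliases", "no_forward_secrecy",
                              "non_aead", "triple_des", "dss_auth", "modern")}
    report["legacy_protocols"] = [
        p for p in directive(conf, "ssl_protocols").split()
        if p in LEGACY_PROTOCOLS]
    for tok in filter(None, directive(conf, "ssl_ciphers").split(":")):
        if tok.startswith("!"):
            report["excluded"].append(tok[1:])
            continue
        if "+" in tok or "-" not in tok:
            report["aliases"].append(tok)  # keyword expanding to many suites
            continue
        fs = tok.startswith(("ECDHE-", "DHE-"))  # ephemeral key exchange
        aead = any(marker in tok for marker in AEAD_MARKERS)
        dss = "-DSS-" in tok
        checks = {"no_forward_secrecy": not fs, "non_aead": not aead,
                  "triple_des": "DES-CBC3" in tok, "dss_auth": dss,
                  "modern": fs and aead and not dss}
        for bucket, hit in checks.items():
            if hit:
                report[bucket].append(tok)
    return report


if __name__ == "__main__":
    for bucket, items in audit(CONF).items():
        print(f"{bucket:20} {len(items):2}  {':'.join(items)}")
```

Joining the modern bucket with ":" gives a tighter ssl_ciphers value for TLSv1.2 clients. ssl_ciphers does not select the TLSv1.3 suites, which OpenSSL configures separately.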


Testing the certificate:
Test URL: https://www.ssllabs.com/ssltest/analyze.html
