carlcarl · December 21, 2015 03:34
diff --git a/gistfile1.txt b/gistfile1.txt
 Nginx使用者請看這

 由於Let's Encrypt的安裝程式目前還沒有提供nginx模組（其實有在開發，只是還在測試階段），我們依舊可以透過安裝程式自動取得certification後，手動更新nginx的設定黨即可。

 首先，我們先取得免費的憑證：

 # 如果nginx正在執行中，請先把它關閉
 $ sudo -s
 $ service nginx stop
 $ ./letsencrypt-auto certonly --email 你的email@你的email.net -d freessl.csie.io
 第一次執行letsencrypt-auto會花點時間，請耐心等候安裝畫面出現。
 首先會出現一個我們通常不會讀，直接按Agree的ToS，這次當然也不意外，直接按Agree
 let's encrypt ToS

 如果你的申請的domain name有成功的指向這台機器，那恭喜你已經成功取得憑證。
 所有相關的憑證會放在 /etc/letsencrypt/live/你的domain (eg: /etc/letsencrypt/live/freessl.csie.io)
 let's encrypt done

 為了避免Logjam Attack，我們自行產生強度更強的2048 bits Diffie-Hellman parameter（這一步驟可能得花個幾分鐘，請耐心等候）:

 $ sudo openssl dhparam -out /etc/nginx/dhparam.pem 2048
 接下來編輯你的nginx設定檔：

 $ vim /etc/nginx/sites-enabled/default
 以下是建議的設定範本：

 server {
    listen 443 ssl;

    ssl_certificate         /etc/letsencrypt/live/你的domain/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/你的domain/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/你的domain/fullchain.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    # Generate with:
    #   openssl dhparam -out /etc/nginx/dhparam.pem 2048
    ssl_dhparam /etc/nginx/dhparam.pem;

    # What Mozilla calls "Intermediate configuration"
    # Copied from https://mozilla.github.io/server-side-tls/ssl-config-generator/
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    # add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
 }
 如果您想要啟用HSTS請將add_header那行註解拿掉即可。設定完成後，請將nginx重新啟動：

 $ service nginx start
	Nginx使用者請看這

	由於Let's Encrypt的安裝程式目前還沒有提供nginx模組（其實有在開發，只是還在測試階段），我們依舊可以透過安裝程式自動取得certification後，手動更新nginx的設定黨即可。

	首先，我們先取得免費的憑證：

	# 如果nginx正在執行中，請先把它關閉
	$ sudo -s
	$ service nginx stop
	$ ./letsencrypt-auto certonly --email 你的email@你的email.net -d freessl.csie.io
	第一次執行letsencrypt-auto會花點時間，請耐心等候安裝畫面出現。
	首先會出現一個我們通常不會讀，直接按Agree的ToS，這次當然也不意外，直接按Agree
	let's encrypt ToS

	如果你的申請的domain name有成功的指向這台機器，那恭喜你已經成功取得憑證。
	所有相關的憑證會放在 /etc/letsencrypt/live/你的domain (eg: /etc/letsencrypt/live/freessl.csie.io)
	let's encrypt done

	為了避免Logjam Attack，我們自行產生強度更強的2048 bits Diffie-Hellman parameter（這一步驟可能得花個幾分鐘，請耐心等候）:

	$ sudo openssl dhparam -out /etc/nginx/dhparam.pem 2048
	接下來編輯你的nginx設定檔：

	$ vim /etc/nginx/sites-enabled/default
	以下是建議的設定範本：

	server {
	listen 443 ssl;

	ssl_certificate /etc/letsencrypt/live/你的domain/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/你的domain/privkey.pem;
	ssl_trusted_certificate /etc/letsencrypt/live/你的domain/fullchain.pem;
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m;

	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
	# Generate with:
	# openssl dhparam -out /etc/nginx/dhparam.pem 2048
	ssl_dhparam /etc/nginx/dhparam.pem;

	# What Mozilla calls "Intermediate configuration"
	# Copied from https://mozilla.github.io/server-side-tls/ssl-config-generator/
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;

	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
	# add_header Strict-Transport-Security max-age=15768000;

	# OCSP Stapling
	# fetch OCSP records from URL in ssl_certificate and cache them
	ssl_stapling on;
	ssl_stapling_verify on;
	}
	如果您想要啟用HSTS請將add_header那行註解拿掉即可。設定完成後，請將nginx重新啟動：

	$ service nginx start