Let's get started:
1. Install nginx - yum install nginx
2. Install acme.sh - curl https://get.acme.sh | sh
3. Create an alias - alias acme.sh=~/.acme.sh/acme.sh
4. Issue the certificate - acme.sh --issue -d mydomain.com -d www.mydomain.com --webroot /home/wwwroot/mydomain.com/
5. Install the certificate (the certificate just issued is only kept internally by acme.sh, so we need to copy it into the production directory) -
    acme.sh --installcert -d mydomain.com \
        --key-file /etc/nginx/ssl/mydomain.key \
        --fullchain-file /etc/nginx/ssl/mydomain.cer \
        --reloadcmd "service nginx force-reload"
6. Enable acme.sh auto-upgrade - acme.sh --upgrade --auto-upgrade
---------- acme.sh part done; now on to the nginx configuration -----------
1. Run openssl dhparam -outform pem -out /etc/nginx/ssl/dhparam2048.pem 2048
2. Redirect requests on port 80 to port 443
    server {
        listen 80;
        server_name lovelywindy.club;
        return 301 https://$server_name$request_uri;
    }
3. Configure 443
    server {
        listen 443 ssl http2;
        server_name lovelywindy.club;
        ssl_certificate /etc/nginx/ssl/lovelywindy.club.cer;
        ssl_certificate_key /etc/nginx/ssl/lovelywindy.club.key;
        add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
        ssl_dhparam /etc/nginx/ssl/dhparam2048.pem;
        # TLSv1 and TLSv1.1 have since been deprecated (RFC 8996)
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        keepalive_timeout 70;
        ssl_buffer_size 1400;
        root /usr/share/nginx/html;
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
        location / {
        }
        error_page 404 /404.html;
        location = /40x.html {
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
4. Restart nginx - systemctl restart nginx
Done. This configuration passes the check and reaches A+.
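As an added example (not part of the original post), a small Python audit that reads the 443 server block above and flags what a current TLS scanner would: deprecated protocol versions, missing certificate directives and a missing or short HSTS header, and shows the hardened ssl_protocols line beside the original. The sample config is constructed from this post's block; the RFC numbers are the protocol deprecation RFCs.

```python
import re

# Constructed sample: the 443 server block from this post, trimmed to its TLS directives.
SAMPLE_CONF = """
server {
    listen 443 ssl http2;
    server_name lovelywindy.club;
    ssl_certificate /etc/nginx/ssl/lovelywindy.club.cer;
    ssl_certificate_key /etc/nginx/ssl/lovelywindy.club.key;
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhparam2048.pem;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
}
"""

# Versions deprecated by RFC 6176 (SSLv2), RFC 7568 (SSLv3) and RFC 8996 (TLS 1.0 and 1.1).
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# One `name value;` directive per line; quoted values may contain ';' (as the HSTS header does).
DIRECTIVE = re.compile(r"""^\s*([a-z_]+)\s+((?:'[^']*'|"[^"]*"|[^;'"])*);""", re.M)


def directives(conf):
    """Map directive name -> list of its values, in order of appearance."""
    found = {}
    for name, value in DIRECTIVE.findall(conf):
        found.setdefault(name, []).append(value.strip())
    return found


def audit_tls(conf):
    """Return the list of weaknesses found in one nginx server block ([] means clean)."""
    d = directives(conf)
    findings = []
    protocols = set(" ".join(d.get("ssl_protocols", [])).split())
    weak = sorted(protocols & DEPRECATED)
    if weak:
        findings.append("deprecated protocol versions enabled: " + ", ".join(weak))
    if not protocols & {"TLSv1.2", "TLSv1.3"}:
        findings.append("ssl_protocols does not enable TLS 1.2 or 1.3")
    for key in ("ssl_certificate", "ssl_certificate_key"):
        if key not in d:
            findings.append("missing " + key)
    hsts = [v for v in d.get("add_header", []) if v.startswith("Strict-Transport-Security")]
    age = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if not age:
        findings.append("missing Strict-Transport-Security header")
    elif int(age.group(1)) < 31536000:
        findings.append("HSTS max-age below one year (preload requires >= 31536000)")
    return findings


def harden_protocols(conf):
    """Rewrite ssl_protocols so only TLS 1.2 and 1.3 remain; other directives are untouched."""
    return re.sub(r"^(\s*ssl_protocols\s+)[^;]*;", r"\1TLSv1.2 TLSv1.3;", conf, flags=re.M)
```

Running audit_tls on the post's block reports only the TLSv1/TLSv1.1 finding; after harden_protocols it reports nothing.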