下载源码
cd /tmp
wget https://openresty.org/download/openresty-1.11.2.1.tar.gz
tar xf openresty-1.11.2.1.tar.gz
wget https://www.openssl.org/source/openssl-1.0.2j.tar.gz
tar xf openssl-1.0.2j.tar.gz
wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.39.tar.bz2
tar xf pcre-8.39.tar.bz2
开始编译
cd /tmp/openresty-1.11.2.1
./configure --prefix=/opt/openresty --with-http_v2_module --with-http_stub_status_module --with-http_realip_module --with-http_ssl_module --with-openssl=/tmp/openssl-1.0.2j --with-pcre=/tmp/pcre-8.39
make
make install
nginx.conf片段
listen 80; # 80端口也一起监听
listen 443 ssl http2; # 启用http2
ssl_certificate /opt/ssl_keys/getssl_server.crt;
ssl_certificate_key /opt/ssl_keys/getssl_server.key;
server_name nutz.cn www.nutz.cn;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 SSLv3;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_dhparam /opt/ssl_keys/dhparam.pem;
关键的是ssl_ciphers和ssl_protocols, 因为需要兼容Chrome/Firefox/IE8/QQ内置浏览器,必须折中