ssl_session_tickets       on;
ssl_session_ticket_key  ~/ssl_session_ticket.key;
ssl_session_cache       shared:SSL:10m;
ssl_session_timeout     10m;

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate   ~/ocsp.cer;
resolver 208.67.222.222 valid=300s;
resolver_timeout 5s;

ssl_session_tickets       on;
ssl_session_ticket_key  ~/ssl_session_ticket.key;
ssl_session_cache       shared:SSL:10m;
ssl_session_timeout     10m;

ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate   ~/ocsp.cer;
resolver 208.67.222.222 valid=300s;
resolver_timeout 5s;

TLS 会话恢复的目的是简化 TLS 握手，它包含两种方案：Session Cache 和 Session Ticket，这俩都是将之前握手的 Session 存起来，供后续连接使用。

所不同的是，Session Cache 将缓存丢在服务端，占用服务端资源；而 Session Ticket 丢在客户端，不占用服务端资源，而是对客户端提出缓存要求，这对客户端浏览器的兼容性提出了要求。目前主流浏览器普遍支持 Session Cache，而 Session Ticket 的支持度较一般。

在以上配置中，出现了一个 ssl_session_ticket.key，这个文件是用于让多台机器使用相同的 key 文件，否则 Nginx 会使用随机生成的 key 文件，无法复用 Session Ticket，降低性能。对于单服务器站点，此文件无需配置。可执行以下指令生成该文件：

openssl rand 48 > ssl_session_ticket.key

ssl_stapling_file

https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling_file

Syntax:     ssl_stapling_file file;
Default:     —
Context:     http, server

Syntax:     ssl_stapling_file file;
Default:     —
Context:     http, server

生成ocsp 文件

openssl ocsp -no_nonce \
    -issuer  intermediate.pem \
    -cert    website.pem \
    -CAfile  bundle.pem \
    -VAfile  bundle.pem \
    -url     http://ocsp.int-x3.letsencrypt.org \
    -respout stapled.der

openssl ocsp -no_nonce \
    -issuer  intermediate.pem \
    -cert    website.pem \
    -CAfile  bundle.pem \
    -VAfile  bundle.pem \
    -url     http://ocsp.int-x3.letsencrypt.org \
    -respout stapled.der

配置

ssl_stapling on;
ssl_stapling_file .../stapled.der;

ssl_stapling on;
ssl_stapling_file .../stapled.der;

stapled.der 这个文件有限期为7天

curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem

ssl_dhparam /path/to/dhparam.pem;

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;

#verify chain of trust of OCSP response using Root CA and Intermediate certs ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

# replace with the IP address of your resolver
resolver 127.0.0.1;

crt to pem

openssl x509 -in www.xx.com.crt -out www.xx.com.pem

获取中间件证书

openssl s_client -connect xx.com:443 -showcerts < /dev/null 2>&1

CONNECTED(00000004)
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.bitcoinwin.io
verify return:1
---
Certificate chain
 0 s:OU = Domain Control Validated, CN = *.bitcoinwin.io
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
MIIGOjCCBSKgAwIBAgIIHTBwaOYexGowDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz
LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjAwMTA4MDg1NjE1WhcN
MjEwMjE4MDQxNjE3WjA9MSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0
ZWQxGDAWBgNVBAMMDyouYml0Y29pbndpbi5pbzCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAMEgX8NDssfFEwo3iA1fRNij9ZIRMS9EEtex5vrcwonVGf4F
NwaXrtC94zt0RA7tjuV3Olb/Oi/u29G3+9rnYM1WCI9m8c+7dBQzdqQeR6RkUnjQ
ug047qnQn7mYoiuA6azcw2vgAXX1mDBH+rYyn29UWmYioPrS7CIEBuxZbRZK3ndR
SfRs8pIi6ZdxYw08rIche/Ht9x3LRWvvT8exrAW7LnztHI3YmYz4pMTsGEs/UhEw
REGmwx6DWxawa/CgurKupZu6P9sEvVlugrpkM2AUITyy8eU9UYBXjLHfJIJENVb9
6fbTdCS8udttGq2IUBDe0ja6X+/nQDbwQJbY/dUCAwEAAaOCAsQwggLAMAwGA1Ud
EwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB
/wQEAwIFoDA4BgNVHR8EMTAvMC2gK6AphidodHRwOi8vY3JsLmdvZGFkZHkuY29t
L2dkaWcyczEtMTYyOS5jcmwwXQYDVR0gBFYwVDBIBgtghkgBhv1tAQcXATA5MDcG
CCsGAQUFBwIBFitodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9z
aXRvcnkvMAgGBmeBDAECATB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0
dHA6Ly9vY3NwLmdvZGFkZHkuY29tLzBABggrBgEFBQcwAoY0aHR0cDovL2NlcnRp
ZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5L2dkaWcyLmNydDAfBgNVHSME
GDAWgBRAwr0njsw0gzCiM9f7bLPwtCyAzjApBgNVHREEIjAggg8qLmJpdGNvaW53
aW4uaW+CDWJpdGNvaW53aW4uaW8wHQYDVR0OBBYEFB0DZn+RDJqm+HakmikSsc4b
bA1jMIIBAwYKKwYBBAHWeQIEAgSB9ASB8QDvAHUApLkJkLQYWBSHuxOizGdwCjw1
mAT5G9+443fNDsgN3BAAAAFvhF5jdwAABAMARjBEAiBt4gu5ciVvYdTHVgpAmBMc
BEeb+qJc239BMD903MTMOgIgAc+35MY/9iDDPksQfb2rHoHQ3AM/ffL+vCVcEVN9
+qEAdgBElGUusO7Or8RAB9io/ijA2uaCvtjLMbU/0zOWtbaBqAAAAW+EXmSWAAAE
AwBHMEUCIHDyY9iPaImQ1ZBdc3dMhlKi1V8jSGPjdgdkwkL6Uw8xAiEAnJTJE5wU
Vi3vElEo0W1/9iopV38Bh8Sz/PUA7WKV5YkwDQYJKoZIhvcNAQELBQADggEBAGDq
0l3U1o0+QDVQnYGsY06ERTn095wnbaBCyGc/rfxJlrtixCBOMpzkL5Q6L2SkQOTj
9MUtqXHEh5rfpXwtY6J14ghZP/c/HWuBfkFR8Ba0AKf2obsICzJA6StI44VEv0XZ
JxP94B3HlfDTR1lcHS5VW88CqqEW13gtU6tF/RYmbO4uw6554pQyVllJw2EhYyNH
vRVi3RcmE+GKmG4ZJI98y5AeE8aOM7qIPc6RXRKM7JrlYRg43BeJXbrqaknq2tWN
euPrXC7/4KL/e9QAijdCA2qUkDWALJGkPrUUzIIAAgGaG1vYw37Y/Uk7XhJzMQ2U
oXEVzD9zAmOYdO2+i40=
-----END CERTIFICATE-----
 1 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
-----BEGIN CERTIFICATE-----
MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3
MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE
CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD
EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD
BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv
K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e
cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY
pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n
eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB
AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv
9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n
b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11
GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x
LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
-----END CERTIFICATE-----
 2 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
   i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
MIIEfTCCA2WgAwIBAgIDG+cVMA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNVBAYTAlVT
MSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIEluYy4xMTAvBgNVBAsTKEdv
IERhZGR5IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMTAx
MDcwMDAwWhcNMzEwNTMwMDcwMDAwWjCBgzELMAkGA1UEBhMCVVMxEDAOBgNVBAgT
B0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHku
Y29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRpZmljYXRlIEF1
dGhvcml0eSAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv3Fi
CPH6WTT3G8kYo/eASVjpIoMTpsUgQwE7hPHmhUmfJ+r2hBtOoLTbcJjHMgGxBT4H
Tu70+k8vWTAi56sZVmvigAf88xZ1gDlRe+X5NbZ0TqmNghPktj+pA4P6or6KFWp/
3gvDthkUBcrqw6gElDtGfDIN8wBmIsiNaW02jBEYt9OyHGC0OPoCjM7T3UYH3go+
6118yHz7sCtTpJJiaVElBWEaRIGMLKlDliPfrDqBmg4pxRyp6V0etp6eMAo5zvGI
gPtLXcwy7IViQyU0AlYnAZG0O3AqP26x6JyIAX2f1PnbU21gnb8s51iruF9G/M7E
GwM8CetJMVxpRrPgRwIDAQABo4IBFzCCARMwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFDqahQcQZyi27/a9BUFuIMGU2g/eMB8GA1Ud
IwQYMBaAFNLEsNKR1EwRcbNhyz2h/t2oatTjMDQGCCsGAQUFBwEBBCgwJjAkBggr
BgEFBQcwAYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMDIGA1UdHwQrMCkwJ6Al
oCOGIWh0dHA6Ly9jcmwuZ29kYWRkeS5jb20vZ2Ryb290LmNybDBGBgNVHSAEPzA9
MDsGBFUdIAAwMzAxBggrBgEFBQcCARYlaHR0cHM6Ly9jZXJ0cy5nb2RhZGR5LmNv
bS9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAWQtTvZKGEacke+1bMc8d
H2xwxbhuvk679r6XUOEwf7ooXGKUwuN+M/f7QnaF25UcjCJYdQkMiGVnOQoWCcWg
OJekxSOTP7QYpgEGRJHjp2kntFolfzq3Ms3dhP8qOCkzpN1nsoX+oYggHFCJyNwq
9kIDN0zmiN/VryTyscPfzLXs4Jlet0lUIDyUGAzHHFIYSaRt4bNYC8nY7NmuHDKO
KHAN4v6mF56ED71XcLNa6R+ghlO773z/aQvgSMO3kwvIClTErF0UZzdsyqUvMQg3
qm5vjLyb4lddJIGvl5echK1srDdMZvNhkREg5L4wn3qkKQmw4TRfZHcYQFHfjDCm
rw==
-----END CERTIFICATE-----
 3 s:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
   i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE
YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3
MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo
ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg
MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA
PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w
wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi
EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY
avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+
YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE
sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h
/t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5
IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj
YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy
OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P
TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ
HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER
dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf
ReYNnyicsbkqWletNw+vHX/bvZ8=
-----END CERTIFICATE-----
---
Server certificate
subject=OU = Domain Control Validated, CN = *.bitcoinwin.io

issuer=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5693 bytes and written 410 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 959412EF2EE6AAA15C723B577AF63A36AC2761C600948FC048EEF38813875637
    Session-ID-ctx: 
    Master-Key: 66A51845AA2374CB7C565EE26F15D1B2DEFA1F4C36034F95331CC1E45C1B7D6BA48E45ACECDF7ED9AADC1CFE219D12F9
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - e2 bb 80 56 bb 80 7c 52-48 8d a0 fd d8 99 24 ce   ...V..|RH.....$.
    0010 - 80 0d 02 7a 81 d1 87 cc-8e a8 9a 6b a4 7f 75 db   ...z.......k..u.
    0020 - 8f cf e5 bb c2 11 24 82-f4 57 dc b6 18 6b 32 8c   ......$..W...k2.
    0030 - 53 6e 9c 1f 7c 89 0a f9-21 54 97 86 3f a2 38 02   Sn..|...!T..?.8.
    0040 - c1 b3 c1 31 2f d8 1c fb-96 dd 14 b3 f8 7b 6f a5   ...1/........{o.
    0050 - 9d 00 da d4 7c 40 2b 82-95 db 3c ec 33 80 74 25   ....|@+...<.3.t%
    0060 - da 76 93 af 95 c0 da f9-77 69 77 93 bf 18 8a 9e   .v......wiw.....
    0070 - 5e 79 23 9e 74 34 fb 80-de dd 20 d6 aa 40 eb 64   ^y#.t4.... ..@.d
    0080 - ca 4b fe 21 40 7f de f3-5c e6 7f d7 e7 7d 5d cc   .K.!@...\....}].
    0090 - e0 21 eb 8f 05 8c 25 56-59 b9 6c 8b 66 72 5f 3a   .!....%VY.l.fr_:
    00a0 - 69 c6 65 d1 bf b0 d2 dd-f3 f1 5a 2b c4 e1 d3 2a   i.e.......Z+...*
    00b0 - 15 e6 c9 9d 5d 82 b7 10-25 08 d4 8c 50 24 0d 3b   ....]...%...P$.;
    00c0 - 1c f1 0e 33 2e 54 dc c2-da 78 31 12 75 5d 04 2c   ...3.T...x1.u].,

    Start Time: 1579080694
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
DONE

openssl s_client -connect xx.com:443 -showcerts < /dev/null 2>&1

CONNECTED(00000004)
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.bitcoinwin.io
verify return:1
---
Certificate chain
 0 s:OU = Domain Control Validated, CN = *.bitcoinwin.io
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
MIIGOjCCBSKgAwIBAgIIHTBwaOYexGowDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz
LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMjAwMTA4MDg1NjE1WhcN
MjEwMjE4MDQxNjE3WjA9MSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0
ZWQxGDAWBgNVBAMMDyouYml0Y29pbndpbi5pbzCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAMEgX8NDssfFEwo3iA1fRNij9ZIRMS9EEtex5vrcwonVGf4F
NwaXrtC94zt0RA7tjuV3Olb/Oi/u29G3+9rnYM1WCI9m8c+7dBQzdqQeR6RkUnjQ
ug047qnQn7mYoiuA6azcw2vgAXX1mDBH+rYyn29UWmYioPrS7CIEBuxZbRZK3ndR
SfRs8pIi6ZdxYw08rIche/Ht9x3LRWvvT8exrAW7LnztHI3YmYz4pMTsGEs/UhEw
REGmwx6DWxawa/CgurKupZu6P9sEvVlugrpkM2AUITyy8eU9UYBXjLHfJIJENVb9
6fbTdCS8udttGq2IUBDe0ja6X+/nQDbwQJbY/dUCAwEAAaOCAsQwggLAMAwGA1Ud
EwEB/wQCMAAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB
/wQEAwIFoDA4BgNVHR8EMTAvMC2gK6AphidodHRwOi8vY3JsLmdvZGFkZHkuY29t
L2dkaWcyczEtMTYyOS5jcmwwXQYDVR0gBFYwVDBIBgtghkgBhv1tAQcXATA5MDcG
CCsGAQUFBwIBFitodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9z
aXRvcnkvMAgGBmeBDAECATB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0
dHA6Ly9vY3NwLmdvZGFkZHkuY29tLzBABggrBgEFBQcwAoY0aHR0cDovL2NlcnRp
ZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5L2dkaWcyLmNydDAfBgNVHSME
GDAWgBRAwr0njsw0gzCiM9f7bLPwtCyAzjApBgNVHREEIjAggg8qLmJpdGNvaW53
aW4uaW+CDWJpdGNvaW53aW4uaW8wHQYDVR0OBBYEFB0DZn+RDJqm+HakmikSsc4b
bA1jMIIBAwYKKwYBBAHWeQIEAgSB9ASB8QDvAHUApLkJkLQYWBSHuxOizGdwCjw1
mAT5G9+443fNDsgN3BAAAAFvhF5jdwAABAMARjBEAiBt4gu5ciVvYdTHVgpAmBMc
BEeb+qJc239BMD903MTMOgIgAc+35MY/9iDDPksQfb2rHoHQ3AM/ffL+vCVcEVN9
+qEAdgBElGUusO7Or8RAB9io/ijA2uaCvtjLMbU/0zOWtbaBqAAAAW+EXmSWAAAE
AwBHMEUCIHDyY9iPaImQ1ZBdc3dMhlKi1V8jSGPjdgdkwkL6Uw8xAiEAnJTJE5wU
Vi3vElEo0W1/9iopV38Bh8Sz/PUA7WKV5YkwDQYJKoZIhvcNAQELBQADggEBAGDq
0l3U1o0+QDVQnYGsY06ERTn095wnbaBCyGc/rfxJlrtixCBOMpzkL5Q6L2SkQOTj
9MUtqXHEh5rfpXwtY6J14ghZP/c/HWuBfkFR8Ba0AKf2obsICzJA6StI44VEv0XZ
JxP94B3HlfDTR1lcHS5VW88CqqEW13gtU6tF/RYmbO4uw6554pQyVllJw2EhYyNH
vRVi3RcmE+GKmG4ZJI98y5AeE8aOM7qIPc6RXRKM7JrlYRg43BeJXbrqaknq2tWN
euPrXC7/4KL/e9QAijdCA2qUkDWALJGkPrUUzIIAAgGaG1vYw37Y/Uk7XhJzMQ2U
oXEVzD9zAmOYdO2+i40=
-----END CERTIFICATE-----
 1 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
-----BEGIN CERTIFICATE-----
MIIE0DCCA7igAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCVVMx
EDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoT
EUdvRGFkZHkuY29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRp
ZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTExMDUwMzA3MDAwMFoXDTMxMDUwMzA3
MDAwMFowgbQxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQH
EwpTY290dHNkYWxlMRowGAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UE
CxMkaHR0cDovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQD
EypHbyBEYWRkeSBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC54MsQ1K92vdSTYuswZLiBCGzD
BNliF44v/z5lz4/OYuY8UhzaFkVLVat4a2ODYpDOD2lsmcgaFItMzEUz6ojcnqOv
K/6AYZ15V8TPLvQ/MDxdR/yaFrzDN5ZBUY4RS1T4KL7QjL7wMDge87Am+GZHY23e
cSZHjzhHU9FGHbTj3ADqRay9vHHZqm8A29vNMDp5T19MR/gd71vCxJ1gO7GyQ5HY
pDNO6rPWJ0+tJYqlxvTV0KaudAVkV4i1RFXULSo6Pvi4vekyCgKUZMQWOlDxSq7n
eTOvDCAHf+jfBDnCaQJsY1L6d8EbyHSHyLmTGFBUNUtpTrw700kuH9zB0lL7AgMB
AAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV
HQ4EFgQUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0jBBgwFoAUOpqFBxBnKLbv
9r0FQW4gwZTaD94wNAYIKwYBBQUHAQEEKDAmMCQGCCsGAQUFBzABhhhodHRwOi8v
b2NzcC5nb2RhZGR5LmNvbS8wNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2NybC5n
b2RhZGR5LmNvbS9nZHJvb3QtZzIuY3JsMEYGA1UdIAQ/MD0wOwYEVR0gADAzMDEG
CCsGAQUFBwIBFiVodHRwczovL2NlcnRzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkv
MA0GCSqGSIb3DQEBCwUAA4IBAQAIfmyTEMg4uJapkEv/oV9PBO9sPpyIBslQj6Zz
91cxG7685C/b+LrTW+C05+Z5Yg4MotdqY3MxtfWoSKQ7CC2iXZDXtHwlTxFWMMS2
RJ17LJ3lXubvDGGqv+QqG+6EnriDfcFDzkSnE3ANkR/0yBOtg2DZ2HKocyQetawi
DsoXiWJYRBuriSUBAA/NxBti21G00w9RKpv0vHP8ds42pM3Z2Czqrpv1KrKQ0U11
GIo/ikGQI31bS/6kA1ibRrLDYGCD+H1QQc7CoZDDu+8CL9IVVO5EFdkKrqeKM+2x
LXY2JtwE65/3YR8V3Idv7kaWKK2hJn0KCacuBKONvPi8BDAB
-----END CERTIFICATE-----
 2 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
   i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
MIIEfTCCA2WgAwIBAgIDG+cVMA0GCSqGSIb3DQEBCwUAMGMxCzAJBgNVBAYTAlVT
MSEwHwYDVQQKExhUaGUgR28gRGFkZHkgR3JvdXAsIEluYy4xMTAvBgNVBAsTKEdv
IERhZGR5IENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMTAx
MDcwMDAwWhcNMzEwNTMwMDcwMDAwWjCBgzELMAkGA1UEBhMCVVMxEDAOBgNVBAgT
B0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHku
Y29tLCBJbmMuMTEwLwYDVQQDEyhHbyBEYWRkeSBSb290IENlcnRpZmljYXRlIEF1
dGhvcml0eSAtIEcyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv3Fi
CPH6WTT3G8kYo/eASVjpIoMTpsUgQwE7hPHmhUmfJ+r2hBtOoLTbcJjHMgGxBT4H
Tu70+k8vWTAi56sZVmvigAf88xZ1gDlRe+X5NbZ0TqmNghPktj+pA4P6or6KFWp/
3gvDthkUBcrqw6gElDtGfDIN8wBmIsiNaW02jBEYt9OyHGC0OPoCjM7T3UYH3go+
6118yHz7sCtTpJJiaVElBWEaRIGMLKlDliPfrDqBmg4pxRyp6V0etp6eMAo5zvGI
gPtLXcwy7IViQyU0AlYnAZG0O3AqP26x6JyIAX2f1PnbU21gnb8s51iruF9G/M7E
GwM8CetJMVxpRrPgRwIDAQABo4IBFzCCARMwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFDqahQcQZyi27/a9BUFuIMGU2g/eMB8GA1Ud
IwQYMBaAFNLEsNKR1EwRcbNhyz2h/t2oatTjMDQGCCsGAQUFBwEBBCgwJjAkBggr
BgEFBQcwAYYYaHR0cDovL29jc3AuZ29kYWRkeS5jb20vMDIGA1UdHwQrMCkwJ6Al
oCOGIWh0dHA6Ly9jcmwuZ29kYWRkeS5jb20vZ2Ryb290LmNybDBGBgNVHSAEPzA9
MDsGBFUdIAAwMzAxBggrBgEFBQcCARYlaHR0cHM6Ly9jZXJ0cy5nb2RhZGR5LmNv
bS9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAWQtTvZKGEacke+1bMc8d
H2xwxbhuvk679r6XUOEwf7ooXGKUwuN+M/f7QnaF25UcjCJYdQkMiGVnOQoWCcWg
OJekxSOTP7QYpgEGRJHjp2kntFolfzq3Ms3dhP8qOCkzpN1nsoX+oYggHFCJyNwq
9kIDN0zmiN/VryTyscPfzLXs4Jlet0lUIDyUGAzHHFIYSaRt4bNYC8nY7NmuHDKO
KHAN4v6mF56ED71XcLNa6R+ghlO773z/aQvgSMO3kwvIClTErF0UZzdsyqUvMQg3
qm5vjLyb4lddJIGvl5echK1srDdMZvNhkREg5L4wn3qkKQmw4TRfZHcYQFHfjDCm
rw==
-----END CERTIFICATE-----
 3 s:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
   i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE
YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3
MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo
ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg
MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA
PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w
wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi
EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY
avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+
YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE
sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h
/t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5
IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj
YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy
OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P
TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ
HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER
dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf
ReYNnyicsbkqWletNw+vHX/bvZ8=
-----END CERTIFICATE-----
---
Server certificate
subject=OU = Domain Control Validated, CN = *.bitcoinwin.io

issuer=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5693 bytes and written 410 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 959412EF2EE6AAA15C723B577AF63A36AC2761C600948FC048EEF38813875637
    Session-ID-ctx: 
    Master-Key: 66A51845AA2374CB7C565EE26F15D1B2DEFA1F4C36034F95331CC1E45C1B7D6BA48E45ACECDF7ED9AADC1CFE219D12F9
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - e2 bb 80 56 bb 80 7c 52-48 8d a0 fd d8 99 24 ce   ...V..|RH.....$.
    0010 - 80 0d 02 7a 81 d1 87 cc-8e a8 9a 6b a4 7f 75 db   ...z.......k..u.
    0020 - 8f cf e5 bb c2 11 24 82-f4 57 dc b6 18 6b 32 8c   ......$..W...k2.
    0030 - 53 6e 9c 1f 7c 89 0a f9-21 54 97 86 3f a2 38 02   Sn..|...!T..?.8.
    0040 - c1 b3 c1 31 2f d8 1c fb-96 dd 14 b3 f8 7b 6f a5   ...1/........{o.
    0050 - 9d 00 da d4 7c 40 2b 82-95 db 3c ec 33 80 74 25   ....|@+...<.3.t%
    0060 - da 76 93 af 95 c0 da f9-77 69 77 93 bf 18 8a 9e   .v......wiw.....
    0070 - 5e 79 23 9e 74 34 fb 80-de dd 20 d6 aa 40 eb 64   ^y#.t4.... ..@.d
    0080 - ca 4b fe 21 40 7f de f3-5c e6 7f d7 e7 7d 5d cc   .K.!@...\....}].
    0090 - e0 21 eb 8f 05 8c 25 56-59 b9 6c 8b 66 72 5f 3a   .!....%VY.l.fr_:
    00a0 - 69 c6 65 d1 bf b0 d2 dd-f3 f1 5a 2b c4 e1 d3 2a   i.e.......Z+...*
    00b0 - 15 e6 c9 9d 5d 82 b7 10-25 08 d4 8c 50 24 0d 3b   ....]...%...P$.;
    00c0 - 1c f1 0e 33 2e 54 dc c2-da 78 31 12 75 5d 04 2c   ...3.T...x1.u].,

    Start Time: 1579080694
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
DONE

编号为 0 的证书是站点证书；

编号为 1 的证书是中间证书

我的证书链一共是三级，服务端只需要发送两个证书，对于四级证书链，服务端就需要发送三个证书了。总之，只有根证书无需发送

将站点证书保存为 site.pem；中间证书保存为 intermediate.pem（如果有多个中间证书，按照子证书在上的顺序保存）；再从系统中导出对应的根证书存为 root.pem。这样，证书链上的所有证书都搞定了。为了确保无误，建议再验证一下每个证书的 Common Name：

$ openssl x509 -in site.pem -noout -subject
subject= /CN=www.imququ.com

$ openssl x509 -in intermediate.pem -noout -subject
subject= /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G4

$ openssl x509 -in root.pem -noout -subject
subject= /C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3

$ openssl x509 -in site.pem -noout -subject
subject= /CN=www.imququ.com

$ openssl x509 -in intermediate.pem -noout -subject
subject= /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G4

$ openssl x509 -in root.pem -noout -subject
subject= /C=US/O=GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only/CN=GeoTrust Primary Certification Authority - G3

openssl x509 -in site.pem -noout -subject
openssl x509 -in intermediate.pem -noout -subject
openssl x509 -in site.pem -noout -ocsp_uri
openssl ocsp -issuer intermediate.pem -cert site.pem -no_nonce -text -url http://ocsp.godaddy.com

openssl x509 -in site.pem -noout -subject
openssl x509 -in intermediate.pem -noout -subject
openssl x509 -in site.pem -noout -ocsp_uri
openssl ocsp -issuer intermediate.pem -cert site.pem -no_nonce -text -url http://ocsp.godaddy.com

完整配置

     ssl_session_cache   shared:SSL:20m;
     ssl_session_timeout 4h;
     ssl_protocols TLSv1.2 TLSv1.3;

     ssl_prefer_server_ciphers on;  # prefer a list of ciphers to prevent old and slow ciphers
     ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';


    charset utf-8;
 	ssl_certificate /data/apps/nginx/ssl/domain.crt;
	ssl_certificate_key /data/apps/nginx/ssl/domain.key;

	# OCSP
    ssl_stapling on;
    ssl_stapling_verify on;
	ssl_stapling_file /data/apps/nginx/ssl/stapling_ocsp;
    ssl_trusted_certificate  /data/apps/nginx/ssl/domain.crt;

	resolver 8.8.8.8 valid=300s;
	resolver_timeout 2s;

        ssl_buffer_size 4k;

     ssl_session_cache   shared:SSL:20m;
     ssl_session_timeout 4h;
     ssl_protocols TLSv1.2 TLSv1.3;

     ssl_prefer_server_ciphers on;  # prefer a list of ciphers to prevent old and slow ciphers
     ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';


    charset utf-8;
 	ssl_certificate /data/apps/nginx/ssl/domain.crt;
	ssl_certificate_key /data/apps/nginx/ssl/domain.key;

	# OCSP
    ssl_stapling on;
    ssl_stapling_verify on;
	ssl_stapling_file /data/apps/nginx/ssl/stapling_ocsp;
    ssl_trusted_certificate  /data/apps/nginx/ssl/domain.crt;

	resolver 8.8.8.8 valid=300s;
	resolver_timeout 2s;

        ssl_buffer_size 4k;

测试带宽

$ wget -O=/dev/null http://url/download.tgz
$ curl -o /dev/null http://url/download.tgz
$ scp download.tgz jaseywang@host-2:

$ wget -O=/dev/null http://url/download.tgz
$ curl -o /dev/null http://url/download.tgz
$ scp download.tgz jaseywang@host-2:

https://quchao.com/entry/how-to-configure-ocsp-stapling-on-nginx-for-the-certificates-issued-by-lets-encrypt/

2-Harbor

3-Docker

1.安装

4-Containerd

1.安装

3.镜像管理

4.构建镜像

5-Dockerfile

🍂 env案例

6-Docker-Compose

7-Swarm

8-KVM

2-资源对象

2-Pod

5-Deployment

6-StatefulSet

7-Service

9-Job

10-ConfigMap

11-Secret

13-CoreDns

16-发布

3-存储

1- 存储卷概念

2-NFS

4-Minio

1-安装

4-网络

1-Calico

2-Cilium

OpenELB

5-认证与授权

6-安装

1.二进制安装

2.kubeadm安装

7-监控

1-Prometheus

2-Alertmanager

3-PrometheusAlert

4-Grafana

5-VictoriaMetrics

8-备份

9-常用操作

10-Yaml配置

11-Helm

8-Helm项目

12-CICD

1-Jenkins

2-ArgoCD

13-Ingress

1-Ingress_nginx

2-Higress

15-Autoscaler

1-HPA

2-VPA

3-OpenKruise

1-Kruise

16-Scheduler

17-云k8s

1-AWS EKS

5-ingress-nginx

维护手册

18-Kubernetes故障排查

19-Kubernetes排查手册

1-WireShark

20-Kubernetes维护手册

21-Kubernetes面试

1-Go

2-Go框架

3-Go编译

5-Go文档

6-Go日志

10-Go模块

11-Web前端开发

4-vue

5-vue架构

12-Git

13-Client-Go

FAQ

PostgreSQL