How to configure SSL on Nginx
This document walks you through installing and configuring an SSL certificate on the NGINX HTTP server; installing NGINX itself on the various platforms is not covered. Because OpenSSL has had a steady stream of high-severity vulnerabilities in recent years, we strongly recommend upgrading OpenSSL to the latest version before you start.
Configuring the SSL certificate
A complete SSL certificate consists of four parts:
CA root certificate (root CA)
Intermediate certificate
Domain certificate
Certificate private key (held only by you)
Taking a COMODO PositiveSSL certificate as an example, you will receive four files:
Root certificate - AddTrustExternalCARoot.crt
Intermediate certificate - COMODORSAAddTrustCA.crt
Intermediate certificate - COMODORSADomainValidationSecureServerCA.crt
Your domain certificate - example_com.crt
Alternatively, you will receive two files (most newly issued certificates come this way):
CA certificate bundle - example_com.ca-bundle
Your domain certificate - example_com.crt
You must concatenate them into a certificate chain in the order domain certificate -> intermediate certificate(s) -> root certificate; otherwise most browsers will not trust it. Use cat to join the certificates:
cat example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > example_com.bundle.crt
If you received the example_com.ca-bundle form instead, concatenate it directly after example_com.crt:
cat example_com.crt example_com.ca-bundle > example_com.bundle.crt
Once you have example_com.bundle.crt, upload it together with the key file example_com.key to the server and store both in a safe location, for example the /etc/ssl/private directory (create it if it does not exist).
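As an added example (not part of the original article): a POSIX shell script that builds the bundle in the required order and then checks three things before the files go anywhere near NGINX: that the first certificate in the bundle is the domain certificate (NGINX sends the first one as the server certificate), that the chain validates up to the root using only the certificates in the bundle, and that the private key belongs to the domain certificate. It needs the openssl command. The throw-away root/intermediate/leaf PKI created by make_demo_pki, and every file and subject name in it, are constructed for the demonstration; a real deployment uses the files issued by the CA.

```shell
#!/bin/sh
# Added example, not from the original article. Build a certificate bundle in the
# order domain cert -> intermediate(s) -> root and sanity-check it with openssl.
# The demo PKI (root/intermediate/leaf, file names, subject names) is constructed here.
set -e

# Concatenate PEM files in the order given, exactly like the cat command above.
# Usage: build_chain example_com.crt intermediate.crt root.crt > example_com.bundle.crt
build_chain() {
    for f in "$@"; do
        cat "$f"
    done
}

# Print the subject of every certificate in a PEM bundle, in file order
# (crl2pkcs7 | pkcs7 -print_certs is the usual way to iterate over a bundle).
bundle_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout | grep '^subject='
}

# Returns 0 if bundle, key and root are consistent, 1 otherwise.
# $1 = bundle, $2 = private key, $3 = trusted root, $4 = text expected in the leaf subject
check_bundle() {
    bundle=$1; key=$2; root=$3; leaf_name=$4
    # 1. NGINX sends the first certificate as the server certificate, so it must be the leaf.
    bundle_subjects "$bundle" | head -n 1 | grep -q "$leaf_name" || {
        echo "first certificate in $bundle is not the domain certificate" >&2; return 1; }
    # 2. The leaf (first cert) must chain up to the root using only the rest of the bundle.
    openssl verify -CAfile "$root" -untrusted "$bundle" "$bundle" >/dev/null 2>&1 || {
        echo "chain in $bundle does not validate against $root" >&2; return 1; }
    # 3. The private key must belong to the leaf: compare the two public keys.
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || {
        echo "$key does not match the domain certificate" >&2; return 1; }
    return 0
}

# Create a throw-away root -> intermediate -> leaf PKI in directory $1 (constructed
# test data; in a real deployment these files come from your CA).
make_demo_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.com\n' > "$d/leaf.ext"
    # self-signed root
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$d/root.key" -out "$d/root.csr" -subj "/CN=Demo Root CA" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    # intermediate signed by the root
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Demo Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -out "$d/int.crt" -days 2 -extfile "$d/ca.ext" 2>/dev/null
    # leaf (the "domain certificate") signed by the intermediate
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=example.com" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
        -out "$d/leaf.crt" -days 2 -extfile "$d/leaf.ext" 2>/dev/null
    # an unrelated key, to show the key-mismatch check firing
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/other.key" 2>/dev/null
}
```

On a real server, run check_bundle against the bundle you just built, your example_com.key and the CA's root file before editing the NGINX configuration; a bundle in the wrong order or missing an intermediate is the most common reason browsers report an untrusted certificate even though the files are all genuine. Keep the key file readable by root only (mode 0600).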
Modifying the NGINX site configuration
Below is the SSL part of a configuration for fairly recent NGINX versions. Add it to the server block of your site configuration and adjust it according to the comments and your needs.
listen 443 ssl; # listening port
# listen [::]:443 ssl ipv6only=on; # uncomment this line if you also want to listen on IPv6
server_name example.com; # change to your domain
ssl_certificate /etc/ssl/private/example_com.bundle.crt; # certificate chain
ssl_certificate_key /etc/ssl/private/example_com.key; # private key
ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # supported protocols; not supported by Windows XP
ssl_prefer_server_ciphers on; # use the server's cipher order, so the forward-secrecy (EECDH/EDH) suites listed first are chosen
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
keepalive_timeout 70;
ssl_session_cache shared:SSL:10m; # session cache shared between workers, 10 MB
ssl_session_timeout 10m; # cached sessions can be resumed for 10 minutes
If you want to keep supporting at least some older browsers while still using ECDHE whenever it is available, you can use the following configuration:
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4";
A scheme that supports browsers as old as Android 2.3 (but not IE6):
ssl_ciphers "CHACHA20:ECDH+AESGCM:ECDH+AES256:RSA+AESGCM:RSA+AES:DH+AESGCM:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4";
You may need LibreSSL for CHACHA20 support.
Or use the simplest scheme:
ssl_ciphers "EECDH+aRSA+AES";
Generating DHE parameters
To avoid OpenSSL's default 1024-bit DHE parameters, we need to generate a stronger parameter file:
cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096
We recommend generating this file on a machine with plenty of CPU power, such as a recent Xeon server. If all you have is a small VPS, use openssl dhparam -out dhparam.pem 2048 to generate a 2048-bit parameter file instead.
When it has finished, add one line under the SSL configuration:
ssl_dhparam /etc/ssl/certs/dhparam.pem;
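The cipher strings above are easy to get wrong in ways that only show up when a client connects, so, as an added example that is not part of the original article, here is a shell script that expands an ssl_ciphers string the same way OpenSSL will and reports how many suites it enables, how many lack forward secrecy (plain RSA key exchange) and how many use RC4, (3)DES, NULL encryption or an MD5 MAC; it also reads back the bit length of a dhparam.pem file so you can confirm the 2048/4096-bit parameters from the previous step are the ones in use. It assumes openssl 1.1.1 or newer (for the -s and -tls1_2 options of openssl ciphers); the definition of "weak" is this example's own.

```shell
#!/bin/sh
# Added example, not from the original article. Expand an ssl_ciphers string the way
# OpenSSL does and report what it actually enables; also read the size of a dhparam file.
# Needs openssl 1.1.1 or newer (for the -s/-tls1_2 listing options). The "weak"
# pattern below is this example's own choice, not something the article defines.

# List enabled TLS 1.2-and-below suites, one per line: name, protocol, Kx=, Au=, Enc=, Mac=.
# -s restricts the output to suites this OpenSSL build can really negotiate, and
# -tls1_2 keeps the always-present TLS 1.3 suites (Kx=any) out of the list.
expand_ciphers() {
    openssl ciphers -v -s -tls1_2 "$1" 2>/dev/null
}

# Number of suites a cipher string enables (0 if OpenSSL rejects the string).
suite_count() {
    expand_ciphers "$1" | awk 'END { print NR }'
}

# Number of enabled suites without forward secrecy: key exchange is neither ECDHE nor DHE,
# so a leaked server key would decrypt previously recorded traffic.
non_pfs_count() {
    expand_ciphers "$1" | grep -v -E 'Kx=(ECDH|DH)' | awk 'END { print NR }'
}

# Number of enabled suites using RC4, (3)DES, NULL encryption or an MD5 MAC.
weak_count() {
    expand_ciphers "$1" | grep -i -E 'Enc=(RC4|3DES|DES|None)|Mac=MD5' | awk 'END { print NR }'
}

# Print the bit length of a DH parameter file, e.g. 2048 for the VPS variant above.
dhparam_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p'
}

# Audit one cipher string: prints a summary line and returns 1 if anything is off.
# Usage: audit_ciphers "EECDH+aRSA+AES"
audit_ciphers() {
    total=$(suite_count "$1"); nopfs=$(non_pfs_count "$1"); weak=$(weak_count "$1")
    echo "suites=$total no-forward-secrecy=$nopfs weak=$weak"
    [ "$total" -gt 0 ] && [ "$nopfs" -eq 0 ] && [ "$weak" -eq 0 ]
}
```

Run audit_ciphers on each candidate string from the section above before you commit to one; the "older browsers" and "Android 2.3" variants deliberately trade forward secrecy or cipher strength for reach, and the counts make that trade visible instead of implicit.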
Enabling HSTS
HTTP Strict Transport Security (HSTS) makes the browser remember, after its first visit, to talk to your site only over HTTPS, which greatly improves security.
Add under the SSL configuration:
add_header Strict-Transport-Security max-age=63072000; # two years, in seconds
# add_header X-Frame-Options DENY; # add this if your pages never need to be embedded in an iframe
add_header X-Content-Type-Options nosniff;
Forcing redirection to HTTPS
You need a separate server block that listens on HTTP port 80 and redirects every request that arrives there to HTTPS.
server {
listen 80;
# listen [::]:80; # uncomment this line if you also want to listen on IPv6
server_name example.com; # your domain
location / {
return 301 https://example.com$request_uri; # redirect target; change example.com to your domain
}
}
Or use rewrite:
rewrite ^ https://example.com$request_uri? permanent; # change example.com to your domain
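Once the HSTS headers and the port-80 redirect are in place, the quickest way to confirm they really reach the client is to capture the response headers (for example with curl -sI http://example.com and curl -sI https://example.com) and check them. As an added example that is not part of the original article, the shell script below does exactly that for the two previous sections: it verifies that the plain-HTTP response is a permanent redirect to an https:// URL, and that the HTTPS response carries Strict-Transport-Security with a max-age of at least one year plus X-Content-Type-Options: nosniff. The two sample responses are constructed here, and the one-year minimum is this example's own threshold (the article's value of 63072000 seconds is two years).

```shell
#!/bin/sh
# Added example, not from the original article. Check captured HTTP response headers
# for the behaviour the redirect and HSTS sections describe. The two responses below
# are constructed samples; in practice feed the output of `curl -sI <url>` instead.

# Constructed sample: what the port-80 server block should answer.
HTTP_RESPONSE='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://www.example.com/path?q=1
Content-Type: text/html'

# Constructed sample: what the port-443 server block should answer.
HTTPS_RESPONSE='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=63072000
X-Content-Type-Options: nosniff
Content-Type: text/html'

# Print the value of header $2 in response text $1 (case-insensitive name, first match only).
header_value() {
    printf '%s\n' "$1" | awk -v name="$2" '
        BEGIN { name = tolower(name) }
        {
            n = index($0, ":")
            if (n && tolower(substr($0, 1, n - 1)) == name) {
                v = substr($0, n + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t\r]+$/, "", v)
                print v; exit
            }
        }'
}

# Returns 0 if the plain-HTTP response is a permanent redirect (301 or 308) to an https:// URL.
check_http_redirect() {
    status=$(printf '%s\n' "$1" | head -n 1 | awk '{ print $2 }')
    loc=$(header_value "$1" Location)
    [ "$status" = "301" ] || [ "$status" = "308" ] || return 1
    case "$loc" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if HSTS is present with max-age >= 31536000 (one year, this example's
# threshold) and X-Content-Type-Options is nosniff.
check_https_headers() {
    hsts=$(header_value "$1" Strict-Transport-Security)
    [ -n "$hsts" ] || return 1
    max_age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$max_age" ] && [ "$max_age" -ge 31536000 ] || return 1
    [ "$(header_value "$1" X-Content-Type-Options)" = "nosniff" ] || return 1
    return 0
}
```

A typical use is check_http_redirect "$(curl -sI http://example.com)" followed by check_https_headers "$(curl -sI https://example.com)" after a reload of NGINX; a missing HSTS header on the HTTPS side usually means the add_header lines landed in the wrong server block.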
A complete sample
Here is a complete configuration sample based on NGINX 1.4.6. Adjust it to your needs.
server {
listen 80;
# listen [::]:80;
server_name www.example.com;
rewrite ^ https://www.example.com$request_uri? permanent; # everything on port 80 goes to HTTPS
}
server {
listen 443 ssl;
# listen [::]:443 ssl;
server_name www.example.com;
ssl on;
ssl_certificate /etc/ssl/private/www_example_com.crt; # the concatenated chain built above
ssl_certificate_key /etc/ssl/private/www_example_com.key;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
keepalive_timeout 70;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
add_header Strict-Transport-Security max-age=63072000;
# add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
root /var/www/example.com;
index index.html;
location / {
try_files $uri $uri/ /index.html;
}
}