by ·3条评论

免费ssl证书申请

到 http://www.wosign.com/Products/free_SSL.htm 申请免费的SSL证书。

下载www.iamle.com.zip文件,解压文件,找到for Nginx.zip解压,得到2个文件

1_www.iamle.com_bundle.crt ,2_www.iamle.com.key

改个名字www.iamle.com.crt,www.iamle.com.key传到服务器上备用

Nginx配置SSL证书部署https支持

找到对应的server

增加

listen          443 ssl;
ssl                     on;
ssl_certificate         /usr/local/nginx/conf/ssl/www.iamle.com.crt;
ssl_certificate_key     /usr/local/nginx/conf/ssl/www.iamle.com.key;
ssl_session_timeout     5m;
ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers             ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers       on;

 

重新载入nginx配置

[root@do ssl]# /etc/init.d/nginx  reload

浏览器信任的https://www.iamle.com 已经可用了~

 

 

补充

转换pfx为nginx需要的crt,key

如果已经有一个扩展名为pfx的证书,那么需要转换使用

[root@do ~]# openssl pkcs12 -in www.iamle.com.pfx -nocerts -nodes -out www.iamle.com.key
Enter Import Password: 输入证书密码
MAC verified OK

 

[root@do ~]# openssl pkcs12 -in www.iamle.com.pfx -clcerts -nokeys -out www.iamle.com.crt
Enter Import Password: 输入证书密码
MAC verified OK

 

生成2个文件 www.iamle.com.key , www.iamle.com.pfx 复制到你指定的目录

 

参考文献

http://nginx.org/en/docs/http/configuring_https_servers.html

by ·0评论

如果一站点既要80 http访问,又要443https访问。

要让https和http并存,不能在配置文件中使用ssl on,配置listen 443 ssl;

实例

server
{

listen 80;
listen 443 ssl;
server_name www.iamle.com;
index index.html index.htm index.php;
root /home/wwwroot/www.iamle.com/;
#ssl on; 这里要注释掉
ssl_certificate /usr/local/nginx/conf/ssl/www_iamle_com.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl/www_iamle_com.key;

#以下配置省略

}

 

 

 

From:http://nginx.org/en/docs/http/configuring_https_servers.html#single_http_https_server

It is good practice to configure separate servers for HTTP and HTTPS protocols from the very start. Although their functionalities currently seem equal, this may change significantly in the future and using a consolidated server may become problematic. However, if HTTP and HTTPS servers are equal, and you prefer not to think about the future, you may configure a single server that handles both HTTP and HTTPS requests by deleting the directive “ssl on” and adding the “ssl” parameter for *:443 port:

by ·0评论
server{
listen 80;
server_name www.iamle.com;
return 301 https://www.iamle.com$request_uri;
}

server {

listen 443 ssl http2;
ssl    on;
ssl_certificate         /usr/local/nginx/conf/ssl/www.iamle.com.crt;
ssl_certificate_key     /usr/local/nginx/conf/ssl/www.iamle.com.key;
ssl_session_cache           shared:SSL:10m;
ssl_session_timeout         10m;
ssl_session_tickets         off;

ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers             'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers       on;

# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Stricu-Transport-Security "max-age=63072000; includeSubdomains; preload";

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;

add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-Xss-Protection "1; mode=block";

server_name www.iamle.com;
#  ....
}

参考
Mozilla SSL Configuration Generator

by ·0评论

转载说明:[文章作者:张宴 本文版本:v1.0 最后修改:2009.11.14 转载请注明原文链接:http://blog.s135.com/startssl/]

  HTTPS(全称:Hypertext Transfer Protocol over Secure Socket Layer),是以安全为目标的HTTP通道,简单讲是HTTP的安全版。即HTTP下加入SSL层,HTTPS的安全基础是SSL,因此加密的详细内容请看SSL。

  它是一个URI scheme(抽象标识符体系),句法类同http:体系。用于安全的HTTP数据传输。https:URL表明它使用了HTTP,但HTTPS存在不同于HTTP的默认端口及一个加密/身份验证层(在HTTP与TCP之间)。这个系统的最初研发由网景公司进行,提供了身份验证与加密通讯方法,现在它被广泛用于万维网上安全敏感的通讯,例如交易支付方面。

 

  1、自行颁发不受浏览器信任的SSL证书:
  HTTPS的SSL证书可以自行颁发,Linux下的颁发步骤如下:
 

openssl genrsa -des3 -out api.bz.key 1024
openssl req -new -key api.bz.key -out api.bz.csr
openssl rsa -in api.bz.key -out api.bz_nopass.key

  点击在新窗口中浏览此图片

 

继续阅读