A complete SSL certificate is divided into four parts:
- CA root certificate (Root CA)
- Intermediate certificate
- Domain certificate
- Certificate private key (held only by you)
Take the COMODO PositiveSSL certificate as an example; you will receive four files:
- Root certificate – AddTrustExternalCARoot.crt
- Intermediate certificate – COMODORSAAddTrustCA.crt
- Intermediate certificate – COMODORSADomainValidationSecureServerCA.crt
- Your domain certificate – example_com.crt
Concatenate the certificate chain in the order domain certificate, intermediate certificates, root certificate; a bundle built this way is trusted by the vast majority of browsers. To concatenate the certificates with cat:
cat example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > example_com.bundle.crt
Once you have example_com.bundle.crt, upload it together with the key file example_com.key to the server and store them in a secure location, such as the /etc/ssl/private directory (create it if it does not exist).
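To check that a bundle really was concatenated in the order just described, here is an added Python example (not part of the original post): it walks each PEM certificate's DER with a minimal TLV reader and verifies that every certificate's issuer equals the next certificate's subject. Real certificates are not embedded; the block constructs tiny unsigned certificate skeletons (fake_cert, an assumption for demonstration) to exercise the checker, and it does not verify signatures, so still run openssl verify on a real bundle.

```python
import base64
import re

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Raw issuer and subject Name DER of an X.509 certificate (no signature check,
    names compared byte-for-byte, without RFC 5280 normalisation)."""
    _, pos, _ = _tlv(der, 0)                           # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                         # tbsCertificate SEQUENCE
    if der[pos] == 0xA0:                               # optional [0] EXPLICIT version
        _, _, pos = _tlv(der, pos)
    fields = []
    for _ in range(5):                                 # serial, sigAlg, issuer, validity, subject
        _, _, end = _tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def pem_certs(bundle_text):
    """Decode each CERTIFICATE block of a PEM bundle to DER, in file order."""
    pem_re = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    return [base64.b64decode("".join(b.split())) for b in re.findall(pem_re, bundle_text, re.S)]

def chain_order_problems(bundle_text):
    """Indexes i where cert i is not issued by cert i+1; an empty list means the
    bundle is in the prescribed order (domain, intermediates, root)."""
    certs = pem_certs(bundle_text)
    return [i for i in range(len(certs) - 1)
            if issuer_and_subject(certs[i])[0] != issuer_and_subject(certs[i + 1])[1]]

# Constructed, unsigned certificate skeletons used only to exercise the checker.
def _der(tag, body):                                   # short-form lengths are enough here
    return bytes([tag, len(body)]) + body

def fake_cert(subject, issuer):
    """Minimal unsigned X.509 skeleton with CN=subject issued by CN=issuer."""
    def name(cn):                                      # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer) + _der(0x30, b"") + name(subject) + _der(0x30, b""))
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(cert).decode()

DOMAIN = fake_cert("example.com", "Intermediate CA")
INTERMEDIATE = fake_cert("Intermediate CA", "Root CA")
ROOT = fake_cert("Root CA", "Root CA")
GOOD_BUNDLE = DOMAIN + INTERMEDIATE + ROOT             # cat domain intermediate root
BAD_BUNDLE = ROOT + INTERMEDIATE + DOMAIN              # reversed order
```

Run chain_order_problems on the text of your own example_com.bundle.crt; a non-empty result pinpoints the position where the chain breaks.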
Modify NGINX Site Configuration
Below is a partial SSL configuration for a newer version of NGINX. Add it to the server block of your site configuration file and adjust it according to the comments and your needs.
    listen 443 ssl;                      # listening port
    #listen [::]:443 ssl ipv6only=on;    # uncomment this line to also listen on IPv6
    server_name example.com;             # change to your domain name
    ssl_certificate /etc/ssl/private/example_com.bundle.crt;   # certificate chain
    ssl_certificate_key /etc/ssl/private/example_com.key;      # private key
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # supported protocols; Windows XP does not support all of them
    ssl_prefer_server_ciphers on;        # use the server's cipher order so the forward-secrecy suites are preferred
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
    keepalive_timeout 70;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
If you need to support some older browsers while still using ECDHE whenever possible, use this cipher list instead:
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4";
Or use the simplest form:
    "EECDH+aRSA+AES";
Generate DHE Parameters
To avoid OpenSSL's default 1024-bit DHE parameters, generate a stronger parameter file:
    cd /etc/ssl/certs
    openssl dhparam -out dhparam.pem 4096
We recommend generating this file on a powerful machine, such as a recent Xeon physical server. If you only have a small VPS, generate a 2048-bit parameter file instead with:
    openssl dhparam -out dhparam.pem 2048
When you are finished, add one line to the SSL configuration:
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
Enable HSTS
HTTP Strict Transport Security (HSTS) tells the browser, from its first visit onwards, to communicate with your site only over HTTPS, which greatly improves security.
Under the SSL configuration, add the following:
    add_header Strict-Transport-Security max-age=63072000;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
Force redirect to HTTPS
You need a separate server block that listens on HTTP port 80 and redirects every request arriving there to HTTPS:
    server {
        listen 80;
        #listen [::]:80 ipv6only=on;   # uncomment this line to also listen on IPv6
        server_name example.com;       # your domain name
        location / {
            return 301 https://example.com$request_uri;   # change example.com to your domain name
        }
    }
Or use rewrite:
    rewrite ^ https://example.com$request_uri? permanent;   # change example.com to your domain name
A complete sample
Here is a complete configuration example based on NGINX 1.4.6. Modify it according to your needs.
    server {
        listen 80;
        #listen [::]:80 ipv6only=on;
        server_name www.example.com;
        rewrite ^ https://www.example.com$request_uri? permanent;
    }
    server {
        listen 443 ssl;
        #listen [::]:443 ssl ipv6only=on;
        server_name www.example.com;
        ssl on;
        ssl_certificate /etc/ssl/private/www_example_com.crt;
        ssl_certificate_key /etc/ssl/private/www_example_com.key;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
        keepalive_timeout 70;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        add_header Strict-Transport-Security max-age=63072000;
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        root /var/www/example.com;
        index index.html;
        location / {
            try_files $uri $uri/ /index.html;
        }
    }