Linux Configuration SSL Certificate

Source: Internet
Author: User
Tags: HTTP Strict Transport Security, SSL certificate

A complete SSL certificate deployment consists of four parts:
    • CA root certificate (Root CA)
    • Intermediate certificate(s)
    • Domain certificate
    • Certificate private key (held only by you)

Taking a COMODO PositiveSSL certificate as an example, you will receive four files:

    • Root certificate – AddTrustExternalCARoot.crt
    • Intermediate certificate – COMODORSAAddTrustCA.crt
    • Intermediate certificate – COMODORSADomainValidationSecureServerCA.crt
    • Your domain certificate – example_com.crt

Concatenating the chain in the order domain certificate, intermediate certificate(s), root certificate produces a bundle that the vast majority of browsers will trust. Use cat to concatenate the files:

    cat example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > example_com.bundle.crt

Once you have example_com.bundle.crt, upload it together with the key file example_com.key to the server and store both in a secure location such as the /etc/ssl/private directory (create the directory if it does not exist).

Modify NGINX Site Configuration

Here is a partial SSL configuration for a newer version of NGINX. Add it to the server section of the site configuration file and adjust it according to the comments and your needs.

    listen 443 ssl;                      # listening port
    # listen [::]:443 ssl ipv6only=on;   # uncomment this line to also listen on IPv6
    server_name example.com;             # change to your domain name
    ssl_certificate /etc/ssl/private/example_com.bundle.crt;   # certificate chain
    ssl_certificate_key /etc/ssl/private/example_com.key;      # private key
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # supported protocols (not all supported by Windows XP)
    ssl_prefer_server_ciphers on;        # enable forward secrecy by preferring the server's cipher order
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
    keepalive_timeout 70;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

If you want to support at least some older browsers while still using ECDHE whenever possible, you can use the following cipher configuration:

    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4";

Or use the simplest configuration:

    ssl_ciphers "EECDH+aRSA+AES";

Generate DHE Parameters

To avoid using OpenSSL's default 1024-bit DHE parameters, generate a stronger parameter file:

    cd /etc/ssl/certs
    openssl dhparam -out dhparam.pem 4096

We recommend generating this file on a powerful machine, such as a recent Xeon-based physical server, because 4096-bit parameter generation is slow. If you only have a small VPS, use openssl dhparam -out dhparam.pem 2048 to generate a 2048-bit parameter file instead.

When you are finished, add a line under the SSL configuration:

    ssl_dhparam /etc/ssl/certs/dhparam.pem;

Enable HSTS

HTTP Strict Transport Security (HSTS) lets the browser remember, after its first visit, to communicate with your site only over HTTPS, which greatly improves security.

Under SSL configuration, add the following:

    add_header Strict-Transport-Security max-age=63072000;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

Force redirect to HTTPS

You need a separate server block that listens on HTTP port 80 and redirects every request it receives to HTTPS.

    server {
        listen 80;
        # listen [::]:80 ipv6only=on;   # uncomment this line to also listen on IPv6
        server_name example.com;         # your domain name
        location / {
            return 301 https://example.com$request_uri;   # redirect target; change example.com to your domain name
        }
    }

Or use rewrite:

    rewrite ^ https://example.com$request_uri? permanent;   # change example.com to your domain name

A complete sample

Here is a complete sample configuration based on NGINX 1.4.6. Modify it according to your needs.

    server {
        listen 80;
        # listen [::]:80 ipv6only=on;
        server_name www.example.com;
        rewrite ^ https://www.example.com$request_uri? permanent;
    }

    server {
        listen 443 ssl;
        # listen [::]:443 ssl ipv6only=on;
        server_name www.example.com;

        ssl on;
        ssl_certificate /etc/ssl/private/www_example_com.crt;
        ssl_certificate_key /etc/ssl/private/www_example_com.key;

        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
        keepalive_timeout 70;

        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        add_header Strict-Transport-Security max-age=63072000;
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;

        root /var/www/example.com;
        index index.html;
        location / {
            try_files $uri $uri/ /index.html;
        }
    }
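As an added check that is not part of the original article, the following Python script parses an NGINX server block like the complete sample above and flags the settings discussed in the cipher, DHE and HSTS sections: protocols older than TLSv1.2, RC4 suites still offered in the ssl_ciphers string (as in the older-browser variant), a missing ssl_dhparam, ssl_prefer_server_ciphers not on, and a missing or short HSTS header. SAMPLE_CONF is a constructed, shortened copy of the sample configuration; check_tls_config and parse_directives are hypothetical helper names.

```python
import re

# Constructed copy of the article's sample HTTPS server block (not a live server's file).
SAMPLE_CONF = """
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate /etc/ssl/private/www_example_com.crt;
    ssl_certificate_key /etc/ssl/private/www_example_com.key;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # as in the article
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
    add_header Strict-Transport-Security max-age=63072000;
}
"""

DIRECTIVE = re.compile(r'^\s*(\S+)\s+(.*?)\s*;\s*$')   # "name value...;" on one line

def parse_directives(conf):
    """Map each directive name to its list of values; '#' comments are dropped first."""
    found = {}
    for line in conf.splitlines():
        m = DIRECTIVE.match(line.split('#', 1)[0])
        if m:
            found.setdefault(m.group(1), []).append(m.group(2).strip('"'))
    return found

def check_tls_config(conf):
    """Return a list of findings; an empty list means none of the checked weaknesses is present."""
    d = parse_directives(conf)
    findings = []
    protos = d.get('ssl_protocols', [''])[0].split()
    for weak in ('SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1'):
        if weak in protos:
            findings.append(f'weak protocol enabled: {weak}')
    ciphers = d.get('ssl_ciphers', [''])[0].split()
    # RC4 is offered only if a positive rule names it and no '!RC4' rule removes it again
    if any('RC4' in c and not c.startswith('!') for c in ciphers) and '!RC4' not in ciphers:
        findings.append('RC4 cipher suites are offered')
    if d.get('ssl_prefer_server_ciphers', [''])[0] != 'on':
        findings.append('ssl_prefer_server_ciphers is not on')
    if 'ssl_dhparam' not in d:
        findings.append('no ssl_dhparam: OpenSSL default 1024-bit DHE parameters would be used')
    hsts = [v for v in d.get('add_header', []) if v.lower().startswith('strict-transport-security')]
    age = re.search(r'max-age=(\d+)', hsts[0]) if hsts else None
    if not age:
        findings.append('no HSTS header (or no max-age)')
    elif int(age.group(1)) < 15552000:   # 180 days
        findings.append('HSTS max-age shorter than 180 days')
    return findings
```

Run against the article's sample, the only findings are the two legacy protocols; dropping TLSv1 and TLSv1.1 from ssl_protocols makes the check pass.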
