nginx_ssl

nginx_ssl [2017/01/05 06:10] created by felixonmars
==== Make A Self-signed SSL certificate ====
<code>
cd /etc/nginx
openssl req -new -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -out server.crt -keyout server.key
chmod 600 server.key
</code>
Without -days the certificate expires after 30 days. Answer the prompts with the fields described under CSR Fields below; the Common Name must be the host name clients connect to. Note that browsers (Chrome since version 58) ignore the Common Name and only match names in the subjectAltName extension, so a self-signed certificate you intend to trust in a browser also needs a SAN; the openssl req -addext option (OpenSSL 1.1.1+) adds one.

==== Global Settings ====
<code>
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
</code>
TLSv1 and TLSv1.1 are deprecated (RFC 8996). Unless you must serve clients that cannot do better, use ssl_protocols TLSv1.2; and add TLSv1.3 on nginx 1.13.0 or later built against OpenSSL 1.1.1 or later. The cipher string only admits ephemeral ECDH and DH key exchange, so every connection has forward secrecy; the RC4 entries earlier in the string are removed again by the trailing !RC4 (a ! rule removes permanently).

If you want to support IE8 on Windows XP, change the ssl_ciphers line to
<code>
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4";
</code>
The only difference is the ending: +RC4 RC4 keeps RC4 but moves it to the end of the preference list instead of removing it. RC4 is prohibited in TLS by RFC 7465 and is not compiled into default OpenSSL 1.1.0+ builds, so on a current system this variant enables nothing extra and the IE8/XP clients still cannot connect.

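Because nginx passes the ssl_ciphers string to OpenSSL unchanged, both strings can be audited on the server before they go into nginx.conf. The following script is an added example, not part of the original page: it expands the strict string and the IE8/XP variant with the local openssl ciphers command and counts the suites that use a weak cipher or lack forward secrecy. The helper names are mine; the two strings are copied from the page.

```shell
#!/bin/sh
# Added example, not from the original page. Expands nginx ssl_ciphers
# strings with the local OpenSSL to check what they really enable.
set -eu

# The page's strict string and its IE8/XP variant, copied verbatim.
STRICT='EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4'
LEGACY='EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4'

# One line per suite: NAME VERSION Kx=... Au=... Enc=... Mac=...
expand_ciphers() {
    openssl ciphers -v "$1"
}

# Total number of suites the string enables on this OpenSSL build
# (OpenSSL 1.1.1+ also lists the TLSv1.3 suites, which the string cannot
# remove; they are all forward secret).
count_suites() {
    expand_ciphers "$1" | grep -c . || true
}

# Suites whose symmetric cipher or MAC should not be shipped.
count_weak() {
    expand_ciphers "$1" | grep -cE 'RC4|3DES|DES\(|MD5|NULL|EXP' || true
}

# Suites without forward secrecy: key exchange other than ephemeral
# ECDH/DH. TLSv1.3 suites print Kx=any; static ECDH prints Kx=ECDH/RSA
# and is excluded by the trailing space in the pattern.
count_non_pfs() {
    expand_ciphers "$1" | grep -vE 'Kx=(ECDH|DH|any) ' | grep -c . || true
}

# Suite names enabled by the legacy string but not by the strict one
# (the RC4 suites on builds that still include them; empty otherwise).
legacy_only_suites() {
    l=$(mktemp)
    s=$(mktemp)
    expand_ciphers "$LEGACY" | awk '{print $1}' | sort > "$l"
    expand_ciphers "$STRICT" | awk '{print $1}' | sort > "$s"
    comm -23 "$l" "$s"
    rm -f "$l" "$s"
}

# Summary line for one string.
report() {
    printf '%s: %s suites, %s weak, %s without forward secrecy\n' \
        "$1" "$(count_suites "$2")" "$(count_weak "$2")" "$(count_non_pfs "$2")"
}

report strict "$STRICT"
report legacy "$LEGACY"
printf 'only in legacy string: %s\n' "$(legacy_only_suites | tr '\n' ' ')"
```

Run it wherever nginx runs, since the answer depends on the OpenSSL build nginx is linked against (nginx -V shows which one). The strict string should report zero weak and zero non-forward-secret suites; if the legacy string reports no extra suites, your build has no RC4 and the IE8/XP variant buys nothing.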
==== Example Site Configuration Part ====
<code>
listen 443 ssl http2;
ssl_certificate /etc/nginx/server.crt;
ssl_certificate_key /etc/nginx/server.key;
</code>
SPDY was removed in nginx 1.9.5, which introduced http2 in its place; only on older builds use listen 443 ssl spdy;. For a CA-issued certificate, the file given to ssl_certificate must contain the server certificate followed by the intermediate certificates, since nginx sends exactly that file as the chain.

==== Redirect to HTTPS ====
<code>
server {
    listen 80;
    server_name example.com;
    location / {
        return 301 https://example.com$request_uri;
    }
}
</code>
This goes in the plain-HTTP server block. A fixed host name is used on purpose: https://$host$request_uri would echo whatever Host header the client sent.

==== As A Force-HTTPS Reverse Proxy ====
<code>
location / {
    proxy_pass http://127.0.0.1:8080;
    proxy_redirect http:// $scheme://;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Scheme $scheme;
}
</code>
The backend address is an example. proxy_redirect rewrites Location headers the backend emits with http:// to the scheme the client used, so an HTTPS client is not bounced back to plain HTTP; X-Forwarded-Proto lets the backend build correct absolute URLs itself. The backend should trust these headers only when the request comes from this proxy, because a client that can reach the backend directly can set them too.

==== Verify A CRT Matches A KEY ====
<code>
openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
</code>
If the two hashes differ, the key does not belong to the certificate and nginx will refuse to start with a "key values mismatch" error. The -modulus comparison only works for RSA keys; for EC keys compare the public keys instead (openssl pkey -pubout against openssl x509 -pubkey -noout).

==== Generating a Certificate Signing Request (CSR) ====
<code>
DOMAIN=example.com
openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout $DOMAIN.key -out $DOMAIN.csr
</code>
Send the .csr to the CA and keep the .key (chmod 600); the certificate the CA returns pairs with that key. -nodes leaves the key unencrypted so nginx can start without a passphrase.

=== CSR Fields ===

  * Country Code: The two-letter ISO country code for the country in which your organization is legally registered. See [[http://www.iso.org/iso/home/standards/country_codes/country_names_and_code_elements.htm|ISO Country Codes]] for the complete list.

  * State/Province: Name of the state, province, region or territory where your organization is located. Enter the full name; do not abbreviate.

  * City/Locality: Name of the city or locality in which your organization is registered or located. Spell out the name; do not abbreviate.

  * Organization: The name under which your business is legally registered. The listed organization must be the legal registrant of the domain name in the certificate request. If you are enrolling as a small business or sole proprietor, enter the certificate requester's name in the "Organization" field and the DBA (doing business as) name in the "Organizational Unit" field.

  * Organizational Unit: Optional. Use this field to differentiate between divisions within an organization, for example "Engineering" or "Human Resources". If applicable, you may enter the DBA (doing business as) name in this field.

  * Common name: The name entered in the "CN" (common name) field of the CSR MUST be the fully-qualified domain name of the website you will be using the certificate for (e.g. "www.domainnamegoeshere.com"). Do not include the "http://" or "https://" prefix in your common name. Do NOT enter your personal name in this field.

If you are requesting a wildcard certificate, add an asterisk (*) on the left side of the common name (e.g. "*.domainnamegoeshere.com"). A wildcard matches exactly one label: it covers "www.domainnamegoeshere.com" and "mail.domainnamegoeshere.com", but neither "a.b.domainnamegoeshere.com" nor the bare "domainnamegoeshere.com" (RFC 6125).

NOTE: Some CAs (GoDaddy, whose instructions this section follows, among them) issue a certificate for "www.domainnamegoeshere.com" that also covers "domainnamegoeshere.com", and vice versa, by adding the second name to the subjectAltName extension. Browsers match only the names in that extension, so check the issued certificate (openssl x509 -noout -text) rather than relying on this behaviour.

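The self-signed certificate, the CSR and the key/certificate check above can be scripted without interactive prompts. The following is an added example, not part of the original page: it fills the CSR fields with -subj, adds a subjectAltName for both the bare and the www name, and compares public keys instead of RSA moduli so the check also covers EC keys. example.com, the subject values, the file names and the helper names are assumptions; -addext needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original page: non-interactive key, CSR and
# self-signed certificate generation with a subjectAltName, plus a
# key/certificate match check that also works for EC keys. example.com,
# the subject fields and the file names are assumptions.
set -eu

# Key + CSR for the domain in $1, written into the directory in $2.
# Subject fields follow the "CSR Fields" list; the SAN carries both the
# bare and the www name because browsers match only the SAN, not the CN.
make_csr() {
    domain=$1
    dir=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=US/ST=California/L=San Francisco/O=Example Inc/CN=$domain" \
        -addext "subjectAltName=DNS:$domain,DNS:www.$domain" \
        -keyout "$dir/$domain.key" -out "$dir/$domain.csr" 2>/dev/null
    chmod 600 "$dir/$domain.key"
}

# Self-signed certificate (the page's first step) made non-interactive.
make_self_signed() {
    domain=$1
    dir=$2
    openssl req -new -x509 -nodes -sha256 -days 365 -newkey rsa:2048 \
        -subj "/CN=$domain" \
        -addext "subjectAltName=DNS:$domain,DNS:www.$domain" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir/server.key"
}

# Digest of the public key (SubjectPublicKeyInfo) inside a key, CSR or
# certificate. Comparing these works for RSA and EC keys, where the
# page's -modulus trick only works for RSA.
pubkey_digest() {
    case $1 in
        *.csr) openssl req  -in "$1" -pubkey -noout ;;
        *.crt) openssl x509 -in "$1" -pubkey -noout ;;
        *)     openssl pkey -in "$1" -pubout ;;
    esac | openssl sha256
}

# Prints match/mismatch and returns 0/1 accordingly.
key_matches() {
    if [ "$(pubkey_digest "$1")" = "$(pubkey_digest "$2")" ]; then
        echo match
    else
        echo mismatch
        return 1
    fi
}

# SAN names of a certificate, to confirm it covers every host it serves.
cert_sans() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | tr '\n' ' '
}

demo() {
    dir=$(mktemp -d)
    make_csr example.com "$dir"
    make_self_signed example.com "$dir"
    key_matches "$dir/example.com.key" "$dir/example.com.csr"
    key_matches "$dir/server.key" "$dir/server.crt"
    key_matches "$dir/example.com.key" "$dir/server.crt" || true
    echo "SANs: $(cert_sans "$dir/server.crt")"
    echo "files left in $dir"
}

demo
```

The pubkey_digest check is the one to run after a CA returns a certificate: compare it against the .key you generated and, if the CA returns a chain file, against its first certificate, since nginx only reads the first one as the server certificate.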
References:

  * http://dracoblue.net/dev/https-nginx-with-self-signed-ssl-certificate/188/
  * http://serverfault.com/questions/372886/prevent-nginx-from-redirecting-traffic-from-https-to-http-when-used-as-a-reverse
  * http://support.godaddy.com/help/article/3601/generating-a-certificate-signing-request-nginx
  * http://support.godaddy.com/help/category/746/ssl-certificates-csr-generation-instructions
  * https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1250
  * https://www.digicert.com/ssl-support/ssl-enabling-perfect-forward-secrecy.htm