This shows you the differences between two versions of the page.
nginx_ssl [2017/01/05 06:10] (current) felixonmars created
Line 1: | Line 1: | ||
+ | ==== Make A Self-signed SSL certificate ==== | ||
+ | <code> | ||
+ | cd /etc/nginx | ||
+ | openssl req -new -x509 -nodes -out server.crt -keyout server.key | ||
+ | chmod 600 server.key | ||
+ | </code> | ||
+ | |||
+ | ==== Global Settings ==== | ||
+ | <code> | ||
+ | ssl_protocols TLSv1.2 TLSv1.1 TLSv1; | ||
+ | ssl_prefer_server_ciphers on; | ||
+ | ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"; | ||
+ | </code> | ||
+ | |||
+ | If you want to support IE8/XP, change the last line to | ||
+ | <code> | ||
+ | ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4"; | ||
+ | </code> | ||
+ | |||
+ | ==== Example Site Configuration Part ==== | ||
+ | <code> | ||
+ | listen 443 ssl spdy; | ||
+ | ssl_certificate /etc/nginx/server.crt; | ||
+ | ssl_certificate_key /etc/nginx/server.key; | ||
+ | </code> | ||
+ | |||
+ | ==== Redirect to HTTPS ==== | ||
+ | <code> | ||
+ | location / { | ||
+ | return 301 https://example.com$request_uri; | ||
+ | } | ||
+ | </code> | ||
+ | |||
+ | ==== As A Force-HTTPS Reverse Proxy ==== | ||
+ | <code> | ||
+ | proxy_redirect http:// $scheme:// | ||
+ | proxy_set_header X-Forwarded-Proto $scheme; | ||
+ | proxy_set_header X-Scheme $scheme; | ||
+ | </code> | ||
+ | |||
+ | ==== Verify A CRT Matches A KEY ==== | ||
+ | <code> | ||
+ | openssl x509 -noout -modulus -in server.crt | openssl md5 | ||
+ | openssl rsa -noout -modulus -in myserver.key | openssl md5 | ||
+ | </code> | ||
+ | If the output are not the same, then they do not match and won't work on Nginx. | ||
+ | |||
+ | ==== Generating a Certificate Signing Request (CSR) ==== | ||
+ | <code> | ||
+ | openssl req -new -newkey rsa:2048 -nodes -keyout $DOMAIN.key -out $DOMAIN.csr | ||
+ | </code> | ||
+ | |||
+ | === CSR Fields === | ||
+ | |||
+ | * Country Code: The two-letter International Organization for Standardization (ISO-) format country code for the country in which your organization is legally registered. Click the link below for a complete list of ISO country codes. [[http://www.iso.org/iso/home/standards/country_codes/country_names_and_code_elements.htm|ISO Country Codes]] | ||
+ | |||
+ | * State/Province: Name of state, province, region, territory where your organization is located. Please enter the full name. Do not abbreviate | ||
+ | |||
+ | * City/Locality: Name of the city/locality in which your organization is registered/located. Please spell out the name of the city/locality. Do not abbreviate. | ||
+ | |||
+ | * Organization: The name under which your business is legally registered. The listed organization must be the legal registrant of the domain name in the certificate request. If you are enrolling as a small business/sole proprietor, please enter the certificate requester's name in the "Organization" field, and the DBA (doing business as) name in the "Organizational Unit" field. | ||
+ | |||
+ | * Organizational Unit: Optional. Use this field to differentiate between divisions within an organization. For example, "Engineering" or "Human Resources." If applicable, you may enter the DBA (doing business as) name in this field. | ||
+ | |||
+ | * Common name: The name entered in the "CN" (common name) field of the CSR MUST be the fully-qualified domain name for the website you will be using the certificate for (e.g., "www.domainnamegoeshere"). Do not include the "http://" or "https://" prefixes in your common name. Do NOT enter your personal name in this field. | ||
+ | |||
+ | If you are requesting a Wild Card certificate, please add an asterisk (*) on the left side of the common name (e.g., "*.domainnamegoeshere.com"). This will secure all subdomains of the common name. | ||
+ | |||
+ | NOTE: If you enter "www.domainnamegoeshere.com" as the Common Name in your certificate signing request, the certificate will secure both "www.domainnamegoeshere.com" and "domainnamegoeshere.com." And vice versa. | ||
+ | |||
+ | |||
+ | References: | ||
+ | |||
+ | * http://dracoblue.net/dev/https-nginx-with-self-signed-ssl-certificate/188/ | ||
+ | * http://serverfault.com/questions/372886/prevent-nginx-from-redirecting-traffic-from-https-to-http-when-used-as-a-reverse | ||
+ | * http://support.godaddy.com/help/article/3601/generating-a-certificate-signing-request-nginx | ||
+ | * http://support.godaddy.com/help/category/746/ssl-certificates-csr-generation-instructions | ||
+ | * https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1250 | ||
+ | * https://www.digicert.com/ssl-support/ssl-enabling-perfect-forward-secrecy.htm | ||
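Review bot: the reverse-proxy block's `proxy_redirect http:// $scheme://` is missing its terminating semicolon, so nginx treats the following `proxy_set_header` line as further arguments of `proxy_redirect` and refuses to load the configuration; it should read `proxy_redirect http:// $scheme://;`. Further points in the same hunk: `listen 443 ssl spdy;` depends on the SPDY module, which nginx removed in 1.9.5 in favour of `http2`, so current builds reject the `spdy` parameter. `ssl_protocols TLSv1.2 TLSv1.1 TLSv1;` keeps the deprecated TLS 1.0 and 1.1 enabled; TLSv1.2 alone is the safer default unless legacy clients are a stated requirement, and the IE8/XP variant that re-adds RC4 should say plainly that RC4 is a broken cipher offered only for that compatibility case. The self-signed `openssl req -new -x509` command passes no `-days`, so the certificate expires after OpenSSL's 30-day default. The modulus check compares `server.crt` against `myserver.key`, which does not match the `server.key` used everywhere else on the page, and `openssl rsa -modulus` only works for RSA keys, so for the ECDSA suites listed in `ssl_ciphers` one would compare `openssl x509 -pubkey -noout` with `openssl pkey -pubout` instead. Finally, `EDH+aRSA` is enabled without an `ssl_dhparam` directive: nginx before 1.11.0 falls back to built-in 1024-bit parameters and from 1.11.0 on simply disables DHE suites, so the page should either document generating a 2048-bit group or drop EDH from the list.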