昨天在某宝买了一个AlphaSSL Wildcard SSL的通配符证书,一切顺利,一会就收到了。
首先要使用通配符证书必须保证服务器支持SNI。Nginx可以使用 nginx -V来查看是否支持
|
1 2 3 4 5 6 |
[root@WebServer nginx]# nginx -V nginx version: nginx/1.9.5 built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC) built with OpenSSL 1.0.1e-fips 11 Feb 2013 TLS SNI support enabled configure arguments: --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-ipv6 --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module |
如果支持那么就好办了,直接配置吧。。附上我的配置
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 |
# 以下为server段内容 listen 443 ssl http2; keepalive_timeout 20; server_name test.bcsytv.com; index index.html index.htm index.php default.html default.htm default.php; root /home/wwwroot/test; ssl on; ssl_certificate /usr/local/nginx/conf/vhost/test.crt; ssl_certificate_key /usr/local/nginx/conf/vhost/test.key; ssl_dhparam /usr/local/nginx/conf/vhost/dhparam.pem; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_stapling on; ssl_stapling_verify on; resolver 8.8.4.4 8.8.8.8 valid=300s; resolver_timeout 10s; ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; ssl_prefer_server_ciphers on; # 以下参数是个超级坑爹的东西!!千万不要尝试! #ssl_session_tickets off; # 强制使用HTTPS,includeSubdomains是否指定子域名 add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; # 不允许被任何页面嵌入 add_header X-Frame-Options DENY; # 禁用浏览器的类型猜测行为 add_header X-Content-Type-Options nosniff; |
小花絮:
直接给的证书是不带中级证书的,我们需要合并。。假如你收到的证书是demo.crt
|
1 |
wget https://jalena.bcsytv.com/Upfiles/2015/11/alpha.crt && cat alpha.crt >> demo.crt |
dhparam.pem生成命令
|
1 |
openssl dhparam -out dhparam.pem 4096 |
ok。
Comment