1. 首页
  2. 软件开发
  3. Linux
  4. 正文

AlphaSSL Wildcard SSL 证书安装记

2015-11-07 1910点热度 0条评论

昨天在某宝买了一个AlphaSSL Wildcard SSL的通配符证书,一切顺利,一会就收到了。

首先要使用通配符证书必须保证服务器支持SNI。Nginx可以使用 nginx -V来查看是否支持

[root@WebServer nginx]# nginx -V
nginx version: nginx/1.9.5
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC) 
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-ipv6 --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module

如果支持那么就好办了,直接配置吧。。附上我的配置

# 以下为server段内容
listen 443 ssl http2;
keepalive_timeout   	20;
server_name test.bcsytv.com;
index index.html index.htm index.php default.html default.htm default.php;
root  /home/wwwroot/test;

ssl 						on;
ssl_certificate 			/usr/local/nginx/conf/vhost/test.crt;
ssl_certificate_key 		/usr/local/nginx/conf/vhost/test.key;
ssl_dhparam 				/usr/local/nginx/conf/vhost/dhparam.pem;

ssl_protocols 				TLSv1.2 TLSv1.1 TLSv1;
ssl_stapling 				on;
ssl_stapling_verify 		on;
resolver 					8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 			10s;
ssl_ciphers 				"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_session_cache       	shared:SSL:10m;
ssl_session_timeout     	10m;
ssl_prefer_server_ciphers 	on;
# 以下参数是个超级坑爹的东西!!千万不要尝试!
#ssl_session_tickets 		off;

# 强制使用HTTPS,includeSubdomains是否指定子域名
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

# 不允许被任何页面嵌入
add_header X-Frame-Options DENY;

# 禁用浏览器的类型猜测行为
add_header X-Content-Type-Options nosniff;

小花絮:

直接给的证书是不带中级证书的,我们需要合并。。假如你收到的证书是demo.crt

wget https://jalena.bcsytv.com/uploads/2015/11/alpha.crt && cat alpha.crt >> demo.crt

dhparam.pem生成命令

openssl dhparam -out dhparam.pem 4096
标签:
最后更新:2021-03-16

Jalena

原创内容,转载请注明出处! 部分内容来自网络,请遵守法律适用!

文章评论

razz evil exclaim smile redface biggrin eek confused idea lol mad twisted rolleyes wink cool arrow neutral cry mrgreen drooling persevering

【腾讯云】云服务器特惠热卖中
标签聚合
java Centos odoo 其他 生活 wordpress docker MySql
分类

COPYRIGHT © 2025 Jalena Blog. ALL RIGHTS RESERVED.

Theme Kratos Made By Seaton Jiang

蜀ICP备17025376号