Tagged: nginx

AlphaSSL Wildcard SSL certificate installation notes

Yesterday I bought an AlphaSSL Wildcard SSL wildcard certificate on Taobao; everything went smoothly and it arrived in no time.

First, to use a wildcard certificate the server must support SNI. For Nginx, run nginx -V to check whether it does:

[root@WebServer nginx]# nginx -V
nginx version: nginx/1.9.5
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC) 
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_v2_module --with-http_ssl_module --with-ipv6 --with-http_gzip_static_module --with-http_realip_module --with-http_flv_module

If it is supported, the rest is straightforward: just configure it. Here is my configuration:

# The following goes inside the server block
listen 443 ssl http2;
keepalive_timeout 20;
server_name test.bcsytv.com;
index index.html index.htm index.php default.html default.htm default.php;
root /home/wwwroot/test;

ssl                       on;
ssl_certificate           /usr/local/nginx/conf/vhost/test.crt;
ssl_certificate_key       /usr/local/nginx/conf/vhost/test.key;
ssl_dhparam               /usr/local/nginx/conf/vhost/dhparam.pem;

ssl_protocols             TLSv1.2 TLSv1.1 TLSv1;
ssl_stapling              on;
ssl_stapling_verify       on;
resolver                  8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout          10s;
ssl_ciphers               "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_session_cache         shared:SSL:10m;
ssl_session_timeout       10m;
ssl_prefer_server_ciphers on;
# The following directive is a huge trap!! Do not try it!
#ssl_session_tickets      off;

# Force HTTPS; includeSubdomains applies the policy to subdomains as well
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

# Do not allow this site to be embedded in any page
add_header X-Frame-Options DENY;

# Disable the browser's MIME type sniffing
add_header X-Content-Type-Options nosniff;

A side note:

The certificate as delivered does not include the intermediate certificate, so we have to merge them. Suppose the certificate you received is demo.crt:

wget https://jalena.bcsytv.com/Upfiles/2015/11/alpha.crt && cat alpha.crt >> demo.crt

Command to generate dhparam.pem:

openssl dhparam -out dhparam.pem 4096

Done.

Deploying a Comodo Positive SSL certificate on Nginx

Generate a 2048-bit key

root@sg:/etc/nginx# openssl genrsa -out ssl2.me.key 2048
Generating RSA private key, 2048 bit long modulus
......+++
..................................................................................................................................+++
e is 65537 (0x10001)

Generate the CSR file

root@sg:/etc/nginx# openssl req -new -key ssl2.me.key -out ssl2.me.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN  (enter the two-letter uppercase country code; CN is China)
State or Province Name (full name) [Some-State]:BJ (province; an abbreviation is fine, usually in pinyin)
Locality Name (eg, city) []:BJ  (city; an abbreviation is fine, usually in pinyin)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ssl2 (organization or company name)
Organizational Unit Name (eg, section) []: (leave blank, just press Enter)
Common Name (eg, YOUR name) []:ssl2.me  (the domain that will use SSL, usually without www)
Email Address []:admin@ssl2.me (email address; sometimes the certificate is sent to it)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:  (leave blank, just press Enter)
An optional company name []:  (leave blank, just press Enter)


Easily block malicious password guessing with Nginx

Password guessing (screenshot)

I'm sure many WordPress users have seen this. If your password is not strong enough and someone keeps guessing at it every day like this, sooner or later it will be cracked.

WordPress will of course not notify you on its own, but we can add the following code to the theme's functions.php file to implement that (provided your PHP is configured to send mail).

Of course this only serves as an alert; how you ultimately restrict the source of the access is still for you to configure.

You can use Nginx's User-Agent checks, IP checks and similar information to establish who the visitor is and then return the appropriate response.

/*****************************************************
Function name: wp_login_failed_notify v1.0 by DH.huahua.
Purpose: email the blog owner whenever a login to the wp admin fails
******************************************************/
function wp_login_failed_notify($username) {
	date_default_timezone_set('PRC');
	$admin_email = get_bloginfo('admin_email');
	$to = $admin_email;
	$subject = '你的博客空间登录错误警告';
	// esc_html() keeps a crafted username or password from injecting HTML into the mail
	$message = '<p>你好!你的博客空间(' . esc_html(get_option('blogname')) . ')有登录错误!</p>' .
		'<p>请确定是您自己的登录失误,以防别人攻击!登录信息如下:</p>' .
		'<p>登录名:' . esc_html($username) . '</p>' .
		// note: this mails the attempted password in clear text; drop the line if that is not acceptable
		'<p>登录密码:' . esc_html(isset($_POST['pwd']) ? $_POST['pwd'] : '') . '</p>' .
		'<p>登录时间:' . date('Y-m-d H:i:s') . '</p>' .
		'<p>登录IP:' . esc_html($_SERVER['REMOTE_ADDR']) . '</p>';
	$wp_email = 'no-reply@' . preg_replace('#^www\.#', '', strtolower($_SERVER['SERVER_NAME']));
	$from = 'From: "' . get_option('blogname') . '" <' . $wp_email . '>';
	$headers = $from . "\nContent-Type: text/html; charset=" . get_option('blog_charset') . "\n";
	wp_mail($to, $subject, $message, $headers);
}
// the wp_login_failed hook passes the attempted username as its first argument
add_action('wp_login_failed', 'wp_login_failed_notify');
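As an added example (not from the original post), here is a Python script for the Nginx side the text refers to: it parses access-log lines in the combined format, flags any client that POSTs to /wp-login.php at least five times within one minute, and renders the result as deny directives that could be included in the server block. The log format, the sample lines and the addresses are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx "combined" log_format (assumed): $remote_addr - $remote_user [$time_local]
# "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Constructed sample (hypothetical addresses): 203.0.113.5 POSTs to wp-login.php six
# times in 15 seconds; 198.51.100.7 is a normal user with two logins minutes apart.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Nov/2015:12:00:%02d +0800] "POST /wp-login.php HTTP/1.1" '
    '200 3710 "-" "Mozilla/5.0"' % s for s in (1, 3, 6, 9, 12, 15)
] + [
    '198.51.100.7 - - [10/Nov/2015:12:%s +0800] "POST /wp-login.php HTTP/1.1" '
    '302 0 "-" "Mozilla/5.0"' % t for t in ("00:20", "07:41")
] + ['garbage line that does not match the format']

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_guessers(lines, threshold=5, window=timedelta(minutes=1), path="/wp-login.php"):
    """{ip: total login POSTs} for ips with >= threshold POSTs to path inside any window."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?", 1)[0] == path:
            posts[rec["ip"]].append(rec["time"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

def deny_snippet(flagged):
    """Render flagged IPs as nginx `deny` directives for an include file."""
    return "\n".join("deny %s;" % ip for ip in sorted(flagged))
```

Running `deny_snippet(find_guessers(SAMPLE_LOG))` on the constructed sample yields `deny 203.0.113.5;` while the two well-spaced logins from 198.51.100.7 are left alone.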
