July 1, 2016

HSTS域名更换实例

新入手了its0k.com,原来的alair.cn还继续使用 在这里需要将alair.cn重定向到its0k.com 第一次只是将nginx配置文件中的alair.cn全部替换为its0k.com,通过its0k.com浏览新站完全没问题 但是试着从alair.cn跳转浏览新站,浏览器出现了证书安全告警,告警具体原因为证书未包含alair.cn域名,我才想起来旧域名alair.cn已经添加进了HSTS列表,因此不能简单的只为新域名签名,而是需要证书签名时包含新旧两个域名。 重新签名了证书,包含以下四个域名 its0k.com www.its0k.com alair.cn www.alair.cn 以下为更改完成后的nginx配置文件,请注意名相关的部分 server { listen 443 ssl http2; ssl_certificate /root/ssls/its0k.crt; ssl_certificate_key /root/ssls/its0k.key; ssl_session_timeout 60m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS:!PKS; ssl_prefer_server_ciphers on; ssl_session_cache builtin:1000 shared:SSL:10m; ssl_dhparam /etc/ssl/certs/dhparam.pem; add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; add_header X-Frame-Options "DENY"; ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s; server_name its0k.com www.its0k.com alair.cn www.alair.cn; access_log off; index index.html index.htm; include /usr/local/nginx/conf/rewrite/ps.conf; root /data/wwwroot/its0k.com/compiled; error_page 403 404 500 503 505 = https://its0k. Read more

May 9, 2016

Let's encrypt 证书快速生成脚本

网站的Let’s encrypt证书快到期了,看了官方的续期方法比较繁琐,于是在网上找了找简单方便做法,结果找到了墓地小企鹅写的一个脚本(shell script),使用这个脚本可以方便的生成以及更新Let’s encrypt 证书。 脚本地址 https://github.com/xdtianyu/scripts/tree/master/lets-encrypt 下载脚本 wget https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.conf wget https://raw.githubusercontent.com/xdtianyu/scripts/master/lets-encrypt/letsencrypt.sh 配置 root@rnse:~/lesh# cat letsencrypt.conf # only modify the values, key files will be generated automaticly. ACCOUNT_KEY="letsencrypt-account.key" DOMAIN_KEY="alair.key" DOMAIN_DIR="/data/wwwroot/alair.cn/compiled" DOMAINS="DNS:alair.cn,DNS:www.alair.cn" #ECC=TRUE #LIGHTTPD=TRUE 按照需要自定义DOMAIN_KEY、DOMAIN_DIR、DOMAINS三部分。 生成证书 root@rnse:~/lesh#chmod +x letsencrypt.sh root@rnse:~/lesh# ./letsencrypt.sh letsencrypt.conf Generate account key... Generating RSA private key, 4096 bit long modulus ..............................++ ....++ e is 65537 (0x10001) Generate domain key... Generating RSA private key, 2048 bit long modulus . Read more

December 21, 2015

SSL安全优化

先贴出本站的SSL安全评级,测试地址为https://www.ssllabs.com/ssltest/analyze.html?d=alair.cn 以下是本站Nginx配置中关于SSL部分 listen 443 ssl http2; ssl_certificate /etc/letsencrypt/live/alair.cn/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/alair.cn/privkey.pem; ssl_session_timeout 60m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS:!PKS; ssl_prefer_server_ciphers on; ssl_session_cache builtin:1000 shared:SSL:10m; ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_stapling on; ssl_stapling_verify on; add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; add_header X-Frame-Options "DENY"; 说明: dhparam.pem可以使用openssl dhparam -out dhparam.pem 4096命令生成,这个命令会执行很长时间,也可以将字节数改为2048

December 15, 2015

使用免费Let's Encrypt证书

在此介绍如何使用Let’s Encrypt的免费SSL证书,需要在有管理权限的VPS上操作,然后参考以下方法自签域名证书。 git clone https://github.com/letsencrypt/letsencrypt.git cd letsencrypt mkdir -p /home/webroot/.well-known/acme-challenge #/home/webroot为网站目录 ./letsencrypt-auto certonly --email me@alair.cn -d alair.cn,www.alair.cn --webroot -w /home/webroot --agree-tos #注意email、域名、和网站目录 签发成功后,会提示如/etc/letsencrypt/live/www.alair.cn/fullchain.pem;的证书路径信息。 IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/www.alair.cn/fullchain.pem. Your cert will expire on 2016-03-14. To obtain a new version of the certificate in the future, simply run Let's Encrypt again. - If like Let's Encrypt, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt. Read more

May 25, 2015

Nginx配置SSL证书

申请Wosign免费SSL证书 申请地址: https://www.wosign.com/products/free_ssl.htm 申请成功后,收到类似于aquan.me_sha256_cn.zip的文件,解压后包含如下文件 for Apache.zip for IIS.zip for Nginx.zip for Other Server.zip for Tomcat.zip 其中for Nginx.zip中包含如下两个文件,将其上传到VPS自定义位置。 1_aquan.me_bundle.crt 2_aquan.me.key 配置Nginx 不多说了,直接贴代码: #### Add Wosign SSL Start #### listen 443; ssl on; ssl_certificate /usr/local/nginx/ssl/ssl.crt; ssl_certificate_key /usr/local/nginx/ssl/ssl.key; ssl_session_timeout 5m; ssl_protocols SSLv2 SSLv3 TLSv1; ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; ssl_prefer_server_ciphers on; #### Add Wosign SSL End #### 将以上代码插入listen 80;之后。 重启Nginx生效 /etc/init.d/nginx restart 以上设置完成,就可以通过https来浏览网站,同时http也可以浏览。 合并Wosign根证书 有的浏览器会提示不信任证书,可以通过合并Wosign根证书来解决 wget https://www.wosign.com/Root/Bundle_DV_St.crt cat Bundle_DV_St.crt >> /usr/local/nginx/ssl/ssl. Read more

© unixetc.com 2012 - 2019
README