bundle.cer

回覆文章
yehlu
Site Admin
文章: 3245
註冊時間: 2004-04-15 17:20:21
來自: CodeCharge Support Engineer

bundle.cer

文章 yehlu »

https://www.peterdavehello.org/2015/10/ ... e-version/

代碼: 選擇全部

cat server.cer uca_2.cer > bundle.cer
cat uca_1.cer root.cer > trustchain.cer
yehlu
Site Admin
文章: 3245
註冊時間: 2004-04-15 17:20:21
來自: CodeCharge Support Engineer

Re: bundle.cer

文章 yehlu »

https://www.ssllabs.com/
B -> A-

shell

代碼: 選擇全部

$ openssl dhparam -out dhparams.pem 4096
nginx config

代碼: 選擇全部

ssl_dhparam /etc/ssl/nginx/dhparams.pem;
yehlu
Site Admin
文章: 3245
註冊時間: 2004-04-15 17:20:21
來自: CodeCharge Support Engineer

Re: bundle.cer

文章 yehlu »

https://blog.qualys.com/ssllabs/2013/08 ... rd-secrecy
https://hynek.me/articles/hardening-you ... l-ciphers/

Configuring Apache, Nginx, and OpenSSL for Forward Secrecy

nginx config

代碼: 選擇全部

ssl_prefer_server_ciphers On;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;
yehlu
Site Admin
文章: 3245
註冊時間: 2004-04-15 17:20:21
來自: CodeCharge Support Engineer

Re: bundle.cer

文章 yehlu »

https://blog.hellosanta.com.tw/node/242

代碼: 選擇全部

server {
    listen 80;
    listen  443; #default_server ssl;# spdy;
    ssl on;
    ssl_certificate /etc/nginx/ssl/gitlab.hellosanta.tw/ssl-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/gitlab.hellosanta.tw/gitlab.key;
    ssl_session_timeout 10m;
    ssl_session_cache    shared:SSL:10m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #SSLv3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    add_header Alternate-Protocol  443:npn-spdy/3;
    spdy_headers_comp 3;
    spdy_chunk_size 8k;
    ssl_dhparam /etc/nginx/ssl/gitlab.hellosanta.tw/dhparams.pem;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/gitlab.hellosanta.tw/trustchain.crt;
    resolver 8.8.8.8 8.8.4.4;

    server_name gitlab.hellosanta.tw;

    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:8888;
    }
}
回覆文章

回到「nginx」