- 浏览: 3500592 次
- 性别:
- 来自: 北京
文章分类
最新评论
-
wanglf1207:
EJB的确是个不错的产品,只是因为用起来有点门槛,招来太多人吐 ...
weblogic-ejb-jar.xml的元素解析 -
qwfys200:
总结的不错。
Spring Web Flow 2.0 入门 -
u011577913:
u011577913 写道也能给我发一份翻译文档? 邮件437 ...
Hazelcast 参考文档-4 -
u011577913:
也能给我发一份翻译文档?
Hazelcast 参考文档-4 -
songzj001:
DbUnit入门实战
HTTPS server optimization
SSL certifcate chains
A single HTTP/HTTPS server
Name-based HTTPS servers
A SSL certificate with several names
Server Name Indication
Compatibility
To configure an HTTPS server you must enable the SSL protocol in the server block, and specify the locations of the server certificate and private key files:
server { listen 443; server_name www.nginx.com; ssl on; ssl_certificate www.nginx.com.crt; ssl_certificate_key www.nginx.com.key; ssl_protocols SSLv3 TLSv1; ssl_ciphers HIGH:!ADH:!MD5; ... }
The server certificate is a public entity. It is sent to every client that connects to the server. The private key is a secure entity and should be stored in a file with restricted access, however, it must be readable by nginx’s master process. The private key may alternately be stored in the same file as the certificate:
ssl_certificate www.nginx.com.cert; ssl_certificate_key www.nginx.com.cert;
in which case the file access rights should also be restricted. Although the certificate and the key are stored in one file, only the certificate is sent to a client.
The directives “ssl_protocols” and “ssl_ciphers” may be used to limit connections to strong SSL protocol versions and ciphers. Since version 0.8.20, nginx uses “ssl_protocols SSLv3 TLSv1” and “ssl_ciphers HIGH:!ADH:!MD5” by default, so they should only be set for earlier nginx versions.
HTTPS server optimization
SSL operations consume extra CPU resources. On multi-processor systems you should run several worker processes: no less than the number of available CPU cores. The most CPU-intensive operation is the SSL handshake. There are two ways to minimize the number of these operations per client: the first is by enabling keepalive connections to send several requests via one connection and the second is to reuse SSL session parameters to avoid SSL handshakes for parallel and subsequent connections. The sessions are stored in an SSL session cache shared between workers and configured by an “ssl_session_cache” directive. One megabyte of the cache contains about 4000 sessions. The default cache timeout is 5 minutes. It can be increased by using the “ssl_session_timeout” directive. Here is a sample configuration optimized for a quad core system with 10M shared session cache:
worker_processes 4 ; http { ssl_session_cache shared:SSL:10m ; ssl_session_timeout 10m ; server { listen 443; server_name www.nginx.com; keepalive 70 ; ssl on; ssl_certificate www.nginx.com.crt; ssl_certificate_key www.nginx.com.key; ssl_protocols SSLv3 TLSv1; ssl_ciphers HIGH:!ADH:!MD5; ...
SSL certifcate chains
Some browsers may complain about a certificate signed by a well-known certificate authority, while other browsers may accept the certificate without issues. This occurs because the issuing authority has signed the server certificate using an intermediate certificate that is not present in the certificate base of well-known trusted certificate authorities which is distributed with a particular browser. In this case the authority provides a bundle of chained certificates which should be concatenated to the signed server certificate. The server certificate must appear before the chained certificates in the combined file:
$ cat www.nginx.com.crt bundle.crt > www.nginx.com.chained.crt
The resulting file should be used in the “ssl_certificate” directive:
server { listen 443; server_name www.nginx.com; ssl on; ssl_certificate www.nginx.com.chained.crt; ssl_certificate_key www.nginx.com.key; ... }
If the server certificate and the bundle have been concatenated in the wrong order, nginx will fail to start and will display the error message:
SSL_CTX_use_PrivateKey_file(" ... /www.nginx.com.key") failed (SSL: error:0B080074:x509 certificate routines: X509_check_private_key:key values mismatch)
because nginx has tried to use the private key with the bundle’s first certificate instead of the server certificate.
Browsers usually store intermediate certificates which they receive
and which are signed by trusted authorities, so actively used browsers
may already have the required intermediate certificates and
may not complain about a certificate sent without a chained bundle.
To ensure the server sends the complete certificate chain,
you may use the “openssl
” command line utility, for example:
$ openssl s_client -connect www.godaddy.com:443 ... Certificate chain 0 s:/C=US/ST=Arizona/L=Scottsdale/1.3.6.1.4.1.311.60.2.1.3=US /1.3.6.1.4.1.311.60.2.1.2=AZ/O=GoDaddy.com, Inc /OU=MIS Department/CN=www.GoDaddy.com /serialNumber=0796928-7/2.5.4.15=V1.0, Clause 5.(b) i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc. /OU=http://certificates.godaddy.com/repository /CN=Go Daddy Secure Certification Authority /serialNumber=07969287 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc. /OU=http://certificates.godaddy.com/repository /CN=Go Daddy Secure Certification Authority /serialNumber=07969287 i:/C=US/O=The Go Daddy Group, Inc. /OU=Go Daddy Class 2 Certification Authority 2 s:/C=US/O=The Go Daddy Group, Inc. /OU=Go Daddy Class 2 Certification Authority i:/L=ValiCert Validation Network/O=ValiCert, Inc. /OU=ValiCert Class 2 Policy Validation Authority /CN=http://www.valicert.com//emailAddress=info@valicert.com ...
In this example the subject (“s ”) of the www.GoDaddy.com server certificate #0 is signed by an issuer (“i ”) which itself is the subject of the certificate #1, which is signed by an issuer which itself is the subject of the certificate #2, which signed by the well-known issuer ValiCert, Inc. whose certificate is stored in the browsers’ built-in certificate base (that lay in the house that Jack built).
If you have not added the certificates bundle, you will see only your server certificate #0.
A single HTTP/HTTPS server
It is good practice to configure separate servers for HTTP and HTTPS protocols from the very start. Although their functionalities currently seem equal, this may change significantly in the future and using a consolidated server may become problematic. However, if HTTP and HTTPS servers are equal, and you prefer not to think about the future, you may configure a single server that handles both HTTP and HTTPS requests by deleting the directive “ssl on” and adding the “ssl” parameter for *:443 port:
server { listen 80; listen 443 ssl; server_name www.nginx.com; ssl_certificate www.nginx.com.crt; ssl_certificate_key www.nginx.com.key; ... }
Prior to 0.8.21, nginx only allows the “ssl” parameter to be set on listen sockets with the “default” parameter:listen 443 default ssl;
Name-based HTTPS servers
A common issue arises when configuring two or more HTTPS servers listening on a single IP address:
server { listen 443; server_name www.nginx.com; ssl on; ssl_certificate www.nginx.com.crt; ... } server { listen 443; server_name www.nginx.org; ssl on; ssl_certificate www.nginx.org.crt; ... }
With this configuration a browser receives the certificate of the default server, i.e., www.nginx.com regardless of the requested server name. This is caused by SSL protocol behaviour. The SSL connection is established before the browser sends an HTTP request and nginx does not know the name of the requested server. Therefore, it may only offer the certificate of the default server.
The oldest and most robust method to resolve the issue is to assign a separate IP address for every HTTPS server:
server { listen 192.168.1.1:443; server_name www.nginx.com; ssl on; ssl_certificate www.nginx.com.crt; ... } server { listen 192.168.1.2:443; server_name www.nginx.org; ssl on; ssl_certificate www.nginx.org.crt; ... }
A SSL certificate with several names
There are other ways to share a single IP address between several HTTPS servers, however, all of them have drawbacks. One way is to use a certificate with several names in the SubjectAltName certificate field, for example, www.nginx.com and www.nginx.org . However, the SubjectAltName field length is limited.
Another way is to use a certificate with a wildcard name, for example, *.nginx.org . This certificate matches www.nginx.org , but does not match nginx.org and www.sub.nginx.org . These two methods can also be combined. A certificate may contain exact and wildcard names in the SubjectAltName field, for example, nginx.org and *.nginx.org .
It is better to place a certificate file with several names and its private key file at the http level of configuration to inherit their single memory copy in all servers:
ssl_certificate common.crt; ssl_certificate_key common.key; server { listen 443; server_name www.nginx.com; ssl on; ... } server { listen 443; server_name www.nginx.org; ssl on; ... }
Server Name Indication
A more generic solution for running several HTTPS servers on a single IP address is TLSv1.1 Server Name Indication extension (SNI, RFC3546), which allows a browser to pass a requested server name during the SSL handshake and, therefore, the server will know which certificate it should use for the connection. However, SNI has limited browser support. Currently it is supported starting with the following browsers versions:
- Opera 8.0;
- MSIE 7.0 (but only on Windows Vista or higher);
- Firefox 2.0 and other browsers using Mozilla Platform rv:1.8.1;
- Safari 3.2.1 (Windows version supports SNI on Vista or higher);
- and Chrome (Windows version supports SNI on Vista or higher, too).
In order to use SNI in nginx, it must be supported in both the OpenSSL libraries with which the nginx binary has been built as well as the libraries to which it is being dynamically linked at run time. OpenSSL supports SNI since 0.9.8f version if it was built with config option “--enable-tlsext”. Since OpenSSL 0.8.9j this option is enabled by default. If nginx was built with SNI support, then nginx will show this when run with the “-V” switch:
$ nginx -V ... TLS SNI support enabled ...
However, if the SNI-enabled nginx is linked dynamically to an OpenSSL library without SNI support, nginx displays the warning:
nginx was built with SNI support, however, now it is linked dynamically to an OpenSSL library which has no tlsext support, therefore SNI is not available
Compatibility
- The SNI support status has been shown by the “-V” switch since 0.8.21 and 0.7.62.
- The “ssl” parameter of the “listen” directive has been supported since 0.7.14.
- SNI has been supported since 0.5.32.
- The shared SSL session cache has been supported since 0.5.6.
- Version 0.8.19 and later: the default SSL protocols are SSLv3 and TLSv1.
- Version 0.8.18 and earlier: the default SSL protocols are SSLv2, SSLv3, and TLSv1.
- Version 0.8.20 and later: the default SSL ciphers are “HIGH:!ADH:!MD5”.
- Version 0.8.19: the default SSL ciphers are “ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM”.
-
Version 0.8.18 and earlier: the default SSL ciphers are
“ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP”.
written by Igor Sysoev
edited by Brian Mercer
发表评论
-
collectd
2011-08-03 14:27 2280collectd是一个守护(daemon)进程,用来收集系 ... -
HP ASR(Automatic Server Recovery)机制
2011-04-15 14:24 3556ASR(Automatic Server Re ... -
LINUX下用HP的IML工具查看服务器的日志信息
2011-04-14 16:40 4889LINUX下用HP的IML工具查看 ... -
LINUX做服务器的无盘系统
2011-01-26 18:19 1921客户端是支持PXE方式启 ... -
简易搭建一个私有云平台
2010-11-17 18:30 3217众说周知Amazon EC2是一个公共云的计算平台,属于Iaa ... -
[HA]利于heartbeat构建Oracle高可用
2010-09-17 12:41 476210月 24th, 2008 @ Kevin.yuan ... -
服务部署--IP SAN潜在的关键应用
2010-08-26 09:38 2094IP SAN可以说是近几年来存储领域的关键技术之一, ... -
通过HAProxy构建开源负载均衡架构平台
2010-08-09 00:07 49991. 目的 通过此作业指导书,知道如何使用ubu ... -
MySQL负载均衡
2010-08-08 23:39 46861. 添加监控MySQL状态的端口 # vi /etc/se ... -
Ha-proxy 学习
2010-08-08 23:08 8961什么是ha-proxy ... -
SQL Server 各版本的区别
2010-08-08 17:49 4037SQL Server 2005 Enterprise Ed ... -
Oracle数据库11g版本介绍
2010-08-08 17:44 3475无论您是独立开发者、中小企业还是大型企业,这些世界一 ... -
tpmC简单计算法
2010-07-29 18:59 17959计算原则: 以单台服务器性能进行计算,即确保单台服务器工作的时 ... -
KVM遥控服务器群
2010-07-07 15:54 2148众所周知,所谓KVM,就是键盘(Keyboard)、显示器 ... -
数据存储配置参考
2010-07-02 10:07 1790型号 配 置 数量 ... -
More Numbers (OpenDS and a hint at ApacheDS)
2010-04-29 23:45 2475Some more numbers have come in. ... -
利用Copssh在windows下搭建ssh服务
2010-03-09 01:04 13432现在远程维护基本上用ssh连接,linux系 ... -
Taking a load off: Load balancing with balance
2010-03-05 16:00 1781A server is limited in how man ... -
Software Based Load Balancers
2010-03-05 15:57 1838keyword:Load Balance ref: http ... -
SAN,NAS,DAS及其架构之间区别
2010-02-26 14:11 1690随着计算机技术的发展 ...
相关推荐
### Nginx与Tomcat HTTPS至HTTP反向代理配置详解 #### 一、Windows环境下Nginx与Tomcat HTTPS至HTTP反向代理配置 ##### 1. 安装Nginx - **下载Nginx** - 普通版下载地址: [http://nginx.org/en/download.html]...
在Windows环境下,配置Nginx以支持HTTPS及在同一端口监听多个网站,即配置多个虚拟主机,是一项常见的网络服务设置任务。Nginx是一个高性能的HTTP和反向代理服务器,以其稳定性、高并发处理能力而受到广泛使用。下面...
nginx转发https的配置文件,仅供参考
nginx配置https ssl 安全协议nginx配置https ssl 安全协议
阿里云服务器配置Nginx与HTTPS的流程是一个关键任务,对于提供安全的Web服务至关重要。以下将详细解释如何在CentOS7系统上进行这一过程。 首先,为了安装Nginx,你需要确保系统拥有必要的依赖库。运行以下命令来...
nginx图片服务器配置和https配置
"nginx https 配置"这个主题涉及到的是如何在Nginx上设置HTTPS服务,以实现网站的安全访问。HTTPS是HTTP协议的安全版本,通过使用SSL/TLS协议来加密数据传输,确保用户与服务器之间的通信不被中间人攻击。 首先,...
### WebLogic 集群安装及 Nginx HTTPS 反向代理及负载均衡配置 #### 一、WebLogic 集群安装 ##### 1.1 安装环境概述 在进行 WebLogic 集群的安装之前,需要对安装环境进行一定的规划与准备。这里主要包括硬件环境...
### Nginx 配置详解 + 负载均衡 + HTTPS 协议 #### 一、SSL证书申请 SSL证书是实现HTTPS的关键组件之一,它主要用于保护网站与用户之间的数据传输安全。文中提到两种常见的SSL证书类型:OpenSSL和StartSSL。在此...
本主题聚焦于如何使用Nginx作为反向代理,将HTTPS流量转换为HTTP内部通信,以确保用户数据的安全性同时优化服务器性能。以下是关于这个主题的详细解释: 首先,Nginx是一个高性能的Web服务器和反向代理服务器,它以...
Nginx配置http转https以及https访问http静态资源 Nginx是一款流行的开源Web服务器软件,常用于服务器端的反向代理、负载均衡、媒体流等功能。本文档将详细介绍如何使用Nginx配置http转https,以及https访问http静态...
要使Nginx能够同时监听HTTP和HTTPS,我们需要在server块中同时使用listen指令监听80和443端口,并且对于443端口,需要指定ssl证书和密钥。这样配置后,Nginx可以处理HTTP请求,并对HTTPS请求进行加密处理。特别的,...
本教程将详细解释如何使用自动化脚本来一键生成Nginx所用的HTTPS PEM格式证书,并适用于不同环境。 首先,我们要理解PEM(Privacy Enhanced Mail)格式,它是公钥证书的一种常见表示方式,以Base64编码,并被包裹在...
Nginx:Nginx与HTTPS配置实践.docx
总结起来,当遇到NGINX从HTTPS跳转到HTTP的问题时,我们可以通过在NGINX配置中使用`proxy_set_header`添加自定义头部,或者使用`proxy_redirect`指令来修正Location头,确保用户始终在安全的HTTPS连接中。...
Nginx是由伊戈尔·赛索耶夫为俄罗斯访问量第二的Rambler.ru站点(俄文:Рамблер)开发的,第一个公开版本0.1.0发布于2004年10月4日。其将源代码以类BSD许可证的形式发布,因它的稳定性、丰富的功能集、示例...
"title": "windows下nginx部署https服务实战","keywords": "nginx部署https服务,nginx https","ca