配置nginx支持ssl服务器—HTTPS
下文摘自: http://docs.bigbluebutton.org/install/install.html
Configuring HTTPS on BigBlueButtonAnchor link for: configuring https on bigbluebutton
You’ll want to add HTTPS support to your BigBlueButton server for increased security. Also, as of Chrome 47, Chrome users will be unable to share their microphone via WebRTC unless BigBlueButton is loaded via HTTPS.
Configure BigBlueButton to use a domain nameAnchor link for: configure bigbluebutton to use a domain name
In order to obtain a valid SSL certificate for your server, you must configure the server to use a domain name that you own or control.
For the purposes of documentation, we will be using the domain name “example.com”, with a BigBlueButton server hosted at “bigbluebutton.example.com”.
Please run the commands as root.
Once you have a domain name and have configured it with a DNS host, add an A record pointing to your server. You can then use the bbb-conf setip command to configure BigBlueButton to use that domain name, for example:
bbb-conf --setip bigbluebutton.example.com
Obtain an SSL certificateAnchor link for: obtain an ssl certificate
In order to serve BigBlueButton over HTTPS, you need to have a valid SSL certificate. A domain validated (sometimes called “class 1”) certificate with a 2048 bit RSA key and SHA-256 checksum is the current recommended minimum, and it should be sufficient.
There are a number of providers that you could obtain a certificate from. Many domain name sales companies also offer certificates.
Some well known large providers of SSL certificates include Comodo, Symantec, GoDaddy, GlobalSign, and DigiCert. In addition, free SSL certificates are available from StartSSL and CACert, with some caveats: StartSSL certificates can’t be revoked without paying a service fee, and most people do not have the root for CACert installed in their web browser.
Each provider will give you a series of steps for generating the certificate, but they will normally include generating a private key and certificate request locally, sending the certificate request to be signed, and then receiving back the signed certificate after they have performed any required verification steps.
To install the certificate in BigBlueButton, you will need to have files for the certificate, private key, and any intermediate certificates in PEM format.
Configure nginx to use HTTPSAnchor link for: configure nginx to use https
Depending on your CA, you should now have 2 or more files, as follows:
- Certificate
- Private key
- Intermediate certificate (there may be more than one, or could be none)
The next step is to install the files on the server.
Create the directory /etc/nginx/ssl:
mkdir /etc/nginx/ssl
And now create the private key file for nginx to use (replace the hostname in the filename with your own). In addition, fix the permissions so that only root can read the private key:
cat >/etc/nginx/ssl/bigbluebutton.example.com.key <<'END'
Paste the contents of your key file here
END
chmod 0600 /etc/nginx/ssl/bigbluebutton.example.com.key
And the certificate file. Note that nginx needs your server certificate and the list of intermediate certificates together in one file (replace the hostname in the filename with your own):
cat >/etc/nginx/ssl/bigbluebutton.example.com.crt <<'END'
Paste (in order) the contents of the following files:
1. The signed certificate from the CA
2. In order, each intermediate certificate provided by the CA (but do not include the root).
END
In addition, we’ll generate a set of 2048-bit diffie-hellman parameters to improve security for some types of ciphers. This step can take several minutes to complete, particularly if run on a virtual machine.
openssl dhparam -out /etc/nginx/ssl/dhp-2048.pem 2048
Now we can edit the nginx configuration to use SSL. Edit the file /etc/nginx/sites-available/bigbluebutton to add the marked lines. Ensure that you’re using the correct filenames to match the certificate and key files you created above.
server {
server_name bigbluebutton.example.com;
listen 80;
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/bigbluebutton.example.com.crt;
ssl_certificate_key /etc/nginx/ssl/bigbluebutton.example.com.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256";
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dhp-2048.pem;
[...]
For reference, note that the SSL settings used above are based on those proposed in https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ and provide support for all modern browsers (including IE8, but not IE6, on Windows XP). Please note that recommended SSL settings are subject to change as new vulnerabilities are found.
Test your HTTPS configurationAnchor link for: test your https configuration
In order to ensure you didn’t make any mistakes that could cause security compromises, please test your HTTPS configuration. A well-respected site that can do a series of automated tests is https://www.ssllabs.com/ssltest/ - simply enter your server’s hostname, optionally check the “Do not show results” checkbox if you would like to keep it private, then Submit.
At time of writing, the configuration shown on this page should achieve an “A” ranking in the SSL Labs test page.
配置nginx支持ssl服务器—HTTPS的更多相关文章
- 配置Nginx支持SSL SNI(一个IP绑定多个证书) 以及Haproxy实现多域名证书
概述 传统的每个SSL证书签发,每个证书都需要独立ip,假如你编译openssl和nginx时候开启TLS SNI (Server Name Identification) 支持,这样你可以安装多个S ...
- CentOS 6.7 配置nginx支持SSL/https访问
一.安装必要的包 yum install openssl openssl-devel 二.配置编译参数,增加对SSL的支持 ./configure –with-http_ssl_module 三.修改 ...
- 配置nginx支持Https
配置nginx支持Https一定要先使用stop停止nginx然后重新代开不能使用reload 一:安装letsencrypt 1.从git上克隆下来git clone https://github. ...
- 使用HttpClient发送HTTPS请求以及配置Tomcat支持SSL
这里使用的是HttpComponents-Client-4.1.2 package com.jadyer.util; import java.io.File; import java.io.FileI ...
- nginx支持ssl双向认证配置
nginx支持ssl双向认证配置 listen 443; server_name test.com; ssl on; ssl_certificate server.crt; //server端公钥 s ...
- Linux - 配置php-fpm 以及 配置nginx支持php
配置php-fpm [root@localhost php7]# which php-fpm /usr/local/php7/sbin/php-fpm [root@localhost php7]# p ...
- centos下配置nginx支持php
添加nginx 默认主页index.php vim .../etc/nginx/conf.d/default.conf location / { root /usr/share/nginx/htm ...
- LNMP搭建04 -- 配置Nginx支持PHP
首先建立存放网页文件的目录,执行 mkdri /usr/local/server/www 然后进入到该目录中 cd /usr/local/server/www 然后创建一个测试文件: phpinfo ...
- Ubuntu下安装LNMP之php7的安装并配置Nginx支持php及卸载php
据了解,php7是比之前的版本性能快很多的.http://php.net/get/php-7.2.2.tar.gz/from/a/mirror 安装前也可提前将相关依赖库安装好,或者在安装php时若安 ...
随机推荐
- supportRequestWindowFeature与requestWindowFeature
在Activity中去掉标题栏只需要在onCreate()中在setContentView前使用requestWindowFeature(). 在AppCompatActivity中去掉标题栏只需要在 ...
- Electron Angular 开发小记
一介绍 electron分为主进程和渲染进程,主进程负责和原生交互,控制窗口等. 渲染进程就是普通网页.主进程和渲染进程可以通过ipcMain(主进程使用)及ipcRenderer(渲染进程用)通信 ...
- 解析C#类中的构造函数
<解析C#类中的构造函数> 一. C#中的构造函数概述: C#中类包含数据成员和函数成员.函数成员提供了操作类中数据的某些功能,包括方法.属性.构造器和终结器.运算符和索引器. 构造函数 ...
- JS函数相关及递归函数的使用
JS函数相关及递归函数的使用 通用js程序: function 函数名(参数列表) { 函数体 } 可使用alert()输出,也可用return返回值. alert与return区别: functio ...
- Sql Server 聚集索引扫描 Scan Direction的两种方式------FORWARD 和 BACKWARD
最近发现一个分页查询存储过程中的的一个SQL语句,当聚集索引列的排序方式不同的时候,效率差别达到数十倍,让我感到非常吃惊 由此引发出来分页查询的情况下对大表做Clustered Scan的时候, 不同 ...
- DirectShow+VS2010+Win7配置说明
不得不说,使用windows的东西确实很麻烦,DirectShow这个东西不断更新换代,书本上的知识完全跟不上时代,只能去博客上查资料.百度之后,看了大量的文章,终于完成了自己的DirectShow安 ...
- VS编译链接时错误(Error Link2005)的解决方法
近期参与的项目中使用了公司另外一个同事提供的一个静态库文件.该静态库文件集成了CUDA, OpenCL两个库,用于做图形加速计算,提高视频解码拼接速度.但是在编译链接项目时,VS爆出如下错误: 1&g ...
- 6.Configure Domain Classes(配置领域类)【EF Code-First 系列】
在前面的部分中,我们学习了Code-First默认约定,Code-First使用默认的约定,根据你的领域类,然后生成概念模型. Code-First模式,发起了一种编程模式:约定大于配置.这也就是说, ...
- webpack+vue-cli项目打包技巧
1.设置config文件夹index.js中productionSourceMap的值为false,也就是设置webpack配置中devtool为false,打包后文件体积可以减少百分之八十!!!!! ...
- C++ this指针的用法
this指针的含义及其用法: 1. this指针是一个隐含于每一个成员函数中的特殊指针.它指向正在被该成员函数操作的那个对象.2. 当对一个对象调用成员函数时,编译程序先将对象的地址赋给this指针, ...