Nginx provides secure HTTP functionalities through the SSL module but also offers an extra module called Secure Link that helps you protect your website and visitors in a totally different way.

SSL

The SSL module enables HTTPS support, HTTP over SSL/TLS in particular. It gives you the possibility to serve secure websites by providing a certificate, a certificate key, and other parameters defined with the following directives:

This module is not included in the default Nginx build.


ssl

Context: http, server

Enables HTTPS for the specified server. This directive is the equivalent of listen 443 ssl or listen port ssl more generally.

Syntax: on or off

Default: ssl off;


ssl_certificate

Context: http, server

Sets the path of the PEM certificate.

Syntax: File path


ssl_certificate_key

Context: http, server

Sets the path of the PEM secret key file.

Syntax: File path


ssl_client_certificate

Context: http, server

Sets the path of the client PEM certificate.

Syntax: File path


ssl_crl

Context: http, server

Orders Nginx to load a CRL (Certificate Revocation List) file, which allows checking the revocation status of certificates.


ssl_dhparam

Context: http, server

Sets the path of the Diffie-Hellman parameters file.

Syntax: File path.


ssl_protocols

Context: http, server

Specifies the protocol that should be employed.

Syntax: ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2];

Default: ssl_protocols SSLv2 SSLv3 TLSv1;


ssl_ciphers

Context: http, server

Specifies the ciphers that should be employed. The list of available ciphers can be obtained running the following command from the shell: openssl ciphers.

Syntax: ssl_ciphers cipher1[:cipher2…];

Default: ssl_ciphers ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;


ssl_prefer_server_ciphers

Context: http, server

Specifies whether server ciphers should be preferred over client ciphers.

Syntax: on or off

Default: off


ssl_verify_client

Context: http, server

Enables verifying certificates transmitted by the client and sets the result in the $ssl_client_verify. The optional_no_ca value verifies the certificate if there is one, but does not require it to be signed by a trusted CA certificate.

Syntax: on | off | optional | optional_no_ca

Default: off


ssl_session_cache

Context: http, server

Configures the cache for SSL sessions.

Syntax: off, none, builtin:size or shared:name:size

Default: off (disables SSL sessions)


ssl_session_timeout

Context: http, server

When SSL sessions are enabled, this directive defines the timeout for using session data.

Syntax: Time value

Default: 5 minutes


Additionally, the following variables are made available:

  • $ssl_cipher: Indicates the cipher used for the current request
  • $ssl_client_serial: Indicates the serial number of the client certificate
  • $ssl_client_s_dn and $ssl_client_i_dn: Indicates the value of the Subject and Issuer DN of the client certificate
  • $ssl_protocol: Indicates the protocol at use for the current request
  • $ssl_client_cert and $ssl_client_raw_cert: Returns client certificate data, which is raw data for the second variable
  • $ssl_client_verify: Set to SUCCESS if the client certificate was successfully verified
  • $ssl_session_id: Allows you to retrieve the ID of an SSL session

Setting Up an SSL Certificate

Although the SSL module offers a lot of possibilities, in most cases only a couple of directives are actually useful for setting up a secure website. This guide will help you configure Nginx to use an SSL certificate for your website (in the example, your website is identified by secure.website.com). Before doing so, ensure that you already have the following elements at your disposal:

  • A .key file generated with the following command: openssl genrsa -out secure.website.com.key 1024 (other encryption levels work too).
  • A .csr file generated with the following command: openssl req -new -key secure.website.com.key -out secure.website.com.csr.
  • Your website certificate file, as issued by the Certificate Authority, for example, secure.website.com.crt. (Note: In order to obtain a certificate from the CA, you will need to provide your .csr file.)
  • The CA certificate file as issued by the CA (for example, gd_bundle.crt if you purchased your certificate from GoDaddy.com).

The first step is to merge your website certificate and the CA certificate together with the following command:

cat secure.website.com.crt gd_bundle.crt > combined.crt

You are then ready to configure Nginx to serve secure content:

server {
  listen 443;
  server_name secure.website.com;
  ssl on;
  ssl_certificate /path/to/combined.crt;
  ssl_certificate_key /path/to/secure.website.com.key;
  […]
}

Secure Link

Totally independent from the SSL module, Secure link provides a basic protection by checking the presence of a specific hash in the URL before allowing the user to access a resource:

location /downloads/ {
  secure_link_md5 "secret";
  secure_link $arg_hash,$arg_expires;
  if ($secure_link = "") {
    return 403;
  }
}

With such a configuration, documents in the /downloads/ folder must be accessed via a URL containing a query string parameter hash=XXX (note the $arg_hash in the example), where XXX is the MD5 hash of the secret you defined through the secure_link_md5 directive. The second argument of the secure_link directive is a UNIX timestamp defining the expiration date. The $secure_link variable is empty if the URI does not contain the proper hash or if the date has expired. Otherwise, it is set to 1.

This module is not included in the default Nginx build.

Nginx - Additional Modules, SSL and Security的更多相关文章

  1. Nginx - Additional Modules, About Your Visitors

    The following set of modules provides extra functionality that will help you find out more informati ...

  2. Nginx - Additional Modules, Website Access and Logging

    The following set of modules allows you to configure how visitors access your website and the way yo ...

  3. Nginx - Additional Modules, Limits and Restrictions

    The following modules allow you to regulate access to the documents of your websites — require users ...

  4. Nginx - Additional Modules, Content and Encoding

    The following set of modules provides functionalities having an effect on the contents served to the ...

  5. Nginx自建SSL证书部署HTTPS网站

    一.创建SSL相关证书 1.安装Nginx(这里为了测试使用yum安装,实际看具体情况) [root@localhost ~]# yum install nginx -y #默认yum安装已经支持SS ...

  6. Nginx 下配置SSL证书的方法

    1.Nginx 配置 ssl 模块 默认 Nginx 是没有 ssl 模块的,而我的 VPS 默认装的是 Nginx 0.7.63 ,顺带把 Nginx 升级到 0.7.64 并且 配置 ssl 模块 ...

  7. Nginx配置免费SSL证书StartSSL,解决Firefox不信任问题

    先在StartSSL上申请免费一年的SSL证书,具体过程网上很多教程.然后把申请到的key和crt文件上传到服务器,比如/usr/local/nginx/certs/. Nginx配置SSL证书 直接 ...

  8. CentOS6.5 下在Nginx中添加SSL证书以支持HTTPS协议访问

    参考文献: 1. NginxV1.8.0安装与配置 2. CentOS下在Nginx中添加SSL证书以支持HTTPS协议访问 3. nginx配置ssl证书的方法 4.nginx强制使用https访问 ...

  9. nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/nginx.conf:37

    一:开始Nginx的SSL模块 1.1 Nginx如果未开启SSL模块,配置Https时提示错误 1 nginx: [emerg] the "ssl" parameter requ ...

随机推荐

  1. UVa 1629 Cake slicing (记忆化搜索)

    题意:一个矩形蛋糕上有好多个樱桃,现在要做的就是切割最少的距离,切出矩形形状的小蛋糕,让每个蛋糕上都有一个樱桃,问最少切割距离是多少. 析:很容易知道是记忆化搜索,我们用dp[u][d][l][r]来 ...

  2. 从最简单的HelloWorld理解MVP模式

    版权声明:本文为博主原创文章,转载请注明出处:http://www.cnblogs.com/joy99/p/6116855.html 大多数编程语言相关的学习书籍,都会以hello,world这个典型 ...

  3. Spring中注解事务方面的问题

    我们可以在spring的配置文件beans.xml中对事务进行注解配置,这样在相应的类中就不用对事务进行管事,对于某个类,想单独交给spring来管理,那么就在相应的类上加入@Transactiona ...

  4. velocity 快速入门

    基本语法      1.变量定义 : $name 注意 : a.名字和$配合一起用  b.更规范的写法是 ${name} 2.赋值 : #set($name = "威少") 3.条 ...

  5. 如何将mysql表结构导出成Excel格式的(并带备注)

    http://www.liangchan.net/liangchan/4561.html 1.使用一个mysql管理工具:SQLyog,点击菜单栏“数据库”下拉的最后一项: 导出的格式如下: 2.要想 ...

  6. CustomerSOList

    using System; using System.Collections.Generic; using System.Linq; using System.Web; using System.We ...

  7. PostgreSQL的initdb 源代码分析之六

    继续分析 下面的是获取运行此程序的用户名称,主要还是为了防止在linux下用root来运行的情形. effective_user = get_id(); ) username = effective_ ...

  8. Spring强制使用CGLIB代理事务

    Spring强制使用CGLIB代理事务   springaopjdkreferenceclasspath Spring1.2: 将事务代理工厂[TransactionProxyFactoryBean] ...

  9. Excel设置数据有效性实现单元格下拉菜单的3种方法(转)

    http://blog.csdn.net/cdefu/article/details/4129136 一.直接输入: 1.选择要设置的单元格,譬如A1单元格: 2.选择菜单栏的“数据”→“有效性”→出 ...

  10. Codeforces Beta Round #51 B. Smallest number dfs

    B. Smallest number Time Limit: 20 Sec Memory Limit: 256 MB 题目连接 http://codeforces.com/contest/55/pro ...