配置nginx支持ssl服务器—HTTPS
下文摘自: http://docs.bigbluebutton.org/install/install.html
Configuring HTTPS on BigBlueButtonAnchor link for: configuring https on bigbluebutton
You’ll want to add HTTPS support to your BigBlueButton server for increased security. Also, as of Chrome 47, Chrome users will be unable to share their microphone via WebRTC unless BigBlueButton is loaded via HTTPS.
Configure BigBlueButton to use a domain nameAnchor link for: configure bigbluebutton to use a domain name
In order to obtain a valid SSL certificate for your server, you must configure the server to use a domain name that you own or control.
For the purposes of documentation, we will be using the domain name “example.com”, with a BigBlueButton server hosted at “bigbluebutton.example.com”.
Please run the commands as root.
Once you have a domain name and have configured it with a DNS host, add an A record pointing to your server. You can then use the bbb-conf setip command to configure BigBlueButton to use that domain name, for example:
bbb-conf --setip bigbluebutton.example.com
Obtain an SSL certificateAnchor link for: obtain an ssl certificate
In order to serve BigBlueButton over HTTPS, you need to have a valid SSL certificate. A domain validated (sometimes called “class 1”) certificate with a 2048 bit RSA key and SHA-256 checksum is the current recommended minimum, and it should be sufficient.
There are a number of providers that you could obtain a certificate from. Many domain name sales companies also offer certificates.
Some well known large providers of SSL certificates include Comodo, Symantec, GoDaddy, GlobalSign, and DigiCert. In addition, free SSL certificates are available from StartSSL and CACert, with some caveats: StartSSL certificates can’t be revoked without paying a service fee, and most people do not have the root for CACert installed in their web browser.
Each provider will give you a series of steps for generating the certificate, but they will normally include generating a private key and certificate request locally, sending the certificate request to be signed, and then receiving back the signed certificate after they have performed any required verification steps.
To install the certificate in BigBlueButton, you will need to have files for the certificate, private key, and any intermediate certificates in PEM format.
Configure nginx to use HTTPSAnchor link for: configure nginx to use https
Depending on your CA, you should now have 2 or more files, as follows:
- Certificate
- Private key
- Intermediate certificate (there may be more than one, or could be none)
The next step is to install the files on the server.
Create the directory /etc/nginx/ssl:
mkdir /etc/nginx/ssl
And now create the private key file for nginx to use (replace the hostname in the filename with your own). In addition, fix the permissions so that only root can read the private key:
cat >/etc/nginx/ssl/bigbluebutton.example.com.key <<'END'
Paste the contents of your key file here
END
chmod 0600 /etc/nginx/ssl/bigbluebutton.example.com.key
And the certificate file. Note that nginx needs your server certificate and the list of intermediate certificates together in one file (replace the hostname in the filename with your own):
cat >/etc/nginx/ssl/bigbluebutton.example.com.crt <<'END'
Paste (in order) the contents of the following files:
1. The signed certificate from the CA
2. In order, each intermediate certificate provided by the CA (but do not include the root).
END
In addition, we’ll generate a set of 2048-bit diffie-hellman parameters to improve security for some types of ciphers. This step can take several minutes to complete, particularly if run on a virtual machine.
openssl dhparam -out /etc/nginx/ssl/dhp-2048.pem 2048
Now we can edit the nginx configuration to use SSL. Edit the file /etc/nginx/sites-available/bigbluebutton
to add the marked lines. Ensure that you’re using the correct filenames to match the certificate and key files you created above.
server {
server_name bigbluebutton.example.com;
listen 80;
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/bigbluebutton.example.com.crt;
ssl_certificate_key /etc/nginx/ssl/bigbluebutton.example.com.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256";
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dhp-2048.pem;
[...]
For reference, note that the SSL settings used above are based on those proposed in https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ and provide support for all modern browsers (including IE8, but not IE6, on Windows XP). Please note that recommended SSL settings are subject to change as new vulnerabilities are found.
Test your HTTPS configurationAnchor link for: test your https configuration
In order to ensure you didn’t make any mistakes that could cause security compromises, please test your HTTPS configuration. A well-respected site that can do a series of automated tests is https://www.ssllabs.com/ssltest/ - simply enter your server’s hostname, optionally check the “Do not show results” checkbox if you would like to keep it private, then Submit.
At time of writing, the configuration shown on this page should achieve an “A” ranking in the SSL Labs test page.
配置nginx支持ssl服务器—HTTPS的更多相关文章
- 配置Nginx支持SSL SNI(一个IP绑定多个证书) 以及Haproxy实现多域名证书
概述 传统的每个SSL证书签发,每个证书都需要独立ip,假如你编译openssl和nginx时候开启TLS SNI (Server Name Identification) 支持,这样你可以安装多个S ...
- CentOS 6.7 配置nginx支持SSL/https访问
一.安装必要的包 yum install openssl openssl-devel 二.配置编译参数,增加对SSL的支持 ./configure –with-http_ssl_module 三.修改 ...
- 配置nginx支持Https
配置nginx支持Https一定要先使用stop停止nginx然后重新代开不能使用reload 一:安装letsencrypt 1.从git上克隆下来git clone https://github. ...
- 使用HttpClient发送HTTPS请求以及配置Tomcat支持SSL
这里使用的是HttpComponents-Client-4.1.2 package com.jadyer.util; import java.io.File; import java.io.FileI ...
- nginx支持ssl双向认证配置
nginx支持ssl双向认证配置 listen 443; server_name test.com; ssl on; ssl_certificate server.crt; //server端公钥 s ...
- Linux - 配置php-fpm 以及 配置nginx支持php
配置php-fpm [root@localhost php7]# which php-fpm /usr/local/php7/sbin/php-fpm [root@localhost php7]# p ...
- centos下配置nginx支持php
添加nginx 默认主页index.php vim .../etc/nginx/conf.d/default.conf location / { root /usr/share/nginx/htm ...
- LNMP搭建04 -- 配置Nginx支持PHP
首先建立存放网页文件的目录,执行 mkdri /usr/local/server/www 然后进入到该目录中 cd /usr/local/server/www 然后创建一个测试文件: phpinfo ...
- Ubuntu下安装LNMP之php7的安装并配置Nginx支持php及卸载php
据了解,php7是比之前的版本性能快很多的.http://php.net/get/php-7.2.2.tar.gz/from/a/mirror 安装前也可提前将相关依赖库安装好,或者在安装php时若安 ...
随机推荐
- C#字符串排序效率
前几天看到个node.js和C#比较性能的文章,在那篇文章中C#的性能居然输了,按理说这是不可能的,除非有什么特殊的情况拖慢了性能.查看其异步的写法,最终发现没有什么问题,起码不是主要问题.后来用VS ...
- Hello World of OpenCascade
Hello World of OpenCascade eryar@163.com 摘要Abstract:以一个经典的Hello World程序为例开始对开源几何造型内核OpenCascade的学习. ...
- 关于Android多项目依赖在Eclipse中无法关联源代码的问题解决
被Eclipse中Android依赖项目无法关联源代码的问题困扰了许久,网上搜索了一下,终于得到解决,大大提高了开发效率. 问题描述: 项目有A,B两个Android Project组成, B是And ...
- 在Objective-C中浅谈面向对象
接触面向对象也有一段时间了,当时是通过C++学习的OOP,后来又接触到了PHP和Java.每种OOP的语言在面向对象上或多或少都会有不同的地方,现在在学习OC的面向对象部分,又感觉到OC面向对象的特点 ...
- react-native 学习之TextInput组件篇
/** * Sample React Native App * https://github.com/facebook/react-native */ 'use strict'; import Rea ...
- mouseenter以及mouseleave兼容性
在IE的全系列中都实现了mouseenter和mouseleave事件,但是在早期的w3c浏览器中却没有实现这两个事件.有时候,我们需要使用 mouseenter事件来防止子元素的冒泡,这就涉及到事件 ...
- SQL Server SQL性能优化之--数据库在“简单”参数化模式下,自动参数化SQL带来的问题
数据库参数化的模式 数据库的参数化有两种方式,简单(simple)和强制(forced),默认的参数化默认是“简单”,简单模式下,如果每次发过来的SQL,除非完全一样,否则就重编译它(特殊情况会自动参 ...
- Net设计模式实例之建造者模式(Builder Pattern)
一.建造者模式简介(Brief Introduction) 建造者模式(Builder Pattern),将一个复杂对象的构建与它的表示分离,使的同样的构建过程可以创建不同的表示. 建造者模式的优点是 ...
- 自定义UIButton
偶尔逛简书能看见很多值得记下来的东西,有的接触过有的没接触过,接触过的也可能过段时间就忘记了,再上手的时候可能手足无措,所以决定有些觉得值得记下来的东西还是记录一下.博客是个好地方,因为很多人都能搜索 ...
- 分享一个UI与业务逻辑分层的框架(一)
序言 .NET(C#)的WinForm如何简单易行地进行UI与业务逻辑分层?本系列文章介绍一个WinForm分层框架,该框架针对WinForm中的TextBox,CheckBox,RadioButto ...