配置nginx支持ssl服务器—HTTPS
下文摘自: http://docs.bigbluebutton.org/install/install.html
Configuring HTTPS on BigBlueButtonAnchor link for: configuring https on bigbluebutton
You’ll want to add HTTPS support to your BigBlueButton server for increased security. Also, as of Chrome 47, Chrome users will be unable to share their microphone via WebRTC unless BigBlueButton is loaded via HTTPS.
Configure BigBlueButton to use a domain nameAnchor link for: configure bigbluebutton to use a domain name
In order to obtain a valid SSL certificate for your server, you must configure the server to use a domain name that you own or control.
For the purposes of documentation, we will be using the domain name “example.com”, with a BigBlueButton server hosted at “bigbluebutton.example.com”.
Please run the commands as root.
Once you have a domain name and have configured it with a DNS host, add an A record pointing to your server. You can then use the bbb-conf setip command to configure BigBlueButton to use that domain name, for example:
bbb-conf --setip bigbluebutton.example.com
Obtain an SSL certificateAnchor link for: obtain an ssl certificate
In order to serve BigBlueButton over HTTPS, you need to have a valid SSL certificate. A domain validated (sometimes called “class 1”) certificate with a 2048 bit RSA key and SHA-256 checksum is the current recommended minimum, and it should be sufficient.
There are a number of providers that you could obtain a certificate from. Many domain name sales companies also offer certificates.
Some well known large providers of SSL certificates include Comodo, Symantec, GoDaddy, GlobalSign, and DigiCert. In addition, free SSL certificates are available from StartSSL and CACert, with some caveats: StartSSL certificates can’t be revoked without paying a service fee, and most people do not have the root for CACert installed in their web browser.
Each provider will give you a series of steps for generating the certificate, but they will normally include generating a private key and certificate request locally, sending the certificate request to be signed, and then receiving back the signed certificate after they have performed any required verification steps.
To install the certificate in BigBlueButton, you will need to have files for the certificate, private key, and any intermediate certificates in PEM format.
Configure nginx to use HTTPSAnchor link for: configure nginx to use https
Depending on your CA, you should now have 2 or more files, as follows:
- Certificate
- Private key
- Intermediate certificate (there may be more than one, or could be none)
The next step is to install the files on the server.
Create the directory /etc/nginx/ssl:
mkdir /etc/nginx/ssl
And now create the private key file for nginx to use (replace the hostname in the filename with your own). In addition, fix the permissions so that only root can read the private key:
cat >/etc/nginx/ssl/bigbluebutton.example.com.key <<'END'
Paste the contents of your key file here
END
chmod 0600 /etc/nginx/ssl/bigbluebutton.example.com.key
And the certificate file. Note that nginx needs your server certificate and the list of intermediate certificates together in one file (replace the hostname in the filename with your own):
cat >/etc/nginx/ssl/bigbluebutton.example.com.crt <<'END'
Paste (in order) the contents of the following files:
1. The signed certificate from the CA
2. In order, each intermediate certificate provided by the CA (but do not include the root).
END
In addition, we’ll generate a set of 2048-bit diffie-hellman parameters to improve security for some types of ciphers. This step can take several minutes to complete, particularly if run on a virtual machine.
openssl dhparam -out /etc/nginx/ssl/dhp-2048.pem 2048
Now we can edit the nginx configuration to use SSL. Edit the file /etc/nginx/sites-available/bigbluebutton
to add the marked lines. Ensure that you’re using the correct filenames to match the certificate and key files you created above.
server {
server_name bigbluebutton.example.com;
listen 80;
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/bigbluebutton.example.com.crt;
ssl_certificate_key /etc/nginx/ssl/bigbluebutton.example.com.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!AES256";
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dhp-2048.pem;
[...]
For reference, note that the SSL settings used above are based on those proposed in https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ and provide support for all modern browsers (including IE8, but not IE6, on Windows XP). Please note that recommended SSL settings are subject to change as new vulnerabilities are found.
Test your HTTPS configurationAnchor link for: test your https configuration
In order to ensure you didn’t make any mistakes that could cause security compromises, please test your HTTPS configuration. A well-respected site that can do a series of automated tests is https://www.ssllabs.com/ssltest/ - simply enter your server’s hostname, optionally check the “Do not show results” checkbox if you would like to keep it private, then Submit.
At time of writing, the configuration shown on this page should achieve an “A” ranking in the SSL Labs test page.
配置nginx支持ssl服务器—HTTPS的更多相关文章
- 配置Nginx支持SSL SNI(一个IP绑定多个证书) 以及Haproxy实现多域名证书
概述 传统的每个SSL证书签发,每个证书都需要独立ip,假如你编译openssl和nginx时候开启TLS SNI (Server Name Identification) 支持,这样你可以安装多个S ...
- CentOS 6.7 配置nginx支持SSL/https访问
一.安装必要的包 yum install openssl openssl-devel 二.配置编译参数,增加对SSL的支持 ./configure –with-http_ssl_module 三.修改 ...
- 配置nginx支持Https
配置nginx支持Https一定要先使用stop停止nginx然后重新代开不能使用reload 一:安装letsencrypt 1.从git上克隆下来git clone https://github. ...
- 使用HttpClient发送HTTPS请求以及配置Tomcat支持SSL
这里使用的是HttpComponents-Client-4.1.2 package com.jadyer.util; import java.io.File; import java.io.FileI ...
- nginx支持ssl双向认证配置
nginx支持ssl双向认证配置 listen 443; server_name test.com; ssl on; ssl_certificate server.crt; //server端公钥 s ...
- Linux - 配置php-fpm 以及 配置nginx支持php
配置php-fpm [root@localhost php7]# which php-fpm /usr/local/php7/sbin/php-fpm [root@localhost php7]# p ...
- centos下配置nginx支持php
添加nginx 默认主页index.php vim .../etc/nginx/conf.d/default.conf location / { root /usr/share/nginx/htm ...
- LNMP搭建04 -- 配置Nginx支持PHP
首先建立存放网页文件的目录,执行 mkdri /usr/local/server/www 然后进入到该目录中 cd /usr/local/server/www 然后创建一个测试文件: phpinfo ...
- Ubuntu下安装LNMP之php7的安装并配置Nginx支持php及卸载php
据了解,php7是比之前的版本性能快很多的.http://php.net/get/php-7.2.2.tar.gz/from/a/mirror 安装前也可提前将相关依赖库安装好,或者在安装php时若安 ...
随机推荐
- v-if VS v-show
在vue实现轮播图效果 中分别用到 v-if和 v-show 下面讲讲我理解的他们的区别: v-if: 根据表达式的值的真假条件渲染元素.在切换时元素及它的数据绑定 / 组件被销毁并重建.如果元素是 ...
- CodeIgniter笔记-去掉index.php
1.修改Apache 的配置文件把LoadModule rewrite_module modules/mod_rewrite.so该行前的#去掉. 2.将 AllowOverride None ,修改 ...
- C# 设置word文档页面大小
我们知道,在MS word中,默认的页面大小是letter(8.5’’x11’’),除此之外,word还提供了其他一些预定义的页面大小,如Legal (5.4’’x14’’),A3 (11.69’’x ...
- hibernate笔记--单向一对多映射方法
上一篇讲的是单向多对一的表关系,与单向一对多的关系正好相反,如下图所示关系: ,可以看出年级表和学生表是一对多的关系,一条年级信息对应多条学生信息,在hibernate中成为单向的一对多的映射关系,应 ...
- TreeView控件使用
treeView1.SelectedNode = treeView1.Nodes[0]; //选中当前treeview控件的根节点为当前节点添加子节点: TreeNode tmp; tmp = n ...
- 给ubuntu中的软件设置desktop快捷方式(以android studio为例)
ubuntu的快捷方式都在/usr/share/applications/路径下有很多*.desktop(eclipse的快捷方式也可以类似设置) 下面就建立我们的studio sudo gedit ...
- Android TextView中显示图片
Android官方给我们提供的Html类下面的fromHtml方法 当你需要转换的HTML代码是带图片的,比如<IMG/>,那么你就需要使用到重载的第二个方法了,这个方法里面有个Image ...
- Android之消息机制Handler,Looper,Message解析
PS:由于感冒原因,本篇写的有点没有主干,大家凑合看吧.. 学习内容: 1.MessageQueue,Looper,MessageQueue的作用. 2.子线程向主线程中发送消息 3.主线程向子线程中 ...
- html5 canvas 画图表
(function () { var canvas = document.createElement("canvas"); canvas.width = 800; canvas.h ...
- webControls与客户端脚本路径
网上有用的资料不多,在一本电子书中摘抄了内容如下 webControls配置节只有一个clientScriptsLocation属性,此属性用于指定ASP.NET客户端脚本的默认存放路径.这些文件是包 ...