Самоподписанный сертификат для nginx

Генерация сертификата

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/private.key -out /etc/ssl/certs/pub-cert.crt
$
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

Пример конфигурации nginx

server {
listen 4343 ssl;

    root /path/to/web;
    server_name _;

    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    #resolver 8.8.8.8 8.8.4.4 valid=300s;
    #resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_certificate /etc/ssl/certs/pub-cert.crt;
    ssl_certificate_key /etc/ssl/private/private.key;

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    location / {
        try_files $uri $uri/ =404;
    }
}

Опубликовано

02.06.2023

SSL/TLS

от

voodoomg

Метки:

self-signed

Самоподписанный сертификат для nginx

Генерация сертификата

Пример конфигурации nginx

Комментарии

Добавить комментарий Отменить ответ