Mudanças entre as edições de "SSL no Gandi"
De MochilaWiki
Ir para navegaçãoIr para pesquisar (→2015) |
|||
| Linha 33: | Linha 33: | ||
* https://weakdh.org/ | * https://weakdh.org/ | ||
* https://en.wikipedia.org/wiki/Forward_secrecy | * https://en.wikipedia.org/wiki/Forward_secrecy | ||
| + | http://fatorbinario.com/tutorial-ssl-aprenda-a-instalar-um-certificado-de-baixo-custo-para-o-seu-site/ | ||
usar sha2 | usar sha2 | ||
| Linha 80: | Linha 81: | ||
} | } | ||
ssl on; | ssl on; | ||
| + | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||
ssl_certificate /etc/nginx/ssl/quijaua-me.crt22; | ssl_certificate /etc/nginx/ssl/quijaua-me.crt22; | ||
ssl_certificate_key /etc/nginx/ssl/priv/myserver.key; | ssl_certificate_key /etc/nginx/ssl/priv/myserver.key; | ||
| − | + | ssl_prefer_server_ciphers on; | |
| + | ssl_stapling on; | ||
| + | ssl_stapling_verify on; | ||
| + | ssl_dhparam /etc/ssl/private/dhparams.pem; | ||
| + | add_header Strict-Transport-Security "max-age=31536000; includeSubdomains"; | ||
| + | ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; | ||
} | } | ||
</source> | </source> | ||
Edição das 14h17min de 5 de dezembro de 2015
- Autentique no painel
- clique em SSL
- selecione o domínio
- clique em get
- copie o conteúdo e salve num arquivo com o nome nuevo.crt
wget https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem
cat nuevo.crt GandiStandardSSLCA.pem > quijaua-me.crt
mkdir /etc/nginx/ssl/
mv quijaua-me.crt /etc/nginx/ssl/
referencias:
- https://library.linode.com/web-servers/nginx/configuration/ssl
- http://docs.nkosi.org/IRedMail_com_Nginx
- https://nicolas.perriault.net/code/2012/gandi-standard-ssl-certificate-nginx/
- http://wiki.gandi.net/en/hosting/using-linux/tutorials/ubuntu/ssl
- http://wiki.gandi.net/en/ssl/csr
- IRedMail com Nginx
- Certifcado SSL
2015
com base em
conforme
faltou
- https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know
- https://weakdh.org/
- https://en.wikipedia.org/wiki/Forward_secrecy
usar sha2
documentação atual
- http://jlecour.github.io/ssl-gandi-nginx-debian/
- https://fak3r.com/2014/08/04/howto-serve-gandi-ssl-certs-in-nginx/
- http://charlieharvey.org.uk/page/gandi_sha2_intermediate_cert_ssl_tls
no nginx ficou assim
*
server {
listen 80;
server_name quijaua.me www.quijaua.me;
access_log /var/log/nginx/iredmail-access.log;
error_log /var/log/nginx/iredmail-error.log info;
location / {
rewrite ^ https://quijaua.me/mail permanent;
}
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME /usr/share/apache2/roundcubemail$fastcgi_script_name;
}
}
server {
listen 443;
server_name quijaua.me;
location / {
root /usr/share/apache2/;
index index.php index.html;
}
location ~ \.php$ {
root /usr/share/apache2;
include fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /usr/share/apache2$fastcgi_script_name;
fastcgi_param SERVER_NAME $http_host;
fastcgi_ignore_client_abort on;
}
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_certificate /etc/nginx/ssl/quijaua-me.crt22;
ssl_certificate_key /etc/nginx/ssl/priv/myserver.key;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_dhparam /etc/ssl/private/dhparams.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
}
