Mudanças entre as edições de "SSL no Gandi"

De MochilaWiki
Ir para navegaçãoIr para pesquisar
Linha 33: Linha 33:
 
cd /etc/ssl/private
 
cd /etc/ssl/private
 
openssl dhparam -out dhparam.pem 2048
 
openssl dhparam -out dhparam.pem 2048
chmod 600 dhparams.pem
+
chmod 600 dhparam.pem
 
</source>
 
</source>
  

Edição das 21h45min de 11 de dezembro de 2015

  1. Autentique no painel
  2. clique em SSL
  3. selecione o domínio
  4. clique em get
  5. copie o conteúdo e salve num arquivo com o nome nuevo.crt
wget https://www.gandi.net/static/CAs/GandiStandardSSLCA.pem
cat nuevo.crt GandiStandardSSLCA.pem > quijaua-me.crt
mkdir /etc/nginx/ssl/
mv quijaua-me.crt /etc/nginx/ssl/

referencias:

2015

com base em

conforme

openssl req -nodes -newkey rsa:2048 -sha256 -keyout myserver.key -out server.csr
cd /etc/ssl/private
openssl dhparam -out dhparam.pem 2048
chmod 600 dhparam.pem

documentação atual

no nginx ficou assim

*
    server {
        listen          80;
        server_name quijaua.me www.quijaua.me;
        access_log   /var/log/nginx/iredmail-access.log;
        error_log  /var/log/nginx/iredmail-error.log info;

        location / {
                rewrite ^ https://quijaua.me/mail permanent;
        }
    location ~ \.php$ {
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME /usr/share/apache2/roundcubemail$fastcgi_script_name;
    }

}

server {
    listen       443;
    server_name  quijaua.me;

    location / {
        root   /usr/share/apache2/;
        index  index.php index.html;
    }
     location ~ \.php$ {
        root            /usr/share/apache2;
        include         fastcgi_params;
        fastcgi_pass    127.0.0.1:9000;
        fastcgi_index   index.php;
        fastcgi_param   SCRIPT_FILENAME /usr/share/apache2$fastcgi_script_name;
        fastcgi_param   SERVER_NAME $http_host;
        fastcgi_ignore_client_abort on;
    }
    ssl                  on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate     /etc/nginx/ssl/quijaua-me.crt22;
    ssl_certificate_key  /etc/nginx/ssl/priv/myserver.key;
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_dhparam /etc/ssl/private/dhparams.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
}