2025-04-05 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
Configuring an HTTPS certificate for the platform

Preparation:
1. Certificate files issued by the CA for the domain
2. Configure the certificate on Nginx
3. Configure the certificate on the backend IIS site
4. Adjust the program code so it can tell HTTP from HTTPS
I. Configure the certificate on Nginx

    listen 443 ssl;
    ssl on;                      # redundant with "listen ... ssl"; deprecated since nginx 1.15.0 and removed in 1.25.1
    ssl_certificate     /usr/local/nginx/keys/xxx.com.pem;
    ssl_certificate_key /usr/local/nginx/keys/xxx.com.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1;   # as on the page; SSLv3 is broken (POODLE) and is dropped in the platform configuration further down
    ssl_ciphers HIGH:!ADH:!EXPORT56:RC4+RSA:+MEDIUM;   # old nginx default cipher string; it still admits RC4, which RFC 7465 prohibits
    ssl_prefer_server_ciphers on;
    server_name xxx.xxx.com;
    index index.html;
    access_log logs/ssl.lan.xxx.xxx.com access_log;
In Nginx, the backend service is declared as the load-balanced upstream.
Note that proxy_pass must use the https:// scheme, because the IIS site is bound to HTTPS only.
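As an added example (not the page's own configuration), the following shows the backend IIS site declared as an upstream and proxied over HTTPS. The backend address 10.0.0.11, the CA bundle path and the header set are assumptions; port 30011 is the one the page assigns to the IIS binding and xxx.xxx.com is the page's host name. Nginx does not verify the upstream's certificate unless told to (proxy_ssl_verify defaults to off), so the example switches verification on.

```nginx
# Added example: Nginx terminating TLS and proxying to the IIS site over HTTPS.
# Assumed values: backend IP 10.0.0.11 (IIS bound to https on port 30011, as on
# the page), the CA bundle path, and the header names passed to the application.

upstream iis_backend {
    server 10.0.0.11:30011;   # the IIS https binding; add more servers for load balancing
    keepalive 32;
}

server {
    listen 443 ssl;
    server_name xxx.xxx.com;

    ssl_certificate     /usr/local/nginx/keys/xxx.com.pem;
    ssl_certificate_key /usr/local/nginx/keys/xxx.com.key;

    location / {
        # proxy_pass must use https://, because the IIS binding is HTTPS-only.
        proxy_pass https://iis_backend;

        # Verify the backend certificate. With the default (proxy_ssl_verify off)
        # anyone who can interpose between Nginx and IIS goes unnoticed.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /usr/local/nginx/keys/backend-ca.pem;  # assumed path
        proxy_ssl_server_name         on;              # send SNI to the backend
        proxy_ssl_name                xxx.xxx.com;     # name the backend certificate is issued for
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # Keep-alive to the upstream needs HTTP/1.1 and an empty Connection header.
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Pass the original host and client details, so the application can tell
        # an HTTPS client from an HTTP one even if the backend hop is changed later.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

proxy_ssl_name must be set explicitly here: verification otherwise checks the certificate against $proxy_host, which for an upstream block is the literal name "iis_backend" and would never match.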
II. Configure the certificate on IIS

1. Import the certificate
Open the mmc console and add the Certificates snap-in. Import the corresponding certificate files into both the "Personal" and "Intermediate Certification Authorities" stores; both nodes need the import.

2. Bind the certificate to the site
Once the certificate has been imported, select the https type when adding the site binding and the imported certificate appears in the SSL certificate list.
Note that the host name must be one the certificate was issued for; with a wildcard certificate only a single label may take the place of the asterisk, so the host name must not contain an additional ".".
Port 30011 is configured here as the port the Nginx upstream connects to.
Note: the host name in the binding can be left empty, since Nginx reaches the backend by IP address and port.
III. Supporting HTTPS in the program

In the program, the exam, timing, video and login addresses are chosen according to IsSecureConnection on the request context:

    //
    // Summary:
    //     Gets a value indicating whether the HTTP connection uses secure sockets (that is, HTTPS).
    //
    // Returns:
    //     true if the connection is an SSL connection; otherwise, false.
    public bool IsSecureConnection { get; }

Caveat: IsSecureConnection describes the connection IIS itself accepted, i.e. the Nginx-to-IIS hop. It is true in this setup only because proxy_pass uses https://; if the backend were ever proxied over plain http it would return false for every client, even though they reached Nginx over HTTPS. Having Nginx send an X-Forwarded-Proto header and reading that in the application (trusting it only when the request comes from the proxy's address) removes the dependency on the backend scheme.

The corresponding nodes are configured in web.config. The main aim is to support http and https as two different modes; a side benefit is that the test environment can use two different addresses, because both nodes are configured and, in theory, the two domain/address pairs are set up the same way (different resource addresses can be configured per type).
If the platform uses the CAS service for login, web.config needs the following configuration after the platform has validated the ticket with CAS:
Add the node configuration above to web.config; otherwise the following exception appears and users cannot log in:
Ticket validation error: DotNetCasClient.Validation.TicketValidationException: CAS server ticket validation threw an Exception ---> System.Net.WebException: The server committed a protocol violation. Section=ResponseHeader Detail=CR must be followed by LF
Additional notes:
1. To see the DotNetCasClient component's log output, add the following configuration to web.config:
The following is the platform's Nginx configuration:

    server {
        listen 443 ssl;
        ssl on;                                  # redundant with "listen ... ssl"; deprecated since nginx 1.15.0
        ssl_certificate     /usr/local/nginx/keys/xxx.com.pem;
        ssl_certificate_key /usr/local/nginx/keys/xxx.com.key;
        ssl_session_timeout 5m;
        # ssl_protocols SSLv3 TLSv1;             # SSLv3 dropped (POODLE)
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;     # TLS 1.0/1.1 are themselves deprecated by RFC 8996; use TLSv1.2 TLSv1.3 where clients allow
        ssl_ciphers HIGH:!ADH:!EXPORT56:RC4+RSA:+MEDIUM;   # still admits RC4, which RFC 7465 prohibits
        ssl_prefer_server_ciphers on;
        server_name xxx.xxx.com;
        index index.html;
        access_log logs/ssl.lan.xxx.xxx.com access_log;
        # (the location / proxy configuration is not shown on the page)
    }
Configure a permanent HTTP to HTTPS redirect

    [dangzheng@db1 extra]$ cat xxx-http-test.conf
    server {
        listen 80;
        server_name xxx.xxx.com;
        access_log logs/xxx.xxx.com.access.log access_log;
        location / {
            # $1 already starts with "/", so no slash goes between the host and $1
            rewrite ^(.*)$ https://xxx.xxx.com$1 permanent;
        }
    }

"permanent" makes the redirect a 301 (Moved Permanently).
$1 is the request path captured by (.*); the original query string is appended automatically. The page's original pattern placed a slash before $1, which produces a double slash ("https://xxx.xxx.com//path"); the form above avoids that. The same effect is obtained with "return 301 https://$host$request_uri;" as used in section V.
Configuration reference: http://blog.csdn.net/zhanglinjian21/article/details/7631515
Configure a default server in Nginx
This solves the problem of old browsers (for example IE8 on Windows XP) that do not send SNI and therefore cannot tell the server which certificate they want. If several HTTPS sites share one IP address and no default is configured, such a browser may be handed the wrong certificate and the connection fails with a certificate error.
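As an added example (not the page's own configuration), two HTTPS virtual hosts on one address, one of them marked default_server. A client that sends no SNI, or a name no server_name matches, is answered by the default server and sees its certificate. The second host name and its key paths are placeholders.

```nginx
# Added example: default server selection for clients without SNI.
# xxx.xxx.com and its key paths follow the page; other.example.com is assumed.

server {
    listen 443 ssl default_server;          # answers when no SNI is sent or no name matches
    server_name xxx.xxx.com;
    ssl_certificate     /usr/local/nginx/keys/xxx.com.pem;
    ssl_certificate_key /usr/local/nginx/keys/xxx.com.key;
    # ... locations for the platform ...
}

server {
    listen 443 ssl;                         # reached only via a matching SNI name
    server_name other.example.com;          # assumed second site
    ssl_certificate     /usr/local/nginx/keys/other.example.com.pem;   # assumed path
    ssl_certificate_key /usr/local/nginx/keys/other.example.com.key;   # assumed path
}
```

Without an explicit default_server, Nginx treats the first server block it loads for that address and port as the default, so which certificate a non-SNI client receives would depend on the include order of the configuration files. The default server is also what clients connecting by bare IP address (scanners included) are shown, so mark the site you actually want exposed in that case.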
V. SSL configuration optimization

1. HSTS
HSTS (HTTP Strict Transport Security): the server returns a Strict-Transport-Security response header. Once the browser has seen it, for the period given by max-age every request to that host, whether the user types www.baidu.com or http://www.baidu.com, is rewritten by the browser to https://www.baidu.com before it is sent. Browsers only honour the header when it arrives over HTTPS, so it belongs in the HTTPS server block, not in the port-80 redirect.
Add the following line to the server block of the HTTPS configuration:

    add_header Strict-Transport-Security "max-age=31536000";

2. Session cache

    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 20m;

According to the Nginx documentation, 1 MB of shared cache holds about 4000 sessions, so 20m holds roughly 80000. Size it according to the expected number of clients.

    ssl_prefer_server_ciphers on;   # the server's cipher order takes precedence over the client's
If you need both https and http, with http redirecting to https, add a second server block (new-style configuration):

    server {
        listen 80;
        server_name www.<domain>.com;
        return 301 https://$server_name$request_uri;   # redirect
    }
    server {
        listen 443 ssl;
        server_name www.<domain>.com;
        ssl_certificate     /usr/share/nginx/html/zhengshu/XX.XX.crt;   # certificate
        ssl_certificate_key /usr/share/nginx/html/zhengshu/XX.XX.key;   # certificate key
    }

Note that this places the private key under /usr/share/nginx/html, the default document root. If any server block ever serves that directory, the key becomes downloadable. Keep certificate keys outside the web root, readable only by root (Nginx reads them while still running as root at startup).
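As an added example (not the page's own configuration), the redirect and HTTPS server pair from section V with the hardening that the optimization section calls for: modern protocols and ciphers in place of the SSLv3/RC4 settings shown earlier on the page, the session cache sized as the page describes, and HSTS. Host name and key paths follow the page; the backend address 10.0.0.11:30011 is assumed (30011 is the page's IIS port). TLSv1.3 assumes Nginx is built against OpenSSL 1.1.1 or newer.

```nginx
# Added example: hardened redirect + HTTPS server pair.
# Assumed: backend 10.0.0.11:30011 (IIS https binding), OpenSSL >= 1.1.1 for TLSv1.3.

server {
    listen 80;
    server_name xxx.xxx.com;
    # 301 keeps path and query. $host echoes the name the client asked for,
    # which matters when server_name lists several names.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name xxx.xxx.com;

    ssl_certificate     /usr/local/nginx/keys/xxx.com.pem;
    ssl_certificate_key /usr/local/nginx/keys/xxx.com.key;

    # Replaces "SSLv3 TLSv1" / "TLSv1 TLSv1.1 TLSv1.2": SSLv3 (POODLE) and
    # TLS 1.0/1.1 (deprecated by RFC 8996) are no longer offered.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Replaces HIGH:!ADH:!EXPORT56:RC4+RSA:+MEDIUM (RC4 is prohibited by RFC 7465):
    # only forward-secret AEAD suites remain.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Session cache as sized on the page: about 4000 sessions per MB, so 20m ~ 80000.
    ssl_session_cache   shared:SSL:20m;
    ssl_session_timeout 20m;

    # HSTS. "always" (nginx >= 1.7.5) also sends the header on 4xx/5xx responses.
    # includeSubDomains extends the policy to every host below xxx.xxx.com, so only
    # add it when none of those hosts still needs plain HTTP.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        # Caution: a location that declares its own add_header does NOT inherit the
        # server-level add_header lines; repeat the HSTS header there if you add one.
        proxy_pass https://10.0.0.11:30011;     # assumed backend; the IIS binding is HTTPS-only
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Roll HSTS out with a short max-age first (for example 300) and raise it to a year once every resource on the host is confirmed to load over HTTPS: browsers that have cached the header refuse to fall back to HTTP for the whole period.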
© 2024 shulou.com SLNews company. All rights reserved.