Shulou(Shulou.com)06/02 Report--

About platform configuration https Certificate

Prepare the content:

1. Certificate files that can be authorized

2. Configure certificates on Nginx

3. Configure the certificate on the site on the backend iis

4. Program code adjustment judgment

Configure the certificate on Nginx

Listen 443 ssl

Ssl on

Ssl_certificate / usr/local/nginx/keys/xxx.com.pem

Ssl_certificate_key / usr/local/nginx/keys/xxx.com.key

Ssl_session_timeout 5m

Ssl_protocols SSLv3 TLSv1

Ssl_ciphers Higg rig ADH rig EXPORT56 RC4 RSA rig medim

Ssl_prefer_server_ciphers on

Server_name xxx.xxx.com

Index index.html

Access_log logs/ssl.lan.xxx.xxx.com access_log

In Nginx, the configured load backend service information

It should be noted that in proxy_pass configuration, https method is required.

II. Configure certificates on iis

1. Import certificate

Open the mmc console and add a certificate configuration entry

By importing the corresponding certificate file, importing "personal" and "Intermediate Certificate Authority" these two nodes require import operation.

2. Application site configuration certificate

After the certificate has been imported correctly before, and after selecting the https type when configuring the site, you can see the certificate information of the successful import in the SSL certificate.

It should be noted here that the domain names authorized by the certificate need to be the same, and there should be no more than one "." number appears.

The configuration port 30011 here is provided for the load used in the Nginx configuration

Description: the hostname here can not be configured, but can be found through ip and port during nginx load.

Third, the configuration in the program supports https

In the program, the relevant exam, timing, video, login address, according to the IsSecureConnection in the context to determine the connection information

/ /

/ / Summary:

/ / gets a value indicating whether the HTTP connection uses a secure socket (that is, HTTPS).

/ /

/ / return result:

/ / true; if the connection is a SSL connection; otherwise, false.

Public bool IsSecureConnection {get;}

The corresponding nodes are configured in the corresponding web.config. Here, it is mainly considered to support http and https in two different ways. In addition, there are two different addresses in the convenient test environment, because the configuration of the two nodes is done, and theoretically, the configuration of the two types of domain names and addresses is the same.

(different resource addresses can be configured according to the type)

In the platform, if the cas service is used for login, the web.config needs to be configured as follows after checking tickets with cas at the platform side:

In web.config, add the configuration of the node above, otherwise the following exception message will appear and the user will not be able to log in

Ticket validation error: DotNetCasClient.Validation.TicketValidationException: CAS server ticket validation threw an Exception-- > System.Net.WebException: the server submitted a protocol violation. Section=ResponseHeader Detail=CR must be followed by LF

Additional instructions:

1. If you need to see the corresponding log information when using DotNetCasClient components, you need to add the following configuration to web.config

The following is the nginx configuration of the platform

Server {

Listen 443 ssl

Ssl on

Ssl_certificate / usr/local/nginx/keys/xxx.com.pem

Ssl_certificate_key / usr/local/nginx/keys/xxx.com.key

Ssl_session_timeout 5m

# ssl_protocols SSLv3 TLSv1

Ssl_protocols TLSv1 TLSv1.1 TLSv1.2

Ssl_ciphers Higg rig ADH rig EXPORT56 RC4 RSA rig medim

Ssl_prefer_server_ciphers on

Server_name xxx.xxx.com

Index index.html

Access_log logs/ssl.lan.xxx.xxx.com access_log

Configure permanent http redirect https

[dangzheng@db1 extra] $cat xxx-http-test.conf

Server {

Listen 80

Server_name xxx.xxx.com

Access_log logs/xxx.xxx.com.access.log access_log

Location / {

Rewrite ^ (. *) https://xxx.xxx.com/$1 permanent

}

}

Permanent means permanent redirection

$1 indicates the parameter information followed by the domain name

Configuration reference: http://blog.csdn.net/zhanglinjian21/article/details/7631515

Configure default in Nginx

To solve the problem of low-version (similar to xp ie8) browsers, only one https certificate can be recognized. If there is no configuration, when there are multiple certificates, it is possible for browser access to find incorrect certificates, and the access is abnormal.

V. SSL configuration optimization

1 、 HSTS

HSTS (HTTP Strict Transport Security). The server returns a http header of HSTS. After the browser gets the HSTS header, for a period of time, whether the user enters www.baidu.com or http://www.baidu.com, the request will be transferred to https://www.baidu.com by default.

Add the following line to the server block of your HTTPS configuration:

Add_header Strict-Transport-Security "max-age=31536000"

Ssl_session_cache shared:SSL:20m

Ssl_session_timeout 20m

Referring to the official document of Nginx, 1MB memory can store about 4000 session, and as an example, 20m can store about 80000 session. Set up reasonably according to the demand

Ssl_prefer_server_ciphers On; # specifies that the server password algorithm takes precedence over the client password algorithm

You need both https and http,http to jump to https.

New version, recreating a new server configuration

Server {

Listen 80

Server_name www. Domain name .com

Return 301 https://$server_name$request_uri; (to jump)

}

Server {

Listen 443 ssl

Server_name www. Domain name .com

Ssl_certificate / usr/share/nginx/html/zhengshu/XX.XX.crt; (Certificate)

Ssl_certificate_key / usr/share/nginx/html/zhengshu/XX.XX.key; (Certificate key)

}

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.