
Installing an SSL certificate on NGINX / Ubuntu 16.1 x64 (Digital Ocean)


I have been trying to install a RapidSSL certificate on a Droplet on Digital Ocean. This Droplet is running NGINX / Ubuntu 16.1 x64.

I am following this tutorial: https://www.digitalocean.com/community/tutorials/how-to-install-an-ssl-certificate-from-a-commercial-certificate-authority#install-certificate-on-web-server

But I have reached the part where I need to edit the "Nginx server block":

  Now go to your Nginx server block configuration directory. Assuming that
  is located at /etc/nginx/sites-enabled, use this command to change to it:

      cd /etc/nginx/sites-enabled

  Assuming you want to add SSL to your default server block file, open the
  file for editing:

      sudo vi default

  Find the listen directive, and modify it so it looks like this:

      listen 443 ssl;

  Then find the server_name directive, and make sure that its value matches
  the common name of your certificate. Also, add the ssl_certificate and
  ssl_certificate_key directives to specify the paths of your certificate
  and private key files (replace the highlighted part with the actual path
  of your files):

      server_name example.com;
      ssl_certificate /home/sammy/example.com.chained.crt;
      ssl_certificate_key /home/sammy/example.com.key;

  To allow only the most secure SSL protocols and ciphers, add the following
  lines to the file:

      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_prefer_server_ciphers on;
      ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

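"sudo vi default" opens an empty file. So which file do I need to edit? The Nginx configuration?

I have:

/etc/nginx/nginx.conf

/etc/nginx/sites-available/nginxconfig

/etc/nginx/sites-enabled/nginxconfig

/home/user/user/deploy/nginxconfig

So which file do I need to edit? I am really confused... any mistake could end up breaking my site.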

1 Answer

  • 2

    Edit this file (you will notice that your /sites-enabled/ is a symlink):

    vi /etc/nginx/sites-available/nginxconfig
    

    In the file above, find the ssl_ciphers line and add these lines just above it:

    ssl_certificate     /full/path/to/reach/file/fullchain.pem;
    ssl_certificate_key /full/path/to/reach/file/privkey.pem;
    

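    A proper TLS nginx configuration has many other settings that are critical to a secure site... I suggest you spin up a dev DigitalOcean droplet to do your edits... along with an additional test TLS certificate to match the DNS address of your dev box... you can also get a free TLS certificate from Let's Encrypt, which works fine and needs to be auto-refreshed every 3 months.

    The good folks at Mozilla have made an nginx config generator: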

    https://mozilla.github.io/server-side-tls/ssl-config-generator/

    You specify which version of nginx you have, and it gives you a working config file.
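
A pre-flight check for the edit discussed in this thread, as an added example that is not part of the original question or answer: it resolves which file a sites-enabled symlink points to, confirms the certificate and private key belong together and that the key is not readable by other users, and runs `nginx -t` without reloading. The function names are hypothetical, and it assumes GNU `readlink`/`stat` (as on Ubuntu) and the `openssl` command-line tool.

```bash
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# The file nginx really loads for a site: entries in sites-enabled are
# normally symlinks into sites-available, so edit the resolved path.
resolve_site_config() {
    readlink -f -- "$1"
}

# Succeeds only if the certificate (the first one in a chained file, which is
# the site's own) carries the same public key as the private key.
cert_matches_key() {    # $1 = certificate PEM, $2 = private key PEM
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if group and other have no access to the key file.
key_is_private() {      # $1 = private key file (symlinks are followed)
    local mode
    mode=$(stat -L -c '%a' -- "$1") || return 2
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# Run every check; nothing is reloaded, so a failure leaves the site as it was.
preflight() {           # $1 = sites-enabled entry, $2 = certificate, $3 = key
    echo "config to edit: $(resolve_site_config "$1")"
    cert_matches_key "$2" "$3" || { echo "certificate/key mismatch" >&2; return 1; }
    key_is_private "$3" || { echo "key readable by group/other" >&2; return 1; }
    nginx -t || return 1   # parses the edited config and loads the cert and key
    echo "checks passed; apply with: systemctl reload nginx"
}

# Run as root with three arguments: the sites-enabled entry, the certificate
# file and the key file (the answer's paths are placeholders for your own).
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

Because `nginx -t` only tests the configuration, the running site keeps serving the old settings until the reload is issued.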
