After a lot of Googling and browsing Serverfault, I still have an SSL problem:
Safari cannot open the page at all, and Firefox shows "Secure Connection Failed" after 5 minutes of inactivity (no browsing or anything). Chrome/Chromium returns a 403 error, then quickly reloads the page and everything works.
This started after installing an SSL certificate from Comodo. You can see the report here: https://www.ssllabs.com/ssltest/analyze.html?d=marketplace.mercicapitaine.fr&hideResults=on
SSL Shopper says everything is fine: https://www.sslshopper.com/ssl-checker.html#hostname=marketplace.mercicapitaine.fr
TLS is 1.2. SSL Labs says: "This server does not support Forward Secrecy with the reference browsers." and "This server supports weak Diffie-Hellman (DH) key exchange parameters."
I did a TCPdump, but I have a hard time understanding it.
I'm not a server expert, so any tips on how to debug/trace the error are welcome. It is hosted on NGINX, and there is nothing special in the error log.
Thanks in advance for your time :)
EDIT: nginx config:
server {
    listen *:80;
    listen *:443 ssl;
    ssl_certificate /home/ubuntu/ssl_2016/ssl-bundle.crt;
    ssl_certificate_key /home/ubuntu/ssl_2016/mckey.key;
    server_name marketplace.mercicapitaine.fr;
    access_log /var/log/nginx/marketplacemercicapitainefr.access.log;
    error_log /var/log/nginx/marketplacemercicapitainefr.error.log;
    root /srv/marketapp/;
    index index.html index.htm index.php;
    fastcgi_buffers 16 16k;
    fastcgi_buffer_size 16k;
    fastcgi_read_timeout 900;
    client_max_body_size 50M;
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }
    # This order might seem weird - this is attempted to match last if rules below fail.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    # Add trailing slash to */wp-admin requests.
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;
    # Directives to send expires headers and turn off 404 error logging.
    location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        access_log off; log_not_found off; expires max;
    }
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|wmv|3gp|avi|mpg|mpeg|mp4|flv|mp3|mid|wml|swf|pdf|doc|docx|ppt|pptx|zip)$ {
        expires max;
        log_not_found off;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }
    location ~* \.()$ {
        expires 31536000s;
    }
    location ~ [^/]\.php(/|$) {
        fastcgi_index index.php;
        include fcgi.conf;
        fastcgi_pass unix:/var/run/ajenti-v-php-fcgi-marketplacemercicapitainefr-php-fcgi-0.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
Answer 1
After checking the nginx SSL configuration from the link in the comments, I would change a few things in the configuration. Let me start:
server {
    # more_set_headers "Server: my web server :-)";
    listen 80;
    server_name marketplace.mercicapitaine.fr;
    return 301 https://$server_name$request_uri;
}
server {
    # more_set_headers "Server: my web server :-)";
    listen 443 ssl;
    server_name marketplace.mercicapitaine.fr;
    ssl_certificate /home/ubuntu/ssl_2016/ssl-bundle.crt;
    ssl_certificate_key /home/ubuntu/ssl_2016/mckey.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    # ssl_session_tickets off;
    # openssl dhparam -out dhparam.pem 2048
    # ssl_dhparam /etc/nginx/SSL/dhparams.pem;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGC$
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=15768000;includeSubdomains; preload";
    root /srv/marketapp/;
    index index.html index.htm index.php;
    client_max_body_size 20M;
    location / {
        try_files $uri $uri/ /index.php;
    }
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/ajenti-v-php-fcgi-marketplacemercicapitainefr-php-fcgi-0.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }
    location /doc/ {
        alias /usr/share/doc/;
        autoindex on;
        allow 127.0.0.1;
        deny all;
    }
    location ~ /\.ht {
        deny all;
    }
}
- Please consider generating at least 2048-bit Diffie-Hellman parameters.
- The configuration above tries to adopt most of your settings and paths; please check to make sure it is correct.
- I am rewriting port 80 to port 443 with a permanent redirect.
- The non-SSL / SSL parts are split.
- Check your page with SSL Labs to see whether there are any other security options you can set.
I assume you want to set up a WordPress blog.
If you have any questions, feel free to ask.
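The two SSL Labs findings in the question (no forward secrecy with the reference browsers, weak DH parameters) map directly onto missing nginx directives, and the answer's bullets are the fixes. The script below is an added example, not code from the question, the answer or nginx: it parses a server block and reports those findings before a deployment, so the config can be linted offline instead of re-running SSL Labs after every edit. Assumptions: the two embedded configs are constructed from the page's own configs (the answer's cipher string is shortened because the page truncates it); the defaults quoted in the findings are those of nginx 1.10-era builds, taken from the ssl_dhparam and ssl_protocols documentation; and only the directives named here are inspected, so no certificate or dhparam file is opened.

```python
"""Lint nginx server blocks for the TLS findings SSL Labs raised on this page.

Added example (not the question's, the answer's or nginx's code). Configs are
constructed from the page; quoted defaults are those of nginx 1.10-era builds.
"""
from __future__ import annotations

import shlex

# OpenSSL cipher-string prefixes that select a forward-secret key exchange.
FS_PREFIXES = ("ECDHE", "EECDH", "kEECDH", "DHE", "EDH", "kEDH", "kDHE")
# The subset that is finite-field DH and therefore needs ssl_dhparam.
FFDHE_PREFIXES = ("DHE", "EDH", "kEDH", "kDHE")
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed from the question's combined HTTP+HTTPS block (trimmed).
WEAK_CONF = """
server {
    listen *:80;
    listen *:443 ssl;
    ssl_certificate /home/ubuntu/ssl_2016/ssl-bundle.crt;
    ssl_certificate_key /home/ubuntu/ssl_2016/mckey.key;
    server_name marketplace.mercicapitaine.fr;
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }
}
"""

# Constructed from the answer's split blocks, with ssl_dhparam enabled and a
# shortened cipher list (the page truncates the original string).
HARDENED_CONF = """
server {
    listen 80;
    server_name marketplace.mercicapitaine.fr;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name marketplace.mercicapitaine.fr;
    ssl_certificate /home/ubuntu/ssl_2016/ssl-bundle.crt;
    ssl_certificate_key /home/ubuntu/ssl_2016/mckey.key;
    ssl_dhparam /etc/nginx/SSL/dhparams.pem;   # openssl dhparam -out dhparams.pem 2048
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
}
"""


def parse_servers(conf: str) -> list[dict[str, list[list[str]]]]:
    """Return one {directive: [args, ...]} dict per server block.

    shlex keeps quoted values (cipher lists, the HSTS header with its ';')
    intact and strips '#' comments; nested blocks are flattened into the
    enclosing server block, which is enough for TLS directives.
    """
    lex = shlex.shlex(conf, posix=True, punctuation_chars=";{}")
    lex.whitespace_split = True
    servers: list[dict[str, list[list[str]]]] = []
    depth, server_depth, stmt = 0, None, []
    for tok in lex:
        if tok == "{":
            if stmt and stmt[0] == "server" and server_depth is None:
                server_depth = depth
                servers.append({})
            depth, stmt = depth + 1, []
        elif tok == "}":
            depth -= 1
            if depth == server_depth:
                server_depth = None
        elif tok == ";":
            if stmt and server_depth is not None:
                servers[-1].setdefault(stmt[0], []).append(stmt[1:])
            stmt = []
        else:
            stmt.append(tok)
    return servers


def lint_server(d: dict[str, list[list[str]]]) -> list[str]:
    """Findings for one server block; an empty list means nothing was flagged."""
    if not any("ssl" in args for args in d.get("listen", [])):
        return []  # plain-HTTP block (e.g. the redirect-only one): nothing to check
    findings = []
    protocols = {p for args in d.get("ssl_protocols", []) for p in args}
    if not protocols:
        findings.append("ssl_protocols unset: the default of that era still enables TLSv1 and TLSv1.1")
    elif protocols & DEPRECATED:
        findings.append("deprecated protocols enabled: " + ", ".join(sorted(protocols & DEPRECATED)))
    explicit = d.get("ssl_ciphers")
    suites = (explicit[0][0] if explicit else "HIGH:!aNULL:!MD5").split(":")
    if not explicit:
        findings.append("ssl_ciphers unset: OpenSSL's HIGH list includes plain-RSA key exchange, so forward secrecy is not guaranteed")
    elif not any(s.startswith(FS_PREFIXES) for s in suites):
        findings.append("cipher list contains no ECDHE/DHE suite: no forward secrecy")
    if d.get("ssl_prefer_server_ciphers", [["off"]])[0][0] != "on":
        findings.append("ssl_prefer_server_ciphers is off: the client, not the server, picks the suite")
    uses_ffdhe = not explicit or any(s.startswith(FFDHE_PREFIXES) or s == "HIGH" for s in suites)
    if uses_ffdhe and "ssl_dhparam" not in d:
        findings.append("DHE suites allowed without ssl_dhparam: before nginx 1.11.0 a built-in 1024-bit group is used (SSL Labs: weak DH); later builds drop DHE entirely")
    if not any(args and args[0] == "Strict-Transport-Security" for args in d.get("add_header", [])):
        findings.append("no Strict-Transport-Security header: browsers may still try plain HTTP first")
    return findings


def lint(conf: str) -> list[str]:
    """Lint every server block in conf, prefixing each finding with its server_name."""
    out = []
    for block in parse_servers(conf):
        name = block.get("server_name", [["?"]])[0][0]
        out += [f"{name}: {f}" for f in lint_server(block)]
    return out


if __name__ == "__main__":
    for label, conf in (("question", WEAK_CONF), ("answer", HARDENED_CONF)):
        print(f"== {label} config ==")
        print("\n".join(lint(conf)) or "no findings")
```

Running it prints five findings for the question's block and none for the answer's. The script only checks that `ssl_dhparam` is present; the size of the file it points to still has to be confirmed on the box with `openssl dhparam -in /etc/nginx/SSL/dhparams.pem -text -noout`, which prints the bit length in its first line.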