Instalace SSL certifikátu - AlpiroSSL - AlpiroSSL

Instalace SSL certifikátů AlpiroSSL

Instalace SSL certifikátu na server je otázkou jen několika minut. Abychom vám ušetřili čas, připravili jsme pro vás návody ke konfiguraci serveru s SSL certifikátem AlpiroSSL na nejrozšířenějších platformách.

Níže najdete konfiguraci serveru s SSL certifikátem dle doporučení komunity Mozilla.

Apache

# Apache 2.4.41, OpenSSL 1.1.1d

<VirtualHost *:443>
    ...
    SSLEngine on
    # Leaf certificate first, then the intermediate(s) in one file (supported since 2.4.8).
    # The private key stays in a separate file that only the httpd user should be able to read.
    SSLCertificateFile      /path/to/signed_certificate_followed_by_intermediate_certs
    SSLCertificateKeyFile   /path/to/private/key

    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    # "always" sends the header on every response code, not only on 2xx/3xx.
    # NOTE(review): the Lighttpd and HAProxy snippets on this page use max-age=63072000
    # (2 years); use one value for every service on the same host name.
    Header always set Strict-Transport-Security "max-age=15768000"
    ...
</VirtualHost>

# intermediate configuration, tweak to your needs
# Server-scope directives: they apply to every TLS vhost on this server.
# Disables SSLv3, TLS 1.0 and TLS 1.1; with OpenSSL 1.1.1 that leaves TLS 1.2 and TLS 1.3.
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
# TLS 1.2 cipher list: AEAD (GCM / CHACHA20-POLY1305) suites only, all with (EC)DHE forward secrecy.
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# Client preference wins; every suite in the list above is considered acceptable.
SSLHonorCipherOrder     off
# Session tickets off: with a ticket key that is never rotated, resumed sessions lose forward secrecy.
SSLSessionTickets       off

# OCSP Stapling, only in httpd 2.3.3 and later
# The "shmcb:" cache provider needs mod_socache_shmcb to be loaded.
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

Nginx

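# nginx 1.17.7, OpenSSL 1.1.1d

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    # (leaf certificate first, then the intermediate(s); the key stays in its own file)
    ssl_certificate /path/to/signed_cert_plus_intermediates;
    ssl_certificate_key /path/to/private_key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # Session tickets off: a ticket key that is never rotated would let resumed
    # sessions be decrypted later, undoing forward secrecy.
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /path/to/dhparam;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 cipher list: AEAD suites only, all with (EC)DHE forward secrecy.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    # Client preference wins; every suite in the list above is acceptable.
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    # "always" sends the header on every response code; without it nginx only adds it
    # to 2xx/3xx responses, so a first visit that lands on a 404 never learns the policy.
    # NOTE: add_header is not inherited into a location block that sets its own
    # add_header -- repeat it there. The Lighttpd/HAProxy snippets on this page use
    # max-age=63072000 (2 years); use one value for every service on the same host name.
    add_header Strict-Transport-Security "max-age=15768000" always;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ## (unlike ssl_certificate, these certificates are not sent to the client)
    ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;

    # replace with the IP address of your resolver
    # (used for the OCSP responder lookup; it must be reachable from this server)
    resolver 127.0.0.1;

    ....
}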

Lighttpd

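# lighttpd 1.4.59, OpenSSL 1.1.1d

# Plain-HTTP listener on IPv6; the IPv4 listener on port 80 presumably comes from
# server.port (default 80) -- confirm against the rest of lighttpd.conf.
$SERVER["socket"] == "[::]:80" { }

# Send every http:// request to https:// (url.redirect needs mod_redirect loaded).
$HTTP["scheme"] == "http" {
    url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
}

$HTTP["scheme"] == "https" {
    # HTTP Strict Transport Security (63072000 seconds = 2 years)
    # setenv.add-response-header is provided by mod_setenv.
    # NOTE(review): the Apache/nginx snippets on this page use max-age=15768000; use one value per host name.
    setenv.add-response-header = (
        "Strict-Transport-Security" => "max-age=63072000"
    )
}

# select one TLS module: "mod_openssl" "mod_mbedtls" "mod_gnutls" "mod_wolfssl" "mod_nss"
# (uncomment the chosen module -- no TLS module is loaded while this line stays commented)
#server.modules += ("mod_openssl")

# lighttpd 1.4.56 and later will inherit ssl.* from the global scope if
# $SERVER["socket"] contains ssl.engine = "enable" and no other ssl.* options
# (to avoid having to repeat ssl.* directives in both ":443" and "[::]:443")
$SERVER["socket"] ==     ":443" { ssl.engine = "enable" }
$SERVER["socket"] == "[::]:443" { ssl.engine = "enable" }
# Global ssl.* settings, inherited by both :443 sockets above; keep them at top level.
# (The original listing ended with a stray "...}" after ssl.stapling-file, which has no
# matching opening brace and makes lighttpd reject the configuration -- removed.)
ssl.privkey = "/path/to/private_key"
ssl.pemfile = "/path/to/signed_cert_followed_by_intermediates"
# TLS 1.2 is the floor; "-ServerPreference" lets the client's cipher order win.
ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")
ssl.openssl.ssl-conf-cmd += ("Options" => "-ServerPreference")
# TLS modules besides mod_openssl might name ciphers differently
# See https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
# TLS 1.2 cipher list: AEAD suites only, all with (EC)DHE forward secrecy.
ssl.openssl.ssl-conf-cmd += ("CipherString" => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384")
# OCSP stapling (input file must be maintained by external script)
# https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL#OCSP-Stapling
ssl.stapling-file = "/path/to/cert-staple.der"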

HAProxy

# HAProxy 2.1, OpenSSL 1.1.1d

global
    # intermediate configuration
    # TLS 1.2 cipher list for listening (bind) sockets: AEAD suites with (EC)DHE forward secrecy.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    # TLS 1.3 suites are configured with a separate keyword (OpenSSL 1.1.1+).
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    # Client preference wins; SSLv3, TLS 1.0, TLS 1.1 and session tickets are disabled.
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    # Same policy for outbound TLS to backends ("server ... ssl" lines).
    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
    # Custom DH group for the DHE suites listed above.
    ssl-dh-param-file /path/to/dhparam

frontend ft_test
    mode    http
    # "crt" given a directory loads every PEM file in it; HAProxy expects the private key
    # in the same PEM as its certificate, so protect that directory accordingly.
    # ALPN advertises HTTP/2 first, then HTTP/1.1.
    bind    :443 ssl crt /path/to/ alpn h2,http/1.1
    bind    :80
    # Anything that did not arrive over TLS is redirected to https://.
    redirect scheme https code 301 if !{ ssl_fc }

    # HSTS (63072000 seconds)
    # NOTE(review): the Apache/nginx snippets on this page use max-age=15768000 (6 months);
    # use one value per host name. No backend is shown here -- add a default_backend.
    http-response set-header Strict-Transport-Security max-age=63072000

AWS ELB

AWSTemplateFormatVersion: 2010-09-09
Description: Mozilla ELB configuration, https://ssl-config.mozilla.org/#server=awselb&version=2014.2.19&config=intermediate&guideline=5.6
Parameters:
  SSLCertificateId:
    Description: The ARN of the ACM SSL certificate to use
    Type: String
    # Only an ACM certificate ARN is accepted (anchored pattern); the key never leaves ACM.
    AllowedPattern: ^arn:aws:acm:[^:]*:[^:]*:certificate/.*$
    ConstraintDescription: >
      SSL Certificate ID must be a valid ACM ARN.
      https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#genref-arns
Resources:
  ExampleELB:
    # Classic Load Balancer; TLS is terminated at the load balancer.
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      Listeners:
        - LoadBalancerPort: '443'
          # NOTE(review): InstancePort 80 with no InstanceProtocol -- traffic from the ELB to the
          # instances is presumably plain HTTP; set InstanceProtocol: HTTPS and an HTTPS
          # InstancePort if end-to-end encryption is required. Confirm against the VPC design.
          InstancePort: '80'
          PolicyNames:
            - Mozilla-intermediate-v5-0
          SSLCertificateId: !Ref SSLCertificateId
          Protocol: HTTPS
      AvailabilityZones:
        Fn::GetAZs: !Ref 'AWS::Region'
      Policies:
        - PolicyName: Mozilla-intermediate-v5-0
          PolicyType: SSLNegotiationPolicyType
          Attributes:
            # Only TLS 1.2 is listed, so TLS 1.0/1.1 should stay disabled -- verify in the console.
            - Name: Protocol-TLSv1.2
              Value: true
            # Client cipher preference wins (same policy as "prefer server ciphers off" elsewhere on this page).
            - Name: Server-Defined-Cipher-Order
              Value: false
            # AEAD (GCM) suites with (EC)DHE forward secrecy; no CHACHA20 entries in this policy.
            - Name: ECDHE-ECDSA-AES128-GCM-SHA256
              Value: true
            - Name: ECDHE-RSA-AES128-GCM-SHA256
              Value: true
            - Name: ECDHE-ECDSA-AES256-GCM-SHA384
              Value: true
            - Name: ECDHE-RSA-AES256-GCM-SHA384
              Value: true
            - Name: DHE-RSA-AES128-GCM-SHA256
              Value: true
            - Name: DHE-RSA-AES256-GCM-SHA384
              Value: true
Outputs:
  ELBURL:
    Description: URL of the ELB load balancer
    Value: !Join [ '', [ 'https://', !GetAtt 'ExampleELB.DNSName', '/' ] ]

MySQL

# MySQL 8.0.19, OpenSSL 1.1.1d

[mysqld]
# Reject TCP connections that do not use TLS (local socket / shared-memory connections are still allowed).
require_secure_transport = on
# Server certificate; the private key stays in a separate file readable only by the mysqld user.
ssl-cert = /path/to/signed_cert_plus_intermediates
ssl-key = /path/to/private_key
# TLS 1.2 cipher list (OpenSSL names): AEAD suites with (EC)DHE forward secrecy.
# NOTE(review): this does not govern TLS 1.3; its suites are set with tls_ciphersuites (8.0.16+).
# No ssl-ca is set, so client certificates are not verified -- add one if mutual TLS is wanted.
ssl-cipher = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_version = TLSv1.2,TLSv1.3

PostgreSQL

# PostgreSQL 12.1, OpenSSL 1.1.1d

# Enables TLS but does not require it: clients can still connect in the clear
# unless pg_hba.conf uses "hostssl" (and no matching plain "host") entries for them.
ssl = on

# Leaf certificate followed by the intermediate(s). The key file must be owned by the
# server user with mode 0600 (or root-owned with 0640), otherwise the server refuses to start.
ssl_cert_file = '/path/to/signed_cert_plus_intermediates'
ssl_key_file = '/path/to/private_key'

# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
# Custom DH group for the DHE suites; when unset the compiled-in default parameters are used.
ssl_dh_params_file = '/path/to/dhparam'

# TLS 1.2 cipher list (OpenSSL names): AEAD suites with (EC)DHE forward secrecy.
ssl_ciphers = 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
# Available since PostgreSQL 12 (this snippet targets 12.1); rejects TLS 1.0 and 1.1.
ssl_min_protocol_version = 'TLSv1.2'

Postfix

# Postfix 3.4.8, OpenSSL 1.1.1d

# Opportunistic TLS on inbound SMTP: STARTTLS is offered, plaintext is still accepted
# (mandatory TLS on port 25 would lose mail from senders that cannot negotiate TLS).
smtpd_tls_security_level = may
# SASL AUTH is announced and accepted only inside a TLS session, so credentials never travel in the clear.
smtpd_tls_auth_only = yes
# Leaf certificate followed by intermediates; the key is a separate file readable only by root.
smtpd_tls_cert_file = /path/to/signed_cert_plus_intermediates
smtpd_tls_key_file = /path/to/private_key
# Protocol exclusions for mandatory TLS (e.g. a submission service with "encrypt") and for opportunistic TLS.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
# The "medium" grade is redefined below by tls_medium_cipherlist; smtpd_tls_ciphers
# (opportunistic) is left at its default, which is also "medium".
smtpd_tls_mandatory_ciphers = medium

# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
# not actually 1024 bits, this applies to all DHE >= 1024 bits
smtpd_tls_dh1024_param_file = /path/to/dhparam

# TLS 1.2 cipher list: AEAD suites with (EC)DHE forward secrecy. Only the receiving side
# (smtpd_*) is configured here; outbound delivery uses the separate smtp_tls_* parameters.
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# Client cipher preference wins (same policy as the other snippets on this page).
tls_preempt_cipherlist = no

Dovecot

# Dovecot 2.3.9, OpenSSL 1.1.1d

# Authentication is refused until TLS has been negotiated, so passwords never cross the wire in the clear.
ssl = required

# The leading "<" tells Dovecot to read the value from the named file rather than use it literally.
# Leaf certificate followed by intermediates; the key file should be readable only by root.
ssl_cert = </path/to/signed_cert_plus_intermediates
ssl_key = </path/to/private_key

# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
# Custom DH group for the DHE suites below.
ssl_dh = </path/to/dhparam

# intermediate configuration
# TLS 1.0 and 1.1 are rejected.
ssl_min_protocol = TLSv1.2
# TLS 1.2 cipher list: AEAD suites with (EC)DHE forward secrecy.
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# Client cipher preference wins.
ssl_prefer_server_ciphers = no
