How to properly configure security in nginx?
Good day to all.
Story.
The company set up a PKI (based on Windows 2012 R2) with OCSP and HTTP checking. The root certificate has been distributed to all interested parties.
Sites are served through nginx.
In the end, everything works, but there is a nuance: when connecting, Chrome says "this site uses outdated security settings" and draws a gray padlock with a yellow triangle.
Does anyone know how to make the padlock turn green?
P.S. I know this is not important, but I really want everything to be beautiful.
I saw a gray lock with a yellow triangle in three cases:
1) A certificate signed with SHA1 is used in the certificate chain instead of SHA256. Chrome considers SHA1 not reliable enough and suggests replacing ALL certificates in the chain with more secure ones the next time the certificate is renewed.
2) There are JavaScript files, etc., on the HTTPS page whose path is specified via http rather than https, and Chrome shows that the page contains unsafe components.
3) AdBlock. Sometimes it starts blocking ads on the site and Chrome also starts to react. If you disable AdBlock, everything becomes OK, but the ads are displayed too.
Post your settings; also, reading the manual wouldn't hurt:
nginx.org/ru/docs/http/configuring_https_servers.html
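Case 2 above (http:// subresources on an https page) can be checked without a browser. The scanner below is an added example, not code from the thread or from nginx: it walks the page's HTML with the standard-library parser and reports every subresource whose resolved URL is plain http, split into active content (scripts, frames, stylesheets, plugins, which can alter the page and which Chrome blocks) and passive content (images, media, which Chrome only warns about). The sample HTML and host names are constructed; which tags are treated as active or passive is this scanner's own classification, not a Chrome API.

```python
"""Mixed-content scanner for an HTTPS page (standard library only).

Added example; not part of the original thread or of nginx.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose http:// references count as *active* mixed content
# (they can execute or restyle the page, so browsers block them).
ACTIVE = {
    "script": ("src",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "link": ("href",),      # only rel="stylesheet" links are treated as active below
}
# Tags whose http:// references count as *passive* (display-only) mixed content.
PASSIVE = {
    "img": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
}


class MixedContentParser(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            kind, names = "active", ACTIVE[tag]
            # <link rel="icon"|"prefetch"|...> is not a stylesheet; skip those here.
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                return
        elif tag in PASSIVE:
            kind, names = "passive", PASSIVE[tag]
        else:
            return
        for name in names:
            value = attrs.get(name)
            if not value:
                continue
            # Relative and protocol-relative ("//cdn/...") URLs inherit https from the page,
            # so only an explicit http:// reference is a finding.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((kind, tag, absolute))


def scan_mixed_content(html, page_url):
    """Return [(kind, tag, absolute_url)] for every http:// subresource of an https page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("page_url must be an https:// URL")
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page (hypothetical hosts), not captured from a real site.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://site.comp.com/css/main.css">
<link rel="icon" href="/favicon.ico">
<script src="//cdn.example/jquery.js"></script>
<script src="http://site.comp.local/app.js"></script>
</head><body>
<img src="/logo.png">
<img src="http://img.example/banner.png">
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan_mixed_content(SAMPLE_HTML, "https://site.comp.com/"):
        print(f"{kind:7} <{tag}> {url}")
```

On the sample page the stylesheet and the second script are reported as active and the banner image as passive; the protocol-relative jQuery reference and the site-relative paths are not findings because they resolve to https. Run it against the HTML that nginx actually serves (the backend behind proxy_pass may emit absolute http:// links when it does not honour the X-Forwarded-* headers).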
I've read the manual.
Config:
server {
    listen 443 ssl;
    server_name site.comp.com;
    error_page 497 https://$host:$server_port$request_uri;
    keepalive_timeout 70;
    charset utf-8;
    sendfile on;
    server_tokens off;
    client_max_body_size 500m;
    access_log /var/log/nginx/site.comp.com.log;
    error_log /var/log/nginx/site.comp.com.log;
    ssl_certificate /etc/nginx/ssl/site.comp.com.crt;
    ssl_certificate_key /etc/nginx/ssl/site.comp.com.key;
    ssl_verify_depth 1;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://site.comp.local;
        proxy_redirect http://site.comp.com/ /;
        proxy_read_timeout 1800;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Real-Ip $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
server {
    listen 80;
    server_name site.comp.com;
    proxy_set_header Host site.comp.com;
    location / {
        rewrite ^(.*)$ https://site.comp.com$1 permanent;
    }
}
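Case 1 of the answer (a SHA-1 signature somewhere in the chain) can be checked directly against the file named by ssl_certificate, which for nginx is a PEM bundle of the server certificate followed by its intermediates. The script below is an added example, not the thread's or nginx's code, and uses only the standard library: it splits the bundle into certificates, walks the outer DER structure of each (Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }) to read the signatureAlgorithm OID, and flags the SHA-1 ones. The two DER blobs embedded for the demo are constructed minimal structures with the right shape, not real certificates; the OID table is from RFC 3279/4055/5758. The path /etc/nginx/ssl/site.comp.com.crt is the one from the config above.

```python
"""Flag SHA-1-signed certificates in an nginx ssl_certificate PEM bundle.

Added example; not from the thread or from nginx. Standard library only.
"""
import ssl

# signatureAlgorithm OIDs -> (name, is_sha1)
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3":   ("ecdsa-with-SHA384", False),
    "1.2.840.10045.4.3.4":   ("ecdsa-with-SHA512", False),
}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(der):
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)       # tbsCertificate, skipped
    tag, algid, _ = _read_tlv(cert, pos)    # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed signatureAlgorithm")
    tag, oid, _ = _read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(oid)


def split_pem_bundle(text):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    ders, block = [], []
    for line in text.splitlines():
        if "-----BEGIN CERTIFICATE-----" in line:
            block = [line]
        elif "-----END CERTIFICATE-----" in line:
            block.append(line)
            ders.append(ssl.PEM_cert_to_DER_cert("\n".join(block) + "\n"))
            block = []
        elif block:
            block.append(line)
    return ders


def pem_bundle(ders):
    """Inverse of split_pem_bundle, used to build the demo bundle."""
    return "".join(ssl.DER_cert_to_PEM_cert(d) for d in ders)


def weak_signatures(ders):
    """Return [(index, algorithm_name)] for every SHA-1-signed certificate.

    Browsers do not verify the self-signature of a trust anchor, so a SHA-1 *root*
    at the end of a bundle is harmless; the leaf and intermediates are what matter."""
    out = []
    for i, der in enumerate(ders):
        name, weak = SIGNATURE_OIDS.get(signature_algorithm_oid(der), ("unknown", False))
        if weak:
            out.append((i, name))
    return out


# Constructed minimal DER structures (not real certificates): an empty-ish tbsCertificate,
# an AlgorithmIdentifier with the OID of interest plus NULL parameters, and a dummy BIT STRING.
CONSTRUCTED_SHA1_DER = bytes.fromhex("3018" "3003020102" "300d06092a864886f70d0101050500" "030200ff")
CONSTRUCTED_SHA256_DER = bytes.fromhex("3018" "3003020102" "300d06092a864886f70d01010b0500" "030200ff")

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None   # e.g. /etc/nginx/ssl/site.comp.com.crt
    if path:
        with open(path, encoding="ascii") as f:
            bundle = f.read()
    else:
        bundle = pem_bundle([CONSTRUCTED_SHA256_DER, CONSTRUCTED_SHA1_DER])
    for index, name in weak_signatures(split_pem_bundle(bundle)):
        print(f"certificate #{index} in bundle is signed with {name}")
```

Run it with the bundle path as the only argument; with no argument it checks the two constructed blobs and reports the second one. If it reports the leaf or an intermediate, the fix is on the CA side (re-issue with SHA-256), not in nginx.conf.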