Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
A
A
Anton2015-01-19 22:30:41
Nginx
Anton, 2015-01-19 22:30:41

How to properly configure security in nginx?

Good day to all.
Story.
The company raised PKI (based on windows 2012 R2) with oscp and http check. The root certificate has been distributed to all interested parties.
Sites are distributed through nginx.
In the end, everything is fine, but there is a nuance - when connecting, chrome writes "this site uses outdated security settings" and draws a gray padlock with a yellow triangle.
Tell me who knows how to make the lock turn green?
PS I know that this is not important, but I really want everything to be beautiful.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

3 answer(s)
Report
M
MaySky, 2015-01-24
@Dr_Wut

I saw a gray lock with a yellow triangle in three cases:
1) A certificate with SHA1 is used in the certificate chain, instead of SHA256 ... Chrome considers SHA1 not reliable enough and suggests changing ALL certificates in the chain to more secure ones the next time the certificate is replaced.
2) There are javascripts in the https page, etc., the path to which is registered through http, and not through https, and Chrome shows that the page contains unsafe components
3) AdBlock. Sometimes it starts blocking ads on the site and Chrome also starts to react. If you disable AdBlock, then everything becomes ok, but ads are also displayed.

Report
E
Eugene, 2015-01-19
@Nc_Soft

Settings in the studio, well, the manual is not superfluous to read
nginx.org/ru/docs/http/configuring_https_servers.html

Report
A
Anton, 2015-01-19
@Dr_Wut

Manual read.
Config:

server {
        listen  443 ssl;
        server_name     site.comp.com;
        error_page 497 https://$host:$server_port$request_uri;
        keepalive_timeout 70;
        charset utf-8;
        sendfile on;
        server_tokens off;
        client_max_body_size 500m;
        access_log /var/log/nginx/site.comp.com.log ;
        error_log /var/log/nginx/site.comp.com.log;
        ssl_certificate /etc/nginx/ssl/site.comp.com.crt;
        ssl_certificate_key /etc/nginx/ssl/site.comp.com.key;
        ssl_verify_depth        1;
        ssl_session_timeout     10m;
        ssl_session_cache       shared:SSL:10m;
        ssl_protocols   TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        location / {
                proxy_pass      http://site.comp.local;
                proxy_redirect  http://site.comp.com/ /;
                proxy_read_timeout 1800;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Port $server_port;
                proxy_set_header X-Real-Ip $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                }
}
server {
        listen 80;
        server_name site.comp.com;
        proxy_set_header Host site.comp.com;
        location / {
                rewrite ^(.*)$ https://site.comp.com$1 permanent;
                }
}

Similar questions
I
Ingerniated2017-05-30 20:25:42
Will Soviet speakers fit a foreign amplifier? 3Reply
D
Dmitry2018-12-22 14:31:57
How to set up a WordPress server for high load and DDOS? 4Reply
V
Vadim Timoshenko2018-12-25 19:43:00
How to set NGX_PageSpeed? 1Reply
E
Evgeny Ivanov2018-12-26 12:51:41
How to install https on the server? 4Reply
S
sandrain2014-07-04 17:29:37
Nginx image_resize - what could be wrong? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question