Friday, April 8, 2016

Setting self-signed SSL pada nginx

Berikut ini adalah cara setting self-signed SSL (sertifikat yang ditandatangani sendiri, bukan oleh CA) untuk webservice menggunakan nginx. Saya asumsikan nginx Anda sudah terinstall. Langsung saja masuk ke direktori conf nginx di /etc/nginx/conf.d.
Backup kemudian hapus semua file yang berakhiran .conf,
kemudian buat file ssl.conf dengan isi seperti ini:

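#
# HTTPS server configuration
#
# Reverse proxy that terminates TLS with a self-signed certificate and
# forwards everything to the backend web service on 172.18.14.37:8081.
# The certificate, key and DH-parameter paths below must match the files
# generated in /etc/nginx/cert.
#
server {
    listen 443 default deferred;
    server_name 172.18.14.x; #ip ssl
    proxy_pass_header Server;
    # auth_basic "Restricted";
    # auth_basic_user_file /etc/nginx/conf.d/.htpasswd;

    # "ssl on" is deprecated in newer nginx releases; there use
    # "listen 443 ssl default deferred;" instead.
    ssl on;
    ssl_certificate /etc/nginx/cert/server.crt;
    ssl_certificate_key /etc/nginx/cert/server.key;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;

    # TLS 1.0 and 1.1 were dropped: both are deprecated and have known
    # weaknesses. Add TLSv1.3 here if the nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/cert/dhparam.pem;
    # Forward-secret (EECDH/EDH) suites first, then non-PFS fallbacks.
    # The 3DES entries (DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA)
    # and the plain AES-CBC fallbacks at the tail are weak and can be removed
    # once no legacy client depends on them.
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    # OCSP Stapling (left disabled: a self-signed certificate has no OCSP
    # responder, so stapling has nothing to fetch)
    #ssl_stapling on;
    #ssl_stapling_verify on;
    #resolver 8.8.4.4 8.8.8.8 valid=300s;
    #resolver_timeout 10s;

    # HTTP Strict Transport Security (2 years). Note: add_header directives
    # here are inherited by the location blocks below only because none of
    # them defines its own add_header.
    add_header Strict-Transport-Security max-age=63072000;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    # HTTP Public Key Pinning was removed. The pin-sha256 value that used to be
    # sent here was copied from another site and cannot match the key generated
    # for this server; browsers ignore a PKP header whose pins do not match the
    # served chain, so it did nothing, and had it ever matched a key, a single
    # pin with no backup pin would have locked clients out for max-age on the
    # next key rotation. HPKP has since been deprecated and removed from major
    # browsers; if pinning is still wanted, compute the pin from your own public
    # key and always include a backup pin for a second, offline key.
    # add_header Public-Key-Pins 'pin-sha256="oNjWucIG3GySyZEWXu9Ov7TaWSMCBQBJGEiET1ne+Rg="; max-age=2592000; includeSubDomains';

    # Main application. The upstream itself speaks HTTPS; proxy_pass does not
    # verify the upstream certificate by default, which is acceptable only on a
    # trusted internal network.
    location / {
        proxy_pass https://172.18.14.37:8081;#ip web
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        send_timeout 300;
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        error_page 502 /50xweb.html;
    }

    # Same backend; kept as a separate block so it can be tuned independently.
    location /ib {
        proxy_pass https://172.18.14.37:8081;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        send_timeout 300;
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        error_page 502 /50xweb.html;
    }

    # Static error / maintenance pages served from the nginx html root.
    error_page 403 /40x.html;
    location = /40x.html {
        root /usr/share/nginx/html;
    }
    location = /50xweb.html {
        root /usr/share/nginx/html;
    }
    location = /undermaintenance.jpg {
        root /usr/share/nginx/html;
    }
    location = /50xjson.html {
        root /usr/share/nginx/html;
    }

    ## Only allow these request methods ##
    # 444 closes the connection without a response; anything but GET/POST
    # (HEAD, PUT, DELETE, OPTIONS, ...) is dropped before reaching the backend.
    if ($request_method !~ ^(GET|POST)$ ) {
        return 444;
    }
}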
-----
Langkah selanjutnya adalah generate SSL certificate. Caranya, pindah ke direktori /etc/nginx/cert (kalau belum ada, silakan buat dulu). Selanjutnya jalankan perintah-perintah berikut ini:
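# Generate a self-signed certificate, its RSA private key and DH parameters in
# the current directory (expected: /etc/nginx/cert, so the paths match
# ssl.conf). Every step uses sudo for consistency, so the last command does not
# fail on a root-owned directory.

# 1. RSA private key. 2048 bits is the minimum acceptable today; the 1024-bit
#    key used before is no longer considered adequate. -des3 wraps the key in a
#    passphrase, which step 3 strips again so nginx can start unattended.
sudo openssl genrsa -des3 -out server.key 2048
# 2. Certificate signing request (prompts for Country, Organization, Common
#    Name, ...). Use the server's hostname or IP as the Common Name.
sudo openssl req -new -key server.key -out server.csr
# 3. Keep the passphrase-protected copy and remove the passphrase from the copy
#    nginx reads.
sudo cp server.key server.key.org
sudo openssl rsa -in server.key.org -out server.key
# 4. Self-sign the CSR for one year. Clients will show a trust warning unless
#    they import server.crt explicitly.
sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
# 5. DH parameters for the DHE cipher suites referenced by ssl_dhparam in
#    ssl.conf; 4096 bits can take many minutes to generate.
sudo openssl dhparam -out dhparam.pem 4096
# 6. Private keys must not be readable by other users; openssl writes them with
#    the umask default (often 0644), so tighten them explicitly.
sudo chmod 600 server.key server.key.org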
Setelah itu restart nginx Anda.
