āĻāĻ˛ā§āĻā§āĻ¸āĻžāĻ° āĻļā§āĻ°ā§āĻˇāĻ¸ā§āĻĨāĻžāĻ¨ā§āĻ¯āĻŧ āĻ¸āĻžāĻāĻāĻā§āĻ˛āĻŋāĻ° āĻŽāĻ§ā§āĻ¯ā§ āĻāĻāĻāĻŋ (āĻā§āĻ¨ā§āĻĻā§āĻ°ā§āĻ¯āĻŧ āĻŦā§āĻ¤ā§āĻ¤), HTTPS āĻĻā§āĻŦāĻžāĻ°āĻž āĻ¸ā§āĻ°āĻā§āĻˇāĻŋāĻ¤, āĻ¸āĻžāĻŦāĻĄā§āĻŽā§āĻ¨ (āĻ§ā§āĻ¸āĻ°) āĻāĻŦāĻ āĻ¨āĻŋāĻ°ā§āĻāĻ°āĻ¤āĻž (āĻ¸āĻžāĻĻāĻž), āĻ¯āĻžāĻ° āĻŽāĻ§ā§āĻ¯ā§ āĻĻā§āĻ°ā§āĻŦāĻ˛ āĻ°āĻ¯āĻŧā§āĻā§ (āĻĄā§āĻ¯āĻžāĻļā§āĻĄ āĻļā§āĻĄāĻŋāĻ)
āĻāĻāĻāĻžāĻ˛, āĻāĻāĻāĻāĻŋāĻāĻŋāĻĒāĻŋāĻāĻ¸ āĻ¸ā§āĻ°āĻā§āĻˇāĻŋāĻ¤ āĻ¸āĻāĻ¯ā§āĻ āĻāĻāĻāĻ¨ āĻāĻāĻāĻŋ āĻ¸ā§āĻā§āĻ¯āĻžāĻ¨ā§āĻĄāĻžāĻ°ā§āĻĄ āĻāĻŦāĻ āĻāĻŽāĻ¨āĻāĻŋ āĻ¯ā§āĻā§āĻ¨ā§ āĻā§āĻ°ā§āĻ¤āĻ° āĻ¸āĻžāĻāĻā§āĻ° āĻāĻāĻāĻŋ āĻĒā§āĻ°āĻ¯āĻŧā§āĻāĻ¨ā§āĻ¯āĻŧ āĻŦā§āĻļāĻŋāĻˇā§āĻā§āĻ¯ āĻšāĻ¯āĻŧā§ āĻāĻ ā§āĻā§āĨ¤ āĻ¯āĻĻāĻŋ
āĻāĻŋāĻ¨ā§āĻ¤ā§ āĻĻā§āĻāĻž āĻ¯āĻžāĻā§āĻā§ āĻ¯ā§ āĻ āĻŋāĻāĻžāĻ¨āĻž āĻŦāĻžāĻ°ā§ āĻāĻāĻāĻŋ "āĻ˛āĻ" āĻāĻĒāĻ¸ā§āĻĨāĻŋāĻ¤āĻŋ āĻ¸āĻ°ā§āĻŦāĻĻāĻž āĻ¸ā§āĻ°āĻā§āĻˇāĻžāĻ° āĻā§āĻ¯āĻžāĻ°āĻžāĻ¨ā§āĻāĻŋ āĻĻā§āĻ¯āĻŧ āĻ¨āĻžāĨ¤
গবেষণার ফল
āĻāĻŦā§āĻˇāĻŖāĻžāĻāĻŋ āĻā§āĻ¨āĻŋāĻ¸ āĻāĻāĻ¨āĻŋāĻāĻžāĻ°ā§āĻ¸āĻŋāĻāĻŋ āĻā§āĻ¯āĻž'āĻĢāĻ¸āĻāĻžāĻ°āĻŋ (āĻāĻ¤āĻžāĻ˛āĻŋ) āĻāĻŦāĻ āĻāĻŋāĻ¯āĻŧā§āĻ¨āĻž āĻā§āĻāĻ¨āĻŋāĻā§āĻ¯āĻžāĻ˛ āĻāĻāĻ¨āĻŋāĻāĻžāĻ°ā§āĻ¸āĻŋāĻāĻŋāĻ° āĻŦāĻŋāĻļā§āĻˇāĻā§āĻāĻĻā§āĻ° āĻĻā§āĻŦāĻžāĻ°āĻž āĻĒāĻ°āĻŋāĻāĻžāĻ˛āĻŋāĻ¤ āĻšāĻ¯āĻŧā§āĻāĻŋāĻ˛āĨ¤ āĻ¤āĻžāĻ°āĻž āĻ¸āĻžāĻ¨ āĻĢā§āĻ°āĻžāĻ¨ā§āĻ¸āĻŋāĻ¸āĻā§āĻ¤ā§ 40-20 āĻŽā§, 22-āĻ āĻ āĻ¨ā§āĻˇā§āĻ āĻŋāĻ¤ āĻ¨āĻŋāĻ°āĻžāĻĒāĻ¤ā§āĻ¤āĻž āĻāĻŦāĻ āĻā§āĻĒāĻ¨ā§āĻ¯āĻŧāĻ¤āĻžāĻ° āĻāĻĒāĻ° 2019 āĻ¤āĻŽ IEEE āĻ¸āĻŋāĻŽā§āĻĒā§āĻāĻŋāĻ¯āĻŧāĻžāĻŽā§ āĻāĻāĻāĻŋ āĻŦāĻŋāĻļāĻĻ āĻĒā§āĻ°āĻ¤āĻŋāĻŦā§āĻĻāĻ¨ āĻāĻĒāĻ¸ā§āĻĨāĻžāĻĒāĻ¨ āĻāĻ°āĻŦā§āĨ¤
āĻļā§āĻ°ā§āĻˇ 10 Alexa āĻ¤āĻžāĻ˛āĻŋāĻāĻž HTTPS āĻ¸āĻžāĻāĻ āĻāĻŦāĻ 000 āĻ¸āĻŽā§āĻĒāĻ°ā§āĻāĻŋāĻ¤ āĻšā§āĻ¸ā§āĻ āĻĒāĻ°ā§āĻā§āĻˇāĻž āĻāĻ°āĻž āĻšāĻ¯āĻŧā§āĻāĻŋāĻ˛āĨ¤ āĻĻā§āĻ°ā§āĻŦāĻ˛ āĻā§āĻ°āĻŋāĻĒā§āĻā§āĻā§āĻ°āĻžāĻĢāĻŋāĻ āĻāĻ¨āĻĢāĻŋāĻāĻžāĻ°ā§āĻļāĻ¨ 90 āĻšā§āĻ¸ā§āĻā§ āĻ¸āĻ¨āĻžāĻā§āĻ¤ āĻāĻ°āĻž āĻšāĻ¯āĻŧā§āĻā§, āĻ āĻ°ā§āĻĨāĻžā§, āĻŽā§āĻā§āĻ° āĻĒā§āĻ°āĻžāĻ¯āĻŧ 816%:
- 4818 MITM-āĻāĻ° āĻāĻ¨ā§āĻ¯ āĻā§āĻāĻāĻŋāĻĒā§āĻ°ā§āĻŖ
- 733 āĻ¸āĻŽā§āĻĒā§āĻ°ā§āĻŖ TLS āĻĄāĻŋāĻā§āĻ°āĻŋāĻĒāĻļāĻ¨ā§āĻ° āĻāĻ¨ā§āĻ¯ āĻā§āĻāĻāĻŋāĻĒā§āĻ°ā§āĻŖ
- 912 āĻāĻāĻļāĻŋāĻ TLS āĻĄāĻŋāĻā§āĻ°āĻŋāĻĒāĻļāĻ¨ā§āĻ° āĻāĻ¨ā§āĻ¯ āĻā§āĻāĻāĻŋāĻĒā§āĻ°ā§āĻŖ
898āĻāĻŋ āĻ¸āĻžāĻāĻ āĻ¸āĻŽā§āĻĒā§āĻ°ā§āĻŖāĻ°ā§āĻĒā§ āĻšā§āĻ¯āĻžāĻāĻŋāĻāĻ¯āĻŧā§āĻ° āĻāĻ¨ā§āĻ¯ āĻāĻ¨ā§āĻŽā§āĻā§āĻ¤, āĻ āĻ°ā§āĻĨāĻžā§, āĻ¤āĻžāĻ°āĻž āĻŦāĻšāĻŋāĻ°āĻžāĻāĻ¤ āĻ¸ā§āĻā§āĻ°āĻŋāĻĒā§āĻāĻā§āĻ˛āĻŋāĻā§ āĻāĻ¨āĻā§āĻāĻļāĻ¨ā§āĻ° āĻ āĻ¨ā§āĻŽāĻ¤āĻŋ āĻĻā§āĻ¯āĻŧ āĻāĻŦāĻ 977āĻāĻŋ āĻ¸āĻžāĻāĻ āĻāĻžāĻ°āĻžāĻĒāĻāĻžāĻŦā§ āĻ¸ā§āĻ°āĻā§āĻˇāĻŋāĻ¤ āĻĒā§āĻˇā§āĻ āĻžāĻā§āĻ˛āĻŋ āĻĨā§āĻā§ āĻ¸āĻžāĻŽāĻā§āĻ°ā§ āĻ˛ā§āĻĄ āĻāĻ°ā§ āĻ¯ā§āĻā§āĻ˛āĻŋāĻ° āĻ¸āĻžāĻĨā§ āĻāĻāĻāĻ¨ āĻāĻā§āĻ°āĻŽāĻŖāĻāĻžāĻ°ā§ āĻ¯ā§āĻāĻžāĻ¯ā§āĻ āĻāĻ°āĻ¤ā§ āĻĒāĻžāĻ°ā§ā§ˇ
āĻāĻŦā§āĻˇāĻāĻ°āĻž āĻā§āĻ° āĻĻāĻŋāĻ¯āĻŧā§āĻā§āĻ¨ āĻ¯ā§ 898āĻāĻŋ "āĻ¸āĻŽā§āĻĒā§āĻ°ā§āĻŖ āĻāĻĒā§āĻ¸āĻā§āĻ¤" āĻ¸āĻāĻ¸ā§āĻĨāĻžāĻ¨āĻā§āĻ˛āĻŋāĻ° āĻŽāĻ§ā§āĻ¯ā§ āĻ āĻ¨āĻ˛āĻžāĻāĻ¨ āĻ¸ā§āĻā§āĻ°, āĻāĻ°ā§āĻĨāĻŋāĻ āĻĒāĻ°āĻŋāĻˇā§āĻŦāĻž āĻāĻŦāĻ āĻ āĻ¨ā§āĻ¯āĻžāĻ¨ā§āĻ¯ āĻŦāĻĄāĻŧ āĻ¸āĻžāĻāĻāĻā§āĻ˛āĻŋāĨ¤ 660āĻāĻŋ āĻ¸āĻžāĻāĻā§āĻ° āĻŽāĻ§ā§āĻ¯ā§ 898āĻāĻŋ āĻĻā§āĻ°ā§āĻŦāĻ˛ āĻšā§āĻ¸ā§āĻ āĻĨā§āĻā§ āĻŦāĻžāĻšā§āĻ¯āĻŋāĻ āĻ¸ā§āĻā§āĻ°āĻŋāĻĒā§āĻ āĻĄāĻžāĻāĻ¨āĻ˛ā§āĻĄ āĻāĻ°ā§: āĻāĻāĻŋ āĻŦāĻŋāĻĒāĻĻā§āĻ° āĻĒā§āĻ°āĻ§āĻžāĻ¨ āĻā§āĻ¸āĨ¤ āĻ˛ā§āĻāĻāĻĻā§āĻ° āĻŽāĻ¤ā§, āĻāĻ§ā§āĻ¨āĻŋāĻ āĻāĻ¯āĻŧā§āĻŦ āĻ ā§āĻ¯āĻžāĻĒā§āĻ˛āĻŋāĻā§āĻļāĻ¨āĻā§āĻ˛āĻŋāĻ° āĻāĻāĻŋāĻ˛āĻ¤āĻž āĻāĻā§āĻ°āĻŽāĻŖā§āĻ° āĻĒā§āĻˇā§āĻ āĻā§ āĻŦā§āĻ¯āĻžāĻĒāĻāĻāĻžāĻŦā§ āĻŦā§āĻĻā§āĻ§āĻŋ āĻāĻ°ā§āĨ¤
āĻ āĻ¨ā§āĻ¯āĻžāĻ¨ā§āĻ¯ āĻ¸āĻŽāĻ¸ā§āĻ¯āĻžāĻā§āĻ˛āĻŋāĻ āĻĒāĻžāĻāĻ¯āĻŧāĻž āĻā§āĻā§: āĻ āĻ¨ā§āĻŽā§āĻĻāĻ¨ā§āĻ° āĻĢāĻ°ā§āĻŽāĻā§āĻ˛āĻŋāĻ° 10% āĻ¤āĻĨā§āĻ¯ā§āĻ° āĻ¨āĻŋāĻ°āĻžāĻĒāĻĻ āĻ¸āĻāĻā§āĻ°āĻŽāĻŖā§ āĻ¸āĻŽāĻ¸ā§āĻ¯āĻž āĻ°āĻ¯āĻŧā§āĻā§, āĻ¯āĻž āĻĒāĻžāĻ¸āĻāĻ¯āĻŧāĻžāĻ°ā§āĻĄ āĻĢāĻžāĻāĻ¸ āĻāĻ°āĻžāĻ° āĻšā§āĻŽāĻāĻŋ āĻĻā§āĻ¯āĻŧ, 412āĻāĻŋ āĻ¸āĻžāĻāĻ āĻā§āĻāĻŋāĻ āĻāĻŦāĻ āĻ¸ā§āĻļāĻ¨ āĻšāĻžāĻāĻā§āĻ¯āĻžāĻāĻŋāĻāĻ¯āĻŧā§āĻ° āĻŦāĻžāĻ§āĻž āĻĻā§āĻ¯āĻŧ āĻāĻŦāĻ 543āĻāĻŋ āĻ¸āĻžāĻāĻ āĻā§āĻāĻŋāĻ° āĻ āĻāĻŖā§āĻĄāĻ¤āĻžāĻ° āĻāĻĒāĻ° āĻāĻā§āĻ°āĻŽāĻŖā§āĻ° āĻļāĻŋāĻāĻžāĻ° āĻšāĻ¯āĻŧ (āĻ¸āĻžāĻŦāĻĄā§āĻŽā§āĻ¨ā§āĻ° āĻŽāĻžāĻ§ā§āĻ¯āĻŽā§) .
āĻ¸āĻŽāĻ¸ā§āĻ¯āĻž āĻšāĻ˛ āĻ¸āĻžāĻŽā§āĻĒā§āĻ°āĻ¤āĻŋāĻ āĻŦāĻāĻ°āĻā§āĻ˛āĻŋāĻ¤ā§ SSL/TLS āĻĒā§āĻ°ā§āĻā§āĻāĻ˛ āĻāĻŦāĻ āĻ¸āĻĢā§āĻāĻāĻ¯āĻŧā§āĻ¯āĻžāĻ°
প্রস্তাবিত সেটিংস
āĻĒā§āĻ°āĻ¸ā§āĻ¤āĻžāĻŦāĻŋāĻ¤ HTTPS āĻ¸ā§āĻāĻŋāĻāĻ¸ā§āĻ° āĻ¤āĻžāĻ˛āĻŋāĻāĻžāĻ¯āĻŧ āĻāĻ¨ā§āĻˇā§āĻ āĻžāĻ¨āĻŋāĻāĻāĻžāĻŦā§ āĻ
āĻ¨ā§āĻŽā§āĻĻāĻŋāĻ¤ āĻāĻŦāĻ āĻ¸āĻŽā§āĻŽāĻ¤ āĻā§āĻ āĻ¨ā§āĻāĨ¤ āĻ¤āĻžāĻ,
আধুনিক মোড
āĻĒā§āĻ°āĻžāĻā§āĻ¨āĻ¤āĻŽ āĻ¸āĻŽāĻ°ā§āĻĨāĻŋāĻ¤ āĻā§āĻ˛āĻžāĻ¯āĻŧā§āĻ¨ā§āĻ: Windows 27, Edge, Opera 30, Safari 11, Android 7, āĻāĻŦāĻ Java 17-āĻ Firefox 9, Chrome 5.0, IE 8
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}
# HTTPS listener, "modern" profile: TLS 1.2 only and ECDHE key exchange only,
# so every connection has forward secrecy; the older clients outside the list
# above are deliberately excluded.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
# (per the file name: leaf certificate first, then the intermediates)
ssl_certificate /path/to/signed_cert_plus_intermediates;
# private key of the leaf certificate; keep it readable only by the user
# nginx starts as
ssl_certificate_key /path/to/private_key;
# server-side session cache shared between workers (50 MB), entries live 1 day
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
# tickets are off so resumption goes through the cache above; the usual
# rationale is that a ticket key outliving the sessions it protects would
# let a later key compromise decrypt recorded traffic
ssl_session_tickets off;
# modern configuration. tweak to your needs.
# TLSv1.3 can be appended on nginx/OpenSSL builds that support it
ssl_protocols TLSv1.2;
# AEAD suites (AES-GCM, ChaCha20-Poly1305) first; the trailing *-SHA384 and
# *-SHA256 entries are CBC-mode fallbacks kept for compatibility
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# the server's order above wins over the client's preference
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
# Only this exact host is covered. The subdomain-based cookie attacks described
# in the article above are only addressed by adding `includeSubDomains` (and
# then every subdomain must be reachable over HTTPS). nginx emits add_header
# only on 2xx/3xx responses unless the `always` parameter is given, and a
# location block with its own add_header does not inherit this one.
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
# validate the OCSP response against the chain below before stapling it
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
# resolver used for the OCSP responder lookup: placeholder, replace with a DNS
# server you trust and that this host can reach
resolver <IP DNS resolver>;
# remainder of the server block (server_name, root, location blocks) omitted
....
}
মাঝারি সমর্থন
āĻĒā§āĻ°āĻžāĻā§āĻ¨āĻ¤āĻŽ āĻ¸āĻŽāĻ°ā§āĻĨāĻŋāĻ¤ āĻā§āĻ˛āĻžāĻ¯āĻŧā§āĻ¨ā§āĻ: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7
# Plain-HTTP listener whose only job is to send every request to HTTPS.
# default_server makes this the catch-all for any Host header no other
# server block matches; nothing here serves content over HTTP.
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
# $host is taken from the request (Host header, falling back to server_name),
# so on a catch-all block the Location header echoes whatever host the client
# sent — NOTE(review): confirm only domains you actually serve reach this block.
return 301 https://$host$request_uri;
}
# HTTPS listener, "intermediate" profile: keeps TLS 1.0/1.1, DHE and some
# legacy cipher suites so the older clients listed above can still connect,
# at the cost of weaker guarantees than the modern profile.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
# (per the file name: leaf certificate first, then the intermediates)
ssl_certificate /path/to/signed_cert_plus_intermediates;
# private key of the leaf certificate; keep it readable only by the user
# nginx starts as
ssl_certificate_key /path/to/private_key;
# server-side session cache shared between workers (50 MB), entries live 1 day
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
# tickets are off so resumption goes through the cache above; the usual
# rationale is that a ticket key outliving the sessions it protects would
# let a later key compromise decrypt recorded traffic
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
# The file is generated out-of-band; the DHE-* suites below depend on it, and
# a short (<2048-bit) or widely shared parameter set weakens them.
ssl_dhparam /path/to/dhparam.pem;
# intermediate configuration. tweak to your needs.
# TLSv1 and TLSv1.1 are deprecated (RFC 8996) and stay enabled here only for
# the legacy clients in the heading; drop them if none of those clients matter
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Ordered ECDHE AEAD -> DHE AEAD -> CBC suites -> 3DES (*DES-CBC3-SHA, 64-bit
# block size, weak on long-lived connections) -> plain AES*-SHA* suites with
# static RSA key exchange and therefore no forward secrecy. !DSS removes
# DSA-signed suites.
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
# the server's order above wins over the client's preference
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
# Only this exact host is covered. The subdomain-based cookie attacks described
# in the article above are only addressed by adding `includeSubDomains` (and
# then every subdomain must be reachable over HTTPS). nginx emits add_header
# only on 2xx/3xx responses unless the `always` parameter is given, and a
# location block with its own add_header does not inherit this one.
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
# validate the OCSP response against the chain below before stapling it
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
# resolver used for the OCSP responder lookup: placeholder, replace with a DNS
# server you trust and that this host can reach
resolver <IP DNS resolver>;
# remainder of the server block (server_name, root, location blocks) omitted
....
}
পুরানো সমর্থন
āĻĒā§āĻ°āĻžāĻā§āĻ¨āĻ¤āĻŽ āĻ¸āĻŽāĻ°ā§āĻĨāĻŋāĻ¤ āĻā§āĻ˛āĻžāĻ¯āĻŧā§āĻ¨ā§āĻ: āĻāĻāĻ¨ā§āĻĄā§āĻ āĻāĻā§āĻ¸āĻĒāĻŋ IE6, āĻāĻžāĻāĻž 6
# Plain-HTTP listener whose only job is to send every request to HTTPS.
# default_server makes this the catch-all for any Host header no other
# server block matches; nothing here serves content over HTTP.
server {
listen 80 default_server;
listen [::]:80 default_server;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
# $host is taken from the request (Host header, falling back to server_name),
# so on a catch-all block the Location header echoes whatever host the client
# sent — NOTE(review): confirm only domains you actually serve reach this block.
return 301 https://$host$request_uri;
}
# HTTPS listener, "old" profile: the widest compatibility set on this page,
# including SSLv3 and a much broader cipher list. Use it only if the ancient
# clients named above genuinely have to connect; everything below the modern
# profile's guarantees is a trade-off made for them.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
# (per the file name: leaf certificate first, then the intermediates)
ssl_certificate /path/to/signed_cert_plus_intermediates;
# private key of the leaf certificate; keep it readable only by the user
# nginx starts as
ssl_certificate_key /path/to/private_key;
# server-side session cache shared between workers (50 MB), entries live 1 day
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
# tickets are off so resumption goes through the cache above; the usual
# rationale is that a ticket key outliving the sessions it protects would
# let a later key compromise decrypt recorded traffic
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
# The file is generated out-of-band; the DHE-* suites below depend on it, and
# a short (<2048-bit) or widely shared parameter set weakens them.
ssl_dhparam /path/to/dhparam.pem;
# old configuration. tweak to your needs.
# SSLv3 is broken (POODLE) and is compiled out of many current OpenSSL builds;
# it is listed only for the Windows XP/IE6 and Java 6 clients in the heading.
# NOTE(review): confirm the OpenSSL nginx links against still accepts SSLv3
# before relying on this line, and remove it as soon as those clients are gone.
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
# Explicit suites first (ECDHE/DHE AEAD, then CBC, then 3DES, then static-RSA
# suites without forward secrecy); AES/HIGH/SEED then pull in further OpenSSL
# suites, and the trailing ! entries exclude anonymous (aNULL/aDH/aECDH), null,
# export, single DES, RC4, MD5, PSK, Kerberos and SRP suites. Unlike the
# intermediate list, DHE-DSS suites are permitted here.
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP';
# the server's order above wins over the client's preference
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
# Only this exact host is covered. The subdomain-based cookie attacks described
# in the article above are only addressed by adding `includeSubDomains` (and
# then every subdomain must be reachable over HTTPS). nginx emits add_header
# only on 2xx/3xx responses unless the `always` parameter is given, and a
# location block with its own add_header does not inherit this one.
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
# validate the OCSP response against the chain below before stapling it
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
# resolver used for the OCSP responder lookup: placeholder, replace with a DNS
# server you trust and that this host can reach
resolver <IP DNS resolver>;
# remainder of the server block (server_name, root, location blocks) omitted
....
}
āĻāĻāĻŋ āĻ¸ā§āĻĒāĻžāĻ°āĻŋāĻļ āĻāĻ°āĻž āĻšāĻ¯āĻŧ āĻ¯ā§ āĻāĻĒāĻ¨āĻŋ āĻ¸āĻ°ā§āĻŦāĻĻāĻž āĻ¸āĻŽā§āĻĒā§āĻ°ā§āĻŖ āĻ¸āĻžāĻāĻĢāĻžāĻ° āĻ¸ā§āĻ¯ā§āĻ āĻāĻŦāĻ OpenSSL āĻāĻ° āĻ¸āĻ°ā§āĻŦāĻļā§āĻˇ āĻ¸āĻāĻ¸ā§āĻāĻ°āĻŖ āĻŦā§āĻ¯āĻŦāĻšāĻžāĻ° āĻāĻ°ā§āĻ¨ā§ˇ āĻ¸āĻžāĻ°ā§āĻāĻžāĻ° āĻ¸ā§āĻāĻŋāĻāĻ¸ā§ āĻĨāĻžāĻāĻž āĻ¸āĻžāĻāĻĢāĻžāĻ° āĻ¸ā§āĻ¯ā§āĻāĻāĻŋ āĻā§āĻ˛āĻžāĻ¯āĻŧā§āĻ¨ā§āĻ āĻ¸ā§āĻāĻŋāĻāĻ¸ā§āĻ° āĻāĻĒāĻ° āĻ¨āĻŋāĻ°ā§āĻāĻ° āĻāĻ°ā§ āĻ¯ā§ āĻ āĻā§āĻ°āĻžāĻ§āĻŋāĻāĻžāĻ°ā§ āĻ¤āĻžāĻ°āĻž āĻŦā§āĻ¯āĻŦāĻšāĻžāĻ° āĻāĻ°āĻž āĻšāĻŦā§ āĻ¤āĻž āĻ¨āĻŋāĻ°ā§āĻĻāĻŋāĻˇā§āĻ āĻāĻ°ā§ā§ˇ
āĻāĻŦā§āĻˇāĻŖāĻž āĻĻā§āĻāĻžāĻ¯āĻŧ āĻ¯ā§ āĻļā§āĻ§ā§āĻŽāĻžāĻ¤ā§āĻ° āĻāĻāĻāĻŋ HTTPS āĻļāĻāĻ¸āĻžāĻĒāĻ¤ā§āĻ° āĻāĻ¨āĻ¸ā§āĻāĻ˛ āĻāĻ°āĻž āĻ¯āĻĨā§āĻˇā§āĻ āĻ¨āĻ¯āĻŧāĨ¤ "āĻ¯āĻĻāĻŋāĻ āĻāĻŽāĻ°āĻž 2005 āĻ¸āĻžāĻ˛ā§āĻ° āĻŽāĻ¤ā§ āĻā§āĻāĻŋāĻā§āĻ˛āĻŋ āĻĒāĻ°āĻŋāĻāĻžāĻ˛āĻ¨āĻž āĻāĻ°āĻŋ āĻ¨āĻž, āĻāĻŦāĻ 'āĻļāĻžāĻ˛ā§āĻ¨ TLS' āĻ¸āĻžāĻ§āĻžāĻ°āĻŖ āĻšāĻ¯āĻŧā§ āĻāĻ ā§āĻā§, āĻāĻāĻŋ āĻĻā§āĻāĻž āĻ¯āĻžāĻā§āĻā§ āĻ¯ā§ āĻāĻ āĻŽā§āĻ˛āĻŋāĻ āĻāĻŋāĻ¨āĻŋāĻ¸āĻā§āĻ˛āĻŋ āĻāĻļā§āĻāĻ°ā§āĻ¯āĻāĻ¨āĻāĻāĻžāĻŦā§ āĻ
āĻ¨ā§āĻ āĻāĻ¨āĻĒā§āĻ°āĻŋāĻ¯āĻŧ āĻ¸āĻžāĻāĻāĻā§āĻ˛āĻŋāĻā§ āĻ¸ā§āĻ°āĻā§āĻˇāĻŋāĻ¤ āĻāĻ°āĻžāĻ° āĻāĻ¨ā§āĻ¯ āĻ¯āĻĨā§āĻˇā§āĻ āĻ¨āĻ¯āĻŧ,"
উত্স: www.habr.com