New SSL: Safari can't open the page, B/C server unexpectedly dropped the connection (subdomain)

After a lot of searching and browsing Serverfault I still have an SSL problem:

Safari cannot open the page at all, and Firefox shows a "Secure Connection Failed" message after 5 minutes of inactivity (not browsing anything). Chrome / Chromium returns a 403 error, then quickly reloads the page and everything works.

It started after installing an SSL certificate from Comodo. You can see the report here: https://www.ssllabs.com/ssltest/analyze.html?d=marketplace.mercicapitaine.fr&hideResults=on

SSL Shopper reports everything fine: https://www.sslshopper.com/ssl-checker.html#hostname=marketplace.mercicapitaine.fr

TLS is 1.2. SSL Labs says: "The server does not support Forward Secrecy with the reference browsers." and "This server supports weak Diffie-Hellman (DH) key exchange parameters".

I made a TCP dump, but I have a hard time understanding it..

I'm not a server person, so any hints on how to debug/trace the error are welcome. It is hosted on NGINX, and there is nothing special in the error log.

Many thanks for your time :)

Edit: nginx configuration:

    server {
        listen *:80;
        listen *:443 ssl;
        ssl_certificate /home/ubuntu/ssl_2016/ssl-bundle.crt;
        ssl_certificate_key /home/ubuntu/ssl_2016/mckey.key;
        server_name marketplace.mercicapitaine.fr;
        access_log /var/log/nginx/marketplacemercicapitainefr.access.log;
        error_log /var/log/nginx/marketplacemercicapitainefr.error.log;
        root /srv/marketapp/;
        index index.html index.htm index.php;
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 16k;
        fastcgi_read_timeout 900;
        client_max_body_size 50M;

        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }

        # This order might seem weird - this is attempted to match last if rules below fail.
        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        # Add trailing slash to */wp-admin requests.
        rewrite /wp-admin$ $scheme://$host$uri/ permanent;

        # Directives to send expires headers and turn off 404 error logging.
        location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
            access_log off;
            log_not_found off;
            expires max;
        }

        location = /favicon.ico {
            log_not_found off;
            access_log off;
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        location ~* \.(js|css|png|jpg|jpeg|gif|ico|wmv|3gp|avi|mpg|mpeg|mp4|flv|mp3|mid|wml|swf|pdf|doc|docx|ppt|pptx|zip)$ {
            expires max;
            log_not_found off;
            add_header Pragma public;
            add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        }

        location ~* \.()$ {
            expires 31536000s;
        }

        location ~ [^/]\.php(/|$) {
            fastcgi_index index.php;
            include fcgi.conf;
            fastcgi_pass unix:/var/run/ajenti-v-php-fcgi-marketplacemercicapitainefr-php-fcgi-0.sock;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }

After checking the nginx SSL configuration linked in your comment, I would change a few things in your configuration. Let me go on:

    server {
        # more_set_headers "Server: my web server :-)";
        listen 80;
        server_name marketplace.mercicapitaine.fr;
        return 301 https://$server_name$request_uri;
    }

    server {
        # more_set_headers "Server: my web server :-)";
        listen 443 ssl;
        server_name marketplace.mercicapitaine.fr;
        ssl_certificate /home/ubuntu/ssl_2016/ssl-bundle.crt;
        ssl_certificate_key /home/ubuntu/ssl_2016/mckey.key;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:10m;
        # ssl_session_tickets off;

        # openssl dhparam -out dhparam.pem 2048
        # ssl_dhparam /etc/nginx/SSL/dhparams.pem;

        ssl_protocols TLSv1.1 TLSv1.2;
        # (the cipher list below is cut off in the original post)
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGC$
        ssl_prefer_server_ciphers on;
        add_header Strict-Transport-Security "max-age=15768000;includeSubdomains; preload";

        root /srv/marketapp/;
        index index.html index.htm index.php;
        client_max_body_size 20M;

        location / {
            try_files $uri $uri/ /index.php;
        }

        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/ajenti-v-php-fcgi-marketplacemercicapitainefr-php-fcgi-0.sock;
            fastcgi_index index.php;
            include fastcgi_params;
        }

        location /doc/ {
            alias /usr/share/doc/;
            autoindex on;
            allow 127.0.0.1;
            deny all;
        }

        # "~" must be a separate token, otherwise nginx treats "~/\.ht" as a prefix match
        location ~ /\.ht {
            deny all;
        }
    }
  1. Please consider generating Diffie-Hellman parameters of at least 2048 bits.
  2. The configuration above tries to carry over most of your settings and paths; please check it to make sure it is correct.
  3. I am rewriting from port 80 to port 443 with a permanent redirect.
  4. The non-SSL / SSL parts are split into separate server blocks.
  5. Check your page with SSL Labs to see whether there are any other security options you can set.

I assume you want to set up a WordPress blog.

If you have any questions, feel free to ask.
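To see why SSL Labs flagged the original server block and not the revised one, here is an added example (not code from the question or the answer above): a small checker that reads an nginx server block and reports the TLS settings behind the two SSL Labs findings quoted in the question (no Forward Secrecy with the reference browsers, weak DH parameters), plus the HSTS header the answer adds. The two sample blocks are constructed from the configurations on this page, with `ssl_dhparam` enabled and the cipher list shortened in the hardened one; the parser only understands the flat `directive value;` layout and is an assumption of this example, not an nginx API.

```python
import re

# Constructed sample: the TLS-relevant lines of the question's server block.
# No ssl_protocols, ssl_ciphers, ssl_dhparam or HSTS header are set, so nginx
# falls back to its built-in defaults.
WEAK_CONFIG = """
server {
    listen *:80;
    listen *:443 ssl;
    ssl_certificate /home/ubuntu/ssl_2016/ssl-bundle.crt;
    ssl_certificate_key /home/ubuntu/ssl_2016/mckey.key;
    server_name marketplace.mercicapitaine.fr;
}
"""

# Constructed sample: the answer's hardened block with ssl_dhparam uncommented and
# the cipher list shortened to three (EC)DHE suites for readability.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    server_name marketplace.mercicapitaine.fr;
    ssl_certificate /home/ubuntu/ssl_2016/ssl-bundle.crt;
    ssl_certificate_key /home/ubuntu/ssl_2016/mckey.key;
    ssl_dhparam /etc/nginx/SSL/dhparams.pem;   # openssl dhparam -out dhparams.pem 2048
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=15768000;includeSubdomains; preload";
}
"""

# One simple "directive value...;" per line; nested blocks are not needed here.
_DIRECTIVE = re.compile(r"^\s*([A-Za-z_]+)\s+(.*?)\s*;\s*$")
_WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
# OpenSSL names for ephemeral (forward-secret) key exchange.
_FS_PREFIXES = ("ECDHE", "DHE", "kEDH", "kEECDH")


def parse_directives(config):
    """Map each directive name to the list of its values (comments stripped)."""
    out = {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0]
        m = _DIRECTIVE.match(line)
        if m:
            out.setdefault(m.group(1), []).append(m.group(2).strip("'\""))
    return out


def check_tls(config):
    """Return the list of findings for one server block (empty list = nothing flagged)."""
    d = parse_directives(config)
    findings = []

    if "ssl_dhparam" not in d:
        # nginx releases before 1.11.0 fall back to a built-in 1024-bit group here,
        # which is the "weak DH parameters" warning from SSL Labs.
        findings.append("ssl_dhparam missing: generate 2048-bit parameters and set ssl_dhparam")

    protocols = set(" ".join(d.get("ssl_protocols", [])).split())
    if not protocols:
        findings.append("ssl_protocols not set: the nginx default still enables TLSv1")
    elif protocols & _WEAK_PROTOCOLS:
        findings.append("weak protocols enabled: " + ", ".join(sorted(protocols & _WEAK_PROTOCOLS)))

    if "ssl_ciphers" not in d:
        # The default HIGH:!aNULL:!MD5 list contains plain RSA key exchange suites.
        findings.append("ssl_ciphers not set: default list includes non-forward-secret RSA suites")
    else:
        non_fs = [c for c in d["ssl_ciphers"][0].split(":")
                  if c and not c.startswith("!") and not c.startswith(_FS_PREFIXES)]
        if non_fs:
            findings.append("non-forward-secret suites offered: " + ", ".join(non_fs))

    if d.get("ssl_prefer_server_ciphers", ["off"])[0] != "on":
        findings.append("ssl_prefer_server_ciphers off: client preference may pick a non-FS suite")

    if not any(v.startswith("Strict-Transport-Security") for v in d.get("add_header", [])):
        findings.append("no Strict-Transport-Security header")

    return findings


if __name__ == "__main__":
    for name, cfg in (("question", WEAK_CONFIG), ("answer", HARDENED_CONFIG)):
        print(f"{name}: {check_tls(cfg) or ['ok']}")
```

Run it as-is to compare the two blocks, or paste your own server block into a string and call `check_tls` on it before reloading nginx; the checker is static, so it cannot see what the running OpenSSL build actually negotiates, which is what the SSL Labs scan measures.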