30.1 Purpose of this document
30.2 Contents of this document
30.3 The concepts of one-way and two-way authentication
30.3.1 What is one-way authentication
30.3.2 What is two-way authentication
30.4 Introduction to openssl
30.5 Prerequisites for configuring one-way and two-way SSL in Nginx
30.6 Making certificates with openssl
30.6.1 One-way server authentication
30.6.1.1 Create and enter the sslkey directory
30.6.1.2 Generate an RSA key
30.6.1.3 Generate a certificate request
30.6.1.4 Modify the main nginx configuration file
30.6.1.5 Verify the result
30.6.2 Two-way server and client authentication
30.6.2.1 Create separate directories for the certificates
30.6.2.2 Create a new root CA certificate with a script
30.6.2.3 Generate the server certificate with a script
30.6.2.4 Configure the main Nginx configuration file
30.6.2.5 Verify the result
30.6.2.6 Fixing the 400 Bad Request on access: generate a client certificate
30.6.2.7 Verify the result again
30.6.2.8 Notes on Nginx SSL
30.1 Purpose of this document
The purpose of this document is to improve my own documentation writing and layout skills, to consolidate what was covered in class, and to make it easy for me to look things up later; that is why I wrote it.
30.2 Contents of this document
This chapter covers: the concepts of one-way and two-way authentication, an introduction to openssl, the prerequisites for configuring one-way SSL in Nginx, and making certificates with openssl (one-way and two-way authentication).
30.3 The concepts of one-way and two-way authentication
30.3.1 What is one-way authentication
One-way authentication is like having a username and password: they are compared with the user information stored on the server, and if they match, the two sides can establish a connection.
30.3.2 What is two-way authentication
In two-way SSL authentication the client obtains the server's certificate and checks whether the server is a host it can trust; if not, the client treats that site's content as untrusted and should not visit it (the browser tells you so). At the same time the server also checks the client's certificate; if the client is not one the server trusts, the server concludes that you are not one of its legitimate users and refuses to serve you. So for two-way HTTPS authentication to complete, the server must be given a certificate that the browser trusts, and the client (browser) must also send the server a certificate that the server trusts.
For a browser to trust the server's certificate out of the box, that certificate must be signed by one of the few certificate authorities that everyone already trusts, which usually costs money.
In plain terms: you first send your username and password to the server for comparison; if they match, the server then sends its own username and password to your machine, which compares them with the user information kept there; if those match too, the connection is established!
30.4 Introduction to openssl
openssl is open-source software with which a simple CA can be set up on Linux (or UNIX/Cygwin). A CA (certification authority) is a trusted third party, built on a public key infrastructure (PKI), that issues and confirms digital certificates. We can use such a CA for PKI and digital-certificate testing. For example, when testing two-way HTTPS authentication built with Tomcat or Apache, we can use our own test CA to issue a server certificate to the server and to generate a file-based digital certificate for the client (browser) (the client private key can be generated with openssl at the same time).
30.5 Prerequisites for configuring one-way and two-way SSL in Nginx
Based on an LNMP environment.
Nginx was compiled and installed with two parameters: --with-http_stub_status_module (enables NginxStatus, used to monitor the current state of nginx) and --with-http_ssl_module (enables the ssl module).
openssl and openssl-devel are installed.
[root@LNMP ~]# /application/nginx/sbin/nginx -V
nginx version: nginx/1.6.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC)
configure arguments: --user=nginx --group=nginx --prefix=/application/nginx-1.6.2 --with-http_stub_status_module --with-http_ssl_module
30.6 Making certificates with openssl
30.6.1 One-way server authentication
30.6.1.1 Create and enter the sslkey directory
[root@LNMP ~]# mkdir -p /application/nginx/sslkey
[root@LNMP ~]# cd /application/nginx/sslkey/
30.6.1.2 Generate an RSA key
[root@LNMP sslkey]# openssl genrsa -out key.pem 2048
30.6.1.3 Generate a certificate request
[root@LNMP sslkey]# openssl req -new -key key.pem -out cert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:cn //country name
State or Province Name (full name) []:bj //province
Locality Name (eg, city) [Default City]:bj //city
Organization Name (eg, company) [Default Company Ltd]:bj //company name
Organizational Unit Name (eg, section) []:bj //organizational unit
Common Name (eg, your name or your server's hostname) []:www.etiantian.org //the domain to configure SSL for
Email Address []:260428042@qq.com //email address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456 //password
An optional company name []:123456 //password
30.6.1.4 Modify the main nginx configuration file
[root@LNMP ~]# cat /application/nginx/conf/nginx.conf
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 443;
        server_name www.etiantian.org;
        ssl on;
        ssl_certificate /application/nginx/sslkey/server.crt;
        ssl_certificate_key /application/nginx/sslkey/server.key;
        ssl_session_timeout 5m;
        ssl_protocols SSLv3 TLSv1;
        ssl_ciphers HIGH:!ADH:!EXPORT56:RC4+RSA:+MEDIUM;
        ssl_prefer_server_ciphers on;
        location / {
            root html/blog;
            index index.html index.htm;
        }
    }
}
[root@LNMP ~]# /application/nginx/sbin/nginx -t //check the syntax
[root@LNMP ~]# /application/nginx/sbin/nginx -s reload //reload
30.6.1.5 Verify the result
30.6.2 Two-way server and client authentication
30.6.2.1 Create separate directories for the certificates
[root@LNMP ~]# mkdir /application/nginx/ca
[root@LNMP ~]# cd /application/nginx/ca
[root@LNMP ca]# mkdir newcerts private conf server
The newcerts subdirectory will hold the certificates signed (issued) by the CA (certificate backup directory).
The private directory holds the CA's private key.
The conf directory just holds some simplified parameters.
The server directory holds our own certificate.
1. Create the openssl.conf configuration file in the conf directory
[root@LNMP ~]# cat /application/nginx/ca/conf/openssl.conf
[ ca ]
default_ca = foo    # name of the default CA section; once set, openssl looks up the section with that name
[ foo ]
dir = /application/nginx/ca    # top-level CA directory
database = /application/nginx/ca/index.txt    # CA database index file
new_certs_dir = /application/nginx/ca/newcerts    # directory for newly issued certificates
certificate = /application/nginx/ca/private/ca.crt    # CA certificate
serial = /application/nginx/ca/serial    # CA serial number file
private_key = /application/nginx/ca/private/ca.key    # CA private key
RANDFILE = /application/nginx/ca/private/.rand    # random number file
default_days = 365    # validity period (days) of the certificates the CA issues
default_crl_days = 30    # validity period (days) of the CRL
default_md = md5    # digest algorithm used for signing
#unique_subject = no
policy = policy_any    # default policy applied to requests
[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
localityName = optional
commonName = supplied
emailAddress = optional
30.6.2.2 Create a new root CA certificate with a script
1. View the script
[root@LNMP ~]# cat /application/nginx/ca/new_ca.sh
#!/bin/sh
# generate the CA private key
openssl genrsa -out private/ca.key
# generate a certificate request
openssl req -new -key private/ca.key -out private/ca.csr
# sign the CA certificate request with our own private key
openssl x509 -req -days 365 -in private/ca.csr -signkey private/ca.key -out private/ca.crt
# the following three lines set up the CA's database index files
echo FACE > serial
touch index.txt
openssl ca -gencrl -out /application/nginx/ca/private/ca.crl -crldays 7 -config "/application/nginx/ca/conf/openssl.conf"
2. Run the script to create the root CA certificate
[root@LNMP ca]# sh new_ca.sh
Generating RSA private key, 1024 bit long modulus
.......................................++++++
.++++++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:bj
Organizational Unit Name (eg, section) []:bj
Common Name (eg, your name or your server's hostname) []:www.etiantian.org
Email Address []:260428042@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
Signature ok
subject=/C=cn/ST=bj/L=bj/O=bj/OU=bj/CN=www.etiantian.org/emailAddress=60428042@qq.com
Getting Private key
Using configuration from /application/nginx/ca/conf/openssl.conf
3. View the generated CA certificate and make sure it has content.
30.6.2.3 Generate the server certificate with a script
1. View the script
[root@LNMP ~]# cd /application/nginx/ca/
[root@LNMP ca]# cat new_server.sh
#!/bin/sh
# Create us a key. Don't bother putting a password on it since you will need it to start apache.
# If you have a better workaround I'd love to hear it.
# create the server private key
openssl genrsa -out server/server.key
# create a certificate signing request with the private key
openssl req -new -key server/server.key -out server/server.csr
# have the CA sign the request, producing the server certificate
openssl ca -in server/server.csr -cert private/ca.crt -keyfile private/ca.key -out server/server.crt -config "/application/nginx/ca/conf/openssl.conf"
2. Run the script to generate the server certificate
[root@LNMP ca]# sh new_server.sh
Generating RSA private key, 1024 bit long modulus
.....................++++++
...........................................................++++++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:bj
Organizational Unit Name (eg, section) []:bj
Common Name (eg, your name or your server's hostname) []:www.etiantian.org
Email Address []:260428042@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
Using configuration from /application/nginx/ca/conf/openssl.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'cn'
stateOrProvinceName   :ASN.1 12:'bj'
localityName          :ASN.1 12:'bj'
organizationName      :ASN.1 12:'bj'
organizationalUnitName:ASN.1 12:'bj'
commonName            :ASN.1 12:'www.etiantian.org'
emailAddress          :IA5STRING:'60428042@qq.com'
Certificate is to be certified until Mar  5 10:14:25 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
3. Check that the generated server certificate has content, otherwise errors will follow later.
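The "make sure the certificate has content" checks in 30.6.2.2 and 30.6.2.3, and the consistency rule in note 2 of 30.6.2.8 (province, city and organization must match, which is what the `match` entries in policy_any enforce), can be checked with openssl instead of by eye. The script below is an added example and not part of these notes: it rebuilds the tutorial's CA directory layout and openssl.conf under a temporary directory (sha256 in place of md5, a constructed test-root-ca subject and example.test hostnames are assumptions), issues a certificate through `openssl ca` as new_server.sh does, verifies that it chains to ca.crt and matches its private key, and shows that a request whose stateOrProvinceName differs from the CA's is rejected by the policy.

```shell
#!/bin/sh
# Added example: throw-away CA laid out like the tutorial's /application/nginx/ca tree, in a temp dir.
CA_DIR=$(mktemp -d)
mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private" "$CA_DIR/server"
touch "$CA_DIR/index.txt"; echo FACE > "$CA_DIR/serial"
# Config mirroring the tutorial's [foo] and [policy_any] sections; sha256 replaces md5.
cat > "$CA_DIR/openssl.conf" <<EOF
[ ca ]
default_ca = foo
[ foo ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/private/ca.crt
private_key = \$dir/private/ca.key
serial = \$dir/serial
default_days = 365
default_md = sha256
policy = policy_any
[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
CONF="$CA_DIR/openssl.conf"
# Self-signed root (what new_ca.sh does with genrsa + req + x509 -signkey); constructed test subject.
openssl req -x509 -newkey rsa:2048 -nodes -config "$CONF" -days 365 \
  -subj "/C=cn/ST=bj/O=bj/CN=test-root-ca" \
  -keyout "$CA_DIR/private/ca.key" -out "$CA_DIR/private/ca.crt" 2>/dev/null
# issue_cert STEM SUBJECT: key + CSR + 'openssl ca', as new_server.sh does.
# Returns openssl ca's status, so a DN that violates the match policy fails.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$CONF" -subj "$2" \
    -keyout "$CA_DIR/server/$1.key" -out "$CA_DIR/server/$1.csr" 2>/dev/null &&
  openssl ca -batch -config "$CONF" -in "$CA_DIR/server/$1.csr" \
    -out "$CA_DIR/server/$1.crt" 2>/dev/null
}
# verify_pair STEM: the "make sure it has content" check done properly: the cert
# chains to ca.crt and its public key equals the one derived from the private key.
verify_pair() {
  openssl verify -CAfile "$CA_DIR/private/ca.crt" "$CA_DIR/server/$1.crt" >/dev/null 2>&1 &&
    [ "$(openssl x509 -in "$CA_DIR/server/$1.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$CA_DIR/server/$1.key" -pubout 2>/dev/null)" ]
}
issue_cert server "/C=cn/ST=bj/O=bj/CN=www.example.test" && verify_pair server && echo "server: OK"
issue_cert wrongst "/C=cn/ST=sh/O=bj/CN=bad.example.test" || echo "wrongst: rejected, ST must match the CA"
```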
30.6.2.4 Configure the main Nginx configuration file
[root@LNMP ~]# cat /application/nginx/conf/nginx.conf
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    # HTTPS server
    server {
        listen 443;
        root html/blog;
        index index.php index.html index.htm;
        server_name www.etiantian.org;
        ssi on;
        ssi_silent_errors on;
        ssi_types text/shtml;
        ssl on;
        ssl_certificate /application/nginx/ca/server/server.crt;
        ssl_certificate_key /application/nginx/ca/server/server.key;
        ssl_client_certificate /application/nginx/ca/private/ca.crt;
        ssl_session_timeout 5m;
        ssl_verify_client on;
        ssl_protocols SSLv2 SSLv3 TLSv1;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers on;
        location / {
            root html/blog;
            index index.php index.html index.htm;
        }
    }
}
[root@LNMP ~]# /application/nginx/sbin/nginx -t //check the syntax
[root@LNMP ~]# /application/nginx/sbin/nginx -s reload //reload
30.6.2.5 Verify the result
30.6.2.6 Fixing the 400 Bad Request on access: generate a client certificate
1. View the script
[root@LNMP ~]# cat /application/nginx/ca/new_user.sh
#!/bin/sh
base="/application//nginx/ca"
mkdir -p $base/users/
# generate the client private key
openssl genrsa -des3 -out $base/users/client.key 1024
# generate a certificate signing request from the client key
openssl req -new -key $base/users/client.key -out $base/users/client.csr
# have the CA issue the client certificate
openssl ca -in $base/users/client.csr -cert $base/private/ca.crt -keyfile $base/private/ca.key -out $base/users/client.crt -config "/application/nginx/ca/conf/openssl.conf"
# convert the client certificate to PKCS#12 (Personal Information Exchange, .p12), which most browsers can import
openssl pkcs12 -export -clcerts -in $base/users/client.crt -inkey $base/users/client.key -out $base/users/client.p12
2. Run the script to generate the client certificate
[root@LNMP ca]# sh new_user.sh
Generating RSA private key, 1024 bit long modulus
....++++++
...................................................++++++
e is 65537 (0x10001)
Enter pass phrase for /application//nginx/ca/users/client.key:
Verifying - Enter pass phrase for /application//nginx/ca/users/client.key:
Enter pass phrase for /application//nginx/ca/users/client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:bj
Organizational Unit Name (eg, section) []:bj
Common Name (eg, your name or your server's hostname) []:www.etiantian.org
Email Address []:260428042@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
Using configuration from /application/nginx/ca/conf/openssl.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'cn'
stateOrProvinceName   :ASN.1 12:'bj'
localityName          :ASN.1 12:'bj'
organizationName      :ASN.1 12:'bj'
organizationalUnitName:ASN.1 12:'bj'
commonName            :ASN.1 12:'www.etiantian.org'
emailAddress          :IA5STRING:'60428042@qq.com'
Certificate is to be certified until Mar  5 10:24:17 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Enter pass phrase for /application//nginx/ca/users/client.key:
Enter Export Password:
Verifying - Enter Export Password:
3. View the generated certificate
Download client.p12 to the local desktop:
[root@LNMP ~]# cd /application/nginx-1.6.2/ca/users/
[root@LNMP users]# sz -y client.p12
30.6.2.7 Verify the result again
Enter https://www.etiantian.org in the browser; once the certificate you just downloaded has been added, the site can be accessed normally!
Here you simply import the client.p12 you just downloaded from the server and you are done!
30.6.2.8 Notes on Nginx SSL
1. When making the certificates you are prompted for passwords; the server certificate and client certificate passwords may differ.
2. When making the server and client certificates you are prompted for province, city, domain and so on; these must be kept consistent.
3. Nginx does not enable SSI by default; the configuration above enables it.
Note: this content comes from the notes of student Wang at OldBoy Education (www.oldboyedu.com)!