12.20 Nginx配置ssl

Nginx配置ssl目錄概要

• vim /usr/local/nginx/conf/vhost/ssl.conf//加入以下內容

server
{
    listen 443;
    server_name aming.com;
    index index.html index.php;
    root /data/wwwroot/aming.com;
    ssl on;
    ssl_certificate aminglinux.crt;
    ssl_certificate_key aminglinux.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

• -t && -s reload //若報錯unknown directive 「ssl」 ，須要從新編譯nginx，加上--with-http_ssl_module
• mkdir /data/wwwroot/aming.com
• echo 「ssl test page.」>/data/wwwroot/aming.com/index.html
• 編輯hosts，增長127.0.0.1 aming.com
• curl https://aming.com/

Nginx配置ssl

• 在有了公鑰和私鑰以後，配置nginx

1. 生成新的配置文件 vim /usr/local/nginx/conf/vhost/ssl.conf

[root@hf-01 conf]# vim /usr/local/nginx/conf/vhost/ssl.conf

添加如下內容
server
{
    listen 443;        //監聽端口爲443
    server_name aming.com;   //主機名
    index index.html index.php;
    root /data/wwwroot/aming.com;   //root 目錄
    ssl on;                                            //開啓ssl
    ssl_certificate gurui.crt;      //指定公鑰
    ssl_certificate_key gurui.key;   //指定私鑰
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   //ssl 的協議
}
保存退出

• ssl 的協議，通常狀況下，三種協議都配置上

2. 建立/data/wwwroot/aming.com目錄

[root@hf-01 conf]# mkdir /data/wwwroot/aming.com
[root@hf-01 conf]#

3. 檢查配置文件語法

[root@hf-01 conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[root@hf-01 conf]#

• 報錯：
  • 由於不知道這個 ssl 配置，在編譯nginx的時候，並無指定支持ssl

[root@hf-01 conf]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) 
configure arguments: --prefix=/usr/local/nginx
[root@hf-01 conf]#

• 解決辦法
  • 從新編譯nginx

4. 從新編譯nginx

[root@hf-01 conf]# cd /usr/local/src/nginx-1.12.1/
[root@hf-01 nginx-1.12.1]# ./configure --help |grep -i ssl
  --with-http_ssl_module             enable ngx_http_ssl_module
  --with-mail_ssl_module             enable ngx_mail_ssl_module
  --with-stream_ssl_module           enable ngx_stream_ssl_module
  --with-stream_ssl_preread_module   enable ngx_stream_ssl_preread_module
  --with-openssl=DIR                 set path to OpenSSL library sources
  --with-openssl-opt=OPTIONS         set additional build options for OpenSSL
[root@hf-01 nginx-1.12.1]#

• 編譯的時候須要加上--with-http_ssl_module

5. 初始化./configure --prefix=/usr/local/nginx --with-http_ssl_module

[root@hf-01 nginx-1.12.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module

6. 編譯make

[root@hf-01 nginx-1.12.1]# make

7. 而後make install

[root@hf-01 nginx-1.12.1]# make install

8. 查看nginx的編譯參數，會看到增長了--with-http_ssl_module

[root@hf-01 nginx-1.12.1]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
[root@hf-01 nginx-1.12.1]#

9. 檢查配置文件語法錯誤

[root@hf-01 nginx-1.12.1]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hf-01 nginx-1.12.1]#

10. 重啓nginx

[root@hf-01 nginx-1.12.1]# /etc/init.d/nginx restart
Restarting nginx (via systemctl):                          [  肯定  ]
[root@hf-01 nginx-1.12.1]#

11. 查看監聽端口，會看到多出一個443端口

[root@hf-01 nginx-1.12.1]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1533/master         
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5716/nginx: master  
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5716/nginx: master  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1205/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      1533/master         
tcp6       0      0 :::3306                 :::*                    LISTEN      1576/mysqld         
tcp6       0      0 :::22                   :::*                    LISTEN      1205/sshd           
[root@hf-01 nginx-1.12.1]#

12. 切換目錄路徑，並建立一個測試文件

[root@hf-01 nginx-1.12.1]# cd /data/wwwroot/aming.com/
[root@hf-01 aming.com]# ls
[root@hf-01 aming.com]# vim index.html

This is ssl.
保存退出

13. 測試，如果直接訪問會報400

[root@hf-01 aming.com]# curl -x127.0.0.1:443 https://aming.com/
curl: (56) Received HTTP code 400 from proxy after CONNECT
[root@hf-01 aming.com]#

14. 在虛擬機中 /etc/寫hosts

[root@hf-01 aming.com]# vim /etc/hosts

加入如下內容
127.0.0.1 aming.com

15. 測試，不指定-x訪問

[root@hf-01 aming.com]# curl https://aming.com/
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
[root@hf-01 aming.com]#

• 就是說你這個證書被標記爲不可信任了，由於這個證書是本身頒發的，其實是已經配置成功了

16. 在windows中的host文件添加，並保存

192.168.74.129  aming.com

17. 瀏覽器訪問aming.com，會看到加載超時

18. 這時查看虛擬機防火牆iptables -nvL，如果防火牆存在，能夠直接ipbables -F清空全部規則，若不想清空全部規則能夠增長443端口的規則

[root@hf-01 aming.com]# iptables -nvL

[root@hf-01 aming.com]# iptables -F
[root@hf-01 aming.com]#

19. 這時再來訪問aming.com，會提示是否信任證書，選擇 是 ，會訪問成功

20. 這個就是本身頒發證書，瀏覽器不被信任的時候，會顯示紅色 不安全 ，而不是綠色
21. 之後若想正常的訪問https，能夠去沃通買證書