Configuring SSL under Nginx

Synopsis

http://wiki.nginx.org/HttpSslModule

This module enables HTTPS support.

It supports checking client certificates with two limitations:

  • it's not possible to assign a Certificate Revocation List for Nginx versions below 0.8.7.
  • if you have a chain of certificates — by having intermediate certificates between the server certificate and the CA root certificate — they are not specified separately as you would do for Apache. Instead you need to concatenate all the certificates, starting with the server certificate and going deeper in the chain through all the intermediate certificates. This can be done with "cat chain.crt >> mysite.com.crt" on the command line. Once this is done, the separate intermediate certificate files are of no further use as far as Nginx is concerned: you point the Nginx configuration at the single file containing all the (concatenated) certificates.

By default the module is not built; it must be enabled explicitly by giving the --with-http_ssl_module parameter to ./configure. Building this module requires the OpenSSL library and its include files; quite often the library and the include files live in separate packages on your platform, the latter being named libssl-dev or similar.

The following is an example configuration. To reduce CPU load it is recommended to run one worker process only and to enable keep-alive connections:

worker_processes 1;

http {
    server {
        listen 443;
        ssl on;
        ssl_certificate /usr/local/nginx/conf/cert.pem;
        ssl_certificate_key /usr/local/nginx/conf/cert.key;
        keepalive_timeout 70;
    }
}

When using a chain of certificates, just append the extra certificates to your .crt file (cert.pem in the example). The server certificate must be the first one in the file; otherwise you will get a mismatch between the private key and the public key.

Since Nginx version 0.7.14 the preferred way of enabling SSL is by using the `ssl` parameter of the `listen` directive:

server {
    listen 443 default_server ssl;
    ssl_certificate /usr/local/nginx/conf/cert.pem;
    ssl_certificate_key /usr/local/nginx/conf/cert.key;
    ...
}

Generate Certificates

To generate a dummy (self-signed) certificate and private key, run the following openssl commands.

First change directory to where you want to create the certificate and private key, for example:

$ cd /usr/local/nginx/conf

Now create the server private key; you will be asked for a passphrase:

$ openssl genrsa -des3 -out server.key 1024

Create the Certificate Signing Request (CSR):

$ openssl req -new -key server.key -out server.csr

Remove the passphrase from the private key, so that nginx can start up with SSL without prompting for it:

$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key

Finally, create a self-signed certificate from the above private key and CSR:

$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Update Nginx configuration by including the newly signed certificate and private key:

server {
    server_name YOUR_DOMAINNAME_HERE;
    listen 443;
    ssl on;
    ssl_certificate /usr/local/nginx/conf/server.crt;
    ssl_certificate_key /usr/local/nginx/conf/server.key;
}

Restart Nginx.

Now we're ready to access the above host using:

https://YOUR_DOMAINNAME_HERE
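The chain-concatenation note in the Synopsis and the certificate-generation procedure above both come down to the same openssl work, so here is one added example (it is not code from the Nginx wiki or from this page) that does both: it generates keys and certificates non-interactively, builds a root -> intermediate -> server chain, concatenates it in the order nginx expects, and then checks the bundle the way you would before pointing ssl_certificate at it. It assumes openssl is on PATH; the CA names and the host name www.example.test are constructed for the demo, and it uses 2048-bit RSA keys without a passphrase rather than the 1024-bit -des3 key from the steps above.

```shell
#!/bin/sh
# Added example (not from the Nginx wiki or this page): build a root -> intermediate -> server
# chain with openssl, concatenate it server-certificate-first as nginx requires, and check
# the bundle before deploying it. Assumes openssl on PATH; CA names and www.example.test
# are constructed; keys are 2048-bit RSA with no passphrase.
set -e

WORK="${WORK:-$(mktemp -d)}"

# 2048-bit RSA key with no passphrase: nginx can read it at startup without prompting,
# which is what the page's "cp server.key server.key.org; openssl rsa ..." step achieves.
make_key() {
    openssl genrsa -out "$1" 2048 2>/dev/null
}

# Create root CA, intermediate CA and server certificate, then two bundles (runs in a
# subshell so the caller's working directory is left alone).
build_chain() (
    cd "$WORK"

    # 1. Self-signed root CA: the trust anchor for the check, not part of the nginx bundle.
    make_key root.key
    openssl req -x509 -new -key root.key -days 30 -subj "/CN=Demo Root CA" -out root.crt

    # 2. Intermediate CA signed by the root. It needs basicConstraints CA:TRUE, otherwise
    #    path validation refuses to let it sign the server certificate.
    printf 'basicConstraints=CA:TRUE\n' > ca.ext
    make_key intermediate.key
    openssl req -new -key intermediate.key -subj "/CN=Demo Intermediate CA" -out intermediate.csr
    openssl x509 -req -days 30 -in intermediate.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile ca.ext -out intermediate.crt 2>/dev/null

    # 3. Server certificate signed by the intermediate (the CSR step from the page, non-interactive).
    make_key server.key
    openssl req -new -key server.key -subj "/CN=www.example.test" -out server.csr
    openssl x509 -req -days 30 -in server.csr -CA intermediate.crt -CAkey intermediate.key \
        -CAcreateserial -out server.crt 2>/dev/null

    # 4. The bundle nginx loads: server certificate first, then each intermediate going
    #    deeper in the chain (the "cat chain.crt >> mysite.com.crt" from the page).
    cat server.crt intermediate.crt > bundle.crt

    # Same certificates in the wrong order, kept only to show what the check below catches.
    cat intermediate.crt server.crt > bundle-wrong.crt
)

# Returns 0 when the private key matches the FIRST certificate in the bundle. openssl x509
# only reads the first PEM block, which is exactly the certificate nginx pairs with the key,
# so a bundle with an intermediate on top fails here with the key mismatch the page warns about.
key_matches_bundle() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    cert_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

# Returns 0 when the first certificate in the bundle chains up to the given root through
# the other certificates in the bundle (-untrusted), i.e. no intermediate is missing.
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

build_chain
if key_matches_bundle "$WORK/server.key" "$WORK/bundle.crt" && chain_verifies "$WORK/root.crt" "$WORK/bundle.crt"; then
    echo "bundle.crt is usable: ssl_certificate $WORK/bundle.crt; ssl_certificate_key $WORK/server.key;"
fi
if ! key_matches_bundle "$WORK/server.key" "$WORK/bundle-wrong.crt"; then
    echo "bundle-wrong.crt: first certificate does not match server.key (intermediate was concatenated first)"
fi
```

The modulus comparison is the quick test for the "mismatch between private and public keys" symptom: it only looks at the first certificate in the file, so it catches a bundle where the intermediates were concatenated ahead of the server certificate. The openssl verify call then confirms that every intermediate needed to reach the root is actually present in the bundle, which is what clients will need, since nginx sends nothing beyond that file.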

Using Wildcard certificates with multiple servers

In some instances you may wish to provide a number of secure subdomains amongst unsecured ones, and possibly share resources across both HTTP and HTTPS subdomains. This requires a certificate for a wildcard subdomain, for example *.nginx.org. The example configuration below shows how to configure a standard www subdomain, a secured subdomain, and a third subdomain that serves images to both of them.

With a configuration like this it is more efficient memory-wise to place the ssl_certificate directive (pointing at the file containing the certificate(s) for all domain names) and the corresponding ssl_certificate_key directive in the http context, so that they are inherited by all active servers/virtual hosts:

ssl_certificate common.crt;
ssl_certificate_key common.key;

server {
    listen 80;
    server_name www.nginx.org;
    ...
}

server {
    listen 443 default_server ssl;
    server_name secure.nginx.org;
    ...
}

server {
    listen 80;
    listen 443;
    server_name images.nginx.org;
    ...
}
