Nginx: adding an SSL certificate, basic configuration

 
1) View certificate information
openssl x509 -noout -text -in ca.crt
 
2) Certificate configuration
 
a: Basic configuration
server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ...
}
ssl_certificate: the server's public certificate; it is sent to every client.
ssl_certificate_key: the server's private key, stored in a file that must be readable by the nginx master process. The master process loads it at startup, so workers running as an unprivileged user do not need access to it; keep the file readable only by root (for example mode 0600).
ssl_protocols and ssl_ciphers restrict connections to the listed SSL/TLS versions and cipher suites. The values shown are nginx's defaults (for the versions listed in section 7), so both directives can be omitted. Note that TLSv1 and TLSv1.1 are deprecated (RFC 8996); a current deployment should allow only TLSv1.2 and TLSv1.3, which is also the default in nginx 1.23.4 and later.
 
b: HTTPS performance tuning
The SSL handshake is CPU-intensive, and every full handshake costs CPU time. There are two ways to reduce the number of handshakes per client:
1) Set keepalive_timeout so that each connection can carry several requests.
2) Reuse SSL sessions, so that a returning client resumes instead of negotiating from scratch. Sessions are kept in an SSL session cache shared between the worker processes, configured with ssl_session_cache. One megabyte of cache holds about 4000 sessions. Cached sessions expire after 5 minutes by default; this can be changed with ssl_session_timeout. Keep the timeout modest: every cached session keeps secret material in server memory, so a long lifetime enlarges what a memory disclosure on the server exposes.
 
worker_processes auto;

http {
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    server {
        listen              443 ssl;
        server_name         www.example.com;
        keepalive_timeout   70;

        ssl_certificate     www.example.com.crt;
        ssl_certificate_key www.example.com.key;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;
        ...
    }
}
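The following is an added example, not code from the nginx documentation or from the original post: a small shell audit that reads an nginx configuration and flags the TLS settings the examples above still carry (TLSv1/TLSv1.1 enabled, weak cipher tokens, no session cache), and shows the same server with the corrected settings beside it. Both configurations are constructed for the demo, and the certificate paths are assumptions.

```shell
#!/bin/sh
# Added example, not from nginx or the original post: audit the TLS directives
# of an nginx configuration and report legacy settings. The two configurations
# below are constructed for the demo; the certificate paths are assumptions.
set -eu

# Constructed: the directives exactly as the article's basic example sets them.
LEGACY_CONF='
http {
    server {
        listen              443 ssl;
        server_name         www.example.com;
        ssl_certificate     www.example.com.crt;
        ssl_certificate_key www.example.com.key;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;   # TLSv1/1.1 deprecated by RFC 8996
        ssl_ciphers         HIGH:!aNULL:!MD5;
    }
}'

# Constructed: the same server with current settings: TLS 1.2/1.3 only, AEAD
# suites with ECDHE key exchange, and a shared session cache so that
# resumption actually works.
HARDENED_CONF='
http {
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    server {
        listen              443 ssl;
        server_name         www.example.com;
        keepalive_timeout   70;
        ssl_certificate     www.example.com.chained.crt;
        ssl_certificate_key www.example.com.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers off;
    }
}'

# audit_tls_conf: nginx configuration on stdin, one finding per line on stdout.
audit_tls_conf() {
    awk '
        { sub(/#.*/, ""); sub(/;[ \t]*$/, "") }       # drop comments and the trailing ";"
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/)
                    print "deprecated protocol enabled: " $i
        }
        $1 == "ssl_ciphers" {
            n = split($2, tok, ":")
            for (i = 1; i <= n; i++)                   # only non-negated tokens matter
                if (tok[i] !~ /^!/ && tok[i] ~ /(RC4|EXP|LOW|DES|MD5|NULL|ADH|SSLv2)/)
                    print "weak cipher token enabled: " tok[i]
        }
        $1 == "ssl_session_cache" && $2 != "none" && $2 != "off" { have_cache = 1 }
        END {
            if (!have_cache)
                print "no ssl_session_cache: every connection does a full handshake"
        }'
}

# count_findings: number of findings for a configuration given as a string.
count_findings() {   # $1 = configuration text
    printf '%s\n' "$1" | audit_tls_conf | grep -c . || true
}

echo "legacy:";   printf '%s\n' "$LEGACY_CONF"   | audit_tls_conf
echo "hardened:"; printf '%s\n' "$HARDENED_CONF" | audit_tls_conf
```

Run it against a real configuration with `nginx -T | audit_tls_conf` (nginx -T dumps the full, include-resolved configuration). The cipher check is deliberately simple: it only looks at tokens that are not negated with "!", so the article's HIGH:!aNULL:!MD5 passes while the old ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP default from section 7 would be flagged several times.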
 
 
3. SSL certificate chain
When the server certificate is issued by an intermediate CA, all certificates from the server certificate up to the root, called the certificate chain, must be combined with the server certificate in one file (the root itself can be left out, since clients must already trust it). The order is:
 server certificate -> chain (each certificate followed by the one that signed it)
$ cat www.example.com.crt bundle.crt > www.example.com.chained.crt
 
 The combined file is then configured as ssl_certificate.
server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.chained.crt;
    ssl_certificate_key www.example.com.key;
    ...
}
If the files were concatenated in the wrong order, nginx fails at startup with:
SSL_CTX_use_PrivateKey_file(" ... /www.example.com.key") failed
   (SSL: error:0B080074:x509 certificate routines:
    X509_check_private_key:key values mismatch)

This happens because nginx pairs the private key with the first certificate in the file; if that first certificate is an intermediate rather than the server certificate, the key does not match it.
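The following is an added example, not code from the nginx documentation or from the original post; it covers both the ssl_certificate/ssl_certificate_key pairing from section 2 and the chain order from this section. It builds a throw-away root -> intermediate -> server PKI with openssl, then runs the two checks nginx effectively performs when it loads the certificate file (does the private key match the first certificate, and does the rest of the file lead to a trusted root) against a correctly ordered bundle, a wrongly ordered one, and a server certificate with the intermediate left out. The names www.example.com, "Demo Root CA" and "Demo Intermediate CA" and the work directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from nginx or the original post: build a throw-away
# root -> intermediate -> server PKI and check candidate ssl_certificate files
# the way nginx (and then a browser) would. All names are assumptions.
set -eu

if [ -z "${WORK:-}" ]; then
    WORK=$(mktemp -d)
    trap 'rm -rf "$WORK"' EXIT
fi

# Constructed test PKI: RSA-2048 keys, 2-day validity, nothing here is a real CA.
make_pki() {
    if [ -f "$WORK/www.example.com.chained.crt" ]; then return 0; fi
    (
        cd "$WORK"
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
        printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
        printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\nextendedKeyUsage=serverAuth\n' > leaf.ext

        # root: self-signed
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
            -keyout root.key -out root.csr 2>/dev/null
        openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 \
            -extfile root.ext -out root.crt 2>/dev/null
        # intermediate: signed by the root
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
            -keyout inter.key -out inter.csr 2>/dev/null
        openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
            -days 2 -sha256 -extfile inter.ext -out inter.crt 2>/dev/null
        # server certificate: signed by the intermediate
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
            -keyout www.example.com.key -out www.csr 2>/dev/null
        openssl x509 -req -in www.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
            -days 2 -sha256 -extfile leaf.ext -out www.example.com.crt 2>/dev/null

        # The bundle exactly as the article builds it (bundle.crt = intermediate),
        # plus the mistake the article warns about (intermediate first).
        cat www.example.com.crt inter.crt > www.example.com.chained.crt
        cat inter.crt www.example.com.crt > wrong-order.crt
    )
}

# First check nginx does: the private key must belong to the FIRST certificate
# in the ssl_certificate file (X509_check_private_key). Compare the public keys.
key_matches_first_cert() {   # $1 = certificate bundle, $2 = private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Second check, the one a browser does: the rest of the bundle must lead to a
# trusted root. Only root.crt is trusted; the bundle is offered as untrusted
# intermediates, which is exactly what the server sends in the handshake.
chain_verifies() {   # $1 = certificate bundle
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$1" >/dev/null 2>&1
}

# key-mismatch is the nginx startup failure quoted above; chain-broken is the
# case nginx starts happily but clients fail with "unable to get local issuer
# certificate" because the intermediate was never sent.
bundle_state() {   # $1 = certificate bundle
    if ! key_matches_first_cert "$1" "$WORK/www.example.com.key"; then
        echo key-mismatch
    elif ! chain_verifies "$1"; then
        echo chain-broken
    else
        echo ok
    fi
}

# Subject/issuer of every certificate in the file, in file order: the same view
# that openssl s_client prints under "Certificate chain".
show_chain() {   # $1 = certificate bundle
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

make_pki
for f in www.example.com.chained.crt wrong-order.crt www.example.com.crt; do
    printf '%-28s %s\n' "$f" "$(bundle_state "$WORK/$f")"
done
show_chain "$WORK/www.example.com.chained.crt"
```

Point bundle_state at a real pair of files before restarting nginx: a "key-mismatch" result predicts the startup error above, and "chain-broken" predicts the browser warning that a bare `nginx -t` will not catch, because nginx only checks the key against the first certificate and never validates the chain itself.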

To see the full chain a server actually sends, connect with openssl s_client (the example below is the page's own capture):

$ openssl s_client -connect payment.celcomescape.com:443
 

CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = MY, ST = Kuala Lumpur, L = Kuala Lumpur, O = Escape Axiata Sdn Bhd, OU = Escape Axiata, CN = *.celcomescape.com
verify return:1
---
Certificate chain
0 s:/C=MY/ST=Kuala Lumpur/L=Kuala Lumpur/O=Escape Axiata Sdn Bhd/OU=Escape Axiata/CN=*.celcomescape.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---

 
4. A single server for both HTTP and HTTPS
 
 
server {
    listen              80;
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ...
}
A server block like this also answers plaintext HTTP on port 80 for the same name. If every request should be encrypted, use a separate server listening on port 80 that returns a 301 redirect to the https:// URL instead.
 
6. Same IP address, different domain names
 
1) Without SNI only one certificate can be served on the IP address: even if each server block names its own certificate, the certificate is chosen during the SSL handshake, before the HTTP request and its Host header are seen, so clients receive the certificate of the default server. The practical workaround is one certificate shared by all names at the http level (a certificate that lists all the names in its subjectAltName extension also works):
ssl_certificate     common.crt;
ssl_certificate_key common.key;

server {
    listen          443 ssl;
    server_name     www.example.com;
    ...
}

server {
    listen          443 ssl;
    server_name     www.example.org;
    ...
}
2) To serve a separate certificate per name, the TLS Server Name Indication extension (SNI, RFC 6066) is needed; it lets the browser send the domain name during the SSL handshake.
    Prerequisites: nginx built with SNI support (nginx -V prints "TLS SNI support enabled"),
            OpenSSL built with SNI support ("--enable-tlsext", on by default since OpenSSL 0.9.8j),
            and a client that sends the name. When this was written the supporting browsers were:
Opera 8.0;
MSIE 7.0 (but only on Windows Vista or higher);
Firefox 2.0 and other browsers using Mozilla Platform rv:1.8.1;
Safari 3.2.1 (Windows version supports SNI on Vista or higher);
and Chrome (Windows version supports SNI on Vista or higher, too).
Today every mainstream browser and TLS library sends SNI, so the list above only matters for very old clients. To check which certificate a given name receives, connect with openssl s_client -servername www.example.org -connect <ip>:443 and compare the subject with a connection made without -servername, which shows what non-SNI clients get.
 
7. Version notes
The SNI support status has been shown by the "-V" switch since 0.8.21 and 0.7.62.
The ssl parameter of the listen directive has been supported since 0.7.14. Prior to 0.8.21 it could only be specified along with the default parameter.
SNI has been supported since 0.5.32.
The shared SSL session cache has been supported since 0.5.6.
Version 1.23.4 and later: the default SSL protocols are TLSv1.2 and TLSv1.3.
Version 1.13.0 and later: TLSv1.3 can be listed in ssl_protocols (requires OpenSSL 1.1.1 or later).
Version 1.9.1 and later: the default SSL protocols are TLSv1, TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
Version 0.7.65, 0.8.19 and later: the default SSL protocols are SSLv3, TLSv1, TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
Version 0.7.64, 0.8.18 and earlier: the default SSL protocols are SSLv2, SSLv3, and TLSv1.
Version 1.0.5 and later: the default SSL ciphers are "HIGH:!aNULL:!MD5".
Version 0.7.65, 0.8.20 and later: the default SSL ciphers are "HIGH:!ADH:!MD5".
Version 0.8.19: the default SSL ciphers are "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM".
Version 0.7.64, 0.8.18 and earlier: the default SSL ciphers are "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP".
 

8. References
http://nginx.org/en/docs/http/configuring_https_servers.html