SSL/TLS深度解析--在 Nginx 上部署 TLS
利用 openssl 源代碼安裝 Nginx
[root@localhost software]# tar xf nginx-1.15.5.tar.gz
[root@localhost software]# cd nginx-1.15.5/
[root@localhost nginx-1.15.5]# groupadd nginx
[root@localhost nginx-1.15.5]# useradd nginx -M -s /sbin/nologin -g nginx
[root@localhost nginx-1.15.5]# mkdir -p /project/nginx1.15.0
[root@localhost nginx-1.15.5]# mkdir -p /project/{logs/nginx,cache/nginx}
[root@localhost nginx-1.15.5]# ll /project/
總用量 0
drwxr-xr-x. 3 root root 19 11月 1 21:48 cache
drwxr-xr-x. 3 root root 19 11月 1 21:48 logs
drwxr-xr-x. 2 root root 6 11月 1 21:48 nginx1.15.0
[root@localhost nginx-1.15.5]# ./configure --prefix=/project/nginx1.15.0 --with-openssl=/opt/software/openssl-1.1.1 --with-openssl-opt="enable-ec_nistp_64_gcc_128" --with-http_ssl_module --user=nginx --group=nginx --error-log-path=/project/logs/nginx/error.log --http-log-path=/project/logs/nginx/access.log --http-client-body-temp-path=/project/cache/nginx/client_temp --http-proxy-temp-path=/project/cache/nginx/proxy_temp --http-fastcgi-temp-path=/project/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/project/cache/nginx/uwsgi_temp --http-scgi-temp-path=/project/cache/nginx/scgi_temp --with-file-aio --with-http_v2_module
[root@localhost nginx-1.15.5]# make -j 2
[root@localhost nginx-1.15.5]# make install
[root@localhost nginx-1.15.5]# make clean
rm -rf Makefile objs
[root@localhost nginx-1.15.5]# cd ..
[root@localhost software]# cd /project/nginx1.15.0/
[root@localhost nginx1.15.0]# sbin/nginx
[root@localhost nginx1.15.0]# netstat -tulnp |grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:*
[root@localhost nginx1.15.0]# ps -ef |grep nginx
root 7420 1 0 22:22 ? 00:00:00 nginx: master process sbin/nginx
nginx 7421 7420 0 22:22 ? 00:00:00 nginx: worker process
nginx 7422 7420 0 22:22 ? 00:00:00 nginx: worker process
nginx 7423 7420 0 22:22 ? 00:00:00 nginx: worker process
nginx 7424 7420 0 22:22 ? 00:00:00 nginx: worker process
root 7430 1869 0 22:23 pts/0 00:00:00 grep --color=auto nginx
[root@localhost nginx1.15.0]# mkdir conf/certs
[root@localhost nginx1.15.0]# mkdir html/tls
[root@localhost nginx1.15.0]# echo "Hello TLS" > html/tls/index.html
[root@localhost nginx1.15.0]# cat html/tls/index.html
Hello TLS
[root@localhost nginx1.15.0]# vim conf/nginx.conf
.......
# HTTPS server
#
server {
listen 443 ssl;
server_name www.linuxplus.com;
ssl_certificate certs/rsa_01cert.crt;
ssl_certificate_key certs/rsa_2048prikey.pem;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html/tls;
index index.html index.htm;
}
}
[root@localhost nginx1.15.0]# cd conf/certs/
[root@localhost certs]# openssl genrsa -out rsa_2048prikey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.........................+++++
.....................................................................................+++++
e is 65537 (0x010001)
[root@localhost certs]# ll
總用量 4
-rw-------. 1 root root 1679 10月 28 19:14 rsa_2048prikey.pem
[root@localhost certs]# openssl req -new -key rsa_2048prikey.pem -out rsa_01cert.csr -subj /C=CN/ST=ShanDong/L=QingDao/O=Devops/OU=Devops/CN=www.linuxplus.com/emailAddress=admin@linuxplus.com
[root@localhost certs]# ll
總用量 8
-rw-r--r--. 1 root root 1066 10月 28 19:18 rsa_01cert.csr
-rw-------. 1 root root 1679 10月 28 19:14 rsa_2048prikey.pem
[root@localhost certs]# openssl ca -in rsa_01cert.csr -days 300 -md sha384 -out rsa_01cert.crt -batch -notext
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for /usr/local/openssl/CA/private/root_prikey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
3b:f9:bc:72:54:4e:25:a7:07:2d:92:42:06:a7:61:59
Validity
Not Before: Oct 28 11:20:49 2022 GMT
Not After : Aug 24 11:20:49 2023 GMT
Subject:
countryName = CN
stateOrProvinceName = ShanDong
localityName = QingDao
organizationName = Devops
organizationalUnitName = Devops
commonName = www.linuxplus.com
emailAddress = admin@linuxplus.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
DB:39:F0:61:40:3D:0B:4A:0A:20:1C:02:AF:3C:49:2B:86:78:22:C6
X509v3 Authority Key Identifier:
keyid:9F:7A:42:AF:E4:36:0D:01:CD:FF:27:57:18:2A:3E:CC:8A:77:C0:D7
Certificate is to be certified until Aug 24 11:20:49 2023 GMT (300 days)
Write out database with 1 new entries
Data Base Updated
[root@localhost certs]# ll
總用量 12
-rw-r--r--. 1 root root 1241 10月 28 19:20 rsa_01cert.crt
-rw-r--r--. 1 root root 1066 10月 28 19:18 rsa_01cert.csr
-rw-------. 1 root root 1679 10月 28 19:14 rsa_2048prikey.pem
[root@localhost certs]# cd ../../sbin/
[root@localhost sbin]# ./nginx -t
nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok
nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful
[root@localhost sbin]# ./nginx -s reload
TLS 協議的配置
Nginx協議配置有3個主要的配置項
- ssl_protocols :用來指定所開啓協議的版本,目前1.2是主流並且更高效。不安全的SSLv2 和 SSLv3 都要禁用。
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
目前最新的TLS是1.3版本,不過目前也沒有大範圍使用,不過要支持TLS1.3,要使用openssl的1.1.1系列版本,因此要使用TLS1.3,升級openssl 而且在編譯安裝nginx的時候指定。ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_prefer_server_ciphers ,在服務器與客戶端TLS握手時啓用服務器算法優先,由
服務器端選擇算法,這樣能夠避免不少客戶端被***或比較老舊而引發的安全問題。
ssl_prefer_server_ciphers on;
- ssl_ciphers ,指定使用的算法套件以及它們的優先順序。
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM -SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA AES128-SHA AES256-SHA ECDHE-RSA-RC4-SHA RC4-SHA"; #排在前面的優先使用
- 通配符證書是證書的CN採用通配形式,即 *.linuxplus.com 這樣的模式。若是肯定採用全站https的話,這樣的通配證書是可行的,不少大站點也是這樣作的,例如淘寶。
- 若是多個不一樣域名(二級域名)的站點使用同一個證書,能夠把它們部署在同一個IP地址上。仍是建議使用SNI,使每一個站點有本身單獨的證書。
配置雙證書
[root@localhost certs]# openssl ecparam -genkey -name prime256v1 -out ecdsa_01prikey.pem
[root@localhost certs]# openssl req -new -key ecdsa_01prikey.pem -out ecc01.csr -subj /C=CN/ST=ShanDong/L=QingDao/O=Devops/OU=Devops/CN=www.linuxplus.com/emailAddress=admin@linuxplus.com
[root@localhost certs]# openssl ca -in ecc01.csr -days 365 -out ecc_01cert.crt -batch -notext Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for /usr/local/openssl/CA/private/root_prikey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
92:f4:3b:df:f9:ac:3b:5c:aa:31:89:d6:61:c6:9a:fc
Validity
Not Before: Nov 10 14:32:15 2018 GMT
Not After : Nov 10 14:32:15 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = ShanDong
localityName = QingDao
organizationName = Devops
organizationalUnitName = Devops
commonName = www.linuxplus.com
emailAddress = admin@linuxplus.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
67:7B:E7:71:A6:D5:63:C7:C3:E7:6F:E4:40:B4:06:1C:D5:B6:84:58
X509v3 Authority Key Identifier:
keyid:7A:15:85:5F:24:70:45:4C:86:C3:FD:AA:9A:88:3E:5B:E6:63:70:56
Certificate is to be certified until Nov 10 14:32:15 2019 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
[root@localhost ~]# cd /project/nginx1.15.0/conf/
[root@localhost conf]# vim nginx.conf
......
ssl_certificate certs/ecc_01cert.crt;
ssl_certificate_key certs/ecdsa_01prikey.pem;
ssl_certificate certs/rsa_01cert.crt;
ssl_certificate_key certs/rsa_2048prikey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
[root@localhost conf]# ../sbin/nginx -t
nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok
nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful
[root@localhost conf]# ../sbin/nginx -s reload
客戶端身份驗證
客戶端驗證,是爲了實現只有有證書的客戶端才能訪問那個站點或服務,證書由站點管理和頒發html
[root@www certs]# openssl genrsa -out client01.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...........................................................................................................+++++
........................+++++
e is 65537 (0x010001)
[root@www certs]# openssl req -new -key client01.key -out client01.csr -subj /C=CN/ST=ShanXi/L=XiAn/O=Devops01/OU=Devops01/CN=www.linuxplus.com/emailAddress=adm@linuxplus.com
[root@www certs]# openssl ca -in client01.csr -md sha384 -out client01_cert.crt -batch -notext
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for /usr/local/openssl/CA/private/root_prikey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
92:f4:3b:df:f9:ac:3b:5c:aa:31:89:d6:61:c6:9a:fd
Validity
Not Before: Nov 11 06:06:53 2018 GMT
Not After : Nov 11 06:06:53 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = ShanXi
localityName = XiAn
organizationName = Devops01
organizationalUnitName = Devops01
commonName = www.linuxplus.com
emailAddress = adm@linuxplus.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
AC:6C:C1:A7:5A:C5:91:BD:97:3C:4A:2D:CA:03:53:91:38:E9:3B:E6
X509v3 Authority Key Identifier:
keyid:7A:15:85:5F:24:70:45:4C:86:C3:FD:AA:9A:88:3E:5B:E6:63:70:56
Certificate is to be certified until Nov 11 06:06:53 2019 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
[root@www certs]# openssl pkcs12 -export -clcerts -passout pass:123456 -in client01_cert.crt -inkey client01.key -out client01.p12
[root@www ~]# cd /project/nginx1.15.0/conf/
[root@www conf]# vim nginx.conf
ssl_certificate certs/ecc_01cert.crt;
ssl_certificate_key certs/ecdsa_01prikey.pem;
ssl_certificate certs/rsa_01cert.crt;
ssl_certificate_key certs/rsa_2048prikey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# 開啓客戶端身份驗證
ssl_verify_client on;
# 指定客戶端證書到根證書的深度
# ssl_verify_depth 2;
# 指定簽發客戶端證書的CA證書
ssl_client_certificate /usr/local/openssl/CA/root_cacert_ecc.pem;
# 完整證書鏈中須要包含的其餘CA證書
# ssl_trusted_certificate rootca.crt;
# 證書吊銷列表,有更新時Nginx須要從新加載
ssl_crl /usr/local/openssl/CA/crl.pem;
#on:是開啓只接有客戶端證書的請求。若是請求未包含證書或者證書校驗失敗,nginx會返回一個400錯誤響應。
#off:是關閉
#optional:不會強制阻斷訪問,不返回400。可在 $ssl_client_verify 變量中查看各類狀態, NONE表示沒有證書, FAILED表示證書未經過驗證, SUCCESS 表示證書有效。
[root@www conf]# ../sbin/nginx -t
nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok
nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful
[root@www conf]# ../sbin/nginx -s reload
-
沒有導入證書
linux -
Firefox 導入證書
nginx - 360瀏覽器導入證書
[root@www certs]# openssl ca -in rsa_01cert.csr -days 300 -md sha384 -out rsa_01cert.crt -batch -notext^C
[root@www certs]# openssl req -new -key client02.key -out client02.csr -subj /C=CN/ST=ShanXi/L=XiAn/O=Devops02/OU=Devops02/CN=www.linuxplus.com/emailAddress=adm@linuxplus.com
[root@www certs]# openssl ca -in client02.csr -md sha384 -out client02_cert.crt -batch -notext
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for /usr/local/openssl/CA/private/root_prikey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
92:f4:3b:df:f9:ac:3b:5c:aa:31:89:d6:61:c6:9a:fe
Validity
Not Before: Nov 11 14:00:18 2018 GMT
Not After : Nov 11 14:00:18 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = ShanXi
localityName = XiAn
organizationName = Devops02
organizationalUnitName = Devops02
commonName = www.linuxplus.com
emailAddress = adm@linuxplus.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
6D:D2:63:9D:21:B1:82:4A:0F:19:B8:76:0F:B5:EA:E8:F0:F6:A3:6F
X509v3 Authority Key Identifier:
keyid:7A:15:85:5F:24:70:45:4C:86:C3:FD:AA:9A:88:3E:5B:E6:63:70:56
Certificate is to be certified until Nov 11 14:00:18 2019 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
[root@www certs]# openssl pkcs12 -export -clcerts -passout pass:123456 -in client02_cert.crt -inkey client02.key -out client02.p12
#吊銷證書
[root@www certs]# openssl x509 -in client01_cert.crt -serial -noout
serial=92F43BDFF9AC3B5CAA3189D661C69AFD
[root@www certs]# openssl ca -revoke /usr/local/openssl/CA/newcerts/92F43BDFF9AC3B5CAA3189D661C69AFD.pem
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for /usr/local/openssl/CA/private/root_prikey_ecdsa.pem:
Revoking Certificate 92F43BDFF9AC3B5CAA3189D661C69AFD.
Data Base Updated
[root@www certs]# openssl ca -gencrl -out /usr/local/openssl/CA/crl.pem
Using configuration from /usr/local/openssl/openssl.cnf
Enter pass phrase for /usr/local/openssl/CA/private/root_prikey_ecdsa.pem:
[root@www certs]# openssl crl -in /usr/local/openssl/CA/crl.pem -text
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = CN, ST = BeiJing, L = BeiJing, O = CAdevops, OU = CAdevops, CN = root_ca, emailAddress = admin@linuxplus.com
Last Update: Nov 11 14:33:36 2018 GMT
Next Update: Dec 11 14:33:36 2018 GMT
CRL extensions:
X509v3 CRL Number:
1048577
Revoked Certificates:
Serial Number: 92F43BDFF9AC3B5CAA3189D661C69AFD
Revocation Date: Nov 11 14:26:37 2018 GMT
Signature Algorithm: ecdsa-with-SHA256
30:45:02:21:00:e3:76:00:d4:07:22:2a:7f:43:1f:aa:8c:f5:
be:c7:f7:a9:bd:1f:fb:65:f0:0b:d8:0c:a0:15:7c:f3:37:5d:
63:02:20:08:d6:b8:4b:6b:3f:d2:7d:89:5f:2d:88:b5:ee:18:
cd:81:6d:fe:80:4f:0c:ef:78:b8:81:c1:dc:ca:85:a3:9b
-----BEGIN X509 CRL-----
MIIBTjCB9QIBATAKBggqhkjOPQQDAjCBjTELMAkGA1UEBhMCQ04xEDAOBgNVBAgM
B0JlaUppbmcxEDAOBgNVBAcMB0JlaUppbmcxETAPBgNVBAoMCENBZGV2b3BzMREw
DwYDVQQLDAhDQWRldm9wczEQMA4GA1UEAwwHcm9vdF9jYTEiMCAGCSqGSIb3DQEJ
ARYTYWRtaW5AbGludXhwbHVzLmNvbRcNMTgxMTExMTQzMzM2WhcNMTgxMjExMTQz
MzM2WjAkMCICEQCS9Dvf+aw7XKoxidZhxpr9Fw0xODExMTExNDI2MzdaoBAwDjAM
BgNVHRQEBQIDEAABMAoGCCqGSM49BAMCA0gAMEUCIQDjdgDUByIqf0Mfqoz1vsf3
qb0f+2XwC9gMoBV88zddYwIgCNa4S2s/0n2JXy2Ite4YzYFt/oBPDO94uIHB3MqF
o5s=
-----END X509 CRL-----
[root@www conf]# vim nginx.conf log_format tls "$ssl_client_verify $pid $scheme $server_name $time_local $remote_addr $connection $connection_requests $ssl_protocol $ssl_cipher $ssl_session_id $ssl_session_reused $ssl_curves"; access_log /project/logs/nginx/access.log tls; #$scheme:使用哪一種協議 #$connection:TCP鏈接序號 #$connection_requests:表示在一個鏈接(長鏈接)裏面有多少次請求 [root@www logs]# tail -f access.log SUCCESS 20481 https www.linuxplus.com 23/Nov/2018:23:12:03 +0800 172.16.216.181 315 1 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 - . X25519:prime256v1:secp384r1:secp521r1:0x0100:0x0101 SUCCESS 20481 https www.linuxplus.com 23/Nov/2018:23:12:03 +0800 172.16.216.181 315 2 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 - . X25519:prime256v1:secp384r1:secp521r1:0x0100:0x0101 SUCCESS 20481 https www.linuxplus.com 23/Nov/2018:23:12:28 +0800 172.16.216.181 315 3 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 - . X25519:prime256v1:secp384r1:secp521r1:0x0100:0x0101 SUCCESS 20481 https www.linuxplus.com 23/Nov/2018:23:12:28 +0800 172.16.216.181 315 4 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 - . X25519:prime256v1:secp384r1:secp521r1:0x0100:0x0101 ........ #SUCCESS:表示成功 #20481:Nginx的PID #ECDHE-ECDSA-AES128-GCM-SHA256:密鑰套件
會話緩存
- 獨立會話緩存
[root@www nginx1.15.0]# vim conf/nginx.conf ssl_session_tickets off; ssl_session_cache shared:SSL:1m; #分配1MB的共享內存緩存,使用1 MB的內存能夠緩存大約4000個會話 ssl_session_timeout 5m; #設置會話緩存過時時間,默認的會話緩存過時時間只有5分鐘 SUCCESS 20574 https www.linuxplus.com 23/Nov/2018:23:43:22 +0800 172.16.216.181 331 1 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 20dfe772e67ea1fd9792ad5718cd416be900c51df38bf05ed87371049c1c41ed r - SUCCESS 20574 https www.linuxplus.com 23/Nov/2018:23:43:22 +0800 172.16.216.181 331 2 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 20dfe772e67ea1fd9792ad5718cd416be900c51df38bf05ed87371049c1c41ed r - SUCCESS 20574 https www.linuxplus.com 23/Nov/2018:23:43:24 +0800 172.16.216.181 331 3 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 20dfe772e67ea1fd9792ad5718cd416be900c51df38bf05ed87371049c1c41ed r - SUCCESS 20574 https www.linuxplus.com 23/Nov/2018:23:43:24 +0800 172.16.216.181 331 4 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 20dfe772e67ea1fd9792ad5718cd416be900c51df38bf05ed87371049c1c41ed r - SUCCESS 20574 https www.linuxplus.com 23/Nov/2018:23:43:24 +0800 172.16.216.181 331 5 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 20dfe772e67ea1fd9792ad5718cd416be900c51df38bf05ed87371049c1c41ed r - SUCCESS 20574 https www.linuxplus.com 23/Nov/2018:23:43:24 +0800 172.16.216.181 331 6 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 20dfe772e67ea1fd9792ad5718cd416be900c51df38bf05ed87371049c1c41ed r - #r 則表示被重用,若是是.表示沒有重用
-
配置項使用格式:算法
ssl_session_cache off | none | [builtin[:size]] [shared:name:size]
默認選項是 none;
off :禁用緩存 。
none:禁用緩存,可是通知客戶端能夠重用會話(session),可是並不實際存儲。
builtin:內建,這個緩存只能被一個worker進程使用(nginx能夠有過個worker進程),與builtin 配合的單位參數是個數 builtin:100 表示緩存100個session;若是沒有寫明數量 那麼默認是20480個session。使用builtin會引發一些內存碎片。
shared:共享, shared:xx_name:xxM;,在多個worker進程中共享session,單位是M(兆字節),1M能夠存放大概4000個session,共享的緩存能夠有1個名稱,名稱同樣的緩存能夠在多個 nginx 上配置的 server 塊上共享使用。
還能夠混合使用 builtin 和 shared
ssl_session_cache builtin:1000 shared:SSL:10m; 只用共享緩存而不用內置緩存應該更有效率。根據項目狀況來決定。vim - 分佈式會話票證
[root@www nginx1.15.0]# cd conf/certs/
[root@www certs]# openssl rand -out ticket48.key 48
[root@www certs]# openssl rand -out ticket80.key 80
[root@www certs]# ll -l ticket48.key
-rw-r--r--. 1 root root 48 11月 24 14:23 ticket48.key
[root@www certs]# ll -l ticket80.key
-rw-r--r--. 1 root root 80 11月 24 14:31 ticket80.key
[root@www certs]# cd ../..
[root@www nginx1.15.0]# vim conf/nginx.conf
ssl_session_tickets on;
ssl_session_ticket_key certs/ticket48.key; #設置新密鑰,用於新票證的加解密
ssl_session_ticket_key certs/ticket80.key; #保留前一個密鑰用於老票證的解密
[root@www nginx1.15.0]# sbin/nginx -s reload
[root@www nginx1.15.0]# openssl s_client -connect 172.16.216.188:443
.......
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES128-GCM-SHA256
Session-ID: 0734C4A2519DD91A6B03BA6E1A572FA2E8DAB69CC23A41A249E4219B6B16934E
Session-ID-ctx:
Master-Key: AC6A686B930A886990E031117F1032F5829C57EAFA2C363D9917973E401FE420D5F566BA5F5CD5ED2E922F5E6E6E1F1B
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 95 0a 94 18 66 9c fa fb-bb e7 79 81 19 46 a5 77 ....f.....y..F.w
0010 - ec a8 37 e6 6e a2 34 0d-4e 2b e2 ce 58 3c a8 23 ..7.n.4.N+..X<.#
0020 - 8f 73 59 fd 30 0a bf 37-e2 47 6d 9e 10 76 1a 90 .sY.0..7.Gm..v..
0030 - f5 5d 7c 8c e0 32 a5 d4-3a a5 c5 e9 dc 62 e5 eb .]|..2..:....b..
0040 - fc 7d c0 98 df dd 76 4c-29 d6 51 79 d9 6a c2 f7 .}....vL).Qy.j..
0050 - e2 a5 ec a3 46 d1 27 3c-75 12 38 18 ec 20 b1 18 ....F.'<u.8.. ..
0060 - 41 13 be 58 45 96 a5 1f-7a 90 aa a1 73 17 8b 27 A..XE...z...s..'
0070 - 89 7b 63 2a 2f ad 61 53-3d d8 4e 13 c6 41 97 1f .{c*/.aS=.N..A..
0080 - ec 75 d7 bf 7f 96 29 4d-cf f6 3e 0d 23 35 fc 9a .u....)M..>.#5..
0090 - 57 98 2a 81 2c e7 b0 e1-27 33 aa d7 fb 13 01 c3 W.*.,...'3......
00a0 - 91 86 f5 63 5c b5 be 1a-58 a5 99 61 1a 82 36 de ...c\...X..a..6.
......
使用兩個密鑰輪轉的方式,在密鑰更新時服務器就不會丟棄更新前創建的會話。
在集羣中實施會話票證密鑰的輪替是不可靠的,由於沒法完美的實現新的密鑰在同一個時刻被全部節點同時更新。若是某個節點在其餘節點前使用了新密鑰,並給某個客戶端生成了票據,隨後客戶端再次發送過來的請求被分配到其餘節點處理,而其餘節點可能沒法解密數據(集羣未採起流量保持機制),而致使SSL從新握手,這樣會形成性能降低,甚至會出現一個瓶頸期;歸根結底是各個節點在從新加載配置的時候會不可避免的存在時間差。若是選擇使用會話票證,不要過於頻繁的更新密鑰,儘可能在設計上會使用流量保持,把同一個用戶分發到相同節點。
若是要完美地實現集羣的會話票證密鑰輪轉,而且不介意操做兩次集羣配置,能夠按如下步驟操做。
(1) 生成一個新密鑰。
(2) 將新的密鑰替換掉只用於解密的老密鑰,重啓各個節點;加載配置,使全部節點都只使用新密鑰。
(3) 將兩個密鑰交換位置,新密鑰做爲加解密的密鑰,以前的密鑰做爲只解密的老密鑰。
能夠從容的依次重啓各個節點,由於全部節點在第一次配置中已經加載了新密鑰,因此能夠正常解密由新密鑰加密的票據,不會有任什麼時候間差帶來的問題。瀏覽器
相關文章
- 1. SSL/TLS深度解析--在 MySQL5.6 上部署 TLS
- 2. SSL/TLS深度解析--在 vsftpd 上部署 TLS
- 3. SSL/TLS深度解析--在 Nginx上配置 HSTS、CSP 與其餘
- 4. SSL/TLS深度解析--在Nginx上配置證書鏈及多域名證書
- 5. Nginx在ubutu上的部署
- 6. SSL/TLS深度解析--TLS性能優化
- 7. SSL/TLS深度解析--測試TLS/SSL加密
- 8. Nginx上部署HTTPS + HTTP2
- 9. Nginx SSL TLS部署最佳實踐
- 10. Linux上部署Nginx
- 更多相關文章...
- • Maven 自動化部署 - Maven教程
- • TCP滑動窗口機制深度剖析 - TCP/IP教程
- • 算法總結-深度優先算法
- • 使用阿里雲OSS+CDN部署前端頁面與加速靜態資源
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
歡迎關注本站公眾號,獲取更多信息
