SSL principles, generating SSL keys, configuring nginx SSL

How SSL works


SSL workflow

1. The browser sends an HTTPS request to the server.

2. The server must have a set of digital certificates. You can make them yourself (the steps later in this post are Aming's own self-made certificate) or apply to an organization for them. The difference is that a self-issued certificate must first pass verification on the client before access can continue, whereas a certificate obtained from a trusted company does not pop up a warning page. This "certificate" is in fact a public/private key pair.

3. The server sends the public key to the client.

4. After the client (browser) receives the public key, it checks whether the key is legitimate and valid. If it is invalid, a warning is shown; if it is valid, the client generates a random string and encrypts it with the public key it received.

5. The client sends the encrypted random string to the server.

6. After the server receives the encrypted random string, it first decrypts it with the private key (public key encrypts, private key decrypts) to obtain the random string, then uses that random string to encrypt the data to be transmitted. This is symmetric encryption: the data and the "private key", i.e. this random string, are mixed together by some algorithm, so that nobody who does not know the key can recover the data.

7. The server sends the encrypted data to the client.

8. After the client receives the data, it decrypts it with its own "private key", i.e. that random string.

Difference between HTTP and HTTPS: HTTPS traffic is encrypted. Packets in transit may be captured and intercepted by an attacker; with HTTPS, the captured packets are encrypted and cannot be decrypted.
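The key-exchange flow described above, as an added example that is not part of the original post, driven with the openssl command-line tool: the server's RSA key pair, the client's random string encrypted to the public key, its recovery with the private key, and symmetric encryption of the data with that string. The working directory, file names and the sample message are constructed.

```shell
# Added example: the RSA key-exchange flow described in the post, driven with the openssl CLI.
# TLS 1.3 no longer uses RSA key transport (it uses ephemeral Diffie-Hellman), but the roles of
# the long-lived asymmetric pair and the per-session random symmetric key are as described.
set -eu
WORK=$(mktemp -d)          # constructed scratch directory, removed on exit
trap 'rm -rf "$WORK"' EXIT

# Server: long-lived RSA key pair; the certificate handed to clients carries the public half.
server_make_keypair() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/server.key" -pubout -out "$WORK/server.pub" 2>/dev/null
}

# Client: generate the random string and encrypt it to the server's public key (RSA-OAEP).
client_make_secret() {
    openssl rand -hex 32 > "$WORK/client.secret"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/server.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/client.secret" -out "$WORK/secret.enc"
}

# Server: only the private key can recover the random string; prints "same" when it matches.
server_recover_secret() {
    openssl pkeyutl -decrypt -inkey "$WORK/server.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/secret.enc" -out "$WORK/server.secret"
    if [ "$(cat "$WORK/client.secret")" = "$(cat "$WORK/server.secret")" ]; then echo same; else echo differ; fi
}

# Server: symmetric (AES-256-CBC) encryption of the application data, keyed by the shared string.
server_send() {   # $1 = plaintext
    printf '%s' "$1" | openssl enc -aes-256-cbc -pbkdf2 \
        -pass "file:$WORK/server.secret" -out "$WORK/data.enc"
}

# Client: decrypt with its own copy of the random string.
client_receive() {
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$WORK/client.secret" -in "$WORK/data.enc"
}

# Eavesdropper's view: the captured ciphertext does not contain the plaintext.
wire_leaks_plaintext() {   # $1 = plaintext to look for; prints yes / no
    if grep -qF "$1" "$WORK/data.enc"; then echo yes; else echo no; fi
}

server_make_keypair
client_make_secret
echo "server recovered the client's random string: $(server_recover_secret)"
server_send "GET /index.html over TLS"
echo "client decrypted: $(client_receive)"
```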

Generating an SSL key pair

cd /usr/local/nginx/conf
openssl genrsa -des3 -out tmp.key 2048                      # the .key file is the private key
openssl rsa -in tmp.key -out aminglinux.key                 # convert the key, removing the passphrase
rm -f tmp.key
openssl req -new -key aminglinux.key -out aminglinux.csr    # generate the certificate request; this file and the private key together produce the public key file
openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt
# aminglinux.crt here is the public key

1. First, the openssl tool must be installed; check with rpm -qf `which openssl`

[root@xuexi-001 conf]# rpm -qf `which openssl`
openssl-1.0.2k-12.el7.x86_64
[root@xuexi-001 conf]# yum -y install openssl

2. openssl genrsa -des3 -out tmp.key 2048    # the RSA-format key file is the private key

[root@xuexi-001 conf]# openssl genrsa -des3 -out tmp.key 2048 
Generating RSA private key, 2048 bit long modulus
..............................................+++
....................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:111111
Verifying - Enter pass phrase for tmp.key:111111

3. openssl rsa -in tmp.key -out aminglinux.key    # -in: the key to convert (this removes the passphrase); -out: the output file

[root@xuexi-001 conf]# openssl rsa -in tmp.key -out aminglinux.key 
Enter pass phrase for tmp.key:111111
writing RSA key

4. rm -f tmp.key    # aminglinux.key and tmp.key are really the same private key; tmp.key just has a passphrase and aminglinux.key does not, so tmp.key can now be deleted

[root@xuexi-001 conf]# rm -rf tmp.key

5. openssl req -new -key aminglinux.key -out aminglinux.csr    # generate the certificate request; this file and the private key together produce the public key file

[root@xuexi-001 conf]# openssl req -new -key aminglinux.key -out aminglinux.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:china
string is too long, it needs to be less than  2 bytes long
Country Name (2 letter code) [XX]:11
State or Province Name (full name) []:Beijing  
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:guo
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:guo

The information entered here can be anything you like; for a formally purchased certificate, the real details must be filled in.

6. openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt    # aminglinux.crt here is the public key

[root@xuexi-001 conf]# openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt
Signature ok
subject=/C=11/ST=Beijing/L=Beijing/O=guo
Getting Private key

7. The public and private keys have now been generated, so nginx SSL can be configured

[root@xuexi-001 conf]# ls aminglinux.*
aminglinux.crt  aminglinux.csr  aminglinux.key
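The six steps above run non-interactively, followed by the checks worth making before the files go into the nginx vhost, as an added example that is not part of the original post. The working directory, base names and the CN are constructed.

```shell
# Added example, not from the post: the same steps run non-interactively, then the checks worth
# making before the files go into the nginx vhost. Working directory and names are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Steps 2-6 from the post; -subj replaces the interactive DN prompts, and genrsa without -des3 writes
# an unencrypted private key directly, which is what the tmp.key -> aminglinux.key round-trip produced.
make_pair() {   # $1 = base name, $2 = hostname nginx will serve (goes into CN)
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$1.key" -subj "/C=CN/ST=Beijing/L=Beijing/O=guo/CN=$2" -out "$WORK/$1.csr"
    openssl x509 -req -days 365 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# nginx refuses to start when ssl_certificate and ssl_certificate_key do not belong together;
# comparing the public key carried by each file catches that before a reload.
pair_matches() {   # $1 = key file, $2 = cert file; prints match or mismatch
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$k" = "$c" ] && echo match || echo mismatch
}

# The name in the certificate must equal server_name. Current Chrome only accepts the name from a
# subjectAltName extension, so a CN-only certificate like this one is still rejected there.
cert_cn() { openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'; }

# -checkend N succeeds only if the certificate is still valid N seconds from now (30 days here).
cert_valid_30d() { openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null && echo ok || echo expiring; }

make_pair aminglinux aming.com
echo "key/cert: $(pair_matches "$WORK/aminglinux.key" "$WORK/aminglinux.crt")"
echo "CN: $(cert_cn "$WORK/aminglinux.crt")"
echo "validity: $(cert_valid_30d "$WORK/aminglinux.crt")"
```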

Outline of the nginx SSL configuration

vim /usr/local/nginx/conf/vhost/ssl.conf    # add the following content
server
{
    listen 443;
    server_name aming.com;
    index index.html index.php;
    root /data/wwwroot/aming.com;
    ssl on;
    ssl_certificate aminglinux.crt;
    ssl_certificate_key aminglinux.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
/usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload    # if this fails with unknown directive "ssl", nginx must be recompiled with --with-http_ssl_module
mkdir /data/wwwroot/aming.com
echo "ssl test page." > /data/wwwroot/aming.com/index.html
Edit the hosts file and add: 127.0.0.1 aming.com
curl https://aming.com/

Configuring nginx SSL

1. The previous section produced the public and private keys; now configure nginx. Create a new configuration file: vi /usr/local/nginx/conf/vhost/ssl.conf

[root@xuexi-001 conf]# vim /usr/local/nginx/conf/vhost/ssl.conf

server
{
    listen 443;                            # listen on port 443
    server_name aming.com;                 # host name
    index index.html index.php;
    root /data/wwwroot/aming.com;          # root directory
    ssl on;                                # enable SSL
    ssl_certificate aminglinux.crt;        # public key (certificate)
    ssl_certificate_key aminglinux.key;    # private key
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # SSL protocol versions
}

SSL protocol versions: normally all three protocols are configured.
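An added check, not from the original post: a small lint of an nginx vhost file for the three SSL settings above. `ssl on;` has been deprecated since nginx 1.15.0 in favour of `listen 443 ssl;`, and TLS 1.0 and 1.1 are deprecated by RFC 8996, so both are worth flagging before the file is reloaded. The vhost copies and the absolute certificate paths in the hardened variant are constructed.

```shell
# Added example, not from the post: lint an nginx vhost for the SSL settings used above.
# "ssl on;" is deprecated since nginx 1.15.0 (use "listen 443 ssl;"), and TLS 1.0/1.1 are
# deprecated by RFC 8996, so a linter should flag both before the file is reloaded.
set -eu

ssl_conf_lint() {   # $1 = vhost file; prints one finding per line, nothing when the file is clean
    awk '
        /^[[:space:]]*#/ { next }                                   # skip comment lines
        $1 == "ssl" && $2 ~ /^on;?$/ { print "ssl on; is deprecated, use: listen 443 ssl;" }
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                p = $i; sub(/;$/, "", p)
                if (p == "TLSv1" || p == "TLSv1.1" || p ~ /^SSLv/)
                    print "ssl_protocols enables obsolete " p "; keep only TLSv1.2 TLSv1.3"
            }
        }
    ' "$1"
}

ssl_conf_finding_count() { ssl_conf_lint "$1" | wc -l | tr -d ' '; }

# Constructed copies of the vhost from the post (weak) and a hardened variant (TLSv1.3 needs
# nginx 1.13.0+ built against OpenSSL 1.1.1+; the certificate paths are assumed absolute).
WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat > "$WEAK" <<'EOF'
server {
    listen 443;
    server_name aming.com;
    ssl on;
    ssl_certificate aminglinux.crt;
    ssl_certificate_key aminglinux.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
cat > "$HARD" <<'EOF'
server {
    listen 443 ssl;
    server_name aming.com;
    ssl_certificate /usr/local/nginx/conf/aminglinux.crt;
    ssl_certificate_key /usr/local/nginx/conf/aminglinux.key;
    ssl_protocols TLSv1.2 TLSv1.3;
}
EOF
ssl_conf_lint "$WEAK"
```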

2. Create the /data/wwwroot/aming.com directory

[root@xuexi-001 conf]# mkdir /data/wwwroot/aming.com

3. Test the configuration file and reload

[root@xuexi-001 conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

Error: nginx does not recognise the ssl directive because SSL support was not enabled when nginx was compiled.

[root@xuexi-001 conf]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.15.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) 
configure arguments: --prefix=/usr/local/nginx

Fix: recompile nginx.

4. Recompile nginx

[root@xuexi-001 conf]# cd /usr/local/src/nginx-1.15.1
[root@xuexi-001 nginx-1.15.1]# ./configure --help |grep -i ssl
  --with-http_ssl_module             enable ngx_http_ssl_module
  --with-mail_ssl_module             enable ngx_mail_ssl_module
  --with-stream_ssl_module           enable ngx_stream_ssl_module
  --with-stream_ssl_preread_module   enable ngx_stream_ssl_preread_module
  --with-openssl=DIR                 set path to OpenSSL library sources
  --with-openssl-opt=OPTIONS         set additional build options for OpenSSL

--with-http_ssl_module must be added when compiling.

5. Configure: ./configure --prefix=/usr/local/nginx --with-http_ssl_module

[root@xuexi-001 conf]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@xuexi-001 conf]#  make
[root@xuexi-001 conf]#  make install

6. After compiling and installing, check nginx's build arguments; --with-http_ssl_module now appears

[root@xuexi-001 nginx-1.15.1]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.15.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module

7. Test the configuration file and restart nginx

[root@xuexi-001 nginx-1.15.1]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@xuexi-001 nginx-1.15.1]# /etc/init.d/nginx restart
Restarting nginx (via systemctl):                          [  肯定  ]

8. Check the listening ports; an extra port, 443, now appears

[root@xuexi-001 nginx-1.15.1]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1533/master         
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5716/nginx: master  
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5716/nginx: master  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1205/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      1533/master         
tcp6       0      0 :::3306                 :::*                    LISTEN      1576/mysqld         
tcp6       0      0 :::22                   :::*                    LISTEN      1205/sshd

php-fpm pools

To avoid a situation where several sites share one pool and a fault in one site breaks the pool, taking down the other sites that use it, configure a separate pool for each site.

Adding a pool to php-fpm

1. Edit the php-fpm configuration file:

[root@xuexi-001 ~]# vim /usr/local/php-fpm/etc/php-fpm.conf
[aming.com]
listen = /tmp/aming.sock
#listen = 127.0.0.1:9000
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

2. Test the configuration file and reload

[root@xuexi-001 ~]# /usr/local/php-fpm/sbin/php-fpm -t
[13-Jul-2018 09:49:18] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful

[root@xuexi-001 ~]# /etc/init.d/php-fpm reload
Reload service php-fpm  done

3. Check the processes

[root@xuexi-001 ~]# ps aux |grep php-fpm

...
php-fpm    1585  0.0  0.2 229336  4736 ?        S    09:49   0:00 php-fpm: pool aming.com
php-fpm    1586  0.0  0.2 229336  4740 ?        S    09:49   0:00 php-fpm: pool aming.com

4. Configure the pool for the site

[root@xuexi-001 ~]# cd /usr/local/nginx/conf/vhost/
[root@xuexi-001 vhost]# ls
aaa.com.conf  load.conf  proxy.conf  ssl.conf  test.com.conf
[root@xuexi-001 vhost]# vi aaa.com.conf 
location ~ \.php$
{
    include fastcgi_params;
    fastcgi_pass unix:/tmp/aming.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /data/wwwroot/default$fastcgi_script_name;
}

Note: just change the fastcgi_pass address to the same address as in php-fpm.conf.

Adding php-fpm.conf sub-configuration files

For easier management, each php-fpm pool can be managed separately. Add php-fpm sub-configuration files as follows:

[root@xuexi-001 vhost]# vim /usr/local/php-fpm/etc/php-fpm.conf


[global]
pid = /usr/local/php-fpm/var/run/php-fpm.pid
error_log = /usr/local/php-fpm/var/log/php-fpm.log
include = etc/php-fpm.d/*.conf

Note: add the parameter include = etc/php-fpm.d/*.conf in the [global] section. The other parameters in the php-fpm configuration file can then be removed and set individually under the php-fpm.d directory.

1. Create the directory

[root@xuexi-001 vhost]# cd /usr/local/php-fpm/etc/
[root@xuexi-001 etc]# mkdir php-fpm.d
[root@xuexi-001 etc]# cd php-fpm.d/
[root@xuexi-001 php-fpm.d]#

2. Create the php-fpm sub-configuration files:

[root@xuexi-001 php-fpm.d]# vim www.conf

[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024



[root@xuexi-001 php-fpm.d]# vim 1111.conf

[1111.com]
listen = /tmp/1111.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024

3. Check for syntax errors and reload

[root@xuexi-001 php-fpm.d]# /usr/local/php-fpm/sbin/php-fpm -t
[13-Jul-2018 10:38:07] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful

[root@xuexi-001 php-fpm.d]# /etc/init.d/php-fpm reload
Reload service php-fpm  done

After configuration, use ps to check the php-fpm process information.

12.22 php-fpm slow execution log

Enable the slow execution log:

1. Add the following two lines to the pool:

request_slowlog_timeout = 1                           ; start logging once a request has run for more than 1 second
slowlog = /usr/local/php-fpm/var/log/www-slow.log     ; where the log is stored

[root@xuexi-001 php-fpm.d]# vim /usr/local/php-fpm/etc/php-fpm.d/www.conf

[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
request_slowlog_timeout = 1
slowlog = /usr/local/php-fpm/var/log/www-slow.log

2. Check for syntax errors and reload

[root@xuexi-001 php-fpm.d]# /usr/local/php-fpm/sbin/php-fpm -t
[13-Jul-2018 10:58:15] NOTICE: configuration file /usr/local/php-fpm/etc/php-fpm.conf test is successful

[root@xuexi-001 php-fpm.d]#  /etc/init.d/php-fpm reload
Reload service php-fpm  done

Test:

Add a file to the site that uses the www pool. Create a .php file:

[root@xuexi-001 php-fpm.d]# vim /data/wwwroot/test.com/sleep.php

<?php
echo "test slow log";
sleep(2);
echo "done";
?>

Check

[root@xuexi-001 php-fpm.d]# curl -x127.0.0.1:80 test.com/sleep.php 
test slow logdone

View the slow log:

[root@xuexi-001 php-fpm.d]# tail /usr/local/php-fpm/var/log/www-slow.log

[13-Jul-2018 11:00:43]  [pool www] pid 2058
script_filename = /data/wwwroot/test.com/sleep.php
[0x00007fdc23027280] sleep() /data/wwwroot/test.com/sleep.php:3
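A summary of a slow log in the shape shown above, as an added example that is not part of the original post, so that the scripts and calls that keep tripping request_slowlog_timeout stand out. The log lines are constructed in the format php-fpm writes.

```shell
# Added example, not from the post: summarise a php-fpm slow log of the shape shown above.
# The log lines are constructed in the format php-fpm writes.
set -eu

slowlog_summary() {   # $1 = slow log; prints "<count> <pool> <script> <innermost call>", most frequent first
    awk '
        function flush() { if (script != "") count[pool " " script " " frame]++; script = ""; frame = "" }
        /^\[[0-9]/ && / pid / { flush(); pool = $4; sub(/\]$/, "", pool); next }   # entry header
        /^script_filename = / { script = $3; next }
        /^\[0x/ && frame == "" { frame = $2; next }                                # first (innermost) frame
        END { flush(); for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

slowlog_top() { slowlog_summary "$1" | head -n 1; }   # the single worst offender

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
[13-Jul-2018 11:00:43]  [pool www] pid 2058
script_filename = /data/wwwroot/test.com/sleep.php
[0x00007fdc23027280] sleep() /data/wwwroot/test.com/sleep.php:3

[13-Jul-2018 11:02:10]  [pool www] pid 2059
script_filename = /data/wwwroot/test.com/sleep.php
[0x00007fdc23027280] sleep() /data/wwwroot/test.com/sleep.php:3

[13-Jul-2018 11:05:01]  [pool aming.com] pid 2101
script_filename = /data/wwwroot/aming.com/report.php
[0x00007fdc23027300] mysqli_query() /data/wwwroot/aming.com/db.php:42
[0x00007fdc23027280] run_report() /data/wwwroot/aming.com/report.php:17
EOF
slowlog_summary "$LOG"
```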

12.23 Specifying open_basedir in php-fpm

When one server runs several sites, use open_basedir to restrict the range of server directories each site can access. In the php-fpm service, open_basedir can be set per pool.

1. Core configuration parameter:

Add the line php_admin_value[open_basedir]=/data/wwwroot/test.com:/tmp/

[root@xuexi-001 php-fpm.d]# vim /usr/local/php-fpm/etc/php-fpm.d/www.conf  

[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
request_slowlog_timeout = 1
slowlog = /usr/local/php-fpm/var/log/www-slow.log
php_admin_value[open_basedir]=/data/wwwroot/test.com:/tmp/

2. Create a test PHP script:

[root@xuexi-001 php-fpm.d]# vim /data/wwwroot/test.com/1.php

<?php
echo "This is a test php of open_basedir";

3. Test

[root@xuexi-001 php-fpm.d]# curl -x127.0.0.1:80 test.com/1.php
This is a test php of open_basedir

12.24 php-fpm process management

Explanation of the pool configuration parameters in php-fpm:

[www]
listen = /tmp/php-fcgi.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
;process manager mode (dynamic or static)
;the settings below only take effect when this is set to dynamic
pm.max_children = 50
;maximum number of child processes that may be started
pm.start_servers = 20
;number of child processes started initially
pm.min_spare_servers = 5
;minimum number of idle child processes php-fpm keeps
pm.max_spare_servers = 35
;maximum number of idle child processes php-fpm keeps
pm.max_requests = 500
;maximum number of requests one child process handles
rlimit_files = 1024
;number of file handles each child process may open
request_slowlog_timeout = 1
;start logging once a request has run for more than 1 second
slowlog = /usr/local/php-fpm/var/log/www-slow.log
;where the log is stored
php_admin_value[open_basedir]=/data/wwwroot/test.com:/tmp/
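An added check, not from the original post, for the pool parameters explained above and for the two points from the earlier pool and open_basedir sections: it verifies the orderings php-fpm itself enforces for pm = dynamic, flags a world-writable Unix socket (listen.mode = 666 lets any local user send requests to the pool), and reports a pool with no open_basedir. The pool file is constructed from the aming.com pool above with pm.start_servers raised to 40.

```shell
# Added example, not from the post: check a pool file against the ordering rules php-fpm enforces
# for pm = dynamic, plus the socket permission and open_basedir points from the sections above.
# The pool file is constructed from the aming.com pool with pm.start_servers raised to 40.
set -eu

pool_get() { sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1; }   # $1 = key, $2 = file

pool_lint() {   # $1 = pool file; prints one finding per line, nothing when clean
    f=$1
    for k in pm.max_children pm.start_servers pm.min_spare_servers pm.max_spare_servers; do
        [ -n "$(pool_get "$k" "$f")" ] || { echo "$k is missing"; return 0; }
    done
    maxc=$(pool_get pm.max_children "$f"); start=$(pool_get pm.start_servers "$f")
    minsp=$(pool_get pm.min_spare_servers "$f"); maxsp=$(pool_get pm.max_spare_servers "$f")
    if [ "$(pool_get pm "$f")" = dynamic ]; then
        # php-fpm refuses to start when these orderings do not hold
        [ "$minsp" -le "$maxsp" ] || echo "pm.min_spare_servers ($minsp) > pm.max_spare_servers ($maxsp)"
        { [ "$start" -ge "$minsp" ] && [ "$start" -le "$maxsp" ]; } || echo "pm.start_servers ($start) is outside [$minsp, $maxsp]"
        [ "$maxsp" -le "$maxc" ] || echo "pm.max_spare_servers ($maxsp) > pm.max_children ($maxc)"
    fi
    case "$(pool_get listen "$f")" in
        /*) [ "$(pool_get listen.mode "$f")" != 666 ] || echo "listen.mode = 666: any local user can send requests to the socket; prefer listen.owner/listen.group with mode 660" ;;
    esac
    [ -n "$(pool_get 'php_admin_value\[open_basedir\]' "$f")" ] || echo "open_basedir is not set: scripts may read files outside the site root"
}

POOL=$(mktemp)
trap 'rm -f "$POOL"' EXIT
cat > "$POOL" <<'EOF'
[aming.com]
listen = /tmp/aming.sock
listen.mode = 666
user = php-fpm
group = php-fpm
pm = dynamic
pm.max_children = 50
pm.start_servers = 40
pm.min_spare_servers = 5
pm.max_spare_servers = 35
pm.max_requests = 500
rlimit_files = 1024
EOF
pool_lint "$POOL"
```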