Nginx-based HTTPS service

I. How the HTTPS protocol works


1. Why do we need HTTPS?

Reason: HTTP is insecure

  • 1. Data in transit can be stolen by a man in the middle, leaking information
  • 2. Transmitted content can be hijacked and tampered with

The remedy: encrypt the transmitted content and authenticate the parties.

2. Symmetric encryption


Asymmetric encryption

3. How the HTTPS encryption protocol works

4. A man in the middle impersonating the client and the server

The certificate is verified on the client side.

II. Generating the key and the CA certificate

# openssl version

OpenSSL 1.0.1e-fips 11 Feb 2013

# nginx -V    (confirm the SSL module is compiled in; look for this configure argument)

--with-http_ssl_module

Step 1: Generate the private key

[root@web-01 ssl_key]# openssl genrsa -idea -out lewen.key 1024
Generating RSA private key, 1024 bit long modulus
......................................++++++
..............................++++++
e is 65537 (0x10001)
Enter pass phrase for lewen.key:                # enter a pass phrase here, or leave it empty
Verifying - Enter pass phrase for lewen.key:

Step 2: Generate the certificate signing request (CSR file)

[root@web-01 ssl_key]# openssl req -new -key lewen.key -out lewen.csr
Enter pass phrase for lewen.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SZ
Locality Name (eg, city) [Default City]:futian
Organization Name (eg, company) [Default Company Ltd]:fadewalk
Organizational Unit Name (eg, section) []:fadewalk.com
Common Name (eg, your name or your server's hostname) []:fadewalk.com
Email Address []:fadewalk@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:        # leave empty unless required
An optional company name []:
[root@web-01 ssl_key]# ls
lewen.csr lewen.key

Step 3: Generate the self-signed certificate (the "CA file")

[root@web-01 ssl_key]# openssl x509 -req -days 3650 -in lewen.csr -signkey lewen.key -out lewen.crt
Signature ok
subject=/C=CN/ST=SZ/L=futian/O=fadewalk/OU=fadewalk.com/CN=fadewalk.com/emailAddress=fadewalk@163.com
Getting Private key
Enter pass phrase for lewen.key:
[root@web-01 ssl_key]# ls
lewen.crt lewen.csr lewen.key
III. Nginx HTTPS configuration syntax

  
Example:

server {
    listen              443 ssl;
    keepalive_timeout   70;

    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
    ssl_certificate     /usr/local/nginx/conf/cert.pem;
    ssl_certificate_key /usr/local/nginx/conf/cert.key;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    ...
}

(This is the example from the nginx documentation; the RC4 and 3DES ciphers it lists are obsolete, and the Apple requirements in section IV below call for TLS 1.2+ with forward-secrecy ciphers instead.)

[root@web-01 ~]# nginx -s reload

nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/cp4/test_https.conf:4

If the key has a pass phrase, nginx asks for it on every restart, which is inconvenient.

IV. Scenario: configuring a certificate that meets Apple's requirements

a. All connections to the server must use TLS 1.2 or later (OpenSSL 1.0.2)

b. The HTTPS certificate must be signed with SHA-256 or a stronger hash algorithm

c. The HTTPS certificate's public key must be RSA 2048-bit or ECC 256-bit or larger

d. Use forward secrecy

View the certificate details

[root@web-01 ssl_key]# openssl x509 -noout -text -in ./lewen_apple.crt

Generate the key and certificate in one step

[root@web-01 ssl_key]# openssl req -days 3650 -x509 -sha256 -nodes -newkey rsa:2048 -keyout lewen.key -out lewen_apple.crt
Generating a 2048 bit RSA private key
......................................................................................+++
..+++
writing new private key to 'lewen.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:sz
Organization Name (eg, company) [Default Company Ltd]:fadewlak
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
[root@web-01 ssl_key]# ls
lewen_apple.crt  lewen.key

The correct way to enable SSL since nginx 1.15

2019/06/17 17:06:54 [warn] 36807#36807: the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/cp4/test_https.conf:4

Enabling SSL with "ssl on;" no longer works; use "listen 443 ssl;" instead.

When the page is tested, the browser warns that the self-generated certificate is not trusted.

Remove the pass phrase that was entered when the key was generated step by step earlier:

openssl rsa -in ./lewen.key -out ./lewen_nopassword.key


V. HTTPS service optimization

Method 1: Enable keepalive persistent connections

Method 2: Configure the SSL session cache

server {
    listen 443 ssl;
    server_name web01.fadewalk.com;
    # ssl on;  no longer valid since nginx 1.15

    keepalive_timeout 100;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    ssl_certificate /etc/nginx/ssl_key/lewen_apple.crt;
    ssl_certificate_key /etc/nginx/ssl_key/lewen.key;
    #ssl_certificate_key /etc/nginx/ssl_key/lewen_nopass.key;

    location / {
        root  /opt/app/code/cp4/code;
        index lewen.html lewen.htm;
    }
}
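As an added example (not code from the original post), this shell script ties sections IV and V together: it generates a certificate that meets the Apple requirements listed above without a key pass phrase, checks it using the same openssl x509 -text output inspected earlier, and checks an nginx server block for "listen ... ssl", TLS 1.2+ and ECDHE (forward-secrecy) ciphers. WORKDIR, the file names and the subject are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a self-signed certificate that
# satisfies the Apple requirements (RSA 2048, SHA-256 signature) with an unencrypted
# key, then verifies the files and an nginx config before nginx is reloaded.
# WORKDIR, file names and the subject are assumptions mirroring the post's names.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/lewen.key"
CRT="$WORKDIR/lewen_apple.crt"

# One-step key + certificate: -subj replaces the interactive prompts and -nodes
# leaves the key unencrypted, so "nginx -s reload" never waits for a pass phrase.
gen_cert() {
    openssl req -x509 -days 3650 -sha256 -nodes -newkey rsa:2048 \
        -keyout "$KEY" -out "$CRT" \
        -subj "/C=CN/ST=guangdong/L=sz/O=fadewalk/CN=web01.fadewalk.com" 2>/dev/null
}

# Succeeds only when the certificate is SHA-256 signed and carries an RSA public key
# of at least 2048 bits, parsed from "openssl x509 -noout -text".
check_cert() {
    txt=$(openssl x509 -noout -text -in "$1")
    echo "$txt" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
    bits=$(echo "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

# Succeeds when the private key loads with an empty pass phrase, i.e. it is not
# protected; a key produced by "genrsa -idea" fails here until "openssl rsa" strips it.
key_unencrypted() {
    openssl rsa -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# Succeeds when the server block uses "listen ... ssl" rather than the removed
# "ssl on" directive, offers no TLSv1/TLSv1.1, and uses ECDHE ciphers (forward secrecy).
check_nginx_conf() {
    ! grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$1" || return 1
    grep -Eq '^[[:space:]]*listen[[:space:]].*[[:space:]]ssl[[:space:]]*;' "$1" || return 1
    ! grep -Eq 'ssl_protocols[^;]*TLSv1(\.1)?([[:space:]]|;)' "$1" || return 1
    grep -Eq 'ssl_ciphers[^;]*ECDHE' "$1"
}
```

Run gen_cert, then check_cert "$CRT" and key_unencrypted "$KEY", before copying the files into the ssl_key directory referenced by the config above.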