Nginx HTTPS Deployment in Practice

30.1 Purpose of this document
30.2 Contents
30.3 One-way and two-way authentication
30.3.1 What one-way authentication is
30.3.2 What two-way authentication is
30.4 About openssl
30.5 Prerequisites for one-way and two-way SSL in Nginx
30.6 Making certificates with openssl
30.6.1 Server-only (one-way) authentication
30.6.1.1 Create and enter the sslkey directory
30.6.1.2 Generate the RSA key
30.6.1.3 Generate a certificate request
30.6.1.4 Edit the main nginx configuration file
30.6.1.5 Verify the result
30.6.2 Mutual (two-way) server and client authentication
30.6.2.1 Create a directory for each kind of certificate
30.6.2.2 Create a new root CA certificate with a script
30.6.2.3 Generate the server certificate with a script
30.6.2.4 Configure the main nginx configuration file
30.6.2.5 Verify the result
30.6.2.6 Fixing "400 Bad Request": generate the client certificate
30.6.2.7 Verify again
30.6.2.8 Nginx SSL notes

30.1 Purpose of this document

This document was written to practise documentation writing and layout, to consolidate what was covered in class, and to serve as a reference for later use.

30.2 Contents

This chapter covers: the concepts of one-way and two-way authentication, an introduction to openssl, the prerequisites for SSL in Nginx, and making certificates with openssl for both one-way and two-way authentication.

30.3 One-way and two-way authentication

30.3.1 What one-way authentication is

In one-way (server-only) TLS the client verifies the server and the server does not verify the client. During the handshake the server presents its certificate; the client checks that it chains to a CA it trusts and that the name in it matches the host it asked for, and only then carries on. The server learns nothing about who the client is. The familiar username/password login happens on top of this, over the encrypted connection that now exists, and is not part of the TLS handshake.

30.3.2 What two-way authentication is

Two-way (mutual) TLS adds the reverse check. The client still obtains and verifies the server's certificate, and if the server is not one it can trust, it treats the site as untrustworthy and does not proceed (the browser warns you). In addition, the server asks the client for a certificate and verifies it against the CA it trusts; a client that cannot present a certificate the server trusts is not a legitimate user and is refused service. So for mutual HTTPS to complete, the server needs a certificate the browser trusts, and the client (browser) must send the server a certificate, backed by its private key, that the server trusts.

For a browser to trust the server certificate out of the box, it has to be signed by one of the large public CAs already in the browser's trust store, and those CAs generally charge for it. For the client side a private CA is the norm: you run your own CA, configure its root certificate in nginx as the trusted issuer, and issue client certificates from it. That is what the rest of this document does.

Put simply: the server first proves its identity to you, then you prove yours to the server, and each side checks the other's proof against an issuer it already trusts. Only when both checks pass is the connection established.

30.4 About openssl

openssl is open-source software. On Linux (or UNIX/Cygwin) it lets you set up a simple CA (certification authority: the trusted third party in a public key infrastructure, PKI, that issues and validates digital certificates), and that CA can then be used for PKI and digital-certificate testing. For instance, when testing mutual HTTPS with Tomcat or Apache, you can use your own test CA to issue the server its certificate and to generate file-based certificates for the client (browser), generating the client's private key with openssl at the same time.

30.5 Prerequisites for one-way and two-way SSL in Nginx

  • An LNMP environment

  • Nginx compiled with two parameters: --with-http_stub_status_module (enables the NginxStatus page for monitoring the running server) and --with-http_ssl_module (enables the SSL module)

  • openssl and openssl-devel installed

Confirm the build with nginx -V: --with-http_ssl_module must appear in the configure arguments, otherwise every ssl_* directive is rejected as an unknown directive.

[root@LNMP ~]# /application/nginx/sbin/nginx -V
nginx version: nginx/1.6.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC)
configure arguments: --user=nginx --group=nginx --prefix=/application/nginx-1.6.2 --with-http_stub_status_module --with-http_ssl_module

30.6 Making certificates with openssl

30.6.1 Server-only (one-way) authentication

30.6.1.1 Create and enter the sslkey directory

[root@LNMP ~]# mkdir -p /application/nginx/sslkey
[root@LNMP ~]# cd /application/nginx/sslkey/

30.6.1.2 Generate the RSA key

[root@LNMP sslkey]# openssl genrsa -out key.pem 2048

30.6.1.3 Generate a certificate request

[root@LNMP sslkey]# openssl req -new -key key.pem -out cert.csr

A CSR is a request, not a certificate, and nginx cannot load cert.csr. For one-way authentication the request is signed with key.pem itself, giving a self-signed certificate, and the configuration in 30.6.1.4 expects the results as /application/nginx/sslkey/server.crt and server.key, so name the files accordingly (or adjust the paths there). Browsers warn about a self-signed certificate; for a public site use one issued by a CA the browsers already trust.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn                                  // country code
State or Province Name (full name) []:bj                               // province
Locality Name (eg, city) [Default City]:bj                             // city
Organization Name (eg, company) [Default Company Ltd]:bj              // company name
Organizational Unit Name (eg, section) []:bj                           // department
Common Name (eg, your name or your server's hostname) []:www.etiantian.org   // the domain the certificate is for; must match the name users type
Email Address []:260428042@qq.com                                       // e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456      // CSR challenge password; nginx never uses it and it may be left blank
An optional company name []:123456  // optional company name, not a password; may be left blank
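The steps above stop at a CSR, while the nginx configuration that follows expects server.key and server.crt. The script below is an added example, not part of the original notes: it carries the procedure through to files nginx can load (key, request, self-signed certificate with a subjectAltName) and adds the checks worth running before pointing nginx at them. The target directory, host name, DN values and the req.cnf/san.cnf files it writes are placeholders.

```shell
#!/bin/sh
# Added example (not from the original notes): one-way server certificate,
# carried through to server.key / server.crt plus pre-flight checks.
# Directory, host name, DN values and the two small config files are placeholders.
set -e

# Produce server.key, server.csr and a self-signed server.crt in $1 for host $2.
make_server_cert() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # minimal req config so -subj works without prompts and without the system openssl.cnf
    printf '[ req ]\ndistinguished_name = dn\n[ dn ]\ncommonName = Common Name\n' > "$dir/req.cnf"
    # browsers match the URL against subjectAltName, not only the CN, so add one
    printf 'subjectAltName = DNS:%s\n' "$host" > "$dir/san.cnf"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"                  # the key is the secret; nginx reads it as root
    openssl req -new -key "$dir/server.key" -config "$dir/req.cnf" \
        -subj "/C=CN/ST=bj/L=bj/O=bj/OU=bj/CN=$host" -out "$dir/server.csr"
    # the step the notes leave out: sign the request with its own key
    openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -extfile "$dir/san.cnf" -out "$dir/server.crt" 2>/dev/null
}

# The certificate's public key must equal the one derived from the private key,
# otherwise nginx refuses to start with "key values mismatch".
cert_matches_key() {
    a=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
    b=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Subject CN, for comparison with the name users will type.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# True if the certificate lists $2 as a DNS subjectAltName.
cert_has_san() {
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

# True if the certificate is still valid $2 seconds from now (default: one day).
cert_still_valid() {
    openssl x509 -noout -checkend "${2:-86400}" -in "$1" >/dev/null
}

# Usage: make_server_cert /application/nginx/sslkey www.etiantian.org
#        cert_matches_key /application/nginx/sslkey/server.crt /application/nginx/sslkey/server.key
```

After the files are in place, nginx -t catches a key/certificate mismatch, and openssl s_client -connect www.etiantian.org:443 -servername www.etiantian.org shows the certificate the server actually presents; with a self-signed certificate its verify result is "self signed certificate", which is expected here.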

30.6.1.4 Edit the main nginx configuration file

[root@LNMP ~]# cat /application/nginx/conf/nginx.conf
worker_processes 1;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

    server {
        listen       443;
        server_name  www.etiantian.org;
        ssl                  on;
        ssl_certificate      /application/nginx/sslkey/server.crt;
        ssl_certificate_key  /application/nginx/sslkey/server.key;
        ssl_session_timeout  5m;
        # The original notes had "SSLv3 TLSv1" and a cipher list that still admitted RC4;
        # SSLv3 (POODLE) and RC4 are broken and must not be offered.
        ssl_protocols        TLSv1.2;
        ssl_ciphers          HIGH:!aNULL:!MD5:!RC4;
        ssl_prefer_server_ciphers on;

        location / {
            root   html/blog;
            index  index.html index.htm;
        }
    }
}

[root@LNMP ~]# /application/nginx/sbin/nginx -t          // check the syntax
[root@LNMP ~]# /application/nginx/sbin/nginx -s reload   // reload the configuration

"ssl on;" is correct for the nginx 1.6.2 used here; from nginx 1.15 it is deprecated in favour of "listen 443 ssl;" and nginx 1.25 removed it.

30.6.1.5 Verify the result

Open https://www.etiantian.org in a browser. Because the certificate is self-signed, the browser first shows a trust warning; once that is accepted, the page is served over TLS. (The original notes showed two screenshots here.)

30.6.2 Mutual (two-way) server and client authentication

30.6.2.1 Create a directory for each kind of certificate

[root@LNMP ~]# mkdir /application/nginx/ca
[root@LNMP ~]# cd /application/nginx/ca
[root@LNMP ca]# mkdir newcerts private conf server

newcerts holds a copy of every certificate the CA signs (issues).

private holds the CA's private key (and, with the scripts below, its certificate and CRL).

conf holds the openssl configuration with the CA's parameters.

server holds this server's own key and certificate.

Keep private readable by root only (chmod 700 private): anyone who can read ca.key can issue client certificates that nginx will accept.

1. Create the openssl.conf configuration file in the conf directory

[root@LNMP ~]# cat /application/nginx/ca/conf/openssl.conf
[ ca ]
default_ca = foo                                       # name of the default CA section; openssl ca reads the section with this name

[ foo ]
dir              = /application/nginx/ca               # top-level CA directory
database         = /application/nginx/ca/index.txt     # text database of issued certificates
new_certs_dir    = /application/nginx/ca/newcerts      # where a copy of each newly issued certificate is written
certificate      = /application/nginx/ca/private/ca.crt   # CA certificate
serial           = /application/nginx/ca/serial        # next serial number
private_key      = /application/nginx/ca/private/ca.key   # CA private key
RANDFILE         = /application/nginx/ca/private/.rand # random seed file
default_days     = 365                                 # validity of the certificates this CA issues
default_crl_days = 30                                  # validity (nextUpdate) of a generated CRL, not a warning period
default_md       = sha256                              # signature digest; the original notes used md5, which is broken and rejected by current browsers
#unique_subject  = no                                  # default is yes: openssl ca then refuses a request whose subject matches a valid entry already in index.txt; uncomment if server and client certificates are to share one DN as in the examples below
policy           = policy_any                          # which DN fields a request must match against the CA certificate

[ policy_any ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = match
localityName           = optional
commonName             = supplied
emailAddress           = optional

30.6.2.2 Create a new root CA certificate with a script

1. The script

[root@LNMP ~]# cat /application/nginx/ca/new_ca.sh
#!/bin/sh
# Run from /application/nginx/ca: the paths below are relative to it.
# Generate the CA private key (no size given, so this openssl defaults to 1024 bits; use 2048 or more for a real CA)
openssl genrsa -out private/ca.key
# Generate the certificate request for the CA
openssl req -new -key private/ca.key -out private/ca.csr
# Sign the CA request with the CA's own private key (a self-signed root)
openssl x509 -req -days 365 -in private/ca.csr -signkey private/ca.key -out private/ca.crt
# The next three lines set up the CA's serial file, database index and an initial CRL
echo FACE > serial
touch index.txt
openssl ca -gencrl -out /application/nginx/ca/private/ca.crl -crldays 7 -config "/application/nginx/ca/conf/openssl.conf"

Two caveats. A root produced with "openssl x509 -req" and no extension file is a version 1 certificate without basicConstraints; OpenSSL still accepts a self-signed v1 certificate as an explicitly configured trust anchor (which is how nginx uses it), but a real CA certificate should carry basicConstraints CA:TRUE and keyUsage keyCertSign. And the CRL is generated with -crldays 7, so it is only valid for a week; that matters as soon as anything (such as nginx's ssl_crl) starts checking it.

2. Run the script to create the root CA certificate

[root@LNMP ca]# sh new_ca.sh
Generating RSA private key, 1024 bit long modulus
.......................................++++++
.++++++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:bj
Organizational Unit Name (eg, section) []:bj
Common Name (eg, your name or your server's hostname) []:www.etiantian.org
Email Address []:260428042@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
Signature ok
subject=/C=cn/ST=bj/L=bj/O=bj/OU=bj/CN=www.etiantian.org/emailAddress=60428042@qq.com
Getting Private key
Using configuration from /application/nginx/ca/conf/openssl.conf

3. Check the generated CA certificate and make sure it is not empty: openssl x509 -in private/ca.crt -noout -text should print its subject, validity period and public key.

30.6.2.3 Generate the server certificate with a script

1. The script

[root@LNMP ~]# cd /application/nginx/ca/
[root@LNMP ca]# cat new_server.sh
#!/bin/sh
# Create us a key. Don't bother putting a password on it since you will need it to start apache. If you have a better work around I'd love to hear it.
# Create the server private key (no size given: 1024 bits on this openssl; use 2048)
openssl genrsa -out server/server.key
# Use the private key to create a certificate signing request
openssl req -new -key server/server.key -out server/server.csr
# Have the CA sign the request with its certificate and key, producing the server certificate
openssl ca -in server/server.csr -cert private/ca.crt -keyfile private/ca.key -out server/server.crt -config "/application/nginx/ca/conf/openssl.conf"

2. Run the script to generate the server certificate

[root@LNMP ca]# sh new_server.sh
Generating RSA private key, 1024 bit long modulus
.....................++++++
...........................................................++++++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:bj
Organizational Unit Name (eg, section) []:bj
Common Name (eg, your name or your server's hostname) []:www.etiantian.org
Email Address []:260428042@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
Using configuration from /application/nginx/ca/conf/openssl.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'cn'
stateOrProvinceName   :ASN.1 12:'bj'
localityName          :ASN.1 12:'bj'
organizationName      :ASN.1 12:'bj'
organizationalUnitName:ASN.1 12:'bj'
commonName            :ASN.1 12:'www.etiantian.org'
emailAddress          :IA5STRING:'60428042@qq.com'
Certificate is to be certified until Mar  5 10:14:25 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries

3. Check that the generated server certificate is not empty. If openssl ca refused the request (for example because a DN field did not match the policy), server.crt can be left empty and nginx -t will then fail to load it.

30.6.2.4 Configure the main nginx configuration file

[root@LNMP ~]# cat /application/nginx/conf/nginx.conf
worker_processes  1;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

    # HTTPS server
    server {
        listen       443;
        root         html/blog;
        index        index.php index.html index.htm;
        server_name  www.etiantian.org;

        ssi on;
        ssi_silent_errors on;
        ssi_types text/shtml;

        ssl                     on;
        ssl_certificate         /application/nginx/ca/server/server.crt;
        ssl_certificate_key     /application/nginx/ca/server/server.key;
        # The CA whose certificates clients must present; with ssl_verify_client on,
        # a handshake without a certificate issued by it is rejected.
        ssl_client_certificate  /application/nginx/ca/private/ca.crt;
        ssl_verify_client       on;
        ssl_session_timeout     5m;
        # The original notes listed "SSLv2 SSLv3 TLSv1" and a cipher string ending in
        # +LOW:+SSLv2:+EXP; SSLv2, SSLv3, export and LOW suites are broken and must not be offered.
        ssl_protocols           TLSv1.2;
        ssl_ciphers             HIGH:!aNULL:!MD5:!RC4;
        ssl_prefer_server_ciphers on;

        location / {
            root   html/blog;
            index  index.php index.html index.htm;
        }
    }
}

[root@LNMP ~]# /application/nginx/sbin/nginx -t          // check the syntax
[root@LNMP ~]# /application/nginx/sbin/nginx -s reload   // reload the configuration
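The server block below is an added example, not the nginx.conf from the original notes: the same two-way setup expressed with current directives (listen ... ssl instead of ssl on, which nginx 1.25 removed), TLS 1.2 and 1.3 only, the CRL that new_ca.sh generates, an explicit check of the verification result, and the authenticated identity handed to a backend. The backend at 127.0.0.1:9000 and the /app/ location are assumptions for illustration.

```nginx
# Added example (not the page's nginx.conf): mutual-TLS server block with current directives.
# Certificate paths are the page's; the /app/ backend is an assumption.
server {
    listen 443 ssl;                     # replaces "ssl on;" (deprecated in 1.15, removed in 1.25)
    server_name www.etiantian.org;

    ssl_certificate     /application/nginx/ca/server/server.crt;
    ssl_certificate_key /application/nginx/ca/server/server.key;

    # No SSLv2/SSLv3/TLS1.0/1.1, no RC4, export or LOW suites: forward-secret AEAD suites only.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;

    # Client authentication: accept only certificates issued by the private CA,
    # allow a chain of at most this depth, and honour the CA's revocation list.
    ssl_client_certificate /application/nginx/ca/private/ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       1;           # raise if an intermediate CA is introduced
    ssl_crl                /application/nginx/ca/private/ca.crl;   # generated by new_ca.sh

    root  html/blog;
    index index.html index.htm;

    # With ssl_verify_client on, nginx already answers 400 when no valid certificate
    # was presented; this explicit check also survives a later change to "optional".
    if ($ssl_client_verify != SUCCESS) {
        return 403;
    }

    location / {
        try_files $uri $uri/ =404;
    }

    # Assumed backend: pass the identity nginx verified, so the application
    # never has to trust a client-supplied header for it.
    location /app/ {
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Serial $ssl_client_serial;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_pass http://127.0.0.1:9000;
    }
}
```

On the nginx 1.6.2 shown in 30.5, "listen 443 ssl;" already works, but TLSv1.3 is not a known value there, so use ssl_protocols TLSv1.2; alone. new_ca.sh creates ca.crl with -crldays 7, so once ssl_crl is enabled the CRL has to be regenerated at least weekly: an expired CRL makes nginx reject every client certificate, not just revoked ones.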

30.6.2.5 Verify the result

Opening https://www.etiantian.org now returns 400 Bad Request. With ssl_verify_client on, nginx requires the browser to present, during the handshake, a certificate issued by the CA named in ssl_client_certificate; the browser has none yet, so nginx answers "400 Bad Request" with the reason "No required SSL certificate was sent". The next section issues the client certificate that fixes this. (The original notes showed a screenshot here.)

30.6.2.6 Fixing "400 Bad Request": generate the client certificate

1. The script

[root@LNMP ~]# cat /application/nginx/ca/new_user.sh
#!/bin/sh
base="/application/nginx/ca"
mkdir -p $base/users/
# Generate the client private key, encrypted with a passphrase (-des3); 1024 bits is too small today, use 2048
openssl genrsa -des3 -out $base/users/client.key 1024
# Generate a certificate signing request from the private key
openssl req -new -key $base/users/client.key -out $base/users/client.csr
# Have the CA sign the request, producing the client certificate
openssl ca -in $base/users/client.csr -cert $base/private/ca.crt -keyfile $base/private/ca.key -out $base/users/client.crt -config "/application/nginx/ca/conf/openssl.conf"
# Bundle certificate and private key as PKCS#12 (Personal Information Exchange, .p12), the format most browsers import
openssl pkcs12 -export -clcerts -in $base/users/client.crt -inkey $base/users/client.key -out $base/users/client.p12

2. Run the script to generate the client certificate

[root@LNMP ca]# sh new_user.sh
Generating RSA private key, 1024 bit long modulus
....++++++
...................................................++++++
e is 65537 (0x10001)
Enter pass phrase for /application/nginx/ca/users/client.key:
Verifying - Enter pass phrase for /application/nginx/ca/users/client.key:
Enter pass phrase for /application/nginx/ca/users/client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:bj
Organizational Unit Name (eg, section) []:bj
Common Name (eg, your name or your server's hostname) []:www.etiantian.org
Email Address []:260428042@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
Using configuration from /application/nginx/ca/conf/openssl.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'cn'
stateOrProvinceName   :ASN.1 12:'bj'
localityName          :ASN.1 12:'bj'
organizationName      :ASN.1 12:'bj'
organizationalUnitName:ASN.1 12:'bj'
commonName            :ASN.1 12:'www.etiantian.org'
emailAddress          :IA5STRING:'60428042@qq.com'
Certificate is to be certified until Mar  5 10:24:17 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Enter pass phrase for /application/nginx/ca/users/client.key:
Enter Export Password:
Verifying - Enter Export Password:

3. Check the generated certificate and download client.p12 to the local desktop (sz sends the file over ZMODEM to a terminal emulator that supports it):

[root@LNMP ~]# cd /application/nginx-1.6.2/ca/users/
[root@LNMP users]# sz -y client.p12

client.p12 contains the user's private key. Protect the export password, hand the file over through a channel you trust, and remove the copy left on the server once the user has it.
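The three scripts in 30.6.2.2, 30.6.2.3 and 30.6.2.6 each do one job, interactively. The script below is an added example, not from the original notes, that does the same work end to end without prompts and adds what those scripts lack: a sha256 digest, a root marked CA:TRUE, leaf certificates pinned to serverAuth or clientAuth, and a verification step showing that a client certificate cannot be passed off as a server certificate (or the reverse). The CA directory given as the first argument, the DN values, the user name and the passwords are placeholders.

```shell
#!/bin/sh
# Added example (not the page's new_ca.sh / new_server.sh / new_user.sh):
# one private CA that issues a server and a client certificate via `openssl ca`
# and then checks each certificate against the CA for its intended purpose.
# Assumptions: the CA root directory is $1; DNs, user name and passwords are placeholders.
set -e

# CA configuration: like the page's openssl.conf but with sha256 instead of md5,
# unique_subject spelled out, and extension sections that mark the root CA:TRUE
# and restrict leaf certificates to serverAuth or clientAuth.
write_ca_conf() {
    ca="$1"
    mkdir -p "$ca/conf" "$ca/private" "$ca/newcerts" "$ca/server" "$ca/users"
    chmod 700 "$ca/private"
    cat > "$ca/conf/openssl.cnf" <<EOF
[ ca ]
default_ca = foo
[ foo ]
dir              = $ca
database         = $ca/index.txt
new_certs_dir    = $ca/newcerts
certificate      = $ca/private/ca.crt
serial           = $ca/serial
private_key      = $ca/private/ca.key
default_days     = 365
default_crl_days = 30
default_md       = sha256
unique_subject   = no
policy           = policy_any
[ policy_any ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
localityName           = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Self-signed root plus the serial and index files `openssl ca` needs.
build_ca() {
    ca="$1"
    write_ca_conf "$ca"
    openssl genrsa -out "$ca/private/ca.key" 2048 2>/dev/null
    chmod 600 "$ca/private/ca.key"          # whoever reads this can mint accepted client certificates
    openssl req -x509 -new -days 3650 -key "$ca/private/ca.key" -config "$ca/conf/openssl.cnf" \
        -extensions v3_ca -subj "/C=CN/ST=bj/O=bj/CN=Example Private Root CA" -out "$ca/private/ca.crt"
    echo 1000 > "$ca/serial"
    : > "$ca/index.txt"
}

# Server certificate for host $2, issued with the v3_server extensions.
issue_server_cert() {
    ca="$1"; host="$2"
    openssl genrsa -out "$ca/server/server.key" 2048 2>/dev/null
    openssl req -new -key "$ca/server/server.key" -config "$ca/conf/openssl.cnf" \
        -subj "/C=CN/ST=bj/O=bj/CN=$host" -out "$ca/server/server.csr"
    openssl ca -batch -notext -config "$ca/conf/openssl.cnf" -extensions v3_server \
        -in "$ca/server/server.csr" -out "$ca/server/server.crt" 2>/dev/null
}

# Client certificate for user $2: the CN names the user (not the site), the key is
# passphrase-protected with $3, and the pair is bundled as PKCS#12 for the browser.
issue_client_cert() {
    ca="$1"; user="$2"; pass="$3"
    openssl genrsa -aes256 -passout "pass:$pass" -out "$ca/users/$user.key" 2048 2>/dev/null
    openssl req -new -key "$ca/users/$user.key" -passin "pass:$pass" -config "$ca/conf/openssl.cnf" \
        -subj "/C=CN/ST=bj/O=bj/CN=$user" -out "$ca/users/$user.csr"
    openssl ca -batch -notext -config "$ca/conf/openssl.cnf" -extensions v3_client \
        -in "$ca/users/$user.csr" -out "$ca/users/$user.crt" 2>/dev/null
    openssl pkcs12 -export -clcerts -in "$ca/users/$user.crt" -inkey "$ca/users/$user.key" \
        -passin "pass:$pass" -passout "pass:$pass" -out "$ca/users/$user.p12"
}

# Succeeds only if $2 chains to CA $1 AND its extensions allow purpose $3
# (sslserver or sslclient): a client certificate must not pass as a server one.
verify_cert() {
    openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# Usage: build_ca /application/nginx/ca; issue_server_cert /application/nginx/ca www.etiantian.org
#        issue_client_cert /application/nginx/ca alice 'export-password'
```

Point ssl_certificate / ssl_certificate_key at server/server.crt and server/server.key, ssl_client_certificate at private/ca.crt, and import users/<name>.p12 into the browser as in 30.6.2.7. Because each leaf carries an extendedKeyUsage, a stolen server certificate cannot be replayed as a client identity, and a user's certificate cannot be used to impersonate the site.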

30.6.2.7 Verify again

Import the client.p12 you just downloaded into the browser's personal certificate store (it asks for the export password), then open https://www.etiantian.org again. The browser offers the imported certificate during the handshake (some prompt you to pick it), nginx verifies it against ca.crt, and the page is served normally. (The original notes showed the import dialogs and the resulting page as screenshots.)

30.6.2.8 Nginx SSL notes

1. Making the certificates prompts for passwords (the CSR challenge password, the passphrase of the client key generated with -des3, and the PKCS#12 export password). The server and client values do not have to match.

2. The province, city, organisation and similar fields entered for the server and client certificates must agree with those of the CA. This is not a TLS requirement but a consequence of the "match" entries in policy_any in openssl.conf: openssl ca refuses a request whose C, ST, O or OU differ from the CA certificate's. commonName is "supplied", so the client certificate can, and should, carry the user's identity rather than the site name.

3. Nginx does not enable SSI by default; the configuration above turns it on (this is unrelated to TLS).


Note: this content comes from the notes of student Wang at OldBoy Education (www.oldboyedu.com).
