Nginx: building the environment and configuring an SSL certificate from scratch

1. Install Nginx

#!/bin/bash
# Build dependencies: gcc and make are required for ./configure && make (not in the
# original script), pcre for the rewrite engine, openssl for the ssl module
yum -y install epel-release
yum install -y gcc make pcre pcre-devel openssl openssl-devel wget
mkdir -p /home/dilusense/tools
cd /home/dilusense/tools
wget http://nginx.org/download/nginx-1.10.2.tar.gz
tar xf nginx-1.10.2.tar.gz
cd nginx-1.10.2/
# Unprivileged account for the worker processes: no login shell, no home directory
useradd -s /sbin/nologin -M www
# --with-http_ssl_module is what makes the ssl_* directives available later
./configure --prefix=/usr/local/nginx-1.10.2 --user=www --group=www \
 --with-http_stub_status_module --with-http_ssl_module
make && make install
ln -s /usr/local/nginx-1.10.2 /usr/local/nginx
echo 'export PATH=$PATH:/usr/local/nginx/sbin/' >>/etc/profile
source /etc/profile
/usr/local/nginx/sbin/nginx

2. Check that the Nginx SSL module is built in

[root@nginx html]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.10.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC) 
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx-1.10.2 --user=www --group=www --with-http_stub_status_module \
--with-http_ssl_module

3. OpenSSL background

Netscape produced the first widely used browser, and to make page access more secure it modified the TCP/IP model slightly, inserting a conceptual "layer 3.5" between the transport and application layers called SSL (Secure Sockets Layer). SSL is not a standalone program but a library: before the application layer hands data to the transport layer, it calls into SSL to encrypt it. The commonly used versions were SSL v2 and v3, but since SSL was defined by Netscape it was not an open standard, so to make the encryption layer more open the TLS (Transport Layer Security) protocol appeared. The common version today is TLSv1 (which corresponds to SSL v3); TLS is better thought of as encryption implemented on top of the transport layer.

3.1 OpenSSL in detail

1. Get the OpenSSL version

[root@nginx key]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

2. Locate the OpenSSL configuration file

/etc/pki/tls/openssl.cnf  #<== OpenSSL configuration file, mainly used when setting up a private CA

3. List the openssl subcommands and their parameters

[root@nginx key]# openssl ?

4. Example: encrypting a file

[root@nginx key]# echo "hehe" >/root/1.txt
[root@nginx key]# openssl enc -des3 -salt -a -in /root/1.txt -out initab.des3
enter des-ede3-cbc encryption password:     <- encryption succeeds once the password is entered
Verifying - enter des-ede3-cbc encryption password:
[root@nginx key]# ls
initab.des3
[root@nginx key]# openssl enc -des3 -d -salt -a -in initab.des3 -out inittab
<- decryption succeeds once the password is entered
Note: the -salt option adds a random salt so that the key derived from the password cannot be reverse-derived from the encrypted output.
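The same password-based file encryption, as an added example that is not from the original post: it uses AES-256-CBC with PBKDF2 key derivation instead of the DES3 and legacy derivation shown above, reads the password from a file rather than a prompt, and checks both that the file round-trips and that a wrong password does not yield the original bytes. It assumes the openssl CLI (1.1.1 or newer, which added -pbkdf2) is on PATH; the file names and contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI (>= 1.1.1) is on PATH.
set -eu

# encrypt_file IN OUT PASSFILE
# -salt        store a random salt in the output so the same password never derives the
#              same key twice, which defeats precomputed key tables
# -pbkdf2      derive the key with PBKDF2 (200000 iterations) instead of the legacy
#              single-pass derivation, making password guessing slow
# -a           base64-armour the output, as the post does
# -pass file:  read the password from a file instead of argv, so it does not appear
#              in the process list or the shell history
encrypt_file() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 -a \
        -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_file IN OUT PASSFILE: the inverse; all key-derivation flags must match.
decrypt_file() {
    openssl enc -aes-256-cbc -d -pbkdf2 -iter 200000 -a \
        -in "$1" -out "$2" -pass "file:$3"
}

# sha256_of FILE: digest used to compare files without depending on cmp.
sha256_of() {
    openssl dgst -sha256 < "$1"
}

# roundtrip_ok PLAINTEXT PASSFILE: exit 0 iff decrypt(encrypt(x)) == x
roundtrip_ok() {
    dir=$(mktemp -d)
    encrypt_file "$1" "$dir/enc" "$2"
    decrypt_file "$dir/enc" "$dir/dec" "$2"
    r=1
    [ "$(sha256_of "$1")" = "$(sha256_of "$dir/dec")" ] && r=0
    rm -rf "$dir"
    return $r
}

# wrong_password_rejected PLAINTEXT PASSFILE WRONGPASSFILE: exit 0 iff decrypting with
# the wrong password either fails (bad padding) or produces different bytes.
wrong_password_rejected() {
    dir=$(mktemp -d)
    encrypt_file "$1" "$dir/enc" "$2"
    r=0
    if decrypt_file "$dir/enc" "$dir/dec" "$3" 2>/dev/null; then
        [ "$(sha256_of "$1")" != "$(sha256_of "$dir/dec")" ] || r=1
    fi
    rm -rf "$dir"
    return $r
}

# Demo with constructed sample data (the post's "hehe" file and two password files).
work=$(mktemp -d)
printf 'hehe\n' > "$work/1.txt"
printf 'correct horse battery staple\n' > "$work/pass"
printf 'not the password\n' > "$work/wrongpass"
roundtrip_ok "$work/1.txt" "$work/pass" && echo "round trip ok"
wrong_password_rejected "$work/1.txt" "$work/pass" "$work/wrongpass" && echo "wrong password rejected"
rm -rf "$work"
```

The base64 output still begins with the literal "Salted__" header (base64 "U2FsdGVkX1"), which is how the decrypting side finds the salt; it is not secret, the password is.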

4. Prepare the private key and certificate

4.1 Create the server private key

1. First, change into the directory where you want to create the certificate and private key, for example:

[root@nginx ~]# mkdir /usr/local/nginx/key
[root@nginx key]# cd /usr/local/nginx/key

2. Create the server private key; the command prompts for a passphrase:

[root@nginx key]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..............................++++++
.......................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

## Note: this creates a private key 1024 bits long and saves it straight to the file; the key length must come after the output file name.

4.2 Create a certificate signing request

1. Create the certificate signing request (CSR):

[root@nginx key]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN           <- country for the certificate
State or Province Name (full name) []:BJ       <- province
Locality Name (eg, city) [Default City]:BJ     <- city
Organization Name (eg, company) [Default Company Ltd]:dilusense   <- organization
Organizational Unit Name (eg, section) []:it         <- department / organizational unit
Common Name (eg, your name or your server's hostname) []:xionghaier.cn  <- host name of the server

Note: this value is very important: the client connects to the server by this host name and then obtains the certificate, which must be issued for that same name.

Email Address []:443060965@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:dilusense

2. Strip the passphrase from the private key so that Nginx with SSL support can load it without prompting at startup:

[root@nginx key]# cp server.key server.key.org
[root@nginx key]# openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org:
writing RSA key

3. Finally, sign the certificate with the private key and CSR above:

[root@nginx key]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=dilusense/OU=it/CN=xionghaier.cn/emailAddress=443060965@qq.com
Getting Private key
Parameter notes:
req    <- create a certificate request
-new   <- the request is a new one
x509   <- the certificate uses the standard X.509 format
-key   <- the private key file to use
-out   <- the output certificate file
-days  <- the validity period of the certificate, in days
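The key, CSR and self-signed certificate steps of section 4 as one non-interactive script, added here as an example that is not from the original post. It passes the DN with -subj instead of answering prompts, uses a 2048-bit key with no passphrase (kept owner-readable only, since it sits unencrypted on disk), adds the host name as a DNS subjectAltName (browsers match the host name against the SAN, not the CN), and then verifies that the certificate really belongs to the key before either is handed to nginx. It assumes the openssl CLI is on PATH; the host name and DN fields are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is on PATH.
set -eu

# make_selfsigned DIR HOST DAYS
#   DIR   output directory (created if missing)
#   HOST  server host name: becomes the CN and the DNS subjectAltName
#   DAYS  validity period in days
make_selfsigned() {
    dir=$1; host=$2; days=$3
    mkdir -p "$dir"
    # 2048-bit key (the post uses 1024, below current minimums) with no passphrase so
    # nginx can start unattended; the subshell's umask makes the key file mode 0600.
    ( umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null )
    # CSR with the DN passed via -subj instead of answering the interactive prompts.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=CN/ST=BJ/L=BJ/O=example/OU=it/CN=$host"
    # Self-sign the CSR; the extension file adds the SAN that the post's command omits.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -extfile "$dir/san.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# key_matches_cert DIR: exit 0 iff the public key in server.crt is server.key's.
# A mismatch is the usual reason nginx refuses to start with a "key values mismatch" error.
key_matches_cert() {
    k=$(openssl rsa -in "$1/server.key" -noout -modulus 2>/dev/null)
    c=$(openssl x509 -in "$1/server.crt" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_has_san DIR HOST: exit 0 iff the certificate lists DNS:HOST.
cert_has_san() {
    openssl x509 -in "$1/server.crt" -noout -text | grep -q "DNS:$2"
}

# key_is_private DIR: exit 0 iff server.key is readable and writable by its owner only.
key_is_private() {
    [ "$(ls -l "$1/server.key" | cut -c1-10)" = "-rw-------" ]
}

# Demo run in a temporary directory with the post's host name.
out=$(mktemp -d)
make_selfsigned "$out" xionghaier.cn 365
key_matches_cert "$out" && cert_has_san "$out" xionghaier.cn && key_is_private "$out" \
    && echo "server.crt matches server.key, carries DNS:xionghaier.cn, key is mode 0600"
rm -rf "$out"
```

Run the three checks again whenever a certificate is renewed or replaced; a certificate that verifies but was issued for a different key is the classic cause of a reload that passes nginx -t yet fails at startup.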

5. Configure Nginx SSL

[root@nginx conf]# cat /usr/local/nginx/conf/nginx.conf
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        #listen 80;
        listen 443;
        server_name blog.xionghaier.cn;
        ssl on;
        ssl_certificate key/server.crt;
        ssl_certificate_key key/server.key;
        location / {
            root html;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}

5.1 Reload nginx to apply the configuration

[root@nginx conf]# nginx -t
nginx: the configuration file /usr/local/nginx-1.10.2/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx-1.10.2/conf/nginx.conf test is successful
[root@nginx conf]# nginx -s reload
[root@nginx conf]# netstat -lntup|grep 443
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 6573/nginx: master

5.2 Test HTTPS

Because this certificate is self-signed rather than issued by a trusted third-party CA, the browser will show a warning. A public-facing service that needs encryption must use a commercial certificate signed by a third-party CA.

Test in the browser by entering:
https://localhost

6. Redirect HTTP to HTTPS (project requirement)

6.1 Add a server block

[root@nginx conf]# sed -n "28,32p" nginx.conf
    server {
        listen 80;
        server_name blog.xionghaier.cn;
        rewrite ^(.*) https://$server_name$1 permanent;
    }

6.2 Visit blog.xionghaier.cn to verify the redirect

7. Using a CA-issued certificate

1. If you use a certificate issued by a CA, the steps above can be skipped: download the issued certificate to the appropriate location on the server and reference it in the configuration.

2. After downloading, upload it to the server and extract it.

3. Reference it in the configuration:

[root@izm5eh8g1nh0vcbupue6dnz cert]# vim /etc/nginx/conf.d/blog.conf

server {
    listen 80 default_server;
    server_name _;
    rewrite ^(.*) https://www.xionghaier.cn/$1 permanent;
}

server {
    listen 443;
    server_name www.xionghaier.cn;
    ssl on;
    ssl_certificate /etc/nginx/conf.d/cert/214687464140432.pem;
    ssl_certificate_key /etc/nginx/conf.d/cert/214687464140432.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        root html/blog;
        index index.php index.html index.htm;
        # auth_basic "blog.xionghaizi.com";
        # auth_basic_user_file /etc/nginx/conf/htpasswd;
    }
    location ~* .*\.(php|php5)?$ {
        root html/blog;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
}
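The redirect-plus-HTTPS layout of sections 5 to 7 with the weak or deprecated settings replaced, added here as an example that is not from the original post: a shell function writes the site file so the result can be checked, and a second function asserts that the hardened directives are present and the old ones absent. Compared with the post's configuration it uses "listen 443 ssl" instead of the standalone ssl on/off directive, "return 301" with $request_uri instead of a regex rewrite, only TLS 1.2 and 1.3 with forward-secret AEAD suites, HSTS, and try_files in the PHP location so non-existent script paths are not passed to PHP-FPM. The host name, certificate paths and backend address are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Only POSIX sh and grep are needed;
# nginx itself is not required to write or check the file.
set -eu

# write_tls_site_conf OUT HOST CERT KEY
#   OUT   file to write (e.g. /etc/nginx/conf.d/blog.conf)
#   HOST  public host name, e.g. www.example.invalid
#   CERT  full-chain certificate file (PEM)
#   KEY   private key file (PEM, mode 0600)
write_tls_site_conf() {
    out=$1; host=$2; cert=$3; key=$4
    cat > "$out" <<EOF
# Port 80: send everything to HTTPS. "return 301" keeps the original request
# URI via \$request_uri and needs no regular expression.
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host\$request_uri;
}

server {
    # "listen 443 ssl" is the current form; the standalone on/off directive is deprecated.
    listen 443 ssl;
    server_name $host;

    ssl_certificate $cert;
    ssl_certificate_key $key;

    # Only TLS 1.2 and 1.3; the older protocol versions from the post are disabled.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only (TLS 1.3 suites are selected by OpenSSL itself).
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Tell browsers to use HTTPS for this host from now on.
    add_header Strict-Transport-Security "max-age=63072000" always;

    root  html/blog;
    index index.php index.html index.htm;

    location ~ \.php\$ {
        # Refuse URIs whose script file does not exist instead of handing them to PHP-FPM.
        try_files \$uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
}
EOF
}

# check_conf_expectations FILE: exit 0 iff the hardened directives are present and the
# deprecated ones absent (grep -F: fixed strings, so "." and "$" are not regex metacharacters).
check_conf_expectations() {
    grep -qF 'listen 443 ssl;' "$1" &&
    grep -qF 'ssl_protocols TLSv1.2 TLSv1.3;' "$1" &&
    grep -qF 'Strict-Transport-Security' "$1" &&
    ! grep -qF 'ssl on;' "$1" &&
    ! grep -qF 'TLSv1.1' "$1"
}

# Demo: write the file to a temporary path and check it.
conf=$(mktemp)
write_tls_site_conf "$conf" www.example.invalid /etc/nginx/conf.d/cert/site.pem /etc/nginx/conf.d/cert/site.key
check_conf_expectations "$conf" && echo "hardened site configuration written to $conf"
```

After copying the file into the conf.d directory, nginx -t validates it together with the main configuration before nginx -s reload; enable the HSTS header only once every name under that host is served over HTTPS, because browsers will refuse plain HTTP for it for the whole max-age.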
