Nginx HTTPS功能部署实践

本文出处:http://oldboy.blog.51cto.com/2561410/1889346

30.1 文档目的

本文目的提高自己文档的写作能力及排版能力,加强上课所讲的内容得以锻炼也方便自己以后查阅特写此文档。

30.2 文档内容

本章内容包括:单向和双向认证的概念、openssl的介绍、Nginx单向ssl的配置前提、使用openssl制作证书(单向认证与双向认证)。

30.3 单向认证与双向认证的概念

30.3.1 什么是单向认证

单项认证就是比如你有个密码用户名然后和服务器上的用户信息进行比对一致的话你们就可以建立连接.

30.3.2 什么是双向认证

SSL的双向认证就是客户端要获取服务端的证书,检查下服务端是不是我可以信任的主机,否则我就认为那个站点的内容不可信任,不应该去访问你(浏览器会告诉你),同时服务端也要检查客户端的证书,客户端如果不是服务端所信任的,那服务端也会认为,你不是我的合法用户,我拒绝给你提供服务。所以要让 HTTPS的双向认证顺利完成,就要在服务端给定一个证书,这个证书是浏览器可信任的,同时客户端(浏览器)也要发送给服务端一个证书,服务器端也要信任这个证书。

要想让浏览器纯自然地就去信任服务端的证书,那服务端所使用的证书就得是那几大已经被大家所信任的证书机构给他签名,不过一般要钱。

通俗点来讲就是你有个密码用户名你先发给服务器进行比对,如果一致服务器再把它的密码用户名发到你机器上与你机器上保留的用户信息进行比对如果还一致则建立链接!

30.4 openssl的介绍

openssl为开源软件,在Linux(或UNIX/Cygwin)下创建一个简单的CA。(certification authority)是以构建在公钥基础设施pki(public key infrastructure)基础之上的产生和确定数字证书的第三方可信机构)我们可以利用这个CA进行PKI、数字证书相关的测试。比如,在测试用Tomcat或Apache构建HTTPS双向认证时,我们可以利用自己建立的测试CA来为服务器端颁发服务器数字证书,为客户端(浏览器)生成文件形式的数字证书(可以同时利用openssl生成客户端私钥。

30.5 Nginx单双向ssl的配置前提

  • LNMP环境的前提下
  • 编译安装Nginx时候安装的两个参数--with-http_stub_status_module、(是为了启用nginx的NginxStatus 功能,用来监控nginx的当前状态)--with-http_ssl_module(启动ssl模块)
  • 安装openssl openssl-devel

[[email protected] ~]# /application/nginx/sbin/nginx -V

nginx version: nginx/1.6.2

built by gcc 4.4.7 20120313 (Red Hat 4.4.7-11)(GCC)

configure arguments: --user=nginx --group=nginx--prefix=/application/nginx-1.6.2 --with-http_stub_status_module--with-http_ssl_module

30.6 使用openssl制作证书

30.6.1 服务器单项认证

30.6.1.1 创建并进入sslkey存放目录

[[email protected] ~]# mkdir -p /application/nginx/sslkey

[[email protected] ~]# cd /application/nginx/sslkey/

30.6.1.2 生成RSA密钥

[[email protected] sslkey]# openssl genrsa -out key.pem2048

30.6.1.3 生成一个证书请求

[[email protected] sslkey]# openssl req -new -key key.pem-out cert.csr

You are about to be asked to enter informationthat will be incorporatedThere are quite a few fields but you can leave someblank

For some fields there will be a default value,

If you enter ‘.‘, the field will be left blank.

Country Name (2 letter code) [XX]:cn //输入国家名字

State or Province Name (full name) []:bj //输入省市

Locality Name (eg, city) [Default City]:bj //输入省市

Organization Name (eg, company) [Default CompanyLtd]:bj //输入公司名称

Organizational Unit Name (eg, section) []:bj //组织名字

Common Name (eg, your name or your server‘shostname) []:www.etiantian.org //要配置的ssl域名

Email Address []:[email protected] //Email地址

Please enter the following ‘extra‘ attributes

to be sent with your certificate request

A challenge password []:123456  //密码

An optional company name []:123456 //密码

30.6.1.4 修改nginx的主配置文件

[[email protected] ~]# cat/application/nginx/conf/nginx.conf

worker_processes 1;

events {

worker_connections  1024;

}

http {

include       mime.types;

default_type application/octet-stream;

sendfile        on;

keepalive_timeout  65;

server{

listen       443;

server_name  www.etiantian.org;

ssl               on;

ssl_certificate      /application/nginx/sslkey/server.crt;

ssl_certificate_key  /application/nginx/sslkey/server.key;

ssl_session_timeout  5m;

ssl_protocols  SSLv3 TLSv1;

ssl_ciphers  HIGH:!ADH:!EXPORT56:RC4+RSA:+MEDIUM;

ssl_prefer_server_ciphers   on;

location/ {

root   html/blog;

index  index.html index.htm;

}

}

}

[[email protected] ~]# /application/nginx/sbin/nginx –t //检查语法

[[email protected] ~]# /application/nginx/sbin/nginx -sreload //重新启动

30.6.1.5验证结果

30.6.2 服务器客户端双向认证

30.6.2.1 分别创建证书各自存放目录

[[email protected]~]# mkdir /application/nginx/ca

[[email protected]~]# cd /application/nginx/ca

[[email protected]]# mkdir newcerts private conf server

newcerts子目录将存放CA签署(颁发)过的数字证书(证书备份目录)。

private目录用于存放CA的私钥。

conf只是用于存放一些简化参数。

Server 目录用于存放自己的证书。

1、在conf目录创建文件openssl.conf配置文件

[[email protected]~]# cat /application/nginx/ca/conf/openssl.conf

[ ca ]

default_ca = foo  #默认ca的段名配置好后 openssl 就会

寻找相同段名的配置

[ foo ]

dir    =/application/nginx/ca    #ca 的顶级目录

database  =/application/nginx/ca/index.txt  #的数据库索引文件

new_certs_dir = /application/nginx/ca/newcerts#新生成的CA目录

certificate  = /application/nginx/ca/private/ca.crt #CA证书

serial      = /application/nginx/ca/serial   #CA序列号文件

private_key = /application/nginx/ca/private/ca.key # CA私钥

RANDFILE  =/application/nginx/ca/private/.rand  #随机数文件

default_days = 365   # CA证书的有效期

default_crl_days= 30   #CA证书过期前多久提示

default_md    = md5   # 加密方法

#unique_subject = no

policy    =policy_any  #客户端默认设置

[ policy_any ]

countryName = match

stateOrProvinceName = match

organizationName = match

organizationalUnitName = match

localityName         = optional

commonName       = supplied

emailAddress         = optional

30.6.2.2 使用脚本创建新根CA证书

1、查看脚本内容

[[email protected] ~]# cat/application/nginx/ca/new_ca.sh

#!/bin/sh

生成CA私钥

openssl genrsa -out private/ca.key

生成证书请求

openssl req -new -key private/ca.key -outprivate/ca.csr

签名 CA 证书请求,使用自己的私钥来给这个 CA 证书请求签名

openssl x509 -req -days 365 -in private/ca.csr-signkey private/ca.key -out private/ca.crt

以下三行与创建 CA 秘钥数据库索引文件有关

echo FACE > serial

touch index.txt

openssl ca -gencrl -out/application/nginx/ca/private/ca.crl -crldays 7 -config"/application/nginx/ca/conf/openssl.conf"

2、执行脚本创建根CA证书

[[email protected] ca]# sh new_ca.sh

Generating RSA private key, 1024 bit long modulus

.......................................++++++

.++++++

e is 65537 (0x10001)

You are about to be asked to enter informationthat will be incorporated

into your certificate request.

What you are about to enter is what is called aDistinguished Name or a DN.

There are quite a few fields but you can leavesome blank

For some fields there will be a default value,

If you enter ‘.‘, the field will be left blank.

-----

Country Name (2 letter code) [XX]:cn

State or Province Name (full name) []:bj

Locality Name (eg, city) [Default City]:bj

Organization Name (eg, company) [Default CompanyLtd]:bj

Organizational Unit Name (eg, section) []:bj

Common Name (eg, your name or your server‘shostname) []:www.etiantian.org

Email Address []:[email protected]

Please enter the following ‘extra‘ attributes

to be sent with your certificate request

A challenge password []:123456

An optional company name []:123456

Signature ok

subject=/C=cn/ST=bj/L=bj/O=bj/OU=bj/CN=www.etiantian.org/[email protected]

Getting Private key

Using configuration from/application/nginx/ca/conf/openssl.conf

3、查看生成的CA证书并保证里边有内容

30.6.2.3 使用脚本生成服务器证书

1、查看脚本内容

[[email protected] ~]# cd /application/nginx/ca/

[[email protected] ca]# cat new_server.sh

# Create us a key. Don‘t bother putting apassword on it since you will need it to start apache. If you have a betterwork around I‘d love to hear it.

创建服务器私钥

openssl genrsa -out server/server.key

利用私钥创建一个证书签名请求

openssl req -new -key server/server.key -outserver/server.csr

openssl ca -in server/server.csr -certprivate/ca.crt -keyfile private/ca.key -out server/server.crt -config"/application/nginx/ca/conf/openssl.conf"

2、执行脚本创建生成服务器证书

[[email protected] ca]#sh new_server.sh

Generating RSAprivate key, 1024 bit long modulus

.....................++++++

...........................................................++++++

e is 65537(0x10001)

You are about tobe asked to enter information that will be incorporated

into yourcertificate request.

What you areabout to enter is what is called a Distinguished Name or a DN.

There are quitea few fields but you can leave some blank

For some fieldsthere will be a default value,

If you enter‘.‘, the field will be left blank.

Country Name (2letter code) [XX]:cn

State orProvince Name (full name) []:bj

Locality Name(eg, city) [Default City]:bj

OrganizationName (eg, company) [Default Company Ltd]:bj

OrganizationalUnit Name (eg, section) []:bj

Common Name (eg,your name or your server‘s hostname) []:www.etiantian.org

Email Address[]:[email protected]

Please enter thefollowing ‘extra‘ attributes

to be sent withyour certificate request

A challengepassword []:123456

An optionalcompany name []:123456

Using configurationfrom /application/nginx/ca/conf/openssl.conf

Check that therequest matches the signature

Signature ok

The Subject‘sDistinguished Name is as follows

countryName           :PRINTABLE:‘cn‘

stateOrProvinceName   :ASN.1 12:‘bj‘

localityName          :ASN.1 12:‘bj‘

organizationName      :ASN.1 12:‘bj‘

organizationalUnitName:ASN.112:‘bj‘

commonName            :ASN.1 12:‘www.etiantian.org‘

emailAddress          :IA5STRING:‘[email protected]‘

Certificate isto be certified until Mar  5 10:14:252016 GMT (365 days)

Sign thecertificate? [y/n]:y

1 out of 1certificate requests certified, commit? [y/n]y

Write outdatabase with 1 new entries

3、查看生成的服务器证书里边有内容否则后边会报错

30.6.2.4 配置Nginx的主配置文件

[[email protected] ~]#cat /application/nginx/conf/nginx.conf

worker_processes  1;

events {

worker_connections  1024;

}

http {

include       mime.types;

default_type  application/octet-stream;

sendfile        on;

keepalive_timeout  65;

# HTTPSserver

server {

listen       443;

root html/blog;

index index.phpindex.html index.htm;

server_name  www.etiantian.org;

ssi on;

ssi_silent_errorson;

ssi_typestext/shtml;

ssl               on;

ssl_certificate     /application/nginx/ca/server/server.crt;

ssl_certificate_key  /application/nginx/ca/server/server.key;

ssl_client_certificate/application/nginx/ca/private/ca.crt;

ssl_session_timeout  5m;

ssl_verify_clienton;

ssl_protocols  SSLv2 SSLv3 TLSv1;

ssl_ciphersALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

ssl_prefer_server_ciphers   on;

location / {

root html/blog;

index index.php index.html index.htm;

}

}

}

[[email protected] ~]#/application/nginx/sbin/nginx –t //检查语法

[[email protected] ~]#/application/nginx/sbin/nginx -s reload //重新启动

30.6.2.5 验证结果

30.6.2.6 访问出现400 Bad Reques解决办法生成客户端证书

1、查看脚本内容

[[email protected] ~]#cat /application/nginx/ca/new_user.sh

#!/bin/sh

base="/application//nginx/ca"

mkdir -p$base/users/

生成客户端私钥

openssl genrsa-des3 -out $base/users/client.key 1024

根据证书生成私钥请求

openssl req -new-key $base/users/client.key -out $base/users/client.csr

生成客户端证书

openssl ca -in$base/users/client.csr -cert $base/private/ca.crt -keyfile $base/private/ca.key-out $base/users/client.crt -config "/application/nginx/ca/conf/openssl.conf"

将客户端证书转为PKCS(Personal Information Exchange)12 后缀,使大多数浏览器都能接

openssl pkcs12-export -clcerts -in $base/users/client.crt -inkey $base/users/client.key -out$base/users/client.p12

2、执行脚本生成客户端证书

[[email protected] ca]#sh new_user.sh

Generating RSAprivate key, 1024 bit long modulus

....++++++

...................................................++++++

e is 65537(0x10001)

Enter passphrase for /application//nginx/ca/users/client.key:

Verifying -Enter pass phrase for /application//nginx/ca/users/client.key:

Enter pass phrasefor /application//nginx/ca/users/client.key:

You are about tobe asked to enter information that will be incorporated

into yourcertificate request.

What you areabout to enter is what is called a Distinguished Name or a DN.

There are quitea few fields but you can leave some blank

For some fieldsthere will be a default value,

If you enter‘.‘, the field will be left blank.

-----

Country Name (2letter code) [XX]:cn

State orProvince Name (full name) []:bj

Locality Name(eg, city) [Default City]:bj

OrganizationName (eg, company) [Default Company Ltd]:bj

OrganizationalUnit Name (eg, section) []:bj

Common Name (eg,your name or your server‘s hostname) []:www.etiantian.org

Email Address[]:[email protected]

Please enter thefollowing ‘extra‘ attributes

to be sent withyour certificate request

A challengepassword []:123456

An optionalcompany name []:123456

Usingconfiguration from /application/nginx/ca/conf/openssl.conf

Check that therequest matches the signature

Signature ok

The Subject‘sDistinguished Name is as follows

countryName           :PRINTABLE:‘cn‘

stateOrProvinceName   :ASN.1 12:‘bj‘

localityName          :ASN.1 12:‘bj‘

organizationName      :ASN.1 12:‘bj‘

organizationalUnitName:ASN.112:‘bj‘

commonName            :ASN.1 12:‘www.etiantian.org‘

emailAddress          :IA5STRING:‘[email protected]‘

Certificate isto be certified until Mar  5 10:24:172016 GMT (365 days)

Sign thecertificate? [y/n]:y

1 out of 1certificate requests certified, commit? [y/n]y

Write outdatabase with 1 new entries

Data BaseUpdated

Enter passphrase for /application//nginx/ca/users/client.key:

Enter ExportPassword:

Verifying -Enter Export Password:

3、查看生成的证书

将client.p12下载到本地桌面

[[email protected] ~]#cd /application/nginx-1.6.2/ca/users/

[[email protected]]# sz -y client.p12

30.6.2.7 再次验证结果

在浏览器中输入https://www.etiantian.org访问添加刚才下载下来的证书就可以正常访问了!

在这里是将你刚才从服务器上下载下来的client.p12导入就OK了!

30.6.2.8 做Nginx-SSL注意事项

1、制作证书时会提示输入密码,服务器证书和客户端证书密码可以不相同。

2、服务器证书和客户端证书制作时提示输入省份、城市、域名信息等,需保持一致。

3、Nginx默认未开启SSI,上面配置已开启。

时间: 2024-10-11 19:30:24

Nginx HTTPS功能部署实践的相关文章

https部署实践 (Let's Encrypt)

1 .获取 Let's Encrypt git clone https://github.com/letsencrypt/letsencrypt cd letsencrypt chmod +x letsencrypt-auto 2 .执行安装证书 ./letsencrypt-auto certonly -a webroot --webroot-path=/home/www/demo.com --email [email protected] -d demo.com -d www.demo.com

HTTPS协议介绍—使用Nginx+SSL实现部署与性能优化

一.HTTPS协议简介 HTTPS 可以认为是 HTTP + TLS.HTTP 协议大家耳熟能详了,目前大部分 WEB 应用和网站都是使用 HTTP 协议传输的. TLS 是传输层加密协议,它的前身是 SSL 协议,最早由 netscape 公司于 1995 年发布,1999 年经过 IETF 讨论和规范后,改名为 TLS.如果没有特别说明,SSL 和 TLS 说的都是同一个协议. HTTP 和 TLS 在协议层的位置以及 TLS 协议的组成如下图: TLS 协议主要有五部分:应用数据层协议,握

ASP.NET Core在CentOS上的最小化部署实践

原文:ASP.NET Core在CentOS上的最小化部署实践 引言 本文从Linux小白的视角, 在CentOS 7.x服务器上搭建一个Nginx-Powered AspNet Core Web准生产应用. 在开始之前,我们还是重温一下部署原理,正如你所常见的.Net Core 部署图: 在Linux上部署.Net Core App最好的方式是在Linux机器上使用Kestrel 服务在端口5000上支撑web应用: 然后设置Nginx作为反向代理服务器,将输入请求转发给Kestrel服务器,

转:Nginx RTMP 功能研究

看点: 1.    Nginx 配置信息与使用.  (支持 rtmp与HLS配置) 2.    有ffmpeg 编译与使用,    命令行方式来测试验证客户端使用. 转自:http://blog.csdn.net/cccallen/article/details/8440191 Nginx-RTMP功能调研 1. RTMP协议介绍...2 2.RTMP server.3 2.1当前的流媒体server.3 2.2Wowza功能...3 3.Nginx-based RTMP server.5 3.

Nginx视频教程|Nginx从入门到实践

Nginx从入门到实践网盘地址:https://pan.baidu.com/s/1kXf6pH9 密码:0iud备用地址(腾讯微云):https://share.weiyun.com/76db50c30a433f512db3d80692fbb299 密码:WOrWdY 第1章 课程前言总览课程,介绍课程学习须知,环境准备,了解课程意义. 第2章 基础篇讲解Nginx的快速部署安装.模块.基础配置语法.Nginx的日志输出.Nginx默认配置模块.Nginx对于请求的处理,访问控制模块使用,并区别

Nginx+uWSGI+Django部署web服务器

目录 Nginx+uWSGI+Django部署web服务器 环境说明 前言 搭建项目 Django部署 编辑luffy/luffy/settings.py 编辑luffy/app01/views.py 编辑luffy/luffy/urls.py 运行并测试 uWSGI部署 测试运行uWSGI 使用uWSGI运行django项目 uWSGi热加载Djangoa项目 部署nginx nginx配置uwsgi和django django部署static文件 重新加载nginx进行测试 测试nginx

使用Nginx和uwsgi部署Flask项目

前言 之前用Flask框架开发了一个Python的Web项目,使用Nginx和uWSGI部署起来感觉挺麻烦,过程中还因为对Flask框架的不熟悉,花了好长时间才把应用完全部署起来.下面分享部署成功的相关配置以及部署Flask项目时极可能犯的一个小错误. 一. 配置 1. Flask Web项目源码 Nginx使用的版本是1.6.1,uWSGI是2.0.8,Flask是0.10.1.在Linux环境下安装好Nginx.uWSGI和Flask之后,将使用Flask框架开发的web项目源码放到Linu

Nginx主要功能及使用

序言 Nginx是lgor Sysoev为俄罗斯访问量第二的rambler.ru站点设计开发的.从2004年发布至今,凭借开源的力量,已经接近成熟与完善. Nginx功能丰富,可作为HTTP服务器,也可作为反向代理服务器,邮件服务器.支持FastCGI.SSL.Virtual Host.URL Rewrite.Gzip等功能.并且支持很多第三方的模块扩展. Nginx的稳定性.功能集.示例配置文件和低系统资源的消耗让他后来居上,在全球活跃的网站中有12.18%的使用比率,大约为2220万个网站.

HTTPS 常见部署问题及解决方案

在最近几年里,我写了很多有关 HTTPS 和 HTTP/2 的文章,涵盖了证书申请.Nginx 编译及配置.性能优化等方方面面.在这些文章的评论中,不少读者提出了各种各样的问题,我的邮箱也经常收到类似的邮件.本文用来罗列其中有代表性.且我知道解决方案的问题. 为了控制篇幅,本文尽量只给出结论和引用链接,不展开讨论,如有疑问或不同意见,欢迎留言讨论.本文会持续更新,欢迎大家贡献自己遇到的问题和解决方案. 实际上,遇到任何有关部署 HTTPS 或 HTTP/2 的问题,都推荐先用 Qualys SS