引言
随着技术的方法,http传输协议并不能保证数据传输的安全性,随后https技术应运而生,nginx服务器支持https协议,配置的代码也比较难记,记录下以防遗忘。
HTTPS数据传输过程
- 客户端向服务器发送https请求;
- 服务器上存储了一套数字证书,其实质为一对公私钥。数字证书可以自己制作,也可以向组织申请。前者在客户端访问时需要验证才能继续访问;后者不会弹出验证提示;
- 服务器将公钥传输给客户端;
- 客户端验证公钥是否合法:无效(自己制作的)会弹出警告,有效的则生成一串随机数,用此随机数加密公钥;
- 客户端将加密后的字符串传输给服务器
- 服务器收到字符串后,先使用私钥进行解密,获取加密使用的随机数,并以此随机数加密传输的数据(对称机密);
- 服务器将加密后的数据传输给客户端;
- 客户端收到数据后,使用自己的私钥(即随机字符串)进行解密。
对称加密:将数据和私钥(随机字符串)通过某种算法混合在一起,除非知道私钥,否则无法解密。
前期准备
nginx支持https所需的ngx-http_ssl_module在编译时默认是不安装的,需要二次编译安装(一开始就安装了的就不用再编译了)。
查看安装的nginx是否已安装ssl模块
[[email protected] conf]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx/ 安装前需要注意一点:重新编译后可能导致之前做的某些修改重置,例如虚拟主机文件被清除,因此最好对重要配置文件先进行备份。
# 切换到你之前安装所使用的nginx软件包内
[[email protected] conf]# cd /usr/local/src/nginx-1.12.2/
[[email protected] nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[[email protected] nginx-1.12.2]# make && make install
[[email protected] conf]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx/ --with-http_ssl_module
创建自定义证书文件
- 创建私钥key
[[email protected] ~]# cd /usr/local/nginx/conf
# 创建私钥key文件,必须输入密码,否则无法生成key文件
[[email protected] conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
..............................+++
...............................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:- 转换key,取消密码
[[email protected] conf]# openssl rsa -in tmp.key -out test.key
Enter pass phrase for tmp.key:
writing RSA key
[[email protected] conf]# rm -f tmp.key - 生成证书
[[email protected] conf]# openssl req -new -key test.key -out test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ZheJiang
Locality Name (eg, city) [Default City]:QuZhou
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server‘s hostname) []:
Email Address []:
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# 需要使用csr文件与私钥一起生成.crt文件
[[email protected] conf]# openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt
Signature ok
subject=/C=CN/ST=ZheJiang/L=QuZhou/O=Default Company Ltd
Getting Private key这样一个自定义创建的数字证书文件就创建成功了
SSL配置代码
- 创建新虚拟主机配置文件
[[email protected] conf]#vim /usr/local/nginx/conf/vhost/ssl.conf
server
{
listen 443;
server_name test.com;
index index.html index.php;
root /data/www/test.com;
ssl on;
# 指定自定义的数字证书
ssl_certificate test.crt;
# 指定对应的key文件
ssl_certificate_key test.key;
ssl_protocols TLSv1 TLS1.1 TLS1.2;
}- 创建对应目录及文件
[[email protected] conf]# mkdir -p /data/www/test.com
[[email protected] conf]# vim /data/www/test.com/index.php
ssl test page.- 重启服务
[[email protected] conf]# /usr/local/nginx/sbin/nginx -t
[[email protected] conf]# /usr/local/nginx/sbin/nginx -s reload
# 查看443端口是否开放
[[email protected] conf]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
...
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4953/nginx: master
...神奇的nginx之https支持
原文地址:http://blog.51cto.com/castiel/2060000
时间: 2024-07-30 02:23:03