nginx配置ssh

感谢大牛的技术分享,本文参照:http://blog.csdn.net/kunoy/article/details/8239653,进行,并修正为自己的配置,本文为双向验证的配置。

配置环境

系统:centos6.5

nginx:1.6.2(安装通过yum安装,添加源,这个是stable`稳定版本`,http://nginx.org/packages/centos/6/noarch/RPMS/nginx-release-centos-6-0.el6.ngx.noarch.rpm)

开始配置

nginx配置文件位置:

> /etc/nginx/conf.d/example_ssl.conf

修改/etc/nginx/conf.d/example_ssl.conf

注:/etc/nginx/conf.d/example_ssl.conf是被/etc/nginx/nginx.conf包含到自身的一个文件。

改为内容如下

#HTTP-SERVER
server {
        listen       443;
        server_name  localhost;
        ssi on;
        ssi_silent_errors on;
        ssi_types text/shtml;  

        ssl                  on;
        ssl_certificate      /etc/nginx/ca/server/server.crt;
        ssl_certificate_key  /etc/nginx/ca/server/server.key;
        ssl_client_certificate /etc/nginx/ca/private/ca.crt;  

        ssl_session_timeout  5m;
        ssl_verify_client on;  

        ssl_protocols  SSLv2 SSLv3 TLSv1;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers   on;  

        location / {
           root   /usr/share/nginx/html;
           index  index.html index.htm;
      }

 }

以上就是简单的配置了,下面就是签发证书的一些工作了

签发证书

创建配置文件/etc/nginx/ca/conf/openssl.conf

[ ca ]
default_ca      = foo                   # The default ca section

[ foo ]
dir            = /etc/nginx/ca         # top dir
database       = /etc/nginx/ca/index.txt          # index file.
new_certs_dir  = /etc/nginx/ca/newcerts           # new certs dir

certificate    = /etc/nginx/ca/private/ca.crt         # The CA cert
serial         = /etc/nginx/ca/serial             # serial no file
private_key    = /etc/nginx/ca/private/ca.key  # CA private key
RANDFILE       = /etc/nginx/ca/private/.rand      # random number file

default_days   = 365                     # how long to certify for
default_crl_days= 30                     # how long before next CRL
default_md     = md5                     # message digest method to use
unique_subject = no                      # Set to 'no' to allow creation of
                                         # several ctificates with same subject.
policy         = policy_any              # default policy

[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
localityName            = match
commonName              = match
emailAddress            = match

在/etc/niginx/ca 下 创建文件new_ca.sh       ,执行生成根证书

#!/bin/sh
# Generate the key.
openssl genrsa -out private/ca.key
# Generate a certificate request.
openssl req -new -key private/ca.key -out private/ca.csr
# Self signing key is bad... this could work with a third party signed key... registeryfly has them on for $16 but I'm too cheap lazy to get one on a lark.
# I'm also not 100% sure if any old certificate will work or if you have to buy a special one that you can sign with. I could investigate further but since this
# service will never see the light of an unencrypted Internet see the cheap and lazy remark.
# So self sign our root key.
openssl x509 -req -days 365 -in private/ca.csr -signkey private/ca.key -out private/ca.crt
# Setup the first serial number for our keys... can be any 4 digit hex string... not sure if there are broader bounds but everything I've seen uses 4 digits.
echo FACE > serial
# Create the CA's key database.
touch index.txt
# Create a Certificate Revocation list for removing 'user certificates.'
openssl ca -gencrl -out /etc/nginx/ca/private/ca.crl -crldays 7 -config "/etc/nginx/ca/conf/openssl.conf"

在/etc/niginx/ca 下 创建文件new_server.sh       ,执行生成服务器证书

# Create us a key. Don't bother putting a password on it since you will need it to start apache. If you have a better work around I'd love to hear it.
openssl genrsa -out server/server.key
# Take our key and create a Certificate Signing Request for it.
openssl req -new -key server/server.key -out server/server.csr
# Sign this bastard key with our bastard CA key.
openssl ca -in server/server.csr -cert private/ca.crt -keyfile private/ca.key -out server/server.crt -config "/etc/nginx/ca/conf/openssl.conf"

在/etc/niginx/ca 下 创建文件new_user.sh       ,执行生成客户端证书

#!/bin/sh
# The base of where our SSL stuff lives.
base="/etc/nginx/ca"
# Were we would like to store keys... in this case we take the username given to us and store everything there.
mkdir -p $base/users/

# Let's create us a key for this user... yeah not sure why people want to use DES3 but at least let's make us a nice big key.
openssl genrsa -des3 -out $base/users/client.key 1024
# Create a Certificate Signing Request for said key.
openssl req -new -key $base/users/client.key -out $base/users/client.csr
# Sign the key with our CA's key and cert and create the user's certificate out of it.
openssl ca -in $base/users/client.csr -cert $base/private/ca.crt -keyfile $base/private/ca.key -out $base/users/client.crt -config "/etc/nginx/ca/conf/openssl.conf"

# This is the tricky bit... convert the certificate into a form that most browsers will understand PKCS12 to be specific.
# The export password is the password used for the browser to extract the bits it needs and insert the key into the user's keychain.
# Take the same precaution with the export password that would take with any other password based authentication scheme.
openssl pkcs12 -export -clcerts -in $base/users/client.crt -inkey $base/users/client.key -out $base/users/client.p12

以上工作做完之后把/etc.nginx/ca/user/client.p12文件导入到自己的浏览器就可以了。

时间: 2024-11-03 02:44:30

nginx配置ssh的相关文章

Nginx配置SSL证书部署HTTPS网站(转)

原文:http://www.lovelucy.info/nginx-ssl-certificate-https-website.html 一.什么是 SSL 证书,什么是 HTTPS SSL 证书是一种数字证书,它使用 Secure Socket Layer 协议在浏览器和 Web 服务器之间建立一条安全通道,从而实现: 1.数据信息在客户端和服务器之间的加密传输,保证双方传递信息的安全性,不可被第三方窃听: 2.用户可以通过服务器证书验证他所访问的网站是否真实可靠. (via百度百科) HTT

nginx配置详解和原理

nginx配置详解和原理 1.nginx的配置文件 nginx 配置文件的整体结构 <pre>user nobody nobody; # 指定Nginx Worker进程运行用户以及用户组,默认由nobody账号运行,nobody 是系统用户,是一个不能登陆的帐号,一个特殊用途的用户 ID #启动进程,通常设置成和cpu的数量相等worker_processes 1; #指定了Nginx要开启的进程数.每个Nginx进程平均耗费10M~12M内存.建议指定和CPU的数量一致即可. #全局错误日

linux学习笔记——搭建基于nginx的web服务器、多核配置、nginx配置参数

############ 认识nginx #############Nginx:(发音同 engine x)是一款轻量级的Web服务器/反向代理服务器及电子邮件(IMAP/POP3)代理服务器,并在一个BSD-like 协议下发行.由俄罗斯的程序设计师Igor Sysoev所开发,最初供俄国大型的入口网站及搜寻引擎Rambler(俄文:Рамблер)使用.  其优点是轻量级(占有内存少),高并发(并发能力强),事实上nginx的并发能力确实在同类型的网页伺服器中表现较好.目前中国大陆使用ngi

ubuntu配置SSH免密码登陆

ubuntu配置SSH免密码登陆 1.安装SSH:  2.是否生成 .ssh 目录: 3.如果没有生成,自己手动创建一个  .ssh 目录: 生成的 .ssh 目录: 4.生成公钥与私钥: 效果如下: 5.将公钥加入到用于认证的公钥文件中: 6.免密码登陆: 效果: Ubuntu 免密码登陆,SSH配置完.

12.17 Nginx负载均衡;12.18 ssl原理;12.19 生产ssl密钥对;12.20 Nginx配置ssl

扩展: 针对请求的uri来代理 http://ask.apelearn.com/question/1049 根据访问的目录来区分后端web http://ask.apelearn.com/question/920 12.17 Nginx负载均衡 1. 安装dig命令: [[email protected] ~]# yum install -y bind-utils 2. 用dig获取qq.com的ip地址: [[email protected] ~]# dig qq.com 3. 创建ld.co

Nginx配置详解

Nginx配置文件主要分成四部分: main(全局设置)指令将影响其它所有部分的设置: server(主机设置)指令主要用于指定虚拟主机域名.IP和端口: upstream(上游服务器设置,主要为反向代理.负载均衡相关配置)指令用于设置一系列的后端服务器,设置反向代理及后端服务器的负载均衡: location(URL匹配特定位置后的设置),每部分包含若干个指令.location部分用于匹配网页位置(比如,根目录"/","/images",等等). 他们之间的关系式:

LNMP架构应用实战——Nginx配置虚拟主机

LNMP架构应用实战--Nginx配置虚拟主机        前面介绍了nginx服务的安装与配置文件,今天介绍下它的另一种实用配置--"虚拟主机",每个虚拟主机可以是一个独立的网站,可以具有独立的域名,同一台服务器上的不同的虚拟主机之间是独立的,用户访问不同虚拟主机如同访问不同的服务器一样,因此它不需要为一个单独的WEB站点提供单独一个nginx服务器和一个单独的nginx进程 1.nginx虚拟主机简单介绍 同apache服务一样,它也有三种不同的虚拟主机,基于域名的虚拟主机.基于

Nginx 配置

Nginx 配置 不论是本地开发,还是远程到 Server 开发,还是给提供 demo 给人看效果,我们时常需要对 Nginx 做配置,Nginx 的配置项相当多,如果考虑性能配置起来会比较麻烦.不过,我们往往只是需要一个静态 Server,或者一个反向代理 Server,这对 Nginx 来说小菜一碟. 本文将给大家介绍 Nginx 配置的基本知识,不想细看的同学可以直接跳到最后一个例子. 简介 Nginx 的安装就不解释了,方便起见,建议在各平台可以直接执行对应安装命令: # CentOS

nginx 配置详解

Nginx是一款轻量级的Web 服务器/反向代理服务器及电子邮件(IMAP/POP3)代理服务器,并在一个BSD-like 协议下发行.由俄罗斯的程序设计师Igor Sysoev所开发,供俄国大型的入口网站及搜索引擎Rambler(俄文:Рамблер)使用.其特点是占有内存少,并发能力强,事实上nginx的并发能力确实在同类型的网页服务器中表现较好,中国大陆使用nginx网站用户有:京东.新浪.网易.腾讯.淘宝等. 一.event模型 传统的基于进程和线程的模型在处理并发连接的时候针对每个连接