nginx (2): SSL-related configuration
Preface: in today's security-first climate, the call for HTTPS across the whole site grows louder by the day.
**Configuration directives of the ngx_http_ssl_module**

`ssl_certificate file;` path to the certificate file

`ssl_certificate_key file;` the private key file belonging to that certificate

`ssl_ciphers ciphers;` the cipher suites nginx may use; any cipher suite supported by the OpenSSL library, written in OpenSSL's cipher-string syntax

`ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2];` the SSL/TLS protocol versions to enable; the default is the last three

`ssl_session_cache off | none | [builtin[:size]] [shared:name:size];` the SSL session cache mechanism
- builtin: the session cache built into OpenSSL; private to each worker process
- shared: one cache shared by all worker processes
  - name: a unique name for the cache
  - size: the size of the cache

`ssl_session_timeout time;` SSL session timeout, i.e. how long an entry in the session cache stays valid
**Creating a private CA**
```
# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
................+++
..................................+++
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:tz.company
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:tzca.com
Email Address []:
# touch {serial,index.txt}
# echo 01 > serial
```
**Generating the certificate request on the nginx server**
```
# mkdir ssl
# cd ssl/
# (umask 077; openssl genrsa -out nginx.key 1024)
Generating RSA private key, 1024 bit long modulus
.................................++++++
........................++++++
e is 65537 (0x10001)
# openssl req -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:tz.company
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.tz.com
Email Address []:tz66@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# scp nginx.csr root@172.16.61.5:/tmp
root@172.16.61.5's password:
nginx.csr                                     100%  696     0.7KB/s   00:00
```
**Signing the certificate request**
```
# openssl ca -in /tmp/nginx.csr -out certs/nginx.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 29 13:11:28 2016 GMT
            Not After : Feb 28 13:11:28 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = tz.company
            organizationalUnitName    = ops
            commonName                = www.tz.com
            emailAddress              = tz66@gmail.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                E5:01:2E:03:DE:39:5E:71:3B:9C:E3:D9:60:00:97:16:95:42:16:EB
            X509v3 Authority Key Identifier:
                keyid:12:C5:01:DB:D3:6C:F6:67:3D:3B:60:99:D8:AD:7E:21:90:46:22:62

Certificate is to be certified until Feb 28 13:11:28 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# scp nginx.crt root@172.16.61.4:/etc/nginx/ssl
The authenticity of host '172.16.61.4 (172.16.61.4)' can't be established.
ECDSA key fingerprint is 88:93:ff:8b:6e:ac:a0:c1:10:1f:4b:7d:ac:44:85:f0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.61.4' (ECDSA) to the list of known hosts.
root@172.16.61.4's password:
nginx.crt                                     100% 3774     3.7KB/s   00:00
```
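The three sections above are one procedure: build the CA, generate a key and a CSR on the web server, sign the CSR on the CA host. The script below is an added example, not part of the original post, that runs that procedure end to end without prompts and then performs the checks worth doing before the files are referenced from nginx.conf: that a client accepts the chain and the hostname, and that `nginx.crt` really belongs to `nginx.key`. Everything it assumes is constructed for the example: a throwaway working directory instead of `/etc/pki/CA` and `/etc/nginx/ssl`, a minimal `openssl.cnf` in place of the system one, both "hosts" on one machine, and a 2048-bit server key where the post uses 1024 bits.

```shell
#!/bin/sh
# Added example, not from the post: its private-CA, CSR and signing steps run
# end to end without prompts in a throwaway directory, then the checks worth
# running before the files reach nginx. Directory layout, minimal openssl.cnf
# and subject names are constructed here (the post uses /etc/pki/CA and the
# system openssl.cnf); the server key is 2048 bits, not the post's 1024.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CADIR="$WORK/CA"      # stands in for the CA host's /etc/pki/CA
SRVDIR="$WORK/ssl"    # stands in for the web server's /etc/nginx/ssl

# Step 1: private CA. index.txt and serial are the files the post touches by
# hand; the config holds only what `openssl req -x509` and `openssl ca` need.
setup_ca() {
    mkdir -p "$CADIR/private" "$CADIR/certs" "$CADIR/newcerts"
    : > "$CADIR/index.txt"
    echo 01 > "$CADIR/serial"
    cat > "$CADIR/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
default_md         = sha256
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $CADIR
database      = \$dir/index.txt
serial        = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_any
[ policy_any ]
commonName             = supplied
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
emailAddress           = optional
EOF
    (umask 077; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CADIR/openssl.cnf" -days 365 \
        -key "$CADIR/private/cakey.pem" -out "$CADIR/cacert.pem" \
        -subj "/C=CN/ST=beijing/L=beijing/O=tz.company/OU=ops/CN=tzca.com"
}

# Step 2: on the web server. Only nginx.csr goes to the CA (the post's scp
# step); nginx.key never leaves this directory.
make_server_request() {    # $1 = name nginx will serve under
    mkdir -p "$SRVDIR"
    (umask 077; openssl genrsa -out "$SRVDIR/nginx.key" 2048 2>/dev/null)
    openssl req -new -config "$CADIR/openssl.cnf" -key "$SRVDIR/nginx.key" \
        -out "$SRVDIR/nginx.csr" \
        -subj "/C=CN/ST=beijing/L=beijing/O=tz.company/OU=ops/CN=$1"
}

# Step 3: the CA signs. Extensions come from the CA, not the request, so a
# requester cannot ask for CA:TRUE; a SAN is added because clients no longer
# match on commonName alone.
sign_request() {           # $1 = name, must match the CSR's CN
    printf 'basicConstraints = CA:FALSE\nsubjectKeyIdentifier = hash\n' > "$WORK/server.ext"
    printf 'authorityKeyIdentifier = keyid,issuer\nsubjectAltName = DNS:%s\n' "$1" >> "$WORK/server.ext"
    openssl ca -batch -notext -config "$CADIR/openssl.cnf" -extfile "$WORK/server.ext" \
        -in "$SRVDIR/nginx.csr" -out "$SRVDIR/nginx.crt" 2>/dev/null
}

# Checks before touching nginx.conf: would a client accept the chain and the
# hostname, and does nginx.crt really belong to nginx.key?
cert_valid_for_host() {    # $1 = hostname a client connects to
    openssl verify -CAfile "$CADIR/cacert.pem" -purpose sslserver \
        -verify_hostname "$1" "$SRVDIR/nginx.crt" >/dev/null 2>&1
}
key_matches_cert() {
    [ "$(openssl pkey -in "$SRVDIR/nginx.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$SRVDIR/nginx.crt" -noout -pubkey)" ]
}
next_serial() { cat "$CADIR/serial"; }   # openssl ca advances it on every signature

setup_ca
make_server_request www.tz.com
sign_request www.tz.com
cert_valid_for_host www.tz.com && echo "www.tz.com: chain and hostname OK"
if cert_valid_for_host other.example; then echo "other.example: unexpectedly accepted"
else echo "other.example: rejected, as it should be"; fi
key_matches_cert && echo "nginx.crt matches nginx.key"
echo "next serial: $(next_serial); artifacts left in $WORK"
```

The interactive session in the post and `openssl ca -batch` here write the same database: after one signature `index.txt` holds one row and `serial` has moved on to 02. The two `openssl verify` calls are the part worth keeping around: the first confirms what a browser will check against `ssl_certificate`, the second (with a name the certificate was not issued for) confirms that the check actually bites.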
**Configuring nginx for HTTPS**
```nginx
server {
    listen 443 ssl;
    listen 172.16.61.4:80;
    server_name www.tz.com;
    root /data/www/vhost1;

    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    if ($scheme = http) { # force plain HTTP requests over to HTTPS
        return 301 https://$server_name$request_uri;
    }
}
```
Note: in production you still generate the private key and the certificate request yourself, but you send only the certificate request to a public CA (exactly as the scp step above sends `nginx.csr`; the private key stays on the server). The CA signs it and issues your certificate, and from then on you use that certificate in the configuration above.
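The `ssl_ciphers` value in this configuration is passed to OpenSSL unchanged, so the cheapest check on it is to let the same OpenSSL expand the string. The script below is an added example, not part of the original post; it expands the post's `HIGH:!aNULL:!MD5`, confirms that the two exclusions actually hold on this build, shows the permissive `ALL` for contrast, and shows what happens with a string that matches nothing. It assumes only a local `openssl` binary; the cipher strings other than the post's are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the post: resolve an ssl_ciphers value with the local
# OpenSSL, which is what nginx does with that string at startup. The strings
# below are the post's HIGH:!aNULL:!MD5 and, for contrast, a permissive one;
# nothing here needs an nginx installation.
set -eu

# One "NAME PROTOCOL Kx=.. Au=.. Enc=.. Mac=.." line per suite the string
# selects. Exits non-zero when nothing matches, which is the same condition
# that makes nginx reject the ssl_ciphers directive at startup.
resolve_ciphers() {    # $1 = ssl_ciphers value
    openssl ciphers -v "$1" 2>/dev/null
}

# Number of suites the string selects (0 when it matches nothing).
cipher_count() { resolve_ciphers "$1" | wc -l | tr -d ' '; }

# 0 if every selected suite authenticates the server (!aNULL held) and uses
# no MD5 MAC (!MD5 held); 1 if any suite is weak or the string is invalid.
no_weak_suites() {     # $1 = ssl_ciphers value
    list=$(resolve_ciphers "$1") || return 1
    ! printf '%s\n' "$list" | grep -Eq 'Au=None|Mac=MD5'
}

for s in 'HIGH:!aNULL:!MD5' 'ALL'; do
    printf '%-18s %3s suites; ' "$s" "$(cipher_count "$s")"
    if no_weak_suites "$s"; then echo "no anonymous or MD5 suites"
    else echo "contains anonymous or MD5 suites"; fi
done

# A mistyped value: OpenSSL reports "no cipher match" and nginx would refuse
# the configuration, so this is caught by nginx -t, not in production.
if resolve_ciphers 'NOSUCHCIPHER' >/dev/null; then echo "NOSUCHCIPHER: accepted?"
else echo "NOSUCHCIPHER: no cipher match; nginx would reject this ssl_ciphers value"; fi
```

Run it on the machine that will run nginx, since the result depends on the OpenSSL build nginx is linked against, not on the one on your workstation; the per-suite lines (`Kx=`, `Au=`, `Mac=`) are the quickest way to see what a string like `HIGH` really means on that build.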