在未使用SSL證書對服務(wù)器數(shù)據(jù)進行加密認證的情況下��,用戶的數(shù)據(jù)將會以明文的形式進行傳輸����,這樣一來使用抓包工具是可以獲取到用戶密碼信息的�����,非常危險���。而且也無法驗證數(shù)據(jù)一致性和完整性���,不能確保數(shù)據(jù)在傳輸過程中沒被改變��。所以網(wǎng)站如果有涉及用戶賬戶等重要信息的情況下通常要配置使用SSL證書,實現(xiàn)https協(xié)議����。
在生產(chǎn)環(huán)境中的SSL證書都需要通過第三方認證機構(gòu)購買,分為專業(yè)版OV證書(瀏覽器地址欄上不顯示企業(yè)名稱)和高級版EV(可以顯示企業(yè)名稱)證書����,證書所保護的域名數(shù)不同也會影響價格(比如只對www認證和通配*認證��,價格是不一樣的)����,且不支持三級域名。測試中可以自己作為證書頒發(fā)機構(gòu)來制作證書���,瀏覽器會顯示為紅色,代表證書過期或者無效�,如果是黃色的話代表網(wǎng)站有部分連接使用的仍然是http協(xié)議。
不管使用哪種方法�,在拿到證書后對Nginx的配置都是一樣的,所以這里以搭建OpenSSL并制作證書來進行完整說明
一、準(zhǔn)備環(huán)境
1)nginx服務(wù)
2)ssl模塊
[root@ns3 ~]# systemctl stop firewalld
[root@ns3 ~]# iptables -F
[root@ns3 ~]# setenforce 0
[root@ns3 ~]# yum -y install pcre zlib pcre-devel zlib-devel
[root@ns3 ~]# tar xf nginx-1.16.0.tar.gz -C /usr/src/
[root@ns3 ~]#cd /usr/src/nginx-1.16.0
[root@ns3 ~]#./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-http_flv_module --with-http_gzip_static_module&&make && make install #后續(xù)需要的模塊一次性安裝
3)檢測openssl是否安裝
[root@ns3 ~]# rpm -qa openssl 2 openssl-1.0.1e-42.el7.x86_64
若沒有安裝
[root@ns3 ~]# yum -y install openssl openssl-devel
二�、創(chuàng)建根證書CA
1���、生成CA私鑰
[root@ns3 ~]# cd zhengshu/
[root@ns3 zhengshu]# openssl genrsa -out local.key 2048
Generating RSA private key, 2048 bit long modulus
...........................................................................................................................................................................................................................+++
............................................................................................................................................................................................+++
e is 65537 (0x10001)
[root@ns3 zhengshu]# ls
local.key
2�、生成CA證書請求
[root@ns3 zhengshu]# openssl req -new -key local.key -out local.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #國家
State or Province Name (full name) []:BJ #省份
Locality Name (eg, city) [Default City]:BJ #城市
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:test #部門
Common Name (eg, your name or your server's hostname) []:test #主機名
Email Address []:test@test.com #郵箱
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:wuminyan #密碼
An optional company name []:wuminyan #姓名
[root@ns3 zhengshu]# ls
local.csr local.key
req: 這是一個大命令�����,提供生成證書請求文件�,驗證證書�����,和創(chuàng)建根CA
-new: 表示新生成一個證書請求
-x509: 直接輸出證書
-key: 生成證書請求時用到的私鑰文件
-out:輸出文件
3�、生成CA根證書
這個生成CA證書的命令會讓人迷惑
1.通過秘鑰 生成證書請求文件
2.通過證書請求文件 生成最終的證書
-in 使用證書請求文件生成證書,-signkey 指定私鑰����,這是一個還沒搞懂的參數(shù)
[root@ns3 zhengshu]# openssl x509 -req -in local.csr -extensions v3_ca -signkey local.key -out local.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=Default Company Ltd/OU=test/CN=test/emailAddress=test@test.com
Getting Private key
三、根據(jù)CA證書創(chuàng)建server端證書
1����、生成server私匙
[root@ns3 zhengshu]# openssl genrsa -out my_server.key 2048
Generating RSA private key, 2048 bit long modulus
.................................+++
.........................................+++
e is 65537 (0x10001)
[root@ns3 zhengshu]# ls
local.crt local.csr local.key my_server.key
2、生成server證書請求
[root@ns3 zhengshu]# openssl x509 -req -in local.csr -extensions v3_ca -signkey local.key -out local.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=Default Company Ltd/OU=test/CN=test/emailAddress=test@test.com
Getting Private key
[root@ns3 zhengshu]# openssl genrsa -out my_server.key 2048
Generating RSA private key, 2048 bit long modulus
.................................+++
.........................................+++
e is 65537 (0x10001)
[root@ns3 zhengshu]# openssl req -new -key my_server.key -out my_server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:test
Email Address []:test@test.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:wuminyan
An optional company name []:wuminyan
[root@ns3 zhengshu]# ls
local.crt local.csr local.key my_server.csr my_server.key
3�、生成server證書
[root@ns3 zhengshu]# openssl x509 -days 365 -req -in my_server.csr -extensions v3_req -CAkey local.key -CA local.crt -CAcreateserial -out my_server.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=Default Company Ltd/OU=test/CN=test/emailAddress=test@test.com
Getting CA Private Key
四、配置nginx支持SSL
[root@ns3 ~]# vim /etc/nginx.cof #這里設(shè)置了一個軟連接:lln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
server {
listen 80;
listen 443 default ssl; #監(jiān)聽433端口
keepalive_timeout 100; #開啟keepalive 激活keepalive長連接���,減少客戶端請求次數(shù)
ssl_certificate /root/zhengshu/local.crt; #server端證書位置
ssl_certificate_key /root/zhengshu/local.key; #server端私鑰位置
ssl_session_cache shared:SSL:10m; #緩存session會話
ssl_session_timeout 10m; # session會話 10分鐘過期
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
server_name test.com;
charset utf-8;
location / {
root html;
index index.html index.htm;
}
}
}
五、測試
輸入https://192.168.200.115
到此這篇關(guān)于nginx結(jié)合openssl實現(xiàn)https的文章就介紹到這了,更多相關(guān)nginx實現(xiàn)https內(nèi)容請搜索腳本之家以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持腳本之家����!
