Nginx之Https 证书加密

2017年6月21日16:47:42 发表评论 1,323 views
摘要

SSL证书是数字证书的一种,类似于驾驶证、护照和营业执照的电子副本。因为配置在服务器上,也称为SSL服务器证书。

广告也精彩

1、检查SSL模块状态

[root@web-node1~]# /application/nginx/sbin/nginx -V
nginx version: nginx/1.6.3
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/application/nginx-1.6.3 --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module

2、准备私钥和证书

2.1创建服务器私钥

[root@web-node1~]# cd /application/nginx/conf/
[root@web-node1 conf]# mkdir key
[root@web-node1 conf]# cd key/
[root@web-node1 key]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..++++++
...++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

2.2签发证书

[root@web-node1 key]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:SDU
Organizational Unit Name (eg, section) []:SA         
Common Name (eg, your name or your server's hostname) []:Qiuyt
Email Address []:qiuyuetao@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:     
An optional company name []:

2.3删除服务器私钥口令

[root@web-node1 key]# cp server.key server.key.ori
[root@web-node1 key]# openssl rsa -in server.key.ori -out server.key
Enter pass phrase for server.key.ori:
writing RSA key

2.4生成使用签名请求证书
和私钥生成自签证书

[root@web-node1 key]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=SDU/OU=SA/CN=XuBuSi/emailAddress=qiuyt@yilonghc.com
Getting Private key

3、开启Nginx SSL

[root@web-node1 ~]# cat /application/nginx/conf/vhosts/www.conf
server
    {
        listen 443 default_server;
        server_name 自己域名;


#Globalsign New-2
        ssl                  on;
        ssl_certificate      /usr/local/nginx/conf/new-2-ssl/server.cer;
        ssl_certificate_key  /usr/local/nginx/conf/new-2-ssl/server.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers on;

        index index.html index.htm index.php;
        root  /yilongdata/webs/******/public; ##自己网站根目录

    location / {
#           return 503;
        try_files $uri $uri/ /index.php$is_args$query_string;
        }

        location ~ [^/]\.php(/|$)
        {
#            limit_conn perip 60;
#            limit_req zone=perreq nodelay;
            try_files $uri =404;
            fastcgi_pass   myfastcgi;
            fastcgi_index index.php;
            include fastcgi.conf;
            fastcgi_param  HTTPS on;
        expires      -1;
        }

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

        access_log  /yilongdata/logs/*******/access/www.yilonghc.cn.log  main;

        location ~ /\.ht {
          deny all;
        }

    }
##注意
#PHP 开启方式 1:
php-fpm.conf: listen = 127.0.0.1:9000
nginx.conf: fastcgi_pass 127.0.0.1:9000;
#方式2:
php-fpm.conf: listen = /tmp/php-fpm.sock
nginx.conf: fastcgi_pass unix:/tmp/php-cgi.sock;
#php 配置文件注销
使用; 不能用#

3.1重启nginx生效

[root@web-node1 ~]# /application/nginx/sbin/nginx -s reload
[root@web-node1 ~]# netstat -lntup|grep 443
tcp        0    0 0.0.0.0:443                 0.0.0.0:*                   LISTEN    1711/nginx

3.2测试https

由于该证书非第三方权威机构颁发,而是我们自己签发的,所以浏览器会警告,如果是对外的业务需要加密,必须使用商用第三方签名证书。

1.4配置重定向80端口转443端口

以上配置有个不好的地方,如果用户使用时忘了使用https或者443端口,那么将会报错,所以我们需要80端口的访问转到443端口并使用ssl加密访问。

只需要增加一个server段,使用301永久重定向。

[root@web-node1 ~]# tail -5 /application/nginx/conf/vhosts/www.conf
server {
        listen 80;
        server_name jianguo.yi*****.cn;
        rewrite ^(.*) https://$server_name$1 permanent;
}
[root@web-node1 ~]# /application/nginx/sbin/nginx -t
nginx: the configuration file /application/nginx-1.6.3/conf/nginx.conf syntax is ok
nginx: configuration file /application/nginx-1.6.3/conf/nginx.conf test is successful
[root@web-node1 ~]# /application/nginx/sbin/nginx -s reload

4、 HTTPS常见报错

生产中遇到个错误,原因是将业务迁到云上后,原环境是apache,现在用的是nginx,ssl整数配置一致,但是出现如下错误

[root@Lhapp key]# /application/nginx/sbin/nginx -t
nginx: [emerg] PEM_read_bio_X509_AUX("/application/nginx-1.8.1//conf/key/lhapi.csr") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /application/nginx-1.8.1//conf/nginx.conf test failed
#经过百度查阅,发现在apache中,公钥配置如下

[root@files conf.d]# grep -nr "SSLCertificateFile" ./
./ssl.conf:123:SSLCertificateFile /etc/httpd/lhapissl/214026611150535.pem
#它这里没有server.csr 而是用的*.pem做为工作,所以我把nginx也改为*.pem就OK了
ssl_certificate key/214026611150535.pem;
结果OK,证书生效

Nginx之Https 证书加密

  • QQ精品交流群
  • weinxin
  • 微信公众号
  • weinxin
广告也精彩
admin

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: