
Setting Up and Using CA Certification with Nginx

CA certification for Nginx


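TCP/IP protocol
HTTP protocol [plaintext transport protocol]
HTTPS protocol [443]

https bandwidth encrypt ------------------------>> decrypt
Algorithms
Symmetric ciphers: aes, des
Asymmetric encryption: rsa, dsa
Message digests: md5, sha256

Public key
Private key

Domain names: look-alike domain names
Scammers [phishing]

CA certification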

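Steps for encrypted authentication
1. Generate the private key and certificate with openssl
openssl genrsa -out my.key
openssl req -new -x509 -key my.key -out my.crt
2. Edit the configuration file so that it references the private key and certificate
3. Verify from the client: open https://, add an exception, import

# cd /usr/local/nginx/conf
# openssl genrsa -out my.key                        # private key
# openssl req -new -x509 -key my.key -out my.crt    # self-signed certificate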

[root@service nginx]#cd /usr/local/nginx/conf
[root@service conf]# openssl genrsa -out my.key
[root@service conf]# openssl req -new -x509 -key my.key -out my.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:guangzhou
Organization Name (eg, company) [Default Company Ltd]:tedu
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:lyd
Email Address []:[email protected]
[root@service conf]# ls
fastcgi.conf koi-win nginx.conf uwsgi_params
fastcgi.conf.default mime.types nginx.conf.default uwsgi_params.default
fastcgi_params mime.types.default pass win-utf
fastcgi_params.default my.crt scgi_params
koi-utf my.key scgi_params.default

[root@service nginx]# vim /usr/local/nginx/conf/nginx.conf

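server {                                # define the virtual host
    listen 443 ssl;
    server_name www.c.com;
    # enable SSL; redundant with "listen 443 ssl" above. The "ssl" directive is
    # obsolete since nginx 1.15.0 and was removed in 1.25.1, so drop it there.
    ssl on;
    ssl_certificate my.crt;             # certificate file
    ssl_certificate_key my.key;         # private key file

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        root web2;
        index index.html index.htm;
    }
}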

[root@service nginx]# mkdir /usr/local/nginx/web2
[root@service nginx]# echo "jiami" > /usr/local/nginx/web2/index.html
[root@service nginx]# nginx -s reload

Access the site from a client browser.
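
The session above enters `lyd` as the Common Name while the virtual host is `www.c.com`, so the client sees a name mismatch in addition to the self-signed issuer. The following is an added example, not part of the original post: a non-interactive form of the key and certificate steps that issues the certificate for `www.c.com` and checks that key, certificate and host name agree. The function names, the 2048-bit key size, the 365-day validity and the scratch directory are assumptions of this example; `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the original post). Function names, key size,
# validity period and the scratch directory are assumptions.

# Create my.key and a self-signed my.crt for host name $2 in directory $1.
make_selfsigned() {
    dir=$1 host=$2
    (
        umask 077                      # private key readable by its owner only
        cd "$dir" || exit 1
        openssl genrsa -out my.key 2048 2>/dev/null || exit 1
        # -subj replaces the interactive DN prompts; the subjectAltName entry
        # is what current browsers compare against the requested host name.
        openssl req -new -x509 -key my.key -out my.crt -days 365 \
            -subj "/CN=$host" -addext "subjectAltName=DNS:$host"
    )
}

# Succeed only if the public key in certificate $2 belongs to private key $1.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed only if certificate $1 is valid for host name $2.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Run the whole sequence in a scratch directory, not in the nginx conf directory.
demo() {
    tmp=$(mktemp -d) || return 1
    make_selfsigned "$tmp" www.c.com &&
        key_matches_cert "$tmp/my.key" "$tmp/my.crt" &&
        cert_covers_host "$tmp/my.crt" www.c.com
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo && echo "key, certificate and host name agree"
```

After copying the files into `/usr/local/nginx/conf`, run `nginx -t` before `nginx -s reload` so that a bad key or certificate path is reported before the running server is touched.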