The magic of nginx: HTTPS support
Posted by 阿新 on 2018-01-11
Introduction
As technology has moved on, the plain HTTP protocol cannot guarantee that data is transported securely, and HTTPS emerged to fill that gap. nginx supports HTTPS, but the configuration is fiddly and hard to remember, so I am writing it down here to avoid forgetting it.
The HTTPS data transfer process
- The client sends an HTTPS request to the server;
- The server holds a digital certificate, which in essence is a public/private key pair. The certificate can be self-made or requested from a certificate authority. With a self-made one, the client has to click through a validation warning before it can continue; with a CA-issued one no prompt appears;
- The server sends the public key to the client;
- The client checks whether the public key is valid: an invalid (self-made) one triggers a warning; if it is valid, the client generates a random string and encrypts it with the public key;
- The client sends the encrypted string to the server;
- The server decrypts the string with its private key to recover the random string, and from then on encrypts the data it transmits with that random string (symmetric encryption);
- The server sends the encrypted data to the client;
- The client decrypts the data with its own key (the random string).
Symmetric encryption: the data and the key (the random string) are mixed together by some algorithm, so that without knowing the key the data cannot be decrypted.
Preparation
The ngx_http_ssl_module that nginx needs for HTTPS is not built in by default, so nginx has to be recompiled and reinstalled with it (if it was included in the original build, there is no need to recompile).
Check whether the installed nginx already includes the SSL module:
[root@localhost conf]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx/
One thing to note before reinstalling: recompiling may reset some earlier changes, for example the virtual host files may be wiped, so back up the important configuration files first.
# Switch into the nginx source directory you originally installed from
[root@localhost conf]# cd /usr/local/src/nginx-1.12.2/
[root@localhost nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@localhost nginx-1.12.2]# make && make install
[root@localhost conf]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx/ --with-http_ssl_module
Create a self-signed certificate
- Create the private key
[root@localhost ~]# cd /usr/local/nginx/conf
# Create the private key file; a passphrase is mandatory here, otherwise no key file is generated
[root@localhost conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
..............................+++
...............................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
- Convert the key to remove the passphrase
[root@localhost conf]# openssl rsa -in tmp.key -out test.key
Enter pass phrase for tmp.key:
writing RSA key
[root@localhost conf]# rm -f tmp.key
- Generate the certificate
[root@localhost conf]# openssl req -new -key test.key -out test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ZheJiang
Locality Name (eg, city) [Default City]:QuZhou
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# The CSR is combined with the private key to produce the .crt file
[root@localhost conf]# openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt
Signature ok
subject=/C=CN/ST=ZheJiang/L=QuZhou/O=Default Company Ltd
Getting Private key
With that, the self-signed certificate has been created.
SSL configuration
- Create a new virtual host configuration file
[root@localhost conf]# vim /usr/local/nginx/conf/vhost/ssl.conf
server
{
    listen 443;
    server_name test.com;
    index index.html index.php;
    root /data/www/test.com;
    ssl on;
    # The self-signed certificate (path is relative to the conf directory)
    ssl_certificate test.crt;
    # The matching private key
    ssl_certificate_key test.key;
    # nginx expects the spelling TLSv1.1 / TLSv1.2; "TLS1.1" is rejected by nginx -t.
    # TLSv1 is obsolete and should be dropped once no legacy clients depend on it.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
- Create the matching directory and test page
[root@localhost conf]# mkdir -p /data/www/test.com
[root@localhost conf]# vim /data/www/test.com/index.php
ssl test page.
- Restart the service
[root@localhost conf]# /usr/local/nginx/sbin/nginx -t
[root@localhost conf]# /usr/local/nginx/sbin/nginx -s reload
# Check whether port 443 is listening
[root@localhost conf]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
...
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4953/nginx: master
...
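As an added example, not code from the original post: a small Python linter for the TLS directives of one nginx server block such as the vhost above. It flags values nginx rejects at `nginx -t` (writing `TLS1.1` instead of `TLSv1.1`), protocol versions that should no longer be offered, a missing certificate or key, and a block that never enables TLS at all. Both sample blocks are constructed here; the first reproduces the post's vhost as originally written.

```python
import re

# ssl_protocols values nginx accepts; anything else makes `nginx -t` fail.
VALID_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Versions a public-facing server should no longer offer.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# One simple directive per line: `name arg arg ... ;` (comments and braces are skipped).
DIRECTIVE_RE = re.compile(r"^[ \t]*([a-z_]+)[ \t]+([^;#\n]*?)[ \t]*;", re.MULTILINE)


def lint_ssl_server_block(conf):
    """Return a list of findings for the TLS-related directives of one server block."""
    directives = {}
    for name, args in DIRECTIVE_RE.findall(conf):
        directives.setdefault(name, []).append(args.split())
    findings = []
    ssl_on = ["on"] in directives.get("ssl", [])
    listen_ssl = any("ssl" in args for args in directives.get("listen", []))
    if not (ssl_on or listen_ssl):
        findings.append("ERROR: no `ssl on;` and no `listen ... ssl;`, the port would serve plain HTTP")
    if ssl_on:
        findings.append("INFO: `ssl on;` is deprecated since nginx 1.15.0; use `listen 443 ssl;`")
    for key in ("ssl_certificate", "ssl_certificate_key"):
        if key not in directives:
            findings.append("ERROR: missing " + key)
    for args in directives.get("ssl_protocols", []):
        for proto in args:
            if proto not in VALID_PROTOCOLS:
                findings.append("ERROR: `%s` is not a valid ssl_protocols value" % proto)
            elif proto in WEAK_PROTOCOLS:
                findings.append("WARN: `%s` is obsolete; offer only TLSv1.2 and TLSv1.3" % proto)
    return findings


# Constructed sample: the vhost from this post as originally written (TLS1.1/TLS1.2 typos included).
PAGE_CONF = """server {
    listen 443;
    ssl on;
    ssl_certificate test.crt;
    ssl_certificate_key test.key;
    ssl_protocols TLSv1 TLS1.1 TLS1.2;
}"""

# Constructed sample: the same block with the findings addressed.
HARDENED_CONF = """server {
    listen 443 ssl;
    ssl_certificate test.crt;
    ssl_certificate_key test.key;
    ssl_protocols TLSv1.2 TLSv1.3;
}"""
```

Calling `lint_ssl_server_block(PAGE_CONF)` returns four findings (the deprecated `ssl on;`, the obsolete `TLSv1`, and the two invalid spellings), while `HARDENED_CONF` comes back clean.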