nginx結(jié)合openssl實(shí)現(xiàn)https的方法

更新時(shí)間：2021年07月23日 10:19:06 作者：七月七日清

這篇文章主要介紹了基于nginx結(jié)合openssl實(shí)現(xiàn)https的方法，準(zhǔn)備工作大家需要安裝nginx服務(wù)，具體操作過(guò)程跟隨小編一起看看吧

在未使用SSL證書(shū)對(duì)服務(wù)器數(shù)據(jù)進(jìn)行加密認(rèn)證的情況下，用戶(hù)的數(shù)據(jù)將會(huì)以明文的形式進(jìn)行傳輸，這樣一來(lái)使用抓包工具是可以獲取到用戶(hù)密碼信息的，非常危險(xiǎn)。而且也無(wú)法驗(yàn)證數(shù)據(jù)一致性和完整性，不能確保數(shù)據(jù)在傳輸過(guò)程中沒(méi)被改變。所以網(wǎng)站如果有涉及用戶(hù)賬戶(hù)等重要信息的情況下通常要配置使用SSL證書(shū)，實(shí)現(xiàn)https協(xié)議。

在生產(chǎn)環(huán)境中的SSL證書(shū)都需要通過(guò)第三方認(rèn)證機(jī)構(gòu)購(gòu)買(mǎi)，分為專(zhuān)業(yè)版OV證書(shū)（瀏覽器地址欄上不顯示企業(yè)名稱(chēng)）和高級(jí)版EV（可以顯示企業(yè)名稱(chēng)）證書(shū)，證書(shū)所保護(hù)的域名數(shù)不同也會(huì)影響價(jià)格（比如只對(duì)www認(rèn)證和通配*認(rèn)證，價(jià)格是不一樣的），且不支持三級(jí)域名。測(cè)試中可以自己作為證書(shū)頒發(fā)機(jī)構(gòu)來(lái)制作證書(shū)，瀏覽器會(huì)顯示為紅色，代表證書(shū)過(guò)期或者無(wú)效，如果是黃色的話(huà)代表網(wǎng)站有部分連接使用的仍然是http協(xié)議。

不管使用哪種方法，在拿到證書(shū)后對(duì)Nginx的配置都是一樣的，所以這里以搭建OpenSSL并制作證書(shū)來(lái)進(jìn)行完整說(shuō)明

一、準(zhǔn)備環(huán)境

1）nginx服務(wù)

2）ssl模塊

[root@ns3 ~]# systemctl stop firewalld
[root@ns3 ~]# iptables -F
[root@ns3 ~]# setenforce 0
[root@ns3 ~]# yum -y install pcre zlib pcre-devel zlib-devel
[root@ns3 ~]# tar xf nginx-1.16.0.tar.gz -C /usr/src/
[root@ns3 ~]#cd /usr/src/nginx-1.16.0
[root@ns3 ~]#./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-http_flv_module --with-http_gzip_static_module&&make && make install #后續(xù)需要的模塊一次性安裝

3）檢測(cè)openssl是否安裝

[root@ns3 ~]# rpm -qa openssl 2 openssl-1.0.1e-42.el7.x86_64

若沒(méi)有安裝

[root@ns3 ~]# yum -y install openssl openssl-devel

二、創(chuàng)建根證書(shū)CA

1、生成CA私鑰

[root@ns3 ~]# cd zhengshu/
[root@ns3 zhengshu]# openssl genrsa -out local.key 2048
Generating RSA private key, 2048 bit long modulus
...........................................................................................................................................................................................................................+++
............................................................................................................................................................................................+++
e is 65537 (0x10001)
[root@ns3 zhengshu]# ls
local.key

　2、生成CA證書(shū)請(qǐng)求

[root@ns3 zhengshu]# openssl req -new -key local.key -out local.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  #國(guó)家
State or Province Name (full name) []:BJ   #省份
Locality Name (eg, city) [Default City]:BJ  #城市
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:test   #部門(mén)
Common Name (eg, your name or your server's hostname) []:test   #主機(jī)名
Email Address []:test@test.com  #郵箱

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:wuminyan  #密碼
An optional company name []:wuminyan  #姓名
[root@ns3 zhengshu]# ls
local.csr  local.key

req: 這是一個(gè)大命令，提供生成證書(shū)請(qǐng)求文件，驗(yàn)證證書(shū)，和創(chuàng)建根CA
 -new: 表示新生成一個(gè)證書(shū)請(qǐng)求
 -x509: 直接輸出證書(shū)
 -key: 生成證書(shū)請(qǐng)求時(shí)用到的私鑰文件
 -out：輸出文件

3、生成CA根證書(shū)

這個(gè)生成CA證書(shū)的命令會(huì)讓人迷惑
1.通過(guò)秘鑰 生成證書(shū)請(qǐng)求文件
2.通過(guò)證書(shū)請(qǐng)求文件 生成最終的證書(shū)
 -in 使用證書(shū)請(qǐng)求文件生成證書(shū)，-signkey 指定私鑰，這是一個(gè)還沒(méi)搞懂的參數(shù)
[root@ns3 zhengshu]# openssl x509 -req -in local.csr -extensions v3_ca -signkey local.key -out local.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=Default Company Ltd/OU=test/CN=test/emailAddress=test@test.com
Getting Private key

三、根據(jù)CA證書(shū)創(chuàng)建server端證書(shū)

1、生成server私匙

[root@ns3 zhengshu]# openssl genrsa -out my_server.key 2048
Generating RSA private key, 2048 bit long modulus
.................................+++
.........................................+++
e is 65537 (0x10001)
[root@ns3 zhengshu]# ls
local.crt  local.csr  local.key  my_server.key

2、生成server證書(shū)請(qǐng)求

[root@ns3 zhengshu]# openssl x509 -req -in local.csr -extensions v3_ca -signkey local.key -out local.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=Default Company Ltd/OU=test/CN=test/emailAddress=test@test.com
Getting Private key
[root@ns3 zhengshu]# openssl genrsa -out my_server.key 2048
Generating RSA private key, 2048 bit long modulus
.................................+++
.........................................+++
e is 65537 (0x10001)
[root@ns3 zhengshu]# openssl req -new -key my_server.key -out my_server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:test
Email Address []:test@test.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:wuminyan
An optional company name []:wuminyan
[root@ns3 zhengshu]# ls
local.crt  local.csr  local.key  my_server.csr  my_server.key

3、生成server證書(shū)

[root@ns3 zhengshu]# openssl x509 -days 365 -req -in my_server.csr -extensions v3_req -CAkey local.key -CA local.crt -CAcreateserial -out my_server.crt
 Signature ok
 subject=/C=CN/ST=BJ/L=BJ/O=Default Company Ltd/OU=test/CN=test/emailAddress=test@test.com
 Getting CA Private Key

四、配置nginx支持SSL

[root@ns3 ~]# vim /etc/nginx.cof      #這里設(shè)置了一個(gè)軟連接:lln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
server {
        listen 80;
        listen       443 default  ssl;  #監(jiān)聽(tīng)433端口
                keepalive_timeout 100;  #開(kāi)啟keepalive 激活keepalive長(zhǎng)連接，減少客戶(hù)端請(qǐng)求次數(shù)

                   ssl_certificate      /root/zhengshu/local.crt;   #server端證書(shū)位置
                   ssl_certificate_key  /root/zhengshu/local.key;   #server端私鑰位置

                        ssl_session_cache    shared:SSL:10m;         #緩存session會(huì)話(huà)
                        ssl_session_timeout  10m;                    # session會(huì)話(huà)    10分鐘過(guò)期

                   ssl_ciphers  HIGH:!aNULL:!MD5;
                   ssl_prefer_server_ciphers  on;

        server_name   test.com;
        charset utf-8;

        location / {
            root   html;
            index  index.html index.htm;
        }

    }
}

五、測(cè)試

輸入https：//192.168.200.115

到此這篇關(guān)于nginx結(jié)合openssl實(shí)現(xiàn)https的文章就介紹到這了,更多相關(guān)nginx實(shí)現(xiàn)https內(nèi)容請(qǐng)搜索腳本之家以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持腳本之家！

您可能感興趣的文章: