Nginx+HTTPS(SSL/TLS)
2016-07-12 13:21
Environment
First make sure openssl and openssl-devel are installed on the machine:
rpm -qa | grep openssl
# yum install openssl
# yum install openssl-devel
Check whether nginx was built with the SSL module, using the following command:
/opt/nginx/sbin/nginx -V
Check whether the output contains --with-http_ssl_module; if it does not, nginx has to be reconfigured and reinstalled.
Creating the certificate (issuing a certificate to yourself, i.e. self-signed)
# cd /usr/local/nginx/conf
# openssl genrsa -des3 -out server.key 1024
# openssl req -new -key server.key -out server.csr
# openssl rsa -in server.key -out server_nopwd.key
# openssl x509 -req -days 365 -in server.csr -signkey server_nopwd.key -out server.crt
The same steps as used in the rest of this post (2048-bit key, files named cert.*):
# cd /opt/nginx/conf
# openssl genrsa -des3 -out cert.key 2048            # create the server private key
# openssl req -new -key cert.key -out cert.csr        # certificate signing request
You will be prompted as follows:
Enter pass phrase for cert.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:demo
Organizational Unit Name (eg, section) []:localhost
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:demo@abc.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The part after each colon is what we have to fill in; I left the last two blank. Fields with empty square brackets seem to be optional.
Creating the decrypted private key
First copy cert.key to cert.key.org:
# cp cert.key cert.key.org
# openssl rsa -in cert.key.org -out cert.key
Finally, generate cert.crt from cert.csr and cert.key:
# openssl x509 -req -days 365 -in cert.csr -signkey cert.key -out cert.crt
Configuring nginx
SSL must be enabled in the server block, and the locations of the server certificate and key file must be given. Open the configuration file under conf/vhosts. PHP example:
server {
    listen 443;
    server_name _;
    access_log off;
    ssl on;
    ssl_certificate /opt/nginx/conf/vhosts/cert.crt;
    ssl_certificate_key /opt/nginx/conf/vhosts/cert.key;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    # SSLv2 and SSLv3 are obsolete; a current server should offer TLS only
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root /mnt/html/test;
        index index.php index.html;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /opt/nginx/html;
    }
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /mnt/html/test$fastcgi_script_name;
        include fastcgi_params;
    }
    location ~ /\.ht {
        deny all;
    }
}
SSL operations consume CPU, so on a multi-processor system several worker processes should be started, no fewer than the number of available CPUs. The most CPU-expensive SSL operation is the SSL handshake, and there are two ways to minimise the number of handshakes per client: the first is to keep client connections alive and send several requests over one SSL connection; the second is to reuse SSL session parameters across concurrent or subsequent connections, which skips the handshake entirely. The session cache stores SSL sessions, is shared between worker processes, and is configured with the ssl_session_cache directive. 1 MB of cache holds roughly 4000 sessions. The default cache timeout is 5 minutes and can be raised with ssl_session_timeout.
If the HTTP and HTTPS virtual hosts serve the same content, one virtual host can handle both HTTP and HTTPS requests. To do this, remove the ssl on directive and add the ssl parameter to the *:443 listen port:
server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ...
}
Example (work out what each parameter does yourself!):
server {
    listen 80;
    listen 443 ssl;
    server_name lvtao.net;
    client_max_body_size 10M;
    ssl_certificate /etc/nginx/ssl/www.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security max-age=15768000;
}
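The two server blocks above differ in exactly the settings a reviewer would look at first. As an added example (not code from the original post or from nginx), the following Python checker parses a server block and flags obsolete protocol versions, the legacy ssl on form, a missing shared session cache and a missing HSTS header; the sample block is constructed from the post's first config.

```python
"""Audit the TLS directives of an nginx server block (added example, not code
from the original post or from nginx). The sample block is constructed from the
post's first config; the checks encode what the post's final config changes:
protocol versions, 'ssl on' vs 'listen 443 ssl', session cache and HSTS."""
import re
import shlex
# SSLv2/SSLv3 are broken; TLS 1.0/1.1 were deprecated by RFC 8996.
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Constructed sample: the post's first server block, trimmed to its TLS parts.
FIRST_BLOCK = """server { listen 443; server_name _; ssl on;
    ssl_certificate cert.crt; ssl_certificate_key cert.key;
    ssl_session_timeout 10m; ssl_session_cache shared:SSL:10m;
    ssl_protocols SSLv2 SSLv3 TLSv1; ssl_ciphers HIGH:!aNULL:!MD5;
    location / { root /mnt/html/test; index index.php index.html; } }"""

def parse_directives(block: str) -> dict:
    """{name: [args, ...]} for directives directly inside server { }; nested
    blocks (location, if) are skipped and quoted arguments are unquoted."""
    directives, depth = {}, 0
    for stmt in re.findall(r"[^;{}]*[;{}]", block):
        body, end = stmt[:-1].strip(), stmt[-1]
        if end == "{":
            depth += 1                      # server { } itself is depth 1
        elif end == "}":
            depth -= 1
        elif depth == 1 and body:
            name, *args = shlex.split(body)
            directives.setdefault(name, []).append(args)
    return directives

def audit(block: str) -> dict:
    """{finding_code: detail} for one server block; an empty dict means clean."""
    d = parse_directives(block)
    findings = {}
    protos = {p for args in d.get("ssl_protocols", []) for p in args}
    weak = sorted(protos & OBSOLETE_PROTOCOLS)
    if weak:
        findings["obsolete-protocols"] = " ".join(weak)
    listen_args = [a for args in d.get("listen", []) for a in args]
    if d.get("ssl") == [["on"]] and "ssl" not in listen_args:
        findings["legacy-ssl-on"] = "prefer 'listen 443 ssl' over 'ssl on'"
    if "ssl_session_cache" not in d:
        findings["no-session-cache"] = "each connection pays a full handshake"
    if "Strict-Transport-Security" not in [a[0] for a in d.get("add_header", []) if a]:
        findings["no-hsts"] = "clients are never told to insist on HTTPS"
    return findings

if __name__ == "__main__":
    for code, detail in audit(FIRST_BLOCK).items():
        print(f"{code}: {detail}")
```

Run against the post's final config the checker reports only the TLSv1/TLSv1.1 entries, which is the remaining gap between that config and a TLS 1.2-plus-only server.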
Restarting nginx without a passphrase prompt when SSL is configured
The nginx configuration stays the same, but there is one problem: restarting nginx asks for the key's passphrase. There is a way to avoid typing it. Run the following command (it writes an unencrypted copy of the key, which is why nginx no longer has to prompt):
openssl rsa -in pupboss.key -out pupboss_unsecure.key
Forcing HTTPS
Add the following:
server {
    listen 80;
    server_name lvtao.net;
    return 301 https://$server_name$request_uri;
}