SSL证书是数字证书的一种,因为配置在服务器上,也称为SSL服务器证书。它遵守SSL协议,由受信任的数字证书颁发机构CA,在验证服务器身份后颁发,具有服务器身份验证和数据传输加密功能。
![[LNMP]Nginx配置SSL](https://s1.51cto.com/wyfs02/M02/9E/8A/wKioL1mTAKzC0PLwAAAp1VDqkH0036.jpg "[LNMP]Nginx配置SSL")
SSL证书通过在客户端浏览器和Web服务器之间建立一条SSL安全通道,通过它可以激活SSL协议,实现数据信息在客户端和服务器之间的加密传输,可以防止数据信息的泄露。保证了双方传递信息的安全性,而且用户可以通过服务器证书验证他所访问的网站是否是真实可靠。
![[LNMP]Nginx配置SSL](https://s1.51cto.com/wyfs02/M01/9E/8A/wKioL1mTAMWQwZuNAAAjXjb6F4c701.gif "[LNMP]Nginx配置SSL")
下面将演示在nginx环境下ssl的配置方式。
一、产生SSL密钥对
1、安装openssl
|
1
2
3
4
|
[root@plinuxos ~]# cd /usr/local/nginx/conf/
[root@plinuxos conf]# rpm -qf `which openssl`
openssl-1.0.1e-60.el7_3.1.x86_64[root@plinuxos conf]# yum install -y openssl
|
2、设置私钥
|
1
2
3
4
5
6
7
8
9
10
11
|
[root@plinuxos conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus..........................+++...........................................................................................................................................................+++e is 65537 (0x10001)Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
[root@plinuxos conf]# openssl rsa -in tmp.key -out sykey.key ##取消密码,生成新的私钥文件
Enter pass phrase for tmp.key:
writing RSA key[root@plinuxos conf]# rm -rf tmp.key
|
3、生成证书请求文件
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
[root@plinuxos conf]# openssl req -new -key sykey.key -out key.csr
You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.
-----Country Name (2 letter code) [XX]:cnState or Province Name (full name) []:shanghaiLocality Name (eg, city) [Default City]:shanghaiOrganization Name (eg, company) [Default Company Ltd]:51ctoOrganizational Unit Name (eg, section) []:itCommon Name (eg, your name or your server's hostname) []:grodd
Email Address []:51cto.51cto.comPlease enter the following 'extra' attributes
to be sent with your certificate requestA challenge password []:pwd
An optional company name []:51cto |
4、生成公钥
|
1
2
3
4
|
[root@plinuxos conf]# openssl x509 -req -days 365 -in key.csr -signkey sykey.key -out gykey.crt
Signature oksubject=/C=cn/ST=shanghai/L=shanghai/O=51cto/OU=it/CN=grodd/emailAddress=51cto.51cto.com
Getting Private key |
二、Nginx配置SSL
1、编辑配置文件
|
1
2
3
4
5
6
7
8
9
10
11
12
13
|
[root@plinuxos conf]# mkdir /data/wwwroot/test.com
[root@plinuxos conf]# vi /usr/local/nginx/conf/vhost/ssl.conf
server{ listen 443;
server_name test.com;
index index.html index.php;
root /data/wwwroot/test.com;
ssl on;
ssl_certificate gykey.crt;
ssl_certificate_key sykey.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
} |
2、重新编译安装
|
1
2
3
4
5
6
7
|
[root@plinuxos conf]# cd /usr/local/src/nginx-1.12.1
[root@plinuxos nginx-1.12.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@plinuxos nginx-1.12.1]# echo $?
0[root@plinuxos nginx-1.12.1]# make && make install
[root@plinuxos nginx-1.12.1]# echo $?
0 |
3、检查与重载
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
[root@plinuxos nginx-1.12.1]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC) built with OpenSSL 1.0.1e-fips 11 Feb 2013TLS SNI support enabledconfigure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
[root@plinuxos nginx-1.12.1]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@plinuxos nginx-1.12.1]# /etc/init.d/nginx restart
Restarting nginx (via systemctl): [ OK ][root@plinuxos nginx-1.12.1]# netstat -lntp |grep -i nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2233/nginx: master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2233/nginx: master
|
4、测试效果
|
1
2
|
[root@plinuxos nginx-1.12.1]# cd /data/wwwroot/test.com/
[root@plinuxos test.com]# echo "ssl test" > index.html
|
本地测试
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
[root@plinuxos test.com]# vi /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 test.com
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6[root@plinuxos test.com]# curl https://test.com
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
|
远端测试
注意:由于模拟使用的是云主机,要确保安全组策略放过443端口。此外,系统的防火墙没有做任何限制。
![[LNMP]Nginx配置SSL](https://s5.51cto.com/wyfs02/M00/9E/9C/wKiom1mTCeCjfSU6AADzi0K5McY506.png-wh_500x0-wm_3-wmp_4-s_1026110867.png "[LNMP]Nginx配置SSL")
![[LNMP]Nginx配置SSL](https://s5.51cto.com/wyfs02/M00/9E/8A/wKioL1mTCeDw4Z_TAAAek9ojMl8176.png-wh_500x0-wm_3-wmp_4-s_196245760.png "[LNMP]Nginx配置SSL")
本文转自Grodd51CTO博客,原文链接:http://blog.51cto.com/juispan/1956587,如需转载请自行联系原作者