Nginx + HTTPS (SSL/TLS)


Environment

First make sure openssl and openssl-devel are installed on the machine:

rpm -qa | grep openssl
#yum install openssl
#yum install openssl-devel

Check whether nginx was built with the SSL module using the following command:

/opt/nginx/sbin/nginx -V

Check whether the output contains --with-http_ssl_module; if it does not, nginx has to be reconfigured and reinstalled.

Creating a certificate [self-signed: issuing a certificate to yourself]

#cd /usr/local/nginx/conf
#openssl genrsa -des3 -out server.key 1024
#openssl req -new -key server.key -out server.csr
#openssl rsa -in server.key -out server_nopwd.key
#openssl x509 -req -days 365 -in server.csr -signkey server_nopwd.key -out server.crt
#cd /opt/nginx/conf
#openssl genrsa -des3 -out cert.key 2048   # create the server private key
#openssl req -new -key cert.key -out cert.csr   # create the certificate signing request

You will see prompts like the following:

Enter pass phrase for cert.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:demo
Organizational Unit Name (eg, section) []:localhost
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:demo@abc.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The values after the colons are what we fill in; I left the last two empty. Fields with empty brackets appear to be optional.

Creating the decrypted (passphrase-free) private key

First copy cert.key to cert.key.org, then write a passphrase-free copy back to cert.key:
cp cert.key cert.key.org
#openssl rsa -in cert.key.org -out cert.key
Next, the final step: generate cert.crt from cert.csr and cert.key:
#openssl x509 -req -days 365 -in cert.csr -signkey cert.key -out cert.crt
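The steps above are interactive and easy to get subtly wrong (a key that does not belong to the certificate makes nginx refuse to start with a "key values mismatch" error). The script below is an added example, not code from the original post: it runs the same genrsa / req / x509 sequence non-interactively, adds a subjectAltName (modern browsers match the host name against the SAN, not the CN), and then checks that the certificate and key belong together, that the subject CN is what was requested, and that the certificate has not expired. It assumes only that the openssl command-line tool is on PATH; the output directory and host name are arguments chosen by the caller, and the file names follow the post.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): non-interactive version of the
# self-signed certificate procedure, plus sanity checks on the result.
# Assumes the openssl CLI is on PATH. File names follow the post.
set -eu

# Generate cert.key, cert.csr and cert.crt in directory $1 for host name $2.
# The key is written without a passphrase from the start; the post creates it
# with -des3 and then strips the passphrase with "openssl rsa", which ends in
# the same state.
make_selfsigned_cert() {
    local dir=$1 host=$2
    mkdir -p "$dir"
    openssl genrsa -out "$dir/cert.key" 2048 2>/dev/null
    # -subj replaces the interactive DN prompts shown above.
    openssl req -new -key "$dir/cert.key" -out "$dir/cert.csr" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=demo/CN=$host"
    # Extension file for self-signing: clients validate the host name
    # against subjectAltName, so CN alone is not enough.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
    openssl x509 -req -days 365 -in "$dir/cert.csr" -signkey "$dir/cert.key" \
        -extfile "$dir/san.cnf" -out "$dir/cert.crt" 2>/dev/null
}

# Return 0 if the public key inside certificate $1 equals the public half
# of private key $2. This is the check nginx effectively performs on startup.
cert_key_match() {
    local crt_pub key_pub
    crt_pub=$(openssl x509 -noout -pubkey -in "$1")
    key_pub=$(openssl pkey -pubout -in "$2")
    [ "$crt_pub" = "$key_pub" ]
}

# Print the subject CN of certificate $1. The sed handles both the
# "CN = host" (OpenSSL 1.1+) and "/CN=host" (OpenSSL 1.0) output styles;
# the greedy .* picks the last CN, so the "C = CN" country field is skipped.
cert_subject_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Return 0 if certificate $1 is still valid for at least $2 seconds
# (default 0, i.e. "not expired right now").
cert_not_expired() {
    openssl x509 -noout -checkend "${2:-0}" -in "$1" >/dev/null
}

# Usage: ./make-cert.sh <output-dir> [host-name]
if [ "$#" -gt 0 ]; then
    make_selfsigned_cert "$1" "${2:-localhost}"
    cert_key_match "$1/cert.crt" "$1/cert.key" && echo "certificate and key match"
    echo "subject CN: $(cert_subject_cn "$1/cert.crt")"
    cert_not_expired "$1/cert.crt" && echo "certificate is currently valid"
fi
```

Running the script with a directory argument produces the three files the post's nginx configuration expects; the key-match check is worth keeping around as a pre-reload test, because a mismatched pair is the most common reason a freshly renewed certificate stops nginx from starting.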

Configuring nginx

SSL must be enabled in the server block, and the locations of the server certificate and key file must be specified. Open the configuration file under conf/vhosts.
PHP example:

server {
    listen 443; 
    server_name _;
    access_log off;
 
    ssl on;
    ssl_certificate /opt/nginx/conf/vhosts/cert.crt;
    ssl_certificate_key /opt/nginx/conf/vhosts/cert.key;
    ssl_session_timeout 10m;
    ssl_session_cache    shared:SSL:10m;
    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;
 
    location / {
        root /mnt/html/test;
        index index.php index.html;
    }
 
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /opt/nginx/html;
    }
 
    location ~ \.php$ {
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  /mnt/html/test$fastcgi_script_name;
        include        fastcgi_params;
    }
 
    location ~ /\.ht {
        deny all;
    }
}

SSL operations consume CPU resources, so on multiprocessor systems several worker processes should be started, no fewer than the number of available CPUs. The most CPU-intensive SSL operation is the SSL handshake. There are two ways to minimize the number of handshakes per client: the first is to keep client connections alive and send several requests over one SSL connection; the second is to reuse SSL session parameters across parallel or subsequent connections, which avoids the SSL handshake entirely. Sessions are stored in an SSL session cache that is shared between worker processes and configured with the ssl_session_cache directive. 1 MB of cache holds about 4000 sessions. The default cache timeout is 5 minutes; it can be increased with ssl_session_timeout.

If the HTTP and HTTPS virtual hosts serve the same content, a single virtual host can be configured to handle both HTTP and HTTPS requests. To do this, remove the ssl on directive and add the ssl parameter to the *:443 listen port:

server {
    listen              80;
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ...
}

Example: [work out what each parameter means yourself!]

server {

    listen 80;
    listen 443 ssl;
    server_name lvtao.net;
    client_max_body_size 10M;

    ssl_certificate     /etc/nginx/ssl/www.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    add_header Strict-Transport-Security max-age=15768000;
}
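The two configurations on this page differ a lot in what they allow: the PHP example uses the ssl on directive (obsolete since nginx 1.15.0, replaced by the listen ... ssl form the page itself switches to) and lists SSLv2 and SSLv3, which OpenSSL 1.1.0 and later no longer build, while the example above still enables TLSv1 and TLSv1.1 (deprecated by RFC 8996) and explicitly includes the 3DES suites (DES-CBC3-SHA and friends). The checker below is an added example, not code from the original post or from nginx: it reads a server block, extracts the directives discussed on this page (ssl, ssl_protocols, ssl_ciphers, the Strict-Transport-Security header) and prints one line per setting a reviewer would flag. The two sample configurations it writes are constructed for the demo; "weak.conf" mirrors the PHP example and "hardened.conf" is a corrected version with the weak protocols and suites removed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): a small lint for the TLS
# directives of an nginx server block. Only directives that appear on this
# page are inspected; everything else is ignored.
set -eu

# Print the value of directive $2 in config file $1 (first occurrence,
# comments stripped, surrounding quotes removed). Prints nothing if absent.
directive_value() {
    sed -e 's/#.*$//' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\(.*\);.*/\1/p" |
        head -n 1 | tr -d '"'
}

# Print one finding per line for config file $1.
tls_findings() {
    local cfg=$1 protos ciphers p c oldifs
    if [ "$(directive_value "$cfg" ssl)" = "on" ]; then
        echo "ssl on: obsolete since nginx 1.15.0, use 'listen 443 ssl' instead"
    fi
    protos=$(directive_value "$cfg" ssl_protocols)
    if [ -z "$protos" ]; then
        echo "ssl_protocols: not set, nginx's built-in default applies"
    fi
    for p in $protos; do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "ssl_protocols: $p is deprecated and should be removed" ;;
        esac
    done
    # Cipher list entries are ':'-separated; entries starting with '!' are
    # exclusions and therefore fine, anything else naming RC4, 3DES or MD5
    # is a weak suite that is actively offered.
    ciphers=$(directive_value "$cfg" ssl_ciphers)
    oldifs=$IFS; IFS=:
    for c in $ciphers; do
        case $c in
            '!'*) ;;
            *RC4*|*DES-CBC3*|*MD5*) echo "ssl_ciphers: $c is a weak suite" ;;
        esac
    done
    IFS=$oldifs
    if ! grep -q 'Strict-Transport-Security' "$cfg"; then
        echo "add_header: no Strict-Transport-Security header, HSTS not enabled"
    fi
    return 0
}

# Return 0 when config file $1 produces no findings, 1 otherwise.
check_nginx_tls() {
    [ "$(tls_findings "$1" | wc -l)" -eq 0 ]
}

# Constructed sample configs for the demo, written into directory $1.
write_sample_configs() {
    mkdir -p "$1"
    cat > "$1/weak.conf" <<'EOF'
server {
    listen 443;
    server_name _;
    ssl on;
    ssl_certificate /opt/nginx/conf/vhosts/cert.crt;
    ssl_certificate_key /opt/nginx/conf/vhosts/cert.key;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
EOF
    cat > "$1/hardened.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate /etc/nginx/ssl/www.crt;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5:!RC4";
    add_header Strict-Transport-Security "max-age=15768000" always;
}
EOF
}

# Usage: ./tls-lint.sh <nginx-config-file>
if [ "$#" -gt 0 ]; then
    if check_nginx_tls "$1"; then echo "$1: no TLS findings"; else tls_findings "$1"; fi
fi
```

Run against the page's first configuration the checker reports ssl on, each of SSLv2, SSLv3 and TLSv1, and the missing HSTS header; run against the second it reports TLSv1, TLSv1.1 and the three DES-CBC3 suites, which is a useful reminder that a long explicit cipher list is not automatically a strong one.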

Nginx SSL configuration: restarting without a passphrase

The nginx configuration stays the same, but there is a problem: restarting nginx asks for the key passphrase. There is a way to avoid typing it. Enter the following command:

openssl rsa -in pupboss.key -out pupboss_unsecure.key

Forcing HTTPS

Add the following block:

server {
    listen 80;
    server_name lvtao.net;
    return 301 https://$server_name$request_uri;
}
