基於openresty配置https訪問

 

 

安裝方法： http://openresty.org/cn/linux-packages.html

 

 

1. openssl的版本信息

[root@localhost conf]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

 

2. openresty的版本信息

[root@localhost sbin]# ./nginx -V

3. 創建服務器私鑰，命令會提醒輸入一個密碼，必須輸入（在nginx的conf所在的路徑下進行操作，當然也可以在其他路徑，需要配合后續的nginx的配置一起改變）

[root@localhost conf]# openssl genrsa -des3 -out server.key 4096
Generating RSA private key, 4096 bit long modulus
..............................................................++
........................++
e is 65537 (0x10001)
Enter pass phrase for server.key:
140180344625056:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 8191 characters
Enter pass phrase for server.key:
140180344625056:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 8191 characters
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@localhost conf]# ll
總用量 64
-rw-r--r--. 1 root root 1077 3月   8 12:08 fastcgi.conf
-rw-r--r--. 1 root root 1077 3月   8 13:20 fastcgi.conf.default
-rw-r--r--. 1 root root 1007 3月   8 12:08 fastcgi_params
-rw-r--r--. 1 root root 1007 3月   8 13:20 fastcgi_params.default
-rw-r--r--. 1 root root 2837 3月   8 13:20 koi-utf
-rw-r--r--. 1 root root 2223 3月   8 13:20 koi-win
-rw-r--r--. 1 root root 3957 3月   8 12:08 mime.types
-rw-r--r--. 1 root root 3957 3月   8 13:20 mime.types.default
-rw-r--r--. 1 root root 3012 3月  14 16:41 nginx.conf
-rw-r--r--. 1 root root 2656 3月   8 13:20 nginx.conf.default
-rw-r--r--. 1 root root  636 3月   8 12:08 scgi_params
-rw-r--r--. 1 root root  636 3月   8 13:20 scgi_params.default
-rw-r--r--  1 root root 3311 7月  11 14:15 server.key
-rw-r--r--. 1 root root  664 3月   8 12:08 uwsgi_params
-rw-r--r--. 1 root root  664 3月   8 13:20 uwsgi_params.default
-rw-r--r--. 1 root root 3610 3月   8 13:20 win-utf

 

 

4. 創建簽名請求的證書（CSR）

[root@localhost conf]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hubei
Locality Name (eg, city) [Default City]:wuhan
Organization Name (eg, company) [Default Company Ltd]:tk
Organizational Unit Name (eg, section) []:iflab
Common Name (eg, your name or your server's hostname) []:root
Email Address []:shihuc@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:shihuc
An optional company name []:tk
[root@localhost conf]#

 

 

5. 在加載SSL支持的Nginx服務器上，使用上述私鑰時除去必須的口令（注意，所謂除去，其實就是將必須的私鑰密碼寫入到了私鑰文件里面了，更新了原來的私鑰文件）

[root@localhost conf]# cp server.key server.key.org
[root@localhost conf]# 
[root@localhost conf]# openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org:
writing RSA key
[root@localhost conf]# 

 

 

6. 通過openssl的x509指令生產證書文件

[root@localhost conf]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=cn/ST=hubei/L=wuhan/O=tk/OU=iflab/CN=root/emailAddress=shihuc@163.com
Getting Private key

 

 

7. nginx的簡單配置

# HTTPS server
#
server {
    listen       443 ssl;
    server_name  localhost;

    ssl_certificate      server.crt;
    ssl_certificate_key  server.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        root   html/SSLROOT;
        index  index.html index.htm;
    }
}

 

在nginx的html目錄下，創建SSLROOT目錄，並在下面創建一個index.html的頁面，用於測試。

 

 

 

8. 一個用於轉發的nginx.conf文件

worker_processes        1;
error_log       logs/error.log;
events {
        worker_connections 1024;
}

http {
        keepalive_timeout       65;
        sendfile        on;

        log_format      main    '$remote_addr - $remote_user [$time_local] "$request" '
                                '$status $body_bytes_sent "$http_referer" '
                                '"$http_user_agent" "$http_x_forwarded_for"';


        server {
        listen       443 ssl;
#       listen  8081    ssl;
        server_name  localhost;

        ssl_certificate      kaili.axinfu.com.crt;
        ssl_certificate_key  kaili.axinfu.com.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
                root   html/SSLROOT;
                index  index.html index.htm;
                 # 開啟白名單，根據需求替換
                allow 127.0.0.1;
                allow 192.168.11.10;
                deny all;



                 #反向代理,根據需求替換
                proxy_pass      http://192.168.11.10:9581;
                proxy_set_header        Host    $host;
                proxy_set_header        X-Forwarded-For $remote_addr;
        }
        }
}

 

 

參考：https://www.cnblogs.com/shihuc/p/7150900.html