Nginx之Https 證書加密

 

SSL證書是數字證書的一種，類似於駕駛證、護照和營業執照的電子副本。因為配置在服務器上，也稱為SSL服務器證書。

 

• 1、檢查SSL模塊狀態
• 2、准備私鑰和證書
• 3、開啟Nginx SSL
• 4、 HTTPS常見報錯

目錄

1、檢查SSL模塊狀態

[root@web-node1~]# /application/nginx/sbin/nginx -V

nginx version: nginx/1.6.3

built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)

TLS SNI support enabled

configure arguments: --prefix=/application/nginx-1.6.3 --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module

2、准備私鑰和證書

2.1創建服務器私鑰

[root@web-node1~]# cd /application/nginx/conf/

[root@web-node1 conf]# mkdir key

[root@web-node1 conf]# cd key/

[root@web-node1 key]# openssl genrsa -des3 -out server.key 1024

Generating RSA private key, 1024 bit long modulus

..++++++

...++++++

e is 65537 (0x10001)

Enter pass phrase for server.key:

Verifying - Enter pass phrase for server.key:

2.2簽發證書

[root@web-node1 key]# openssl req -new -key server.key -out server.csr

Enter pass phrase for server.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:BJ

Locality Name (eg, city) [Default City]:BJ

Organization Name (eg, company) [Default Company Ltd]:SDU

Organizational Unit Name (eg, section) []:SA         

Common Name (eg, your name or your server's hostname) []:Qiuyt

Email Address []:qiuyuetao@163.com

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:     

An optional company name []:

2.3刪除服務器私鑰口令

[root@web-node1 key]# cp server.key server.key.ori

[root@web-node1 key]# openssl rsa -in server.key.ori -out server.key

Enter pass phrase for server.key.ori:

writing RSA key

2.4生成使用簽名請求證書
和私鑰生成自簽證書

[root@web-node1 key]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Signature ok

subject=/C=CN/ST=BJ/L=BJ/O=SDU/OU=SA/CN=XuBuSi/emailAddress=qiuyt@yilonghc.com

Getting Private key

3、開啟Nginx SSL

[root@web-node1 ~]# cat /application/nginx/conf/vhosts/www.conf

server

    {

        listen 443 default_server;

        server_name 自己域名;

 

 

#Globalsign New-2

        ssl                  on;

        ssl_certificate      /usr/local/nginx/conf/new-2-ssl/server.cer;

        ssl_certificate_key  /usr/local/nginx/conf/new-2-ssl/server.key;

        ssl_session_timeout 5m;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

        ssl_prefer_server_ciphers on;

 

        index index.html index.htm index.php;

        root  /yilongdata/webs/******/public; ##自己網站根目錄

 

    location / {

#           return 503;

        try_files $uri $uri/ /index.php$is_args$query_string;

        }

 

        location ~ [^/]\.php(/|$)

        {

#            limit_conn perip 60;

#            limit_req zone=perreq nodelay;

            try_files $uri =404;

            fastcgi_pass   myfastcgi;

            fastcgi_index index.php;

            include fastcgi.conf;

            fastcgi_param  HTTPS on;

        expires      -1;

        }

 

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$

        {

            expires      30d;

        }

 

        location ~ .*\.(js|css)?$

        {

            expires      12h;

        }

 

        access_log  /yilongdata/logs/*******/access/www.yilonghc.cn.log  main;

 

        location ~ /\.ht {

          deny all;

        }

 

    }

##注意

#PHP 開啟方式 1:

php-fpm.conf: listen = 127.0.0.1:9000

nginx.conf: fastcgi_pass 127.0.0.1:9000;

#方式2:

php-fpm.conf: listen = /tmp/php-fpm.sock

nginx.conf: fastcgi_pass unix:/tmp/php-cgi.sock;

#php 配置文件注銷

使用; 不能用#

3.1重啟nginx生效

[root@web-node1 ~]# /application/nginx/sbin/nginx -s reload

[root@web-node1 ~]# netstat -lntup|grep 443

tcp        0    0 0.0.0.0:443                 0.0.0.0:*                   LISTEN    1711/nginx

3.2測試https

由於該證書非第三方權威機構頒發，而是我們自己簽發的，所以瀏覽器會警告，如果是對外的業務需要加密，必須使用商用第三方簽名證書。

1.4配置重定向80端口轉443端口

以上配置有個不好的地方，如果用戶使用時忘了使用https或者443端口，那么將會報錯，所以我們需要80端口的訪問轉到443端口並使用ssl加密訪問。

只需要增加一個server段，使用301永久重定向。

[root@web-node1 ~]# tail -5 /application/nginx/conf/vhosts/www.conf

server {

        listen 80;

        server_name jianguo.yi*****.cn;

        rewrite ^(.*) https://$server_name$1 permanent;

}

[root@web-node1 ~]# /application/nginx/sbin/nginx -t

nginx: the configuration file /application/nginx-1.6.3/conf/nginx.conf syntax is ok

nginx: configuration file /application/nginx-1.6.3/conf/nginx.conf test is successful

[root@web-node1 ~]# /application/nginx/sbin/nginx -s reload

4、 HTTPS常見報錯

生產中遇到個錯誤，原因是將業務遷到雲上后，原環境是apache，現在用的是nginx，ssl整數配置一致，但是出現如下錯誤

[root@Lhapp key]# /application/nginx/sbin/nginx -t

nginx: [emerg] PEM_read_bio_X509_AUX("/application/nginx-1.8.1//conf/key/lhapi.csr") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)

nginx: configuration file /application/nginx-1.8.1//conf/nginx.conf test failed

#經過百度查閱，發現在apache中，公鑰配置如下

 

[root@files conf.d]# grep -nr "SSLCertificateFile" ./

./ssl.conf:123:SSLCertificateFile /etc/httpd/lhapissl/214026611150535.pem

#它這里沒有server.csr 而是用的*.pem做為工作，所以我把nginx也改為*.pem就OK了

ssl_certificate key/214026611150535.pem;

結果OK，證書生效