Without an SSL certificate to encrypt and authenticate the server's traffic, user data travels in plaintext, so anyone with a packet-capture tool can read a user's password, which is extremely dangerous. There is also no way to verify the consistency and integrity of the data, i.e. to be sure it was not altered in transit. So a site that handles user accounts or other sensitive information normally needs an SSL certificate configured so that it serves HTTPS.
In production, SSL certificates are bought from a third-party certificate authority. They come as standard OV certificates (the browser's address bar does not show the company name) and premium EV certificates (it does); the number of domain names a certificate covers also affects the price (certifying only www and a wildcard * are priced differently), and a wildcard does not cover third-level domains. For testing you can act as your own certificate authority and issue the certificate yourself; the browser then shows it in red, meaning the certificate is expired or invalid, while yellow means some of the site's links still use plain HTTP.
Whichever method you use, the Nginx configuration is the same once you have the certificate, so this walkthrough uses OpenSSL to build a CA and issue the certificates from start to finish.
I. Prepare the environment
1) the nginx service
2) the ssl module
[root@ns3 ~]# systemctl stop firewalld
[root@ns3 ~]# iptables -F
[root@ns3 ~]# setenforce 0
[root@ns3 ~]# yum -y install pcre zlib pcre-devel zlib-devel
[root@ns3 ~]# tar xf nginx-1.16.0.tar.gz -C /usr/src/
[root@ns3 ~]# cd /usr/src/nginx-1.16.0
[root@ns3 ~]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-http_flv_module --with-http_gzip_static_module && make && make install   # build in all the modules needed later in one go
3) Check whether openssl is installed
[root@ns3 ~]# rpm -qa openssl
openssl-1.0.1e-42.el7.x86_64
If it is not installed:
[root@ns3 ~]# yum -y install openssl openssl-devel
II. Create the root CA certificate
1. Generate the CA private key
[root@ns3 ~]# cd zhengshu/
[root@ns3 zhengshu]# openssl genrsa -out local.key 2048
Generating RSA private key, 2048 bit long modulus
.....................................+++
..........................+++
e is 65537 (0x10001)
[root@ns3 zhengshu]# ls
local.key
2. Generate the CA certificate request
[root@ns3 zhengshu]# openssl req -new -key local.key -out local.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                              # country
State or Province Name (full name) []:BJ                          # province
Locality Name (eg, city) [Default City]:BJ                        # city
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:test                    # department
Common Name (eg, your name or your server's hostname) []:test     # hostname
Email Address []:test@test.com                                    # e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:wuminyan                                  # password
An optional company name []:wuminyan                              # name
[root@ns3 zhengshu]# ls
local.csr  local.key

req:   the umbrella command for generating certificate requests, verifying certificates and creating a root CA
-new:  generate a new certificate request
-x509: output a certificate directly instead of a request
-key:  the private key used when generating the request
-out:  the output file
3. Generate the CA root certificate
This command for generating the CA certificate can be confusing:
1. the private key is used to generate a certificate request file
2. the certificate request file is used to generate the final certificate
-in takes the certificate request file and generates the certificate from it; -signkey specifies the private key, a parameter I have not yet fully understood
[root@ns3 zhengshu]# openssl x509 -req -in local.csr -extensions v3_ca -signkey local.key -out local.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=Default Company Ltd/OU=test/CN=test/emailAddress=test@test.com
Getting Private key
III. Create the server certificate from the CA certificate
1. Generate the server private key
[root@ns3 zhengshu]# openssl genrsa -out my_server.key 2048
Generating RSA private key, 2048 bit long modulus
.................................+++
.........................................+++
e is 65537 (0x10001)
[root@ns3 zhengshu]# ls
local.crt  local.csr  local.key  my_server.key
2. Generate the server certificate request
[root@ns3 zhengshu]# openssl req -new -key my_server.key -out my_server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:test
Email Address []:test@test.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:wuminyan
An optional company name []:wuminyan
[root@ns3 zhengshu]# ls
local.crt  local.csr  local.key  my_server.csr  my_server.key
3. Generate the server certificate
[root@ns3 zhengshu]# openssl x509 -days 365 -req -in my_server.csr -extensions v3_req -CAkey local.key -CA local.crt -CAcreateserial -out my_server.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=Default Company Ltd/OU=test/CN=test/emailAddress=test@test.com
Getting CA Private Key
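The CA and server-certificate procedure of sections II and III as one script, added here as an example (these are not the post's own commands). It assumes the hostname test.com from the nginx server_name used later, and it adds the extension file that `-extensions v3_ca` / `-extensions v3_req` need: `openssl x509 -req` only reads extensions when `-extfile` is also given, so the post's certificates come out without the CA:TRUE basicConstraints on the CA and without a subjectAltName on the server, which browsers check instead of the CN.

```shell
#!/bin/sh
# Added example (not from the original post): a throw-away CA and a server
# certificate built the way the post does it, plus the v3 extensions the post's
# `openssl x509 -req -extensions ...` silently drops (x509 reads extensions only
# when -extfile is also given). Hostname test.com is assumed from the post's
# nginx server_name; all file names below are this example's own.
set -e

# make_test_pki DIR HOST: writes ca.key/ca.crt and server.key/server.csr/server.crt into DIR
make_test_pki() {
  dir=$1 host=$2
  mkdir -p "$dir"
  # Root CA: self-signed, with basicConstraints CA:TRUE so verifiers accept it as an issuer
  cat > "$dir/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -key "$dir/ca.key" -subj "/C=CN/O=Test CA/CN=Test Root CA" -out "$dir/ca.csr"
  openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
  # Server certificate: CA:FALSE, serverAuth, and the SAN browsers check instead of the CN
  cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -subj "/C=CN/O=Test/CN=$host" -out "$dir/server.csr"
  openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# sign_like_the_post DIR: the post's form, -extensions v3_req without -extfile, so no SAN is written
sign_like_the_post() {
  openssl x509 -req -days 365 -in "$1/server.csr" -extensions v3_req -CA "$1/ca.crt" \
    -CAkey "$1/ca.key" -CAcreateserial -out "$1/server_nosan.crt" 2>/dev/null
}

# has_san CERT HOST: succeeds when CERT carries subjectAltName DNS:HOST
has_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }

# verify_chain DIR: succeeds when server.crt chains to ca.crt (what the browser will check)
verify_chain() { openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null; }

# Usage: make_test_pki ./zhengshu test.com && verify_chain ./zhengshu && has_san ./zhengshu/server.crt test.com
```

Point nginx at server.crt and server.key from the output directory, and import ca.crt into the test browser's trust store to get rid of the red indicator.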
IV. Configure nginx for SSL
[root@ns3 ~]# vim /usr/local/nginx/conf/nginx.conf   # nginx.conf lives under the --prefix used at build time; the nginx binary was put on PATH with: ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
# inside the existing http { ... } block:
server {
    listen 80;
    listen 443 ssl default_server;      # listen on port 443 for TLS ("default ssl" is the older spelling of the same thing)
    keepalive_timeout 100;              # enable keepalive: long-lived connections reduce the number of client requests

    ssl_certificate     /root/zhengshu/my_server.crt;  # the server certificate issued in section III (not the CA's own local.crt)
    ssl_certificate_key /root/zhengshu/my_server.key;  # the server private key

    ssl_session_cache shared:SSL:10m;   # cache TLS sessions
    ssl_session_timeout 10m;            # sessions expire after 10 minutes

    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    server_name test.com;
    charset utf-8;

    location / {
        root  html;
        index index.html index.htm;
    }
}
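A hardened version of the section IV server block, added here as an example (not the post's own configuration): plain-HTTP requests are redirected instead of being served alongside HTTPS, which is also what removes the yellow mixed-content indicator mentioned at the start, and the TLS listener uses the server certificate from section III. The certificate paths, server_name test.com and config location follow the post; the protocol list, cipher list, session-ticket setting and HSTS header are this example's additions.

```nginx
# Added example, not the post's own config. Goes inside the http { ... } block of
# /usr/local/nginx/conf/nginx.conf (the post's build --prefix). Paths and server_name
# are taken from the post; everything else is this example's choice.

server {
    listen 80 default_server;
    server_name test.com;
    # Serve nothing over plain HTTP: every request is sent to the TLS listener.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl default_server;
    server_name test.com;

    # The certificate issued to the server in section III and its key (not the CA's local.crt).
    ssl_certificate     /root/zhengshu/my_server.crt;
    ssl_certificate_key /root/zhengshu/my_server.key;

    # TLS 1.2 and 1.3 only. With the openssl 1.0.1e shown in section I nginx can still only
    # negotiate TLS 1.2; TLS 1.3 needs nginx built against OpenSSL 1.1.1 or later.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. The post's HIGH:!aNULL:!MD5 still admits static-RSA
    # key exchange and CBC suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;   # with a curated list the client may choose (mobile clients prefer CHACHA20)

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;         # nothing rotates the ticket key in this setup, so do not issue tickets

    # Keep browsers on HTTPS for this host; add only once every page works over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        root  html;
        index index.html index.htm;
    }
}
```

Run `nginx -t` after editing and `nginx -s reload` to apply; the test in section V should then land on https:// even when http:// is typed.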
V. Test
Enter https://192.168.200.115 in the browser's address bar.