SSL證書是數字證書的一種,因為配置在伺服器上,也稱為SSL伺服器證書。它遵守SSL協定,由受信任的數字證書頒發機構CA,在驗證伺服器身份後頒發,具有伺服器身份驗證和資料傳輸加密功能。
<a href="https://s1.51cto.com/wyfs02/M02/9E/8A/wKioL1mTAKzC0PLwAAAp1VDqkH0036.jpg" target="_blank"></a>
SSL證書通過在用戶端浏覽器和Web伺服器之間建立一條SSL安全通道,通過它可以激活SSL協定,實作資料資訊在用戶端和伺服器之間的加密傳輸,可以防止資料資訊的洩露。保證了雙方傳遞資訊的安全性,而且使用者可以通過伺服器證書驗證他所通路的網站是否是真實可靠。
<a href="https://s1.51cto.com/wyfs02/M01/9E/8A/wKioL1mTAMWQwZuNAAAjXjb6F4c701.gif" target="_blank"></a>
下面将示範在nginx環境下ssl的配置方式。
一、産生SSL密鑰對
1、安裝openssl
1
2
3
4
<code>[root@plinuxos ~]</code><code># cd /usr/local/nginx/conf/</code>
<code>[root@plinuxos conf]</code><code># rpm -qf `which openssl`</code>
<code>openssl-1.0.1e-60.el7_3.1.x86_64</code>
<code>[root@plinuxos conf]</code><code># yum install -y openssl</code>
2、設定私鑰
5
6
7
8
9
10
11
<code>[root@plinuxos conf]</code><code># openssl genrsa -des3 -out tmp.key 2048</code>
<code>Generating RSA private key, 2048 bit long modulus</code>
<code>..........................+++</code>
<code>...........................................................................................................................................................+++</code>
<code>e is 65537 (0x10001)</code>
<code>Enter pass phrase </code><code>for</code> <code>tmp.key:</code>
<code>Verifying - Enter pass phrase </code><code>for</code> <code>tmp.key:</code>
<code>[root@plinuxos conf]</code><code># openssl rsa -in tmp.key -out sykey.key ##取消密碼,生成新的私鑰檔案</code>
<code>writing RSA key</code>
<code>[root@plinuxos conf]</code><code># rm -rf tmp.key</code>
3、生成證書請求檔案
12
13
14
15
16
17
18
19
20
<code>[root@plinuxos conf]</code><code># openssl req -new -key sykey.key -out key.csr</code>
<code>You are about to be asked to enter information that will be incorporated</code>
<code>into your certificate request.</code>
<code>What you are about to enter is what is called a Distinguished Name or a DN.</code>
<code>There are quite a few fields but you can leave some blank</code>
<code>For some fields there will be a default value,</code>
<code>If you enter </code><code>'.'</code><code>, the field will be left blank.</code>
<code>-----</code>
<code>Country Name (2 letter code) [XX]:cn</code>
<code>State or Province Name (full name) []:shanghai</code>
<code>Locality Name (eg, city) [Default City]:shanghai</code>
<code>Organization Name (eg, company) [Default Company Ltd]:51cto</code>
<code>Organizational Unit Name (eg, section) []:it</code>
<code>Common Name (eg, your name or your server's </code><code>hostname</code><code>) []:grodd</code>
<code>Email Address []:51cto.51cto.com</code>
<code>Please enter the following </code><code>'extra'</code> <code>attributes</code>
<code>to be sent with your certificate request</code>
<code>A challenge password []:</code><code>pwd</code>
<code>An optional company name []:51cto</code>
4、生成公鑰
<code>[root@plinuxos conf]</code><code># openssl x509 -req -days 365 -in key.csr -signkey sykey.key -out gykey.crt</code>
<code>Signature ok</code>
<code>subject=</code><code>/C</code><code>=cn</code><code>/ST</code><code>=shanghai</code><code>/L</code><code>=shanghai</code><code>/O</code><code>=51cto</code><code>/OU</code><code>=it</code><code>/CN</code><code>=grodd</code><code>/emailAddress</code><code>=51cto.51cto.com</code>
<code>Getting Private key</code>
二、Nginx配置SSL
1、編輯配置檔案
<code>[root@plinuxos conf]</code><code># mkdir /data/wwwroot/test.com</code>
<code>[root@plinuxos conf]</code><code># vi /usr/local/nginx/conf/vhost/ssl.conf</code>
<code>server</code>
<code>{</code>
<code> </code><code>listen 443;</code>
<code> </code><code>server_name </code><code>test</code><code>.com;</code>
<code> </code><code>index index.html index.php;</code>
<code> </code><code>root </code><code>/data/wwwroot/test</code><code>.com;</code>
<code> </code><code>ssl on;</code>
<code> </code><code>ssl_certificate gykey.crt;</code>
<code> </code><code>ssl_certificate_key sykey.key;</code>
<code> </code><code>ssl_protocols TLSv1 TLSv1.1 TLSv1.2;</code>
<code>}</code>
2、重新編譯安裝
<code>[root@plinuxos conf]</code><code># cd /usr/local/src/nginx-1.12.1</code>
<code>[root@plinuxos nginx-1.12.1]</code><code># ./configure --prefix=/usr/local/nginx --with-http_ssl_module</code>
<code>[root@plinuxos nginx-1.12.1]</code><code># echo $?</code>
<code>0</code>
<code>[root@plinuxos nginx-1.12.1]</code><code># make && make install</code>
3、檢查與重載
<code>[root@plinuxos nginx-1.12.1]</code><code># /usr/local/nginx/sbin/nginx -V</code>
<code>nginx version: nginx</code><code>/1</code><code>.12.1</code>
<code>built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC) </code>
<code>built with OpenSSL 1.0.1e-fips 11 Feb 2013</code>
<code>TLS SNI support enabled</code>
<code>configure arguments: --prefix=</code><code>/usr/local/nginx</code> <code>--with-http_ssl_module</code>
<code>[root@plinuxos nginx-1.12.1]</code><code># /usr/local/nginx/sbin/nginx -t</code>
<code>nginx: the configuration </code><code>file</code> <code>/usr/local/nginx/conf/nginx</code><code>.conf syntax is ok</code>
<code>nginx: configuration </code><code>file</code> <code>/usr/local/nginx/conf/nginx</code><code>.conf </code><code>test</code> <code>is successful</code>
<code>[root@plinuxos nginx-1.12.1]</code><code># /etc/init.d/nginx restart</code>
<code>Restarting nginx (via systemctl): [ OK ]</code>
<code>[root@plinuxos nginx-1.12.1]</code><code># netstat -lntp |grep -i nginx</code>
<code>tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2233</code><code>/nginx</code><code>: master </code>
<code>tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2233</code><code>/nginx</code><code>: master</code>
4、測試效果
<code>[root@plinuxos nginx-1.12.1]</code><code># cd /data/wwwroot/test.com/</code>
<code>[root@plinuxos </code><code>test</code><code>.com]</code><code># echo "ssl test" > index.html</code>
本地測試
<code>[root@plinuxos </code><code>test</code><code>.com]</code><code># vi /etc/hosts</code>
<code>127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 </code><code>test</code><code>.com</code>
<code>::1 localhost localhost.localdomain localhost6 localhost6.localdomain6</code>
<code>[root@plinuxos </code><code>test</code><code>.com]</code><code># curl https://test.com</code>
<code>curl: (60) Peer's certificate issuer has been marked as not trusted by the user.</code>
<code>More details here: http:</code><code>//curl</code><code>.haxx.se</code><code>/docs/sslcerts</code><code>.html</code>
<code>curl performs SSL certificate verification by default, using a </code><code>"bundle"</code>
<code> </code><code>of Certificate Authority (CA) public keys (CA certs). If the default</code>
<code> </code><code>bundle </code><code>file</code> <code>isn't adequate, you can specify an alternate </code><code>file</code>
<code> </code><code>using the --cacert option.</code>
<code>If this HTTPS server uses a certificate signed by a CA represented </code><code>in</code>
<code> </code><code>the bundle, the certificate verification probably failed due to a</code>
<code> </code><code>problem with the certificate (it might be expired, or the name might</code>
<code> </code><code>not match the domain name </code><code>in</code> <code>the URL).</code>
<code>If you</code><code>'d like to turn off curl'</code><code>s verification of the certificate, use</code>
<code> </code><code>the -k (or --insecure) option.</code>
遠端測試
注意:由于模拟使用的是雲主機,要確定安全組政策放過443端口。此外,系統的防火牆沒有做任何限制。
<a href="https://s5.51cto.com/wyfs02/M00/9E/9C/wKiom1mTCeCjfSU6AADzi0K5McY506.png-wh_500x0-wm_3-wmp_4-s_1026110867.png" target="_blank"></a>
<a href="https://s5.51cto.com/wyfs02/M00/9E/8A/wKioL1mTCeDw4Z_TAAAek9ojMl8176.png-wh_500x0-wm_3-wmp_4-s_196245760.png" target="_blank"></a>
本文轉自Grodd51CTO部落格,原文連結:http://blog.51cto.com/juispan/1956587,如需轉載請自行聯系原作者
![(Nginx)03_Nginx原理與優化一、Nginx原理二、master-workers機制三、面試題:[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)