An SSL certificate is a type of digital certificate; because it is installed on a server, it is also called an SSL server certificate. It follows the SSL protocol and is issued by a trusted certificate authority (CA) after the server's identity has been verified, providing both server authentication and encryption of data in transit.
An SSL certificate establishes an SSL-secured channel between the client browser and the web server. Over that channel the SSL protocol is activated, so data travels encrypted between client and server and cannot be read in transit. This protects the confidentiality of what both sides exchange, and the user can use the server certificate to verify that the site being visited is the genuine one.
The following demonstrates how to configure SSL for nginx.
I. Generating the SSL key pair
1. Install openssl

```
[root@plinuxos ~]# cd /usr/local/nginx/conf/
[root@plinuxos conf]# rpm -qf `which openssl`
openssl-1.0.1e-60.el7_3.1.x86_64
[root@plinuxos conf]# yum install -y openssl
```
2. Create the private key

```
[root@plinuxos conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
..........................+++
...........................................................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
[root@plinuxos conf]# openssl rsa -in tmp.key -out sykey.key ## strip the passphrase and write a new private key file
writing RSA key
[root@plinuxos conf]# rm -rf tmp.key
```
3. Generate the certificate signing request (CSR)

```
[root@plinuxos conf]# openssl req -new -key sykey.key -out key.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:51cto
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:grodd
Email Address []:51cto.51cto.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:pwd
An optional company name []:51cto
```
4. Generate the self-signed certificate (the public half of the pair)

```
[root@plinuxos conf]# openssl x509 -req -days 365 -in key.csr -signkey sykey.key -out gykey.crt
Signature ok
subject=/C=cn/ST=shanghai/L=shanghai/O=51cto/OU=it/CN=grodd/emailAddress=51cto.51cto.com
Getting Private key
```
II. Configuring SSL in Nginx
1. Edit the configuration file
```
[root@plinuxos conf]# mkdir /data/wwwroot/test.com
[root@plinuxos conf]# vi /usr/local/nginx/conf/vhost/ssl.conf
server
{
    listen 443;
    server_name test.com;
    index index.html index.php;
    root /data/wwwroot/test.com;
    ssl on;
    ssl_certificate gykey.crt;
    ssl_certificate_key sykey.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
```
2. Recompile and reinstall with the SSL module

```
[root@plinuxos conf]# cd /usr/local/src/nginx-1.12.1
[root@plinuxos nginx-1.12.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@plinuxos nginx-1.12.1]# echo $?
0
[root@plinuxos nginx-1.12.1]# make && make install
```
3. Check the build and reload

```
[root@plinuxos nginx-1.12.1]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
[root@plinuxos nginx-1.12.1]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@plinuxos nginx-1.12.1]# /etc/init.d/nginx restart
Restarting nginx (via systemctl): [ OK ]
[root@plinuxos nginx-1.12.1]# netstat -lntp |grep -i nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2233/nginx: master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2233/nginx: master
```
4. Test the result

```
[root@plinuxos nginx-1.12.1]# cd /data/wwwroot/test.com/
[root@plinuxos test.com]# echo "ssl test" > index.html
```
Local test

```
[root@plinuxos test.com]# vi /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 test.com
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
[root@plinuxos test.com]# curl https://test.com
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
```
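The curl error above is expected: nothing in the system CA bundle vouches for a self-signed certificate. The script below is an added example, not part of the original post; it reproduces the key, CSR and self-signed certificate steps from section I non-interactively, then runs the checks worth doing before pointing `ssl_certificate` and `ssl_certificate_key` at the files: the key really belongs to the certificate, the CN matches the `server_name` the post configures (the post's CN "grodd" would not, so clients would report a host-name mismatch even after trusting the certificate), and the certificate verifies against itself, which is what `curl --cacert gykey.crt https://test.com` relies on instead of `-k`. It assumes the `openssl` CLI is installed and writes only to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): generate and check the
# self-signed material for nginx. Assumes the openssl CLI; file names follow
# the post (sykey.key, key.csr, gykey.crt), written to a temporary directory.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Generate an unencrypted 2048-bit RSA key in one step (the post creates a
# passphrase-protected key and then strips the passphrase with `openssl rsa`).
gen_key() {
  openssl genrsa -out "$WORKDIR/sykey.key" 2048 2>/dev/null
}

# Build the CSR from the command line instead of answering prompts. The CN is
# set to test.com so that it matches nginx's server_name; the post used "grodd".
gen_csr() {
  openssl req -new -key "$WORKDIR/sykey.key" -out "$WORKDIR/key.csr" \
    -subj "/C=CN/ST=shanghai/L=shanghai/O=51cto/OU=it/CN=test.com"
}

# Self-sign the request for 365 days, as the post's `openssl x509 -req` does.
gen_cert() {
  openssl x509 -req -days 365 -in "$WORKDIR/key.csr" \
    -signkey "$WORKDIR/sykey.key" -out "$WORKDIR/gykey.crt" 2>/dev/null
}

# ssl_certificate and ssl_certificate_key must belong together: compare the
# SHA-256 of the DER public key extracted from each file.
key_matches_cert() {
  k=$(openssl pkey -in "$WORKDIR/sykey.key" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$WORKDIR/gykey.crt" -pubkey -noout |
      openssl pkey -pubin -outform DER | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# The CN that clients compare against the host name in the URL.
cert_cn() {
  openssl x509 -in "$WORKDIR/gykey.crt" -noout -subject | sed 's/.*CN *= *//'
}

# A self-signed certificate is its own trust anchor: clients verify it when
# handed the certificate itself (curl --cacert gykey.crt), no -k needed.
cert_self_verifies() {
  openssl verify -CAfile "$WORKDIR/gykey.crt" "$WORKDIR/gykey.crt" >/dev/null 2>&1
}

gen_key && gen_csr && gen_cert && key_matches_cert && cert_self_verifies \
  && echo "gykey.crt / sykey.key OK, CN=$(cert_cn)"
```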
Remote test
Note: because this simulation runs on a cloud host, make sure the security group policy allows port 443. The system firewall itself has no restrictions configured.
This article is reposted from Grodd's 51CTO blog; original link: http://blog.51cto.com/juispan/1956587. Contact the original author for permission to republish.