Ngnix 配置Https
数据加密
数据安全的重要性
钓鱼网站 木马攻击等
保证数据安全的手段
加密方式
对称加密
非对称加密
总结
数字证书
证书类型
Http 和 Https
SSL 证书
各种类型SSL数字证书区别
Http和Https的区别
Nginx集群环境SSL证书部署
Tomcat配置Https单向
生成JKS密钥库,并查看证书
keytool -genkey -alias "tomcat_store" -keyalg "RSA" -keysize 2048 -validity 3650 -keypass "password" -keystore "C:\tomcat_store.keystore" -storetype JKS -storepass "password" -dname "CN=localhost, OU=cn, O=cn, L=changsha, ST=hunan, C=China"
keytool -list -v -keystore "C:\tomcat_store.keystore" -storepass "password"
keytool -list -rfc -keystore "C:\tomcat_store.keystore" -storepass "password"
或者
keytool -genkey -alias "tomcat_store" -keyalg "RSA" -keysize 2048 -validity 3650 -keypass "password" -keystore "C:\tomcat_store.keystore" -storetype PKCS12 -storepass "password" -dname "CN=localhost, OU=cn, O=cn, L=changsha, ST=hunan, C=China"
keytool -list -v -keystore "C:\tomcat_store.keystore" -storepass "password"
导入证书
keytool -importkeystore -srcalias "tomcat_store" -srckeystore C:\tomcat_store.keystore -srcstorepass "password" -srckeypass "password" -destkeystore C:\tomcat_store.keystore -deststoretype pkcs12 -destkeypass "password"
导出证书CA
keytool -export -alias "tomcat_store" -keystore "C:\tomcat_store.keystore" -storetype PKCS12 -storepass "password" -rfc -file "C:\tomcat_store.cer"
keytool -printcert -file "C:\tomcat_store.cer"
删除导入的证书
keytool -delete -alias “tomcat_store” -keystore "C:\Program Files (x86)\Java\jre6\lib\security\cacerts" -storepass changeit
Nginx配置Https单向
1. 在CentOS服务器上安装OpenSSL软件
# 安装命令
yum install openssl openssl-devel# 更新命令
yum update openssl openssl-devel
2. 配置CA服务器
生成自签署证书的密钥
# 进入证书目录(安装了OpenSSL软件就会存在该目录)
cd /etc/pki/CA/
# 使用rsa加密算法生成自签署证书的密钥(此处指定密钥长度为2048)
openssl genrsa -out private/cakey.pem 2048
# 修改权限,增加安全性
chmod 600 private/cakey.pem
利用密钥生成CA服务器的证书文件, 为了方便,首先在OpenSSL配置文件中设置一些默认值
# 编辑配置文件
vim /etc/pki/tls/openssl.cnf
修改内容如下(部分内容):
# 找到如下部分,在签署证书时证书中会写入如下内容(大概128行)
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
# 配置默认国家
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
# 默认省份名称
stateOrProvinceName_default = SiChuan
localityName = Locality Name (eg, city)
# 默认城市名称
localityName_default = ChengDu
0. organizationName = Organization Name (eg, company)
# 默认公司名称
0.organizationName_default = SkyGuard
# we can do this but it is not needed normally :-)#1.organizationName = Second Organization Name (eg, company)#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
# 默认组织单位名称
organizationalUnitName_default = BigData
生成自签署证书:
#用刚刚生成的密钥文件生成一个有效期为10年的证书
openssl req -new -x509 -key ./private/cakey.pem -out cacert.pem -days 3650
-----#以下几项使用刚刚配置的默认值,所有直接回车
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SiChuan]:
Locality Name (eg, city) [ChengDu]:
Organization Name (eg, company) [SkyGuard]:
Organizational Unit Name (eg, section) [BigData]:
# 此处配置CA服务器名字,建议使用DNS上能查找到的域名(测试可随便指定)
Common Name (eg, your name or your server's hostname) []:nginx.xiaochunping.com
# 此处设置管理员邮箱(测试可随便指定)
Email Address []:xiaochunping9987@163.com
创建如下两个文件
# 创建存放颁发证书的数据库文件
touch index.txt
# 当前颁发证书的序列号文件,颁发下一个证书时会自动加1
echo "00" > serial
3. 配置Nginx服务器Https单向认证
编译安装Nginx服务器
wget http://nginx.org/download/nginx-1.11.12.tar.gz
tar -zvxf nginx-1.11.12.tar.gz
cd nginx-1.11.12
#一定要将ssl模块编译进去
./configure --with-http_ssl_module
make
make install
# 进入到Nginx目录
cd /usr/local/nginx
配置Nginx服务器支持ssl
# 创建存放ssl先关的目录,并进入目录
mkdir ssl && cd ssl
# 生成本地密钥
openssl genrsa 2048 > httpd.key
# 修改权限,增加安全性
chmod 600 httpd.key
# 生成证书申请文件,以便传入CA服务器申请证书
openssl req -new -key httpd.key -out httpd.crq
-----#以下几项与CA服务器信息保持一致
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SiChuan
Locality Name (eg, city) [Default City]:ChengDu
Organization Name (eg, company) [Default Company Ltd]:SkyGuard
Organizational Unit Name (eg, section) []:BigData# Nginx中虚拟主机名,只对该虚拟主机的请求加密
Common Name (eg, your name or your server's hostname) []:nginx.xiaochunping.com
# 管理员邮箱
Email Address []:xiaochunping9987@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
# 设置单独密码,忽略即可
A challenge password []:
An optional company name []
登录到CA服务器对证书进行签署,切换到CA目录
openssl ca -in /tmp/httpd.crq -out /tmp/httpd.crt -days 3650
Certificate is to be certified until Mar 23 05:25:03 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
配置Nginx
vim conf/nginx.conf# 增加如下虚拟主机
server {
listen 443 ssl;
server_name nginx.skyguard.com.cn;
ssl on;
ssl_certificate ../ssl/httpd.crt;
ssl_certificate_key ../ssl/httpd.key;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
# 启动Nginx服务器
./sbin/nginx
然后用浏览器打开https://ip
tcp.port == 80
tcp.port == 443 and ip.addr == 47.106.202.10
10万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
