Nginx: Configuring an HTTPS Certificate (One-Way Authentication)


Background on HTTPS: HTTPS相关介绍_孟孟的博客-CSDN博客

I. Generate the CA private key

1. Generate a CA private key: ca.key

mkdir /home/nginx/ssl
cd /home/nginx/ssl
openssl genrsa -out ca.key 4096

II. Generate the CA's digital certificate

1. Generate a CA digital certificate: ca.crt

openssl req -new -x509 -days 365 -key ca.key -out ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Team
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Certificate Authority
Email Address []:

III. Generate the server-side certificate signing request

1. Generate the nginx-side private key: nginx.key

openssl genrsa -des3 -out nginx.key 4096

2. Generate the nginx-side certificate signing request: nginx.csr

openssl req -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Meng
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:IP address or domain name (required)
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Note: because the server is accessed by IP address here, the Common Name is simply the IP; if it is accessed by domain name, this field must be the domain name.

IV. Sign the server certificate with the CA private key

1. Sign the nginx certificate with the CA private key: nginx.crt

openssl x509 -req -in nginx.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out nginx.crt -days 365

2. Create a copy of the RSA key that needs no passphrase; otherwise nginx asks for the password on every reload or restart

openssl rsa -in nginx.key -out nginx_nopass.key

Related files generated:

Without a CA (self-signed):

1. Generate an RSA key
openssl genrsa -des3 -out nginx.key 4096
2. Generate a certificate request
openssl req -new -key nginx.key -out nginx.csr
(answers to the DN prompts: C=CN, ST=BJ, L=BJ, O=G, OU=G, CN=221.0.111.131)
3. Create a copy of the RSA key that needs no passphrase; otherwise every reload or restart asks for the password
openssl rsa -in nginx.key -out nginx_nopass.key
4. Sign the certificate (self-signed here because this is a test; in practice the generated csr file is submitted to an SSL certificate authority)
openssl x509 -req -days 365 -in nginx.csr -signkey nginx.key -out nginx.crt

V. Configure nginx

server {
    listen       8600 ssl;
    server_name  localhost;

    ssl_certificate      /home/nginx/ssl/nginx.crt;
    ssl_certificate_key  /home/nginx/ssl/nginx_nopass.key;
    #ssl_client_certificate /home/nginx/ssl/ca.crt;  # mutual (two-way) authentication
    #ssl_verify_client on;                            # mutual (two-way) authentication

    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # protocol versions, configured as listed here
    ssl_ciphers  ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!3DES:!aNULL:!MD5:!ADH:!RC4;  # cipher suite selection
    ssl_prefer_server_ciphers  on;  # during negotiation prefer the server's cipher suites over the client browser's

    location / {
        proxy_set_header  Host  $http_host;
        proxy_set_header  X-Real-IP  $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass  http://localhost:8601;
    }
}

VI. Testing on Linux

1. Test with curl

curl --cacert ca.crt --cert nginx.crt --key nginx.key --tlsv1.2 https://IP:port

2. Add the certificate to the client's Linux trust store

cat ca.crt >> /etc/pki/tls/certs/ca-bundle.crt

The certificate error seen when accessing the HTTPS server from Linux before the CA is trusted:
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
