Linux: configuring an SSL security certificate

I. Lab design

II. Lab configuration process

[student@bogon ~]$ su - root
Password:
[root@bogon ~]# dnf -y install nginx
[root@bogon ~]# vim /etc/selinux/config
[root@bogon ~]# setenforce 0
[root@bogon ~]# systemctl stop firewalld
Clear the firewall rules
[root@bogon ~]# iptables -F ^C // versions before 9
[root@bogon ~]# nft flush ruleset // version 9 and later
[root@bogon ~]# systemctl disable firewalld
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".
[root@bogon ~]# systemctl ea
[root@bogon ~]# systemctl enable --now nginx.service
Created symlink /etc/systemd/system/multi-user.target.wants/nginx.service → /usr/lib/systemd/system/nginx.service.
[root@bogon ~]# ps -elf | grep nginx
1 S root 7870 1 0 80 0 - 2810 sigsus 16:37 ?
00:00:00 nginx: master process /usr/sbin/nginx
5 S nginx 7871 7870 0 80 0 - 3891 ep_pol 16:37 ?
00:00:00 nginx: worker process
5 S nginx 7872 7870 0 80 0 - 3891 ep_pol 16:37 ?
00:00:00 nginx: worker process
0 R root 7874 6985 0 80 0 - 55450 - 16:38 pts/0
00:00:00 grep --color=auto nginx
[root@bogon ~]# cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf_$(date +%s)
[root@bogon ~]# vim /etc/nginx/nginx.conf
[root@bogon ~]# nginx -T

Add the server name

Generate the log file and the error log file

[root@bogon ~]# ps -elf | grep nginx
1 S root 7870 1 0 80 0 - 2810 sigsus 16:37 ?
00:00:00 nginx: master process /usr/sbin/nginx
5 S nginx 7871 7870 0 80 0 - 3891 ep_pol 16:37 ?
00:00:00 nginx: worker process
5 S nginx 7872 7870 0 80 0 - 3891 ep_pol 16:37 ?
00:00:00 nginx: worker process
0 S root 8063 6985 0 80 0 - 55417 pipe_r 17:00 pts/0
00:00:00 grep --color=auto nginx
[root@bogon ~]# ps -elf | grep sshd
4 S root 1048 1 0 80 0 - 4181 do_sel 14:48 ?
00:00:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
0 S root 8091 6985 0 80 0 - 55450 pipe_r 17:04 pts/0
00:00:00 grep --color=auto sshd
[root@bogon ~]# systemctl restart sshd
[root@bogon ~]# ps -elf | grep sshd
4 S root 8095 1 0 80 0 - 4181 do_sel 17:04 ?
00:00:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
0 S root 8097 6985 0 80 0 - 55417 pipe_r 17:04 pts/0
00:00:00 grep --color=auto sshd
[root@bogon ~]# systemctl reload nginx
[root@bogon ~]# ps -elf | grep nginx
1 S root 7870 1 0 80 0 - 2842 sigsus 16:37 ?
00:00:00 nginx: master process /usr/sbin/nginx
5 S nginx 8103 7870 0 80 0 - 3927 ep_pol 17:05 ?
00:00:00 nginx: worker process
5 S nginx 8104 7870 0 80 0 - 3927 ep_pol 17:05 ?
00:00:00 nginx: worker process
0 S root 8106 6985 0 80 0 - 55417 pipe_r 17:05 pts/0
00:00:00 grep --color=auto nginx
[root@bogon ~]# echo "stuff for everyone" >> /usr/share/nginx/html/a.txt
[root@bogon ~]# echo "stuff not for everyone" >> /usr/share/nginx/html/b.txt
[root@bogon ~]# ll /usr/share/nginx/html/
total 20
-rw-r--r--. 1 root root 3971 Oct 17 2023 404.html
-rw-r--r--. 1 root root 4020 Oct 17 2023 50x.html
-rw-r--r--. 1 root root 19 Aug 26 17:08 a.txt
-rw-r--r--. 1 root root 23 Aug 26 17:08 b.txt
drwxr-xr-x. 2 root root 27 Aug 26 16:12 icons
lrwxrwxrwx. 1 root root 25 Oct 17 2023 index.html -> ../../testpage/index.html
-rw-r--r--. 1 root root 368 Oct 17 2023 nginx-logo.png
lrwxrwxrwx. 1 root root 14 Oct 17 2023 poweredby.png -> nginx-logo.png
lrwxrwxrwx. 1 root root 37 Oct 17 2023 system_noindex_logo.png -> ../../pixmaps/system-noindex-logo.png
[root@bogon ~]# curl -I http://127.0.0.1/a.txt
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 26 Aug 2024 09:09:40 GMT
Content-Type: text/plain
Content-Length: 19
Last-Modified: Mon, 26 Aug 2024 09:08:45 GMT
Connection: keep-alive
ETag: "66cc461d-13"
Accept-Ranges: bytes
[root@bogon ~]# curl http://127.0.0.1/a.txt
stuff for everyone
[root@bogon ~]# curl -I http://127.0.0.1/b.txt
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 26 Aug 2024 09:09:59 GMT
Content-Type: text/plain
Content-Length: 23
Last-Modified: Mon, 26 Aug 2024 09:08:54 GMT
Connection: keep-alive
ETag: "66cc4626-17"
Accept-Ranges: bytes
[root@bogon ~]# curl http://127.0.0.1/b.txt
stuff not for everyone
[root@bogon ~]# chmod a-r /usr/share/nginx/html/b.txt
[root@bogon ~]# ll /usr/share/nginx/html/*.txt
-rw-r--r--. 1 root root 19 Aug 26 17:08 /usr/share/nginx/html/a.txt
--w-------. 1 root root 23 Aug 26 17:08 /usr/share/nginx/html/b.txt
[root@bogon ~]# curl http://127.0.0.1/a.txt
stuff for everyone
[root@bogon ~]# curl http://127.0.0.1/b.txt
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.20.1</center>
</body>
</html>
[root@bogon ~]# chmod o+r /usr/share/nginx/html/b.txt
[root@bogon ~]# curl http://127.0.0.1/b.txt
stuff not for everyone
1. Configure a self-signed certificate to harden access
Generate the CA root key
openssl genrsa -des3 -out ca.key.pem 4096
Generate the CA certificate
openssl req -key ca.key.pem -new -x509 -days 3650 -sha256 -out ca.crt
Generate the server key file
openssl genpkey -out server.key -outpubkey server.pub -algorithm RSA -pkeyopt rsa_keygen_bits:2048
Generate the server certificate signing request (CSR)
openssl req -sha256 -new -key server.key -out server.csr
Generate the server certificate
openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key.pem -CAcreateserial -in server.csr -out server.crt
View the server certificate file
openssl x509 -noout -text -in server.crt
Core command reference for self-signed certificates:
man openssl-req

III. Lab procedure write-up

Modify the configuration file

[root@bogon ~]# mkdir -p /etc/pki/nginx
[root@bogon ~]# cd /etc/pki/nginx/
[root@bogon nginx]# mkdir private
[root@bogon nginx]# mkdir ca
[root@bogon nginx]# openssl genrsa -des3 -out ca/ca.key.pem 4096
(output omitted)
[root@bogon nginx]# openssl req -key ca/ca.key.pem -new -x509 -days 3650 -sha256 -out ca/ca.crt
(output omitted)
[root@bogon nginx]# openssl genpkey -out private/server.key -outpubkey private/server.pub -algorithm RSA -pkeyopt rsa_keygen_bits:2048
(output omitted)
[root@bogon nginx]# openssl req -sha256 -new -key private/server.key -out server.csr
(output omitted)
[root@bogon nginx]# openssl x509 -req -days 3650 -CA ca/ca.crt -CAkey ca/ca.key.pem -CAcreateserial -in server.csr -out server.crt
(output omitted)
[root@bogon nginx]# ls server.crt private/server.key
private/server.key server.crt
[root@bogon nginx]# chmod 400 private/server.key
[root@bogon nginx]# chown nginx private/server.key
[root@bogon nginx]# ll private/server.key
-r--------. 1 nginx root 1704 Aug 27 09:04 private/server.key
[root@bogon nginx]# systemctl reload nginx
[root@bogon nginx]# ss -anput | grep 443
tcp LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=2979,fd=17),("nginx",pid=2978,fd=17),("nginx",pid=1022,fd=17))
[root@bogon nginx]# tail -f /var/log/nginx/error.log
2024/08/26 17:05:32 [notice] 8101#8101: signal process started
2024/08/27 09:10:18 [notice] 2977#2977: signal process started
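The CA and server-certificate steps from section 1 and the transcript above, as an added example that is not part of the original post: one non-interactive POSIX shell script that produces the same files, then verifies them before nginx is pointed at them. A scratch directory and a constructed CA passphrase (both assumptions) stand in for /etc/pki/nginx and the interactive -des3 prompt; the script also goes slightly beyond the post by adding the hostname as a subjectAltName and checking that the key matches the certificate.

```shell
#!/bin/sh
# Added example, not from the original post: the lab's CA and server
# certificate steps as one non-interactive script, plus checks before deployment.
set -eu
# Assumptions: a scratch directory instead of /etc/pki/nginx, and a constructed
# CA passphrase via -passout/-passin instead of the interactive -des3 prompt.
PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
CA_PASS="${CA_PASS:-lab-ca-passphrase}"

# Step 1: encrypted 4096-bit CA key and a 10-year self-signed root certificate.
make_ca() {
    mkdir -p "$PKI_DIR/ca" "$PKI_DIR/private"
    openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$PKI_DIR/ca/ca.key.pem" 4096 2>/dev/null
    openssl req -key "$PKI_DIR/ca/ca.key.pem" -passin "pass:$CA_PASS" -new -x509 \
        -days 3650 -sha256 -subj "/CN=Lab Root CA" -out "$PKI_DIR/ca/ca.crt"
}

# Step 2: unencrypted 2048-bit server key (nginx must load it without a prompt),
# a CSR, and a CA-signed certificate. The hostname goes into subjectAltName too,
# because clients no longer accept a certificate that names the host only in CN.
make_server_cert() {
    host="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$PKI_DIR/private/server.key" 2>/dev/null
    openssl req -sha256 -new -key "$PKI_DIR/private/server.key" \
        -subj "/CN=$host" -out "$PKI_DIR/server.csr"
    printf 'subjectAltName=DNS:%s\n' "$host" > "$PKI_DIR/san.ext"
    openssl x509 -req -days 3650 -sha256 -CA "$PKI_DIR/ca/ca.crt" \
        -CAkey "$PKI_DIR/ca/ca.key.pem" -passin "pass:$CA_PASS" -CAcreateserial \
        -extfile "$PKI_DIR/san.ext" -in "$PKI_DIR/server.csr" \
        -out "$PKI_DIR/server.crt" 2>/dev/null
    chmod 400 "$PKI_DIR/private/server.key"   # owner read-only, as in the lab
}

# Step 3: the certificate chains to the CA and names the host, and the private
# key belongs to it (a mismatch is what nginx rejects when the config is reloaded).
verify_chain() {
    host="$1"
    openssl verify -CAfile "$PKI_DIR/ca/ca.crt" -verify_hostname "$host" \
        "$PKI_DIR/server.crt" >/dev/null || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$PKI_DIR/server.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$PKI_DIR/private/server.key")
    [ "$crt_mod" = "$key_mod" ]
}

# Usage: sh make-lab-certs.sh www.example.com
if [ $# -gt 0 ]; then
    make_ca && make_server_cert "$1" && verify_chain "$1" && echo "OK: $PKI_DIR"
fi
```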

Notes on the nginx configuration options for SSL hardening:

Configuring HTTPS servers: https://nginx.org/en/docs/http/configuring_https_servers.html

How to enable SSL in the nginx configuration file to harden the HTTP service

  1. To enable SSL, add the ssl parameter after the port number in the listen directive.
  2. Once SSL is enabled, the certificate and key paths must be configured; otherwise nginx reports an error on restart or configuration reload.
  3. ssl_protocols and ssl_ciphers set the protocol versions and cipher strength requirements; the sample configuration shows the defaults, which are usually left unchanged.

server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ...
}

nginx HTTPS optimization

  1. Increase the number of worker processes, but not beyond the number of logical cores.
  2. Extend the SSL session lifetime or reuse SSL sessions.

worker_processes auto;

http {
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    server {
        listen              443 ssl;
        server_name         www.example.com;
        keepalive_timeout   70;

        ssl_certificate     www.example.com.crt;
        ssl_certificate_key www.example.com.key;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers         HIGH:!aNULL:!MD5;
        ...
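As an added example, not from the original post or the nginx documentation, a small POSIX shell audit for the points listed above: a listen ... ssl without both certificate directives (which breaks the reload), legacy protocols still enabled in the default ssl_protocols list, and a missing session cache from the optimization section. The two server blocks are constructed for this example; the paths under /etc/pki/nginx are the lab's.

```shell
#!/bin/sh
# Added example, not from the original post: audit a server block for the
# HTTPS points above, run over two constructed configs.
set -eu
# Prints one finding per line; returns 1 if anything was found, 0 if clean.
audit_nginx_ssl() {
    conf="$1"; rc=0
    # Points 1 and 2: 'listen ... ssl' without cert and key fails on reload.
    if grep -Eq '^[[:space:]]*listen[[:space:]].*ssl' "$conf"; then
        for d in ssl_certificate ssl_certificate_key; do
            grep -Eq "^[[:space:]]*$d[[:space:]]" "$conf" || { echo "missing $d"; rc=1; }
        done
    fi
    # Point 3: the default list shown above still enables TLSv1 and TLSv1.1.
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$conf")
    for p in $protos; do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "legacy protocol enabled: $p"; rc=1 ;;
        esac
    done
    # Optimization point 2: session reuse needs a shared session cache.
    grep -Eq '^[[:space:]]*ssl_session_cache[[:space:]]' "$conf" \
        || { echo "no ssl_session_cache, sessions are not reused"; rc=1; }
    return $rc
}

# Constructed sample: the post's server block with the certificate lines left out.
weak_conf() {
    cat <<'EOF'
server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
}
EOF
}
# Constructed sample: the same block corrected, using the lab's file paths.
hardened_conf() {
    cat <<'EOF'
ssl_session_cache   shared:SSL:10m;
server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     /etc/pki/nginx/server.crt;
    ssl_certificate_key /etc/pki/nginx/private/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
}
EOF
}
```

Run it as `audit_nginx_ssl /etc/nginx/nginx.conf` (or on the output of `nginx -T`) to check a live configuration.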

 

When configuring HTTPS for several virtual hosts that share one IP address and port but have different hostnames, nginx can end up presenting the wrong certificate, because the certificate is chosen when the TLS connection is set up, before nginx knows which hostname the client requested. The solutions are:

  1. Run the different virtual hosts on different IP addresses.
  2. Configure the virtual hosts with different hostnames to use the same certificate:
    1. When requesting the certificate, submit one domain name plus several alternative names.
    2. When requesting the certificate, use a wildcard in the hostname.
  3. Enabling SNI also avoids the problem. Note that SNI availability depends on whether the dynamically linked SSL library supports it, so the following message means nginx cannot use SNI:

nginx was built with SNI support, however, now it is linked dynamically to an OpenSSL library which has no tlsext support, therefore SNI is not available

How to apply for an SSL certificate for an Alibaba Cloud server:

Product overview, Digital Certificate Management Service (formerly SSL Certificate), Alibaba Cloud Help Center: https://help.aliyun.com/zh/ssl-certificate/product-overview/?spm=a2c4g.11186623.0.0.4c993799RnLJat
