# Create a dedicated, unprivileged account for the nginx worker processes
# (the same name is passed as --user/--group to ./configure further down).
建立用户:
groupadd nginx
# -r creates a system account. No shell is given, so the useradd default
# applies — consider adding -s with the nologin shell so the account cannot
# be used for interactive logins.
useradd -g nginx -r nginx
# Open TCP 8080 (the listen port used in the nginx config below) to any source.
# -I inserts the rule at the head of the INPUT chain; it exists only in the
# running kernel table and must be saved separately to survive a reboot.
# Add -s <allowed-network> if only specific clients should reach the service.
设置防火墙:
iptables -I INPUT -p tcp --dport 8080 -j ACCEPT
# Server-only TLS: clients verify the server, no client certificates.
# The result is a self-signed server.crt that chains to no CA, so every
# client has to trust this exact certificate explicitly.
服务器验证建立证书:
# No key size is given, so the openssl build's default applies; pass the size
# explicitly (2048 bits or more) for a predictable result. The key file is
# created with the process umask — restrict it afterwards (chmod 600).
私钥: openssl genrsa -out server.key
# Interactive: prompts for the subject fields; the CN is what clients match.
CSR文件: openssl req -new -key server.key -out server.csr
# Self-signed with the same key. 36500 days is roughly 100 years; a much
# shorter lifetime is usual practice and some clients reject very long-lived
# certificates.
证书文件: openssl x509 -req -days 36500 -in server.csr -signkey server.key -out server.crt
# Mutual TLS: a private CA signs both the server and the client certificates.
客户端验证建立证书:
# CA key and self-signed CA certificate (36500 days, roughly 100 years).
# ca.key is the trust root for every client certificate issued below —
# keep it off the web server where possible and readable by its owner only.
CA : openssl genrsa -out ca.key
openssl req -new -x509 -days 36500 -key ca.key -out ca.crt
# Server key/CSR signed by the CA. These reuse the file names server.key /
# server.csr / server.crt from the server-only section above and overwrite
# them: the two sections are alternatives, not steps to run in sequence.
服务器: openssl genrsa -out server.key
openssl req -new -key server.key -out server.csr
# `openssl ca` takes its database (index.txt, serial, new_certs_dir) from the
# [ CA_default ] section of openssl.cnf; the CA/ layout created at the bottom
# of this note has to match that config — confirm before running.
# policy_anything relaxes the subject-field matching between CA and CSR.
openssl ca -policy policy_anything -days 36500 -cert ca.crt -keyfile ca.key -in server.csr -out server.crt
# Client key/CSR, signed here without -days/-policy, so the openssl.cnf
# defaults apply.
客户端:openssl genrsa -out client.key
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -cert ca.crt -keyfile ca.key -out client.crt
# Bundles client.crt + client.key into a PKCS#12 file for import into a
# browser or OS store; prompts for an export password. The .p12 contains the
# client's private key — hand it over on a secure channel and never commit it.
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
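# Build nginx from source with the TLS module. 1.4.2 is a 2013-era release and
# the URL is plain HTTP: pick a currently supported version, fetch it over
# HTTPS and verify the tarball against the published .asc signature first.
Nginx 下载地址:
http://nginx.org/download/nginx-1.4.2.tar.gz
解压: tar xzvf nginx-1.4.2.tar.gz
# Run from inside the extracted source tree. --user/--group name the account
# created above; the SSL module is required for the `listen ... ssl` config.
安装: ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module --without-http_rewrite_module
# The original note fused this onto the configure line as
# "...modulemake & make install", which would background `make` and run
# `make install` concurrently. Run the two in sequence, stopping on failure.
make && make install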
# Server-only TLS: clients authenticate the server; any client is accepted.
# These directives belong inside a server { } block (not shown in this note).
服务器验证:
# `default` is the legacy spelling of default_server; `ssl` enables TLS on the
# socket. No ssl_protocols / ssl_ciphers are set, so this nginx build's
# defaults apply — set them explicitly to exclude legacy protocol versions.
listen 8080 default ssl;
# Self-signed certificate and key from the first openssl section. They are
# read by the root-owned master process; the key must not be world-readable.
ssl_certificate /root/server.crt;
ssl_certificate_key /root/server.key;
# Mutual TLS: besides presenting server.crt, nginx requires every client to
# present a certificate signed by ca.crt. Same server { } context as above.
双向验证 :
listen 8080 default ssl;
# Here server.crt is the CA-signed certificate from the second openssl
# section, not the self-signed one from the first.
ssl_certificate /root/server.crt;
ssl_certificate_key /root/server.key;
# `on` rejects connections that do not present a valid client certificate.
# There is no ssl_crl directive, so a lost or leaked client.p12 cannot be
# revoked — add one (and a revocation process) before relying on client certs.
ssl_verify_client on;
# Trust anchor for client certificates; matches the CA/ directory created at
# the bottom of this note when that setup is run from /root — confirm.
ssl_client_certificate /root/CA/ca.crt;
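# Reset and recreate the OpenSSL CA database directory used by the
# `openssl ca` commands above (dir, new_certs_dir, private_key, database and
# serial in openssl.cnf's [ CA_default ] must point here — confirm).
# Destructive: wipes any existing CA/, including records of issued certificates.
rm -rf -- CA/
mkdir -p CA/newcerts CA/private
cp ca.crt CA/
# The CA private key is the trust root for every client certificate. cp gives
# the copy the umask-derived mode, so restrict the directory and the key to
# the owner explicitly.
chmod 700 CA/private
cp ca.key CA/private && chmod 600 CA/private/ca.key
# Empty certificate database plus the first serial number.
touch CA/index.txt
echo "01" > CA/serial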