https协议原理:
首先,客户端与服务器建立连接,各自生成私钥和公钥,是不同的。
服务器返给客户端一个公钥,
然后客户端拿着这个公钥把要搜索的东西加密,称之为密文,并连并自己的公钥一起返回给服务器,
服务器拿着自己的私钥解密密文,然后把响应到的数据用客户端的公钥加密,返回给客户端,
客户端拿着自己的私钥解密密文,把数据呈现出来
# 创建服务器的密钥文件server.key
[root@bogon ssl]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
................................+++
....................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@bogon ssl]# ls
server.key
# 创建服务器证书的申请文件server.csr
[root@bogon ssl]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:FangShan
Organization Name (eg, company) [Default Company Ltd]:FUTURE.Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# 去除server.key中的口令密码,避免手动输入密码
[root@bogon ssl]# cp server.key server.key.org
[root@bogon ssl]# openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org:
writing RSA key
[root@bogon ssl]# ls
server.csr server.key server.key.org
# 生成证书文件
[root@bogon ssl]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=FangShan/O=FUTURE.Ltd
Getting Private key
[root@bogon ssl]# ls
server.crt server.csr server.key server.key.org
[root@bogon conf]# vim /usr/local/nginx/conf/nginx.conf
[root@bogon conf]# nginx -s reload
#nginx.conf配置
server {
listen 80;
server_name 172.16.209.93;
location / {
rewrite (.*) https://172.16.209.93$1 permanent;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
server {
listen 443 ssl;
server_name 172.16.209.93;
ssl_certificate ssl/server.crt;
ssl_certificate_key ssl/server.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
ssl相关参数
server {
listen 443 ssl;#
server_name xxx.xxx.cn;
root html;
index index.html index.htm;
ssl_certificate cert/cert-file-name.pem; #需要将cert-file-name.pem替换成已上传的证书文件的名称。
cert/cert-file-name.key; #需要将cert-file-name.key替换成已上传的证书密钥文件的名称。
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
#表示使用的加密套件的类型。
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #表示使用的TLS协议的类型。
ssl_prefer_server_ciphers on;
location / {
root html; #站点目录。
index index.html index.htm;
}
}