Preface: an internal system has to be reached by IP address on the intranet over HTTPS, and the browser must not show an insecurity warning. The warning shown below is not acceptable, so we fix it with an OpenSSL self-signed certificate:
![image.png](https://img-blog.csdnimg.cn/img_convert/655eff9aadb05b58a9d5fdc0f4ca9c34.png#averageHue=#fefdfd&clientId=u4bd52b58-baa1-4&from=paste&height=590&id=u5adf1bb5&name=image.png&originHeight=738&originWidth=1611&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=50821&status=done&style=none&taskId=u27be95b4-f400-4551-a998-1bfd708ff36&title=&width=1288.8)
1. OpenSSL self-signed certificate
1.1 Install openssl
[root@master1 ~]# yum install openssl openssl-devel -y
1.2 Create the directory that will hold the certificate
[root@master1 ~]# mkdir -p /etc/ssl/private
1.3 Generate the SSL key and CSR
192.168.199.120 is the machine on which the web server is installed.
Write the script:
vim sh.sh
#!/bin/bash
# First version: key + CSR, then a self-signed certificate that carries the IP only in the CN
openssl req -new -newkey rsa:2048 -sha256 -nodes -out 192.168.199.120.csr -keyout 192.168.199.120.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Super Inc./OU=Web Security/CN=192.168.199.120"
openssl x509 -req -days 365 -in 192.168.199.120.csr -signkey 192.168.199.120.key -out 192.168.199.120.crt
[root@master1 private]# sh sh.sh
[root@master1 private]# ls
192.168.199.120.crt 192.168.199.120.csr 192.168.199.120.key sh.sh
[root@master1 private]#
1.4 Modify the nginx configuration file
Prerequisite
nginx must have been built with SSL support; if the ssl module is missing, rebuild nginx with it first. Check with nginx -V:
[root@master1 private]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.22.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx/ --user=www --group=www --with-http_ssl_module --with-http_stub_status_module --with-pcre
[root@master1 private]#
Modify the nginx configuration file: change the listen port to 443 and add the ssl settings.
server {
    listen 443 ssl;
    server_name localhost;
    # certificate and key generated above
    ssl_certificate /etc/ssl/private/192.168.199.120.crt;
    ssl_certificate_key /etc/ssl/private/192.168.199.120.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
[root@master1 private]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx//conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx//conf/nginx.conf test is successful
[root@master1 private]# /usr/local/nginx/sbin/nginx -s reload
[root@master1 private]#
2. Import the generated crt certificate into Chrome
Download 192.168.199.120.crt to the desktop and import it into Chrome.
Steps:
Browser → Settings → Privacy and security → Security → Manage device certificates → Import certificate (into Trusted Root Certification Authorities)
![image.png](https://img-blog.csdnimg.cn/img_convert/309f68c6c4552784314dd692ab54ba63.png#averageHue=#f1f0ef&clientId=u4bd52b58-baa1-4&from=paste&height=551&id=uc16a6a3b&name=image.png&originHeight=689&originWidth=744&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=45195&status=done&style=none&taskId=u8e464efe-3937-47e5-a136-871884fa69e&title=&width=595.2)
Open the site in Chrome after importing the certificate:
![](https://img-blog.csdnimg.cn/img_convert/655eff9aadb05b58a9d5fdc0f4ca9c34.png#averageHue=#fefdfd&from=url&id=kqEqZ&originHeight=738&originWidth=1611&originalType=binary&ratio=1.25&rotation=0&showTitle=false&status=done&style=none&title=)
The site still cannot be accessed securely.
3. Fixing the "still not secure" result after importing the certificate into Chrome
3.1 Delete all generated ssl files
[root@master1 private]# rm -rf 192*
3.2 Remove the crt certificate that was added to the local certificate store
![image.png](https://img-blog.csdnimg.cn/img_convert/299f7884aaf88e760d7c291561a93479.png#averageHue=#f2f0ee&clientId=u4bd52b58-baa1-4&from=paste&height=401&id=u8f2b6365&name=image.png&originHeight=501&originWidth=691&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=37697&status=done&style=none&taskId=u299fa881-5d8a-44c6-9197-af32ae967ce&title=&width=552.8)
3.3 Create an http.ext file
Chrome does not match the address it is visiting against the certificate's CN; it only consults the subjectAltName extension, so the certificate must list the server's IP address as an IP entry there. The file below supplies that extension:
[root@master1 private]# vim http.ext
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @SubjectAlternativeName
[ SubjectAlternativeName ]
IP.1 = 127.0.0.1
# the IP address the site is accessed at
IP.2 = 192.168.199.120
3.4 Add -extfile http.ext to the openssl x509 command that signs the certificate
#!/bin/bash
# Second version: same key + CSR, but the certificate now carries the extensions from http.ext
openssl req -new -newkey rsa:2048 -sha256 -nodes -out 192.168.199.120.csr -keyout 192.168.199.120.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Super Inc./OU=Web Security/CN=192.168.199.120"
openssl x509 -req -days 365 -in 192.168.199.120.csr -signkey 192.168.199.120.key -out 192.168.199.120.crt -extfile http.ext
3.5 Re-run the script
[root@master1 private]# sh sh.sh
Generating a 2048 bit RSA private key
......................................................................+++
........................+++
writing new private key to '192.168.199.120.key'
-----
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=Super Inc./OU=Web Security/CN=192.168.199.120
Getting Private key
[root@master1 private]# ls
192.168.199.120.crt 192.168.199.120.csr 192.168.199.120.key http.ext sh.sh
[root@master1 private]#
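To tie sections 1.3, 3.3 and 3.4 together, here is an added example script (my own, not the post's sh.sh) that generates the key, CSR and self-signed certificate with the IP address in the subjectAltName in one step, and then checks the result before it is handed to nginx. The function names make_ip_cert, cert_has_ip_san and key_matches_cert, the output-directory argument and the two checks are assumptions of this example; the openssl flags and the extension file mirror the post's commands.

```shell
#!/bin/bash
# Added example (not the original post's script): self-signed certificate
# for an IP address with a subjectAltName, plus pre-deployment checks.
# Helper names, OUTDIR argument and checks are assumptions of this example.

# make_ip_cert IP OUTDIR
#   Writes OUTDIR/http.ext, OUTDIR/IP.key, OUTDIR/IP.csr and OUTDIR/IP.crt.
make_ip_cert() {
    ip="$1"
    dir="$2"
    mkdir -p "$dir"
    # Extension file parameterised on the IP. serverAuth is all a web server
    # needs, so the clientAuth from the post's http.ext is left out.
    cat > "$dir/http.ext" <<EOF
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @SubjectAlternativeName
[ SubjectAlternativeName ]
IP.1 = 127.0.0.1
IP.2 = $ip
EOF
    # Key + CSR (unencrypted key, as nginx needs it), then self-sign with the
    # extensions attached; -sha256 on x509 keeps the signature off SHA-1.
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -keyout "$dir/$ip.key" -out "$dir/$ip.csr" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=Super Inc./OU=Web Security/CN=$ip" \
        2>/dev/null || return 1
    chmod 600 "$dir/$ip.key"
    openssl x509 -req -days 365 -sha256 -in "$dir/$ip.csr" \
        -signkey "$dir/$ip.key" -out "$dir/$ip.crt" \
        -extfile "$dir/http.ext" 2>/dev/null
}

# cert_has_ip_san CRT IP
#   Succeeds only if CRT lists IP in its subjectAltName, which is what the
#   browser matches against (the CN alone is ignored).
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -text |
        grep -E "IP Address:$2(,|\$)" >/dev/null
}

# key_matches_cert KEY CRT
#   Succeeds if the public key inside CRT is the one derived from KEY, so a
#   mismatched pair is caught before nginx is reloaded.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Usage: sh make_ip_cert.sh 192.168.199.120 /etc/ssl/private
# (only runs when an IP is given on the command line)
if [ "$#" -ge 1 ]; then
    out="${2:-.}"
    make_ip_cert "$1" "$out" || { echo "certificate generation failed" >&2; exit 1; }
    if cert_has_ip_san "$out/$1.crt" "$1" && key_matches_cert "$out/$1.key" "$out/$1.crt"; then
        echo "OK: $out/$1.crt carries IP SAN $1 and matches $out/$1.key"
    else
        echo "FAIL: SAN or key check failed for $out/$1.crt" >&2
        exit 1
    fi
fi
```

The SAN check is the one that matters for the problem in this post: Chrome matches the address only against the subjectAltName, which is exactly what the first script in section 1.3 did not provide. The key/certificate comparison is a cheap guard against copying the wrong .key next to a regenerated .crt before the reload.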
3.6 Import the certificate locally again
![image.png](https://img-blog.csdnimg.cn/img_convert/3fa4fcfa4dd3c5bcec62577bee34c218.png#averageHue=#f2f0ef&clientId=u4bd52b58-baa1-4&from=paste&height=390&id=u653d0213&name=image.png&originHeight=488&originWidth=730&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=41781&status=done&style=none&taskId=u6a6b39d0-4699-406d-ba12-48eb78ed223&title=&width=584)
Important:
Clear the browser cache.
Reload the nginx configuration file.
![image.png](https://img-blog.csdnimg.cn/img_convert/1a752bdfc341e28e728832de9e74f524.png#averageHue=#e3e3e3&clientId=u4bd52b58-baa1-4&from=paste&height=513&id=u3f50572f&name=image.png&originHeight=641&originWidth=714&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=48352&status=done&style=none&taskId=u8497410c-261a-4e96-af40-7837638a1be&title=&width=571.2)
[root@master1 private]# /usr/local/nginx/sbin/nginx -s reload
4. Access the site
![image.png](https://img-blog.csdnimg.cn/img_convert/6ba66c55b5017e0f1667183c84124fcb.png#averageHue=#fbfafa&clientId=u4bd52b58-baa1-4&from=paste&height=418&id=u443a7e2f&name=image.png&originHeight=522&originWidth=1328&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=60783&status=done&style=none&taskId=u7497f4bf-d174-4389-aa1c-44fabce13b1&title=&width=1062.4)
![image.png](https://img-blog.csdnimg.cn/img_convert/1a5552b36cab5e72c2642cbc83fbbb3a.png#averageHue=#e3bd8b&clientId=u4bd52b58-baa1-4&from=paste&height=827&id=u8ef8ce0d&name=image.png&originHeight=1034&originWidth=1379&originalType=binary&ratio=1.25&rotation=0&showTitle=false&size=111032&status=done&style=none&taskId=u6df9f61b-498e-416f-b186-300d723bdaa&title=&width=1103.2)