https改造 - nginx ssl 配置

前言

  如果您觉得有用的话，记得给博主点个赞，评论，收藏一键三连啊，写作不易啊^ _ ^。
  而且听说点赞的人每天的运气都不会太差，实在白嫖的话，那欢迎常来啊!!!

---

https改造 - nginx ssl 配置

1. window nginx 相关命令

重新加载 Nginx 服务:

nginx.exe -s reload

注意的是导入证书时，需要的是重启，不是重载:
停止 Nginx：

nginx.exe -s stop

优雅地停止 Nginx：

nginx.exe -s quit

测试配置文件是否正确：

nginx.exe -t

启动：

nginx.exe -c F:\nginx\nginx-1.24.0\conf\nginx.conf

命令行窗口中启动 nginx 并且保持窗口可用:

start nginx.exe -c F:\nginx\nginx-1.24.0\conf\nginx.conf

如果碰到杀不死的时候:

tasklist /FI "IMAGENAME eq nginx.exe"
taskkill /PID 1234 /F

2. SSL/TLS配置

ssl_certificate: 指定 SSL 证书的路径。
ssl_certificate_key: 指定 SSL 证书的私钥路径。
ssl_client_certificate: 指定 SSL 客户端证书的路径。
ssl_verify_client on;: 开启客户端证书验证。
ssl_session_cache shared:SSL:1m;: 设置 SSL 会话缓存，共享，大小为 1MB。
ssl_session_timeout 5m;: 设置 SSL 会话超时时间为 5 分钟。
ssl_ciphers HIGH:!aNULL:!MD5;: 设置 SSL 使用的加密算法。
ssl_prefer_server_ciphers on;: 优先使用服务器端定义的加密算法。

3. 代理配置

proxy_ssl_certificate: 设置代理连接后端服务器所需的 SSL 证书。
proxy_ssl_certificate_key: 设置代理连接后端服务器所需的 SSL 证书的私钥。
proxy_ssl_trusted_certificate: 设置代理连接后端服务器所需的 SSL 证书的完整链。
proxy_ssl_verify on;: 开启对代理连接后端服务器 SSL 证书的验证。

4. SSL nginx配置

4.1. https配置

upstream mymanagerHttps {
    ip_hash;
    server 192.168.33.125:8088 weight=20 max_fails=2 fail_timeout=30s;
}


server {
    listen       8001 ssl;
    server_name  localhost;
    ssl_certificate      D:/yzy/docker-demo-v2/src/main/resources/yzy_service_cer.pem;
    ssl_certificate_key  D:/yzy/docker-demo-v2/src/main/resources/yzy_service_key_unencrypted.pem;

    ssl_client_certificate D:/yzy/docker-demo-v2/src/main/resources/yzy_service_full_chain.pem;
    ssl_verify_client on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
	location / {
		root html;
		index index.html index.htm;
	}

	location = /favicon.ico {
		log_not_found off;
		access_log off;
	}
		
	location /api/ {
        proxy_pass https://mymanagerHttps;
		proxy_set_header Host $host:$proxy_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_ssl_certificate      D:\\yzy\\docker-demo-v2\\src\\main\\resources\\yzy_service_cer.pem;
        proxy_ssl_certificate_key  D:\\yzy\\docker-demo-v2\\src\\main\\resources\\yzy_service_key_unencrypted.pem;
        proxy_ssl_trusted_certificate D:\\yzy\\docker-demo-v2\\src\\main\\resources\\yzy_service_full_chain.pem;
        proxy_ssl_verify off;
        proxy_ssl_server_name off;  # 禁用对上游主机名的验证

    }
}

测试:

4.1. http–>https配置

upstream mymanagerHttpHttps {
    ip_hash;
    server 192.168.33.125:8088 weight=20 max_fails=2 fail_timeout=30s;
}


server {
    listen       8002 ;
    server_name  localhost;
    
	location / {
		root html;
		index index.html index.htm;
	}

	location = /favicon.ico {
		log_not_found off;
		access_log off;
	}
		
	location /api/ {
        proxy_pass https://mymanagerHttpHttps;
		proxy_set_header Host $host:$proxy_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_ssl_certificate      D:\\yzy\\docker-demo-v2\\src\\main\\resources\\yzy_service_cer.pem;
        proxy_ssl_certificate_key  D:\\yzy\\docker-demo-v2\\src\\main\\resources\\yzy_service_key_unencrypted.pem;
        proxy_ssl_trusted_certificate D:\\yzy\\docker-demo-v2\\src\\main\\resources\\yzy_service_full_chain.pem;
        proxy_ssl_verify off;
        proxy_ssl_server_name off;  # 禁用对上游主机名的验证

    }
}

测试:

4.1. https–>http配置

upstream mymanagerHttpsHttp {
    ip_hash;
    server 192.168.33.125:8445 weight=20 max_fails=2 fail_timeout=30s;
}


server {
    listen       8003 ssl;
    server_name  localhost;
    ssl_certificate      D:/yzy/docker-demo-v2/src/main/resources/yzy_service_cer.pem;
    ssl_certificate_key  D:/yzy/docker-demo-v2/src/main/resources/yzy_service_key_unencrypted.pem;

    ssl_client_certificate D:/yzy/docker-demo-v2/src/main/resources/yzy_service_full_chain.pem;
    ssl_verify_client on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
	location / {
		root html;
		index index.html index.htm;
	}

	location = /favicon.ico {
		log_not_found off;
		access_log off;
	}
		
	location /api/ {
        proxy_pass http://mymanagerHttpsHttp;
		proxy_set_header Host $host:$proxy_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    }
}

测试:

4.4. 验证 Nginx 的 SSL 配置

openssl s_client -connect 127.0.0.1:8799 -cert yzy_service_cer.pem -key yzy_service_key_unencrypted.pem -CAfile  yzy_service_full_chain.pem

验证通过
主要看:

verify return:1 ...
 Verification: OK ... 
Verify return code: 0 (ok)

客户端证书:

Acceptable client certificate CA names
C = CN, ST = Beijing, L = Beijing, O = yzy, OU = yzy, CN = www.yzy.com
C = CN, ST = Beijing, L = Beijing, O = yzy, OU = yzy, CN = rootYzy

这是服务器接受的客户端证书颁发机构名称。