HTTPS migration: nginx SSL configuration
1. nginx commands on Windows
Reload the nginx configuration (new worker processes pick up the new config):
nginx.exe -s reload
Note: after importing a new certificate, restart nginx (stop, then start) rather than only reloading it:
Stop nginx immediately, without waiting for in-flight requests:
nginx.exe -s stop
Stop nginx gracefully (workers finish current requests first):
nginx.exe -s quit
Test the configuration file for errors (run this before every reload or restart):
nginx.exe -t
Start nginx with an explicit configuration file:
nginx.exe -c F:\nginx\nginx-1.24.0\conf\nginx.conf
Start nginx from a command-prompt window and keep the window usable:
start nginx.exe -c F:\nginx\nginx-1.24.0\conf\nginx.conf
If nginx cannot be stopped, list its processes (there is one master and one or more workers) and kill them by PID; replace 1234 with a PID from the tasklist output:
tasklist /FI "IMAGENAME eq nginx.exe"
taskkill /PID 1234 /F
2. SSL/TLS directives
ssl_certificate: path to the server certificate in PEM format (intermediate certificates, if any, appended to the same file).
ssl_certificate_key: path to the server's private key.
ssl_client_certificate: path to the CA certificate(s) used to verify client certificates; this is the trust anchor for mutual TLS, not a client certificate itself.
ssl_verify_client on;: require a client certificate and verify it against ssl_client_certificate (mutual TLS).
ssl_session_cache shared:SSL:1m;: a TLS session cache named SSL, shared between worker processes, 1 MB in size.
ssl_session_timeout 5m;: cached sessions can be resumed for 5 minutes.
ssl_ciphers HIGH:!aNULL:!MD5;: the cipher suites offered, in OpenSSL syntax; !aNULL excludes unauthenticated (anonymous) suites and !MD5 excludes MD5-based ones.
ssl_prefer_server_ciphers on;: during negotiation, use the server's cipher order rather than the client's.
3. Proxy (upstream TLS) directives
proxy_ssl_certificate: client certificate nginx presents when it connects to an HTTPS backend.
proxy_ssl_certificate_key: private key for that certificate.
proxy_ssl_trusted_certificate: CA certificate(s) used to verify the backend's certificate; only consulted when proxy_ssl_verify is on.
proxy_ssl_verify on;: verify the backend's certificate (the default is off, i.e. no verification of the upstream).
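The directives above are easy to set in a way that silently does nothing: a trusted CA file next to proxy_ssl_verify off, or ssl_verify_client on without a CA. As an added example that is not part of the original post, here is a small Python audit: it tokenizes nginx configuration syntax, inherits simple directives into nested blocks the way nginx does, and flags deprecated ssl_protocols values, TLS listeners missing a certificate or client CA, and https proxy_pass targets whose certificate is never verified. Both configurations inside it are constructed for the example and modelled on the post's layout; the C:/certs/ paths and the name backend.internal are placeholders.

```python
"""Audit the TLS directives of an nginx configuration.

Added example, not code from the original post. The configurations below are
constructed; the C:/certs/ paths and the name backend.internal are placeholders.
"""
import re

# Constructed sample modelled on the post's layout (placeholder paths).
WEAK_CONF = """
upstream backend {
    server 192.168.33.125:8088;
}
server {
    listen 8001 ssl;
    ssl_certificate        C:/certs/server.pem;
    ssl_certificate_key    C:/certs/server.key;
    ssl_client_certificate C:/certs/ca.pem;
    ssl_verify_client on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location /api/ {
        proxy_pass https://backend;
        # trusted CA is configured but never used while proxy_ssl_verify is off
        proxy_ssl_trusted_certificate C:/certs/ca.pem;
        proxy_ssl_verify off;
    }
}
"""

# Same layout with the two weaknesses removed: modern protocols only, and the
# upstream certificate verified against the trusted CA under an explicit name.
HARDENED_CONF = WEAK_CONF.replace(
    "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;", "ssl_protocols TLSv1.2 TLSv1.3;"
).replace(
    "proxy_ssl_verify off;",
    "proxy_ssl_verify on;\n        proxy_ssl_name backend.internal;\n        proxy_ssl_server_name on;",
)

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def tokenize(text):
    """Split config text into words, quoted strings, ';', '{' and '}'; comments are dropped."""
    text = re.sub(r"#[^\n]*", "", text)
    return re.findall(r"[{};]|\"[^\"]*\"|'[^']*'|[^\s{};]+", text)


def parse(text):
    """Return a list of (name, args, children); children is None for simple directives."""
    stack, args = [[]], []
    for tok in tokenize(text):
        if tok == ";":
            stack[-1].append((args[0], args[1:], None))
            args = []
        elif tok == "{":
            block = []
            stack[-1].append((args[0], args[1:], block))
            stack.append(block)
            args = []
        elif tok == "}":
            stack.pop()
        else:
            args.append(tok.strip("\"'"))
    return stack[0]


def audit(text):
    """Return [(context, problem)] for the configuration; an empty list means no finding."""
    findings = []

    def visit(nodes, ctx, scope, block):
        # Simple directives are inherited by nested blocks, as in nginx itself.
        scope = dict(scope)
        for name, args, children in nodes:
            if children is None:
                scope[name] = args
        if block == "server" and "ssl" in scope.get("listen", []):
            for needed in ("ssl_certificate", "ssl_certificate_key"):
                if needed not in scope:
                    findings.append((ctx, "TLS listener without " + needed))
            if scope.get("ssl_verify_client", ["off"])[0] in ("on", "optional") \
                    and "ssl_client_certificate" not in scope:
                findings.append((ctx, "ssl_verify_client without ssl_client_certificate (CA)"))
        for name, args, children in nodes:
            if name == "ssl_protocols":
                weak = sorted(set(args) & WEAK_PROTOCOLS)
                if weak:
                    findings.append((ctx, "deprecated protocols enabled: " + " ".join(weak)))
            elif name == "proxy_pass" and args and args[0].startswith("https://"):
                if scope.get("proxy_ssl_verify", ["off"])[0] != "on":
                    findings.append((ctx, "proxy_pass " + args[0] + " without proxy_ssl_verify on"))
                elif "proxy_ssl_trusted_certificate" not in scope:
                    findings.append((ctx, "proxy_ssl_verify on but no proxy_ssl_trusted_certificate"))
            if children is not None:
                visit(children, ctx + "/" + " ".join([name] + args), scope, name)

    visit(parse(text), "", {}, "main")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```

Running the script prints two findings for the weak copy (deprecated protocols on the server, an unverified https upstream in the location) and an empty list for the hardened one. The parser handles comments, quoted arguments and nested blocks but not include directives or variables, which is enough for a self-contained server block like the ones in section 4.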
4. nginx SSL configurations
4.1. https configuration (https -> https)
nginx terminates TLS on port 8001, requires a client certificate, and opens a second TLS connection to the upstream on 8088.
upstream mymanagerHttps {
ip_hash;
server 192.168.33.125:8088 weight=20 max_fails=2 fail_timeout=30s;
}
server {
listen 8001 ssl;
server_name localhost;
ssl_certificate D:/yzy/docker-demo-v2/src/main/resources/yzy_service_cer.pem;
ssl_certificate_key D:/yzy/docker-demo-v2/src/main/resources/yzy_service_key_unencrypted.pem;
ssl_client_certificate D:/yzy/docker-demo-v2/src/main/resources/yzy_service_full_chain.pem;
ssl_verify_client on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # TLSv1 and TLSv1.1 are deprecated; use "TLSv1.2 TLSv1.3" unless a legacy client needs them
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location /api/ {
proxy_pass https://mymanagerHttps;
proxy_set_header Host $host:$proxy_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_ssl_certificate D:\\yzy\\docker-demo-v2\\src\\main\\resources\\yzy_service_cer.pem;
proxy_ssl_certificate_key D:\\yzy\\docker-demo-v2\\src\\main\\resources\\yzy_service_key_unencrypted.pem;
proxy_ssl_trusted_certificate D:\\yzy\\docker-demo-v2\\src\\main\\resources\\yzy_service_full_chain.pem;
proxy_ssl_verify off; # the upstream certificate is NOT verified, so proxy_ssl_trusted_certificate above is unused; set to on for the behaviour in section 3
proxy_ssl_server_name off; # do not send SNI to the upstream (SNI only; name checking is governed by proxy_ssl_verify/proxy_ssl_name)
}
}
Test:
4.2. http -> https configuration
upstream mymanagerHttpHttps {
ip_hash;
server 192.168.33.125:8088 weight=20 max_fails=2 fail_timeout=30s;
}
server {
listen 8002 ;
server_name localhost;
location / {
root html;
index index.html index.htm;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location /api/ {
proxy_pass https://mymanagerHttpHttps;
proxy_set_header Host $host:$proxy_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_ssl_certificate D:\\yzy\\docker-demo-v2\\src\\main\\resources\\yzy_service_cer.pem;
proxy_ssl_certificate_key D:\\yzy\\docker-demo-v2\\src\\main\\resources\\yzy_service_key_unencrypted.pem;
proxy_ssl_trusted_certificate D:\\yzy\\docker-demo-v2\\src\\main\\resources\\yzy_service_full_chain.pem;
proxy_ssl_verify off; # the upstream certificate is NOT verified, so proxy_ssl_trusted_certificate above is unused; set to on for the behaviour in section 3
proxy_ssl_server_name off; # do not send SNI to the upstream (SNI only; name checking is governed by proxy_ssl_verify/proxy_ssl_name)
}
}
Test:
4.3. https -> http configuration
TLS (including client-certificate verification) ends at nginx on port 8003; the hop to 192.168.33.125:8445 is plain HTTP, so the backend must trust nginx for the client's identity and the network between them must be trusted.
upstream mymanagerHttpsHttp {
ip_hash;
server 192.168.33.125:8445 weight=20 max_fails=2 fail_timeout=30s;
}
server {
listen 8003 ssl;
server_name localhost;
ssl_certificate D:/yzy/docker-demo-v2/src/main/resources/yzy_service_cer.pem;
ssl_certificate_key D:/yzy/docker-demo-v2/src/main/resources/yzy_service_key_unencrypted.pem;
ssl_client_certificate D:/yzy/docker-demo-v2/src/main/resources/yzy_service_full_chain.pem;
ssl_verify_client on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # TLSv1 and TLSv1.1 are deprecated; use "TLSv1.2 TLSv1.3" unless a legacy client needs them
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}
location /api/ {
proxy_pass http://mymanagerHttpsHttp;
proxy_set_header Host $host:$proxy_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Test:
4.4. Verifying the nginx SSL configuration
Connect with openssl s_client, presenting the client certificate and key and using the chain file as the trust anchor for the server (adjust the port to the server block under test):
openssl s_client -connect 127.0.0.1:8799 -cert yzy_service_cer.pem -key yzy_service_key_unencrypted.pem -CAfile yzy_service_full_chain.pem
Successful verification.
The lines to look at are:
verify return:1 ...
Verification: OK ...
Verify return code: 0 (ok)
Client certificate (what the server asks for):
Acceptable client certificate CA names
C = CN, ST = Beijing, L = Beijing, O = yzy, OU = yzy, CN = www.yzy.com
C = CN, ST = Beijing, L = Beijing, O = yzy, OU = yzy, CN = rootYzy
These are the CA names the server accepts client certificates from. They are the subjects of the certificates in yzy_service_full_chain.pem, which ssl_client_certificate points at, so a client certificate must chain to one of them to pass ssl_verify_client on; if this section reads "No client certificate CA names sent", the server is not requesting a client certificate at all.
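Reading the s_client transcript by eye works once; for repeatable checks it helps to parse it. The following is an added example, not code from the original post: it extracts the lines section 4.4 points at (the Verify return code, the Acceptable client certificate CA names list and the negotiated protocol) and turns them into a pass/fail verdict. It assumes the output format of OpenSSL 1.1.1 or later. The two transcripts embedded in it are constructed and abbreviated; only the CA names come from the post.

```python
"""Interpret `openssl s_client` output from a mutual-TLS nginx listener.

Added example, not code from the original post. Transcripts below are
constructed and abbreviated; only the CA names are taken from the post.
"""
import re

WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed transcript of a successful mutual-TLS handshake (abbreviated).
GOOD_OUTPUT = """\
CONNECTED(00000003)
depth=1 C = CN, ST = Beijing, L = Beijing, O = yzy, OU = yzy, CN = rootYzy
verify return:1
depth=0 C = CN, ST = Beijing, L = Beijing, O = yzy, OU = yzy, CN = www.yzy.com
verify return:1
---
Acceptable client certificate CA names
C = CN, ST = Beijing, L = Beijing, O = yzy, OU = yzy, CN = www.yzy.com
C = CN, ST = Beijing, L = Beijing, O = yzy, OU = yzy, CN = rootYzy
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
---
"""

# Constructed transcript where the server chain does not verify and no client
# certificate was requested (what ssl_verify_client off looks like).
BAD_OUTPUT = """\
CONNECTED(00000003)
depth=0 C = CN, ST = Beijing, L = Beijing, O = yzy, OU = yzy, CN = www.yzy.com
verify error:num=20:unable to get local issuer certificate
verify return:1
---
No client certificate CA names sent
---
Verification error: unable to verify the first certificate
---
New, TLSv1, Cipher is AES128-SHA
    Verify return code: 21 (unable to verify the first certificate)
---
"""


def parse_dn(line):
    """'C = CN, ..., CN = x' -> {'C': 'CN', ..., 'CN': 'x'}; None if the line is not a DN."""
    dn = {}
    for part in line.split(", "):
        key, sep, value = part.partition(" = ")
        if not sep or not key.strip() or not value.strip():
            return None
        dn[key.strip()] = value.strip()
    return dn


def acceptable_client_cas(output):
    """DNs the server advertised for client certificates; [] if it requested none."""
    lines = output.splitlines()
    cas = []
    for i, line in enumerate(lines):
        if line.strip() == "Acceptable client certificate CA names":
            for candidate in lines[i + 1:]:
                dn = parse_dn(candidate.strip())
                if dn is None:   # first non-DN line ends the list
                    break
                cas.append(dn)
            break
    return cas


def verify_return_code(output):
    """(code, text) from 'Verify return code: N (text)'; 0 means the server chain verified."""
    m = re.search(r"Verify return code: (\d+) \((.*)\)", output)
    return (int(m.group(1)), m.group(2)) if m else (None, "no verify result in output")


def negotiated(output):
    """(protocol, cipher) from the 'New, <proto>, Cipher is <cipher>' line."""
    m = re.search(r"^New, (\S+), Cipher is (\S+)", output, re.M)
    return (m.group(1), m.group(2)) if m else (None, None)


def check_mtls(output, client_ca_cn):
    """Return the list of problems; empty means the listener behaves as section 4 intends."""
    problems = []
    code, reason = verify_return_code(output)
    if code != 0:
        problems.append("server certificate not verified: " + reason)
    cas = acceptable_client_cas(output)
    if not cas:
        problems.append("server did not request a client certificate (ssl_verify_client off?)")
    elif client_ca_cn not in [ca.get("CN") for ca in cas]:
        problems.append("CA %r is not among the accepted client CAs" % client_ca_cn)
    proto, _cipher = negotiated(output)
    if proto in WEAK_PROTOCOLS:
        problems.append("negotiated deprecated protocol " + proto)
    return problems


if __name__ == "__main__":
    import sys
    # Pipe a real transcript in (s_client writes the verify lines to stderr):
    #   openssl s_client -connect 127.0.0.1:8001 ... 2>&1 | python check_s_client.py
    data = sys.stdin.read() if not sys.stdin.isatty() else GOOD_OUTPUT
    print(check_mtls(data, "rootYzy") or "OK")
```

With the good transcript the check returns no problems; with the bad one it reports the unverified server chain, the absent client-certificate request and the deprecated protocol, which are exactly the three things a misconfigured server block from section 4 would show. The CN passed to check_mtls should be the issuer of the client certificate you intend to present, here rootYzy.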