HTTPS需要的證書,必須是認證機構頒發的,這裡的配置實踐,也是從技術路線上的一次操作,證書是基于openssl生成的。沒有誰頒發,自建得之!開始實踐!!!!
1. openssl的版本資訊
[root@localhost conf]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
2. openresty的版本資訊
[root@localhost sbin]# ./nginx -V
nginx version: openresty/1.11.2.2
built by gcc 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC)
built with OpenSSL 1.0.1u 22 Sep 2016
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt=-O2 --add-module=../ngx_devel_kit-0.3.0 --add-module=../echo-nginx-module-0.60 --add-module=../xss-nginx-module-0.05 --add-module=../ngx_coolkit-0.2rc3 --add-module=../set-misc-nginx-module-0.31 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.06 --add-module=../srcache-nginx-module-0.31 --add-module=../ngx_lua-0.10.7 --add-module=../ngx_lua_upstream-0.06 --add-module=../headers-more-nginx-module-0.32 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.17 --add-module=../redis2-nginx-module-0.13 --add-module=../redis-nginx-module-0.3.7 --add-module=../rds-json-nginx-module-0.14 --add-module=../rds-csv-nginx-module-0.07 --with-ld-opt=-Wl,-rpath,/usr/local/openresty/luajit/lib --with-pcre=/opt/pcre-8.40 --with-openssl=/opt/openssl-1.0.1u --with-http_ssl_module
[root@localhost sbin]#
3. 建立伺服器私鑰,指令會提醒輸入一個密碼,必須輸入(在nginx的conf所在的路徑下進行操作,當然也可以在其他路徑,需要配合後續的nginx的配置一起改變)
[root@localhost conf]# openssl genrsa -des3 -out server.key 4096
Generating RSA private key, 4096 bit long modulus
..............................................................++
........................++
e is 65537 (0x10001)
Enter pass phrase for server.key:
140180344625056:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 8191 characters
Enter pass phrase for server.key:
140180344625056:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 8191 characters
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@localhost conf]# ll
總用量 64
-rw-r--r--. 1 root root 1077 3月 8 12:08 fastcgi.conf
-rw-r--r--. 1 root root 1077 3月 8 13:20 fastcgi.conf.default
-rw-r--r--. 1 root root 1007 3月 8 12:08 fastcgi_params
-rw-r--r--. 1 root root 1007 3月 8 13:20 fastcgi_params.default
-rw-r--r--. 1 root root 2837 3月 8 13:20 koi-utf
-rw-r--r--. 1 root root 2223 3月 8 13:20 koi-win
-rw-r--r--. 1 root root 3957 3月 8 12:08 mime.types
-rw-r--r--. 1 root root 3957 3月 8 13:20 mime.types.default
-rw-r--r--. 1 root root 3012 3月 14 16:41 nginx.conf
-rw-r--r--. 1 root root 2656 3月 8 13:20 nginx.conf.default
-rw-r--r--. 1 root root 636 3月 8 12:08 scgi_params
-rw-r--r--. 1 root root 636 3月 8 13:20 scgi_params.default
-rw-r--r-- 1 root root 3311 7月 11 14:15 server.key
-rw-r--r--. 1 root root 664 3月 8 12:08 uwsgi_params
-rw-r--r--. 1 root root 664 3月 8 13:20 uwsgi_params.default
-rw-r--r--. 1 root root 3610 3月 8 13:20 win-utf
4. 建立簽名請求的證書(CSR)
[root@localhost conf]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hubei
Locality Name (eg, city) [Default City]:wuhan
Organization Name (eg, company) [Default Company Ltd]:tk
Organizational Unit Name (eg, section) []:iflab
Common Name (eg, your name or your server's hostname) []:root
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:shihuc
An optional company name []:tk
[root@localhost conf]#
5. 在加載SSL支援的Nginx伺服器上,使用上述私鑰時除去必須的密碼(注意,所謂除去,其實就是将必須的私鑰密碼寫入到了私鑰檔案裡面了,更新了原來的私鑰檔案)
[root@localhost conf]# cp server.key server.key.org
[root@localhost conf]#
[root@localhost conf]# openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org:
writing RSA key
[root@localhost conf]#
6. 通過openssl的x509指令生産證書檔案
[root@localhost conf]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=cn/ST=hubei/L=wuhan/O=tk/OU=iflab/CN=root/[email protected]
Getting Private key
7. nginx的配置
# HTTPS server
#
server {
listen 443 ssl;
server_name localhost;
ssl_certificate server.crt;
ssl_certificate_key server.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html/SSLROOT;
index index.html index.htm;
}
}
在nginx的html目錄下,建立SSLROOT目錄,并在下面建立一個index.html的頁面,用于測試。
<!DOCTYPE html>
<html>
<head>
<title>SHIHUC</title>
<style>
body {
width: 50em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>歡迎來到SHIHUC的部落格</h1>
<p>你好,你看到的這個頁面是用來測試HTTPS的配置過程效果的。</p>
<a href=>shihuc</a>.<br/>
<p><em>感謝關注SHIHUC的部落格,歡迎交流.</em></p>
</body>
</html>
重新開機nginx。
在浏覽器位址欄輸入nginx的伺服器位址
https://10.90.7.10
得到下面的效果:
![](https://img.laitimes.com/img/_0nNw4CM6IyYiwiM6ICdiwiI0gTMx81dsQWZ4lmZf1GLlpXazVmcvwFciV2dsQXYtJ3bm9CX9s2RkBnVHFmb1clWvB3MaVnRtp1XlBXe0xCMy81dvRWYoNHLwEzX5xCMx8FesU2cfdGLwMzX0xiRGZkRGZ0Xy9GbvNGLpZTY1EmMZVDUSFTU4VFRR9Fd4VGdsYTMfVmepNHLrJXYtJXZ0F2dvwVZnFWbp1zczV2YvJHctM3cv1Ce-cGcq5SOzEDN4MmNmNmM4gTZ2QjNzYzXwQDN0kDM0AzLcFTMyIDMy8CXn9Gbi9CXzV2Zh1WavwVbvNmLvR3YxUjLyM3Lc9CX6MHc0RHaiojIsJye.jpg)
注意,上面圖中,位址欄出現紅色的不安全提醒。
需要注意的是,注意:
A. 若沒有第5步,直接進入第6步,則會在咨詢x509指令時提醒使用者輸入私鑰密碼:
[root@localhost conf]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=cn/ST=hubei/L=wuhan/O=tk/OU=iflab/CN=root/[email protected]
Getting Private key
Enter pass phrase for server.key:
[root@localhost conf]#
B. 另外,在nginx啟動的時候,也會提醒使用者輸入ssl的私鑰密碼
[root@localhost conf]# ./../sbin/nginx -s reload
Enter PEM pass phrase: