nginx配置ssl远程连接的方法

发布时间:2020-10-21编辑:脚本学堂
在nginx中配置允许ssl安全连接,centos6.5与nginx:1.6.2下ssl配置过程,以及认证证书的安装过程,需要的朋友参考下。

nginx中启用ssl安全认证连接,即访问可以以https开头的形式进行访问,如何来实现呢?

配置环境:
centos 6.5
nginx 1.6.2(安装通过yum安装,添加源,stable`稳定版本`,http://nginx.org/packages/centos/6/noarch/RPMS/nginx-release-centos-6-0.el6.ngx.noarch.rpm

二,nginx配置文件

nginx配置文件位置:
> /etc/nginx/conf.d/example_ssl.conf
修改/etc/nginx/conf.d/example_ssl.conf

注:
/etc/nginx/conf.d/example_ssl.conf是被/etc/nginx/nginx.conf包含到自身的一个文件。

修改为:
 

复制代码 代码示例:
#HTTP-SERVER
server { 
 listen       443; 
 server_name  localhost; 
 ssi on; 
 ssi_silent_errors on; 
 ssi_types text/shtml; 
  
 ssl    on; 
 ssl_certificate      /etc/nginx/ca/server/server.crt; 
 ssl_certificate_key  /etc/nginx/ca/server/server.key; 
 ssl_client_certificate /etc/nginx/ca/private/ca.crt; 
  
 ssl_session_timeout  5m; 
 ssl_verify_client on; 
  
 ssl_protocols  SSLv2 SSLv3 TLSv1; 
 ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; 
 ssl_prefer_server_ciphers   on; 
      
 location / {
    root   /usr/share/nginx/html;
    index  index.html index.htm;
      }
 }

二,签发证书

创建配置文件/etc/nginx/ca/conf/openssl.conf
 

复制代码 代码示例:
[ ca ]
default_ca      = foo     # The default ca section
 
[ foo ]
dir     = /etc/nginx/ca  # top dir
database       = /etc/nginx/ca/index.txt   # index file.
new_certs_dir  = /etc/nginx/ca/newcerts    # new certs dir
 
certificate    = /etc/nginx/ca/private/ca.crt  # The CA cert
serial  = /etc/nginx/ca/serial      # serial no file
private_key    = /etc/nginx/ca/private/ca.key  # CA private key
RANDFILE       = /etc/nginx/ca/private/.rand      # random number file
 
default_days   = 365       # how long to certify for
default_crl_days= 30       # how long before next CRL
default_md     = md5       # message digest method to use
unique_subject = no        # Set to 'no' to allow creation of
      # several ctificates with same subject.
policy  = policy_any       # default policy
 
[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
localityName     = match
commonName       = match
emailAddress     = match

在/etc/niginx/ca 下 创建文件new_ca.sh ,执行生成根证书
 

复制代码 代码示例:
#!/bin/sh
# Generate the key.
openssl genrsa -out private/ca.key
# Generate a certificate request.
openssl req -new -key private/ca.key -out private/ca.csr
# Self signing key is bad... this could work with a third party signed key... registeryfly has them on for $16 but I'm too cheap lazy to get one on a lark.
# I'm also not 100% sure if any old certificate will work or if you have to buy a special one that you can sign with. I could investigate further but since this
# service will never see the light of an unencrypted Internet see the cheap and lazy remark.
# So self sign our root key.
openssl x509 -req -days 365 -in private/ca.csr -signkey private/ca.key -out private/ca.crt
# Setup the first serial number for our keys... can be any 4 digit hex string... not sure if there are broader bounds but everything I've seen uses 4 digits.
echo FACE > serial
# Create the CA's key database.
touch index.txt
# Create a Certificate Revocation list for removing 'user certificates.'
openssl ca -gencrl -out /etc/nginx/ca/private/ca.crl -crldays 7 -config "/etc/nginx/ca/conf/openssl.conf"

在/etc/niginx/ca 下 创建文件new_server.sh,执行生成服务器证书:
 

复制代码 代码示例:
# Create us a key. Don't bother putting a password on it since you will need it to start apache. If you have a better work around I'd love to hear it.
openssl genrsa -out server/server.key
# Take our key and create a Certificate Signing Request for it.
openssl req -new -key server/server.key -out server/server.csr
# Sign this bastard key with our bastard CA key.
openssl ca -in server/server.csr -cert private/ca.crt -keyfile private/ca.key -out server/server.crt -config "/etc/nginx/ca/conf/openssl.conf"

在/etc/niginx/ca 下 创建文件new_user.sh,执行生成客户端证书:
 

复制代码 代码示例:
#!/bin/sh
# The base of where our SSL stuff lives.
base="/etc/nginx/ca"
# Were we would like to store keys... in this case we take the username given to us and store everything there.
mkdir -p $base/users/
 
# Let's create us a key for this user... yeah not sure why people want to use DES3 but at least let's make us a nice big key.
openssl genrsa -des3 -out $base/users/client.key 1024
# Create a Certificate Signing Request for said key.
openssl req -new -key $base/users/client.key -out $base/users/client.csr
# Sign the key with our CA's key and cert and create the user's certificate out of it.
openssl ca -in $base/users/client.csr -cert $base/private/ca.crt -keyfile $base/private/ca.key -out $base/users/client.crt -config "/etc/nginx/ca/conf/openssl.conf"
 
# This is the tricky bit... convert the certificate into a form that most browsers will understand PKCS12 to be specific.
# The export password is the password used for the browser to extract the bits it needs and insert the key into the user's keychain.
# Take the same precaution with the export password that would take with any other password based authentication scheme.
openssl pkcs12 -export -clcerts -in $base/users/client.crt -inkey $base/users/client.key -out $base/users/client.p12

然后,只需把/etc.nginx/ca/user/client.p12文件导入到浏览器中就可以了。