随着技术的方法,http传输协议并不能保证数据传输的安全性,随后https技术应运而生,nginx服务器支持https协议,配置的代码也比较难记,记录下以防遗忘。
HTTPS数据传输过程
- 客户端向服务器发送https请求;
- 服务器上存储了一套数字证书,其实质为一对公私钥。数字证书可以自己制作,也可以向组织申请。前者在客户端访问时需要验证才能继续访问;后者不会弹出验证提示;
- 服务器将公钥传输给客户端;
- 客户端验证公钥是否合法:无效(自己制作的)会弹出警告,有效的则生成一串随机数,用此随机数加密公钥;
- 客户端将加密后的字符串传输给服务器
- 服务器收到字符串后,先使用私钥进行解密,获取加密使用的随机数,并以此随机数加密传输的数据(对称机密);
- 服务器将加密后的数据传输给客户端;
- 客户端收到数据后,使用自己的私钥(即随机字符串)进行解密。
对称加密:将数据和私钥(随机字符串)通过某种算法混合在一起,除非知道私钥,否则无法解密。
前期准备
nginx支持https所需的ngx-http_ssl_module在编译时默认是不安装的,需要二次编译安装(一开始就安装了的就不用再编译了)。
查看安装的nginx是否已安装ssl模块
[root@localhost conf]# /usr/local/nginx/sbin/nginx -Vnginx version: nginx/1.12.2built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) built with OpenSSL 1.0.2k-fips ?26 Jan 2017TLS SNI support enabledconfigure arguments: --prefix=/usr/local/nginx/ 安装前需要注意一点:重新编译后可能导致之前做的某些修改重置,例如虚拟主机文件被清除,因此最好对重要配置文件先进行备份。
# 切换到你之前安装所使用的nginx软件包内[root@localhost conf]# cd /usr/local/src/nginx-1.12.2/[root@localhost nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module[root@localhost nginx-1.12.2]# make && make install[root@localhost conf]# /usr/local/nginx/sbin/nginx -Vnginx version: nginx/1.12.2built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) built with OpenSSL 1.0.2k-fips ?26 Jan 2017TLS SNI support enabledconfigure arguments: --prefix=/usr/local/nginx/ --with-http_ssl_module创建自定义证书文件
- 创建私钥key
[root@localhost ~]# cd /usr/local/nginx/conf# 创建私钥key文件,必须输入密码,否则无法生成key文件[root@localhost conf]# openssl genrsa -des3 -out tmp.key 2048Generating RSA private key, 2048 bit long modulus..............................+++...............................................................+++e is 65537 (0x10001)Enter pass phrase for tmp.key:Verifying - Enter pass phrase for tmp.key:- 转换key,取消密码
[root@localhost conf]# openssl rsa -in tmp.key -out test.keyEnter pass phrase for tmp.key:writing RSA key[root@localhost conf]# rm -f tmp.key - 生成证书
[root@localhost conf]# openssl req -new -key test.key -out test.csrYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter ‘.‘, the field will be left blank.-----Country Name (2 letter code) [XX]:CN ???State or Province Name (full name) []:ZheJiangLocality Name (eg, city) [Default City]:QuZhouOrganization Name (eg, company) [Default Company Ltd]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server‘s hostname) []:Email Address []:Please enter the following ‘extra‘ attributesto be sent with your certificate requestA challenge password []:An optional company name []:# 需要使用csr文件与私钥一起生成.crt文件[root@localhost conf]# openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crtSignature oksubject=/C=CN/ST=ZheJiang/L=QuZhou/O=Default Company LtdGetting Private key这样一个自定义创建的数字证书文件就创建成功了
SSL配置代码
- 创建新虚拟主机配置文件
[root@localhost conf]#vim /usr/local/nginx/conf/vhost/ssl.confserver{ ???listen 443; ???server_name test.com; ???index index.html index.php; ???root /data/www/test.com; ???ssl on; ???# 指定自定义的数字证书 ???ssl_certificate test.crt; ???# 指定对应的key文件 ???ssl_certificate_key test.key; ???ssl_protocols TLSv1 TLS1.1 TLS1.2;}- 创建对应目录及文件
[root@localhost conf]# mkdir -p /data/www/test.com[root@localhost conf]# vim /data/www/test.com/index.phpssl test page.- 重启服务
[root@localhost conf]# /usr/local/nginx/sbin/nginx -t[root@localhost conf]# /usr/local/nginx/sbin/nginx -s reload# 查看443端口是否开放[root@localhost conf]# netstat -lntpActive Internet connections (only servers)Proto Recv-Q Send-Q Local Address ??????????Foreign Address ????????State ??????PID/Program name ???...tcp ???????0 ?????0 0.0.0.0:443 ????????????0.0.0.0:* ??????????????LISTEN ?????4953/nginx: master ?...神奇的nginx之https支持
原文地址:http://blog.51cto.com/castiel/2060000