Linux通过Nginx配置SSL实现服务器/客户端双向认证(详细)

1.下载tar.gz格式jdk并配置环境变量(已配置jdk环境的可以忽略第一步)

   解压jdk压缩包到opt目录下:

tar zxvf /opt/jdk-8u144-linux-x64.tar.gz -C /opt/

   配置环境变量:

   通过vi命令编辑profile文件

vi /etc/profile

   按键i开启编辑模式,在文件最后添加:

export JAVA_HOME="/opt/jdk1.8.0_144"
export PATH="$JAVA_HOME/bin:$PATH"

   其中jdk1.8.0_144为jdk加压后的文件夹,修改完成后,esc键返回命令模式,输入:x保存并退出。

java -version

   显示jdk版本,则配置成功。   

   备注:tomcat下载后解压即可,无需配置环境变量。

2.安装openssl

yum install openssl

3.配置yun源并安装nginx(centos不支持yum 安装 nginx,所以需要配置一下)

vi /etc/yum.repos.d/nginx.repo

   增加如下配置:

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/x86_64/
gpgcheck=0
enabled=1

   其中"7"代表CentOS7,"x86_64"代表系统架构。

   安装nginx:

yum install nginx

4.生成nginx证书

   创建证书文件夹,依次输入如下命令:

cd /etc/nginx
sudo mkdir ca
cd ca
sudo mkdir newcerts private conf server users

   conf目录新建openssl.conf文件:

vi /etc/nginx/ca/conf/openssl.conf

   增加如下配置:

[ ca ]
default_ca = myserver

[ myserver ]
dir = /etc/nginx/ca
database = /etc/nginx/ca/index.txt
new_certs_dir = /etc/nginx/ca/newcerts

certificate = /etc/nginx/ca/private/ca.crt
serial = /etc/nginx/ca/serial
private_key = /etc/nginx/ca/private/ca.key
RANDFILE = /etc/nginx/ca/private/.rand

default_days = 3650
default_crl_days = 3650
default_md = sha256
unique_subject = no

policy = policy_any

[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
localityName = optional
commonName = supplied
emailAddress = optional

   private目录创建根证书

   生成私钥key文件:

sudo openssl genrsa -out /etc/nginx/ca/private/ca.key 2048

   生成根证书请求csr文件:

sudo openssl req -new -key /etc/nginx/ca/private/ca.key -out private/ca.csr

   生成凭证crt文件:

sudo openssl x509 -req -days 3650 -in /etc/nginx/ca/private/ca.csr -signkey /etc/nginx/ca/private/ca.key -out /etc/nginx/ca/private/ca.crt

   设置key起始序列号:

sudo echo FACE > /etc/nginx/ca/serial

   创建CA键库:

sudo touch /etc/nginx/ca/index.txt

   为 “用户证书” 的移除创建一个证书吊销列表:

sudo openssl ca -gencrl -out /etc/nginx/ca/private/ca.crl -crldays 7 -config "/etc/nginx/ca/conf/openssl.conf"

   server目录创建服务器证书

   生成私钥key文件:

sudo openssl genrsa -out /etc/nginx/ca/server/server.key 2048

   生成证书请求csr文件:

sudo openssl req -new -key /etc/nginx/ca/server/server.key -out /etc/nginx/ca/server/server.csr

   生成凭证crt文件:

sudo openssl ca -in /etc/nginx/ca/server/server.csr -cert /etc/nginx/ca/private/ca.crt -keyfile /etc/nginx/ca/private/ca.key -out /etc/nginx/ca/server/server.crt -config "/etc/nginx/ca/conf/openssl.conf"

   users目录创建客户端证书

   生成私钥key文件:

sudo openssl genrsa -des3 -out /etc/nginx/ca/users/client.key 2048

   生成证书请求csr文件:

sudo openssl req -new -key /etc/nginx/ca/users/client.key -out /etc/nginx/ca/users/client.csr

   生成凭证crt文件:

sudo openssl ca -in /etc/nginx/ca/users/client.csr -cert /etc/nginx/ca/private/ca.crt -keyfile /etc/nginx/ca/private/ca.key -out /etc/nginx/ca/users/client.crt -config "/etc/nginx/ca/conf/openssl.conf"

5.修改Nginx配置文件nginx.conf


user  root;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
#pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  120;

    #gzip  on;

    client_max_body_size 120m;
    client_body_buffer_size 128k;
    server_names_hash_bucket_size 128;
    large_client_header_buffers 4 4k;
    open_file_cache max=8192 inactive=20s;
    open_file_cache_min_uses 1;
    open_file_cache_valid 30s;
   
    upstream tomcat_server {
       server 192.168.1.220:8080 fail_timeout=0; 
    }

    server {
       listen 443;
       server_name 192.168.1.220;
       ssi on;
       ssi_silent_errors on;
       ssi_types text/shtml;
     
       ssl on;
       ssl_certificate           /etc/nginx/ca/server/server.crt;
       ssl_certificate_key       /etc/nginx/ca/server/server.key;
       ssl_client_certificate    /etc/nginx/ca/private/ca.crt;
      
       ssl_session_timeout 5m;
       ssl_verify_client on;
       
       ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
       ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
       ssl_prefer_server_ciphers on;

       charset utf-8;
       access_log logs/host.access.log main;
       error_page 500 502 503 504 /50x.html;
       location = /50x.html {
           root html;
       }

       location = /favicon.ico {
           log_not_found off;
           access_log off;
           expires 90d;
       }

       location / {
           proxy_pass http://tomcat_server;
           include proxy.conf;
       }
    }    


    #include /etc/nginx/conf.d/*.conf;
}

   备注:upstream tomcat_server中的server修改为nginx转发服务器的ip地址及端口号,server中server_name为nginx所在服务器ip,此处配置ssl安全认证,故采用https默认端口号443,另外安装nginx后,若根目录没有logs文件夹,可手动创建,否则启动nginx会提示找不到logs文件夹错误。

6.Nginx代理文件配置

   编辑nginx的proxy.conf文件:

vi /etc/nginx/proxy.conf

   添加如下配置:

proxy_redirect 			off;
proxy_connect_timeout 	60;
proxy_read_timeout 		600;
proxy_set_header 		Host 				$host;
proxy_set_header 		X-Real-IP 			$remote_addr;
proxy_set_header 		X-Forwarded-For 	$proxy_add_x_forwarded_for;
proxy_set_header 		X-Forwarded-Proto 	$scheme;
proxy_set_header 		X-SSL-Client-Cert 	$ssl_client_cert;
proxy_set_header 		X-SSL-DN 			$ssl_client_s_dn;

7.修改Tomcat配置文件server.xml

    
	
	
	

   至此已配置结束,接下来我们测试一下:

8.启动Tomcat和Nginx服务

   启动tomcat服务:

opt/apache-tomcat-8.5.20/bin/startup.sh

   打印启动日志:

tail -f opt/apache-tomcat-8.5.20/logs/catalina.out

   启动nginx服务:

nginx -c /etc/nginx/nginx.conf

9.测试https请求

   把客户端证书.crt转化为Windows可安装的.p12格式

sudo openssl pkcs12 -export -clcerts -in /etc/nginx/ca/users/client.crt -inkey /etc/nginx/ca/users/client.key -out /etc/nginx/ca/users/client.p12

  生成后把.p12格式的证书拷贝到windows系统上安装,重启浏览器访问https请求,例如:https://192.168.1.220:443,选择刚安装的证书,能显示tomcat或者应用首页则安装成功。

你可能感兴趣的:(Nginx,Linux)