Nginx配置之https

文章目录

    • https配置
      • openssl实现私有CA签发证书
      • 免费SSL证书申请教程(推荐)
      • 部署ssl证书实现https

https配置

生成私钥,生成证书签署请求并获得证书,然后在nginx.conf中配置

示例

server {
  listen       443 ssl;
  server_name  www.idfsoft.com;
  ssl_certificate      /etc/nginx/ssl/nginx.crt;
  ssl_certificate_key  /etc/nginx/ssl/nginx.key;
  ssl_session_cache    shared:SSL:1m;
  ssl_session_timeout  5m;
  ssl_ciphers  HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers  on;
  location / {
    root   html;
    index  index.html index.htm;
  }
}

获取证书有方式有两种,其一是openssl实现私有CA签发证书,其二是免费SSL证书申请。在个人实验环境中二者选其一即可,但在企业的生产环境中必须要购买证书进行部署。

openssl实现私有CA签发证书

#创建私有CA存放位置
[root@localhost ~]# mkdir -p /etc/pki/CA
[root@localhost ~]# cd /etc/pki/CA
[root@localhost CA]# mkdir private
#服务端生成密钥
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
....+++++
.........................+++++
e is 65537 (0x010001)
#提取公钥
[root@localhost CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1R3BrFLzEFub1t8k2CPd
EZcUoXvmSJVGNf99LgISs+zzY7Jl0s97bcNLaB91h/riPNHq9Z/hyeqfTbSVNKeO
s4Z6RuM7m/Bpm1cSt53FOgrz41GBs/DT9V0CzJABCiWjJziQOIn93JElTNOttDKD
AOMwo88u+b1kG/GcSfkLpNn871X/5YKp1YRXMmE8TLfvpp6hXmvojai2MpxIGCcJ
DC/oDtKOKtsPGUAW6xB7ZpIcQsw+n3JMhiCgKsYeGZ1ZKHM9LFTB7s02Xe0pQwhZ
fzQ3N1nR9fpC6eiU3DkV1h4V+2mUD36Omgqz9H3+DrPn+xAfGSVBtxrmBFvxJMAV
+wIDAQAB
-----END PUBLIC KEY-----
#生成自签署证书,请记住这里填写的信息,后面生成的证书签署请求文件填写的信息要与这里完全一致
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.yf.com
Organizational Unit Name (eg, section) []:www.yf.com
Common Name (eg, your name or your server's hostname) []:www.yf.com
Email Address []:[email protected]
[root@localhost CA]# ls
cacert.pem  private
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt && echo 01 > serial
[root@localhost CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
[root@localhost CA]# cd /usr/local/nginx/conf/
[root@localhost conf]# mkdir ssl
[root@localhost conf]# cd ssl/
#客户端生成密钥
[root@localhost ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.....+++++
..............................+++++
e is 65537 (0x010001)
#客户端生成证书签署请求文件,这里填写的信息要与前面的完全一致,不然无法签署成功
[root@localhost ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.yf.com
Organizational Unit Name (eg, section) []:www.yf.com
Common Name (eg, your name or your server's hostname) []:www.yf.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# ls
nginx.csr  nginx.key
#CA签署客户端的证书
[root@localhost ssl]# openssl ca -in nginx.csr -out nginx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 13 12:38:41 2022 GMT
            Not After : Oct 13 12:38:41 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = www.yf.com
            organizationalUnitName    = www.yf.com
            commonName                = www.yf.com
            emailAddress              = 1@2.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                04:7E:A7:7C:55:34:E8:B8:52:D0:C5:CE:FA:C4:14:E2:A5:96:08:A2
            X509v3 Authority Key Identifier:
                keyid:76:81:2D:69:5B:17:F6:52:4C:C4:91:7C:BC:FD:90:21:01:C0:49:F7

Certificate is to be certified until Oct 13 12:38:41 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ssl]# ls
nginx.crt  nginx.csr  nginx.key
#csr是证书签署请求文件,已完成了它的使命,后续不再用到
[root@localhost ssl]# rm -f nginx.csr
[root@localhost ssl]# ls
nginx.crt  nginx.key
#后续如何部署ssl证书请往后看,点击文章目录跳转到【部署ssl证书实现https】

免费SSL证书申请教程(推荐)

阿里云免费SSL证书介绍:

​ 免费证书只能保护一个域名(带www和不带www可以通用),阿里云个人账号和企业账号均可申请,多个域名可以申请多个免费证书,免费为每个通过实名验证的阿里云账号提供20张DigiCert DV单域名证书。申请教程如下:

一、证书选购

  1. 打开阿里云SSL证书申请页面,点击“选购证书”
  2. 证书选择
    选择证书类型:免费版(个人)DV

选择品牌:DigiCert
域名类型:单域名(1个域名)
选择域名个数:只能选择1
购买数量:可以购买多个
购买时长:最多购买一年

总配置费用为0元,点击“立即购买”,结算即可。

二、证书申请

购买完的SSL证书是未签发状态,还要提交证书申请,阿里云系统会将请求发送给CA机构审核。

  1. 登录到阿里云SSL控制台
  2. 在刚购买未签发的免费版SSL,选择“证书申请”
    如下图:

Nginx配置之https_第1张图片

  1. 填写SSL证书申请表单

证书绑定域名:免费证书只能填写一个域名,带www和不带www域名可以通用
申请人姓名:按照实际填写
申请人手机号:按照实际填写
申请人邮箱:按照实际填写
所在地:按照实际填写
域名验证方式:参考(阿里云SSL证书申请域名验证选择及操作流程)
CSR生成方式:系统生成

Nginx配置之https_第2张图片

  1. 完成DNS验证

如果你的域名在阿里云,直接点图片里的链接跳转。如不是则自行打开自己的域名控制台

Nginx配置之https_第3张图片

Nginx配置之https_第4张图片

把证书申请的DNS验证信息复制过来

Nginx配置之https_第5张图片

添加后看到此项的状态是【正常】的即可

Nginx配置之https_第6张图片

完成上述操作后,回到证书申请界面,点击【验证】,验证成功后点击【提交申请】

Nginx配置之https_第7张图片

  1. 下载证书

看到证书的状态是【已签发】,则证明该证书可以实际使用了,点击【下载】

Nginx配置之https_第8张图片

证书下载界面可以看到有这么多类型,这里我选择nginx,因为我要部署到nginx服务器上,根据服务类型选择相对应的

Nginx配置之https_第9张图片

下载到本地后上传至nginx服务器

Nginx配置之https_第10张图片

部署ssl证书实现https

[root@localhost conf]# pwd
/usr/local/nginx/conf
[root@localhost conf]# mkdir ssl

将本地的证书文件上传至nginx服务器

Nginx配置之https_第11张图片

[root@localhost conf]# cd ssl/
[root@localhost ssl]# ls
8617472_www.helloyf.fun.key  8617472_www.helloyf.fun.pem
#我这里改名是为了方便记忆。pem证书可以更名为crt证书
[root@localhost ssl]# mv 8617472_www.helloyf.fun.key nginx.key
[root@localhost ssl]# mv 8617472_www.helloyf.fun.pem nginx.crt
[root@localhost ssl]# ls
nginx.crt  nginx.key

#进行配置https,直接在原有配置中取消这大一段的注释
[root@localhost conf]# vim nginx.conf
    #HTTPS server

    server {
        listen       443 ssl;
        server_name  www.helloyf.fun;		#将此修改为自己的域名

        ssl_certificate      ssl/nginx.crt;		#【pem|crt】证书存放的位置
        ssl_certificate_key  ssl/nginx.key;		#key证书存放的位置

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }
[root@localhost conf]# systemctl restart nginx.service

去浏览器访问

Nginx配置之https_第12张图片

Nginx配置之https_第13张图片

此时也可以用域名进行访问,不过我的域名已经用公网IP部署了网站。所以先要在本机的hosts文件写本地域名映射,这样就不会访问我公网的站点了。这里涉及到DNS解析的工作流程,感兴趣可以去查查。

Windows系统中该文件的默认路径:C:\Windows\System32\drivers\etc\hosts

在该文件的最后一行添加IP和域名,保存即可。我这个域名要用于访问博客,所以做完实验后会恢复,恢复的话直接把这一行映射删掉。

Nginx配置之https_第14张图片

这次用域名访问。可以看到访问成功了,并且显示连接是安全的!

Nginx配置之https_第15张图片

你可能感兴趣的:(服务管理,nginx,https,ssl)