【学习笔记】使用OpenSSL生成CA证书-配置Nginx代理服务器使用HTTPS协议

使用OpenSSL创建CA证书

参考文献: https://www.cnblogs.com/qiyueqi/p/11551238.html

一些nginx常用的命令:

检查配置文件是否正确:./nginx -t
启动Nginx 命令:./nginx 
重启Nginx 命令:./nginx -s reload	
停止Nginx 命令:	./nginx -s stop

1、安装Nginx过程:

yum install gcc-c++	# 安装gcc
yum install -y pcre pcre-devel	# 安装语言兼容正则表达式
yum install -y zlib zlib-devel	# 安装zlib
yum install -y openssl openssl-devel	# 安装OpenSSL(一个密码库)

事先下载好nginx到/usr/local/目录下,可以到 http://nginx.org/en/download.html 官网下载

tar -zxvf nginx-1.19.1	# 解压 我的版本是nginx-1.19.1
cd nginx-1.19.1		# 切换到解压 nginx-1.19.1目录下
./configure 		# 解析程序
cd /usr/local/nginx/sbin	
make	# 检查
make install	# 安装nginx
./nginx --with-http_ssl_module			#运行nginx 加入一个ssl服务的模块

到这里如果顺利的话就安装好了,接下来就是配置了,配置文件在/usr/local/nginx/conf/nginx.conf


2、使用OpenSSL创建CA证书

命令如下(其中填一些信息什么的,可以参考网上的,这里不多累赘了,图我贴下面了):

mkdir CA	# 单独创建一个文件用来装证书,以免和其他文件混淆我放在/usr/local这个目录下
cd CA	# 切换到CA目录下
openssl genrsa -out local.key 2048	# 生成CA私钥
openssl req -new -key local.key -out local.csr	# 生成CA证书请求
openssl x509 -req -in local.csr -extensions v3_ca -signkey local.key -out local.crt	# 生成CA根证书
openssl genrsa -out my_server.key 2048 # 生成server私匙
openssl x509 -req -in local.csr -extensions v3_ca -signkey local.key -out local.crt	# 生成server证书请求
openssl x509 -days 365 -req -in my_server.csr -extensions v3_req -CAkey local.key -CA local.crt -CAcreateserial -out my_server.crt	# 生成server证书

以上一些执行步骤的图解,可按照自己的实际情况进行填写

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  #国家
State or Province Name (full name) []:BJ   #省份
Locality Name (eg, city) [Default City]:BJ  #城市
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:test   #部门
Common Name (eg, your name or your server's hostname) []:test   #主机名
Email Address []:[email protected]  #邮箱

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:wuminyan  #密码
An optional company name []:wuminyan  #姓名

执行完以上命令文件夹内会有以下文件:
[root@huahua CA]# ll
total 28
-rw-r--r-- 1 root root 1371 Mar 21 16:47 local.crt
-rw-r--r-- 1 root root 1147 Mar 21 16:44 local.csr
-rw-r--r-- 1 root root 1679 Mar 21 16:41 local.key
-rw-r--r-- 1 root root   17 Mar 21 16:52 local.srl
-rw-r--r-- 1 root root 1314 Mar 21 16:52 my_server.crt
-rw-r--r-- 1 root root 1094 Mar 21 16:50 my_server.csr
-rw-r--r-- 1 root root 1679 Mar 21 16:46 my_server.key

证书位置:/usr/local/CA/local.crt

私钥位置:/usr/local/CA/local.key

解释一下:

.key通常指私钥

.csr 是Certificate Signing Request的缩写,即证书签名申请,这不是证书,这是要求CA给证书签名的一种正是申请,该申请包含申请证书的实体的公钥及该实体店某些信息。该数据将成为证书的一部分。CSR始终使用它携带的公钥所对应的私钥进行签名。

.crt 即 certificate的缩写,即证书

3、配置文件(/usr/local/nginx/conf/nginx.conf)如下,其中只需要改这一部分即可

#   HTTPS server
	server {
        listen       443 ssl;
        server_name  localhost;
        charset utf-8;

        ssl_certificate      /usr/local/CA/local.crt;	# 证书
        ssl_certificate_key  /usr/local/CA/local.key;	# 私钥

        ssl_session_cache    shared:SSL:10m;	# 会话缓存设置 10M
        ssl_session_timeout  10m;	# 长连接时间 10 min

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

	location / {
		#假设公网IP:192.168.133.132
		# 则所有请求192.168.133.132都会跳转到这个172.0.0.1:8080
           proxy_pass   http://127.0.0.1:8080;	
           proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
        }

}    

以下是nginx配置文件(/usr/local/nginx/conf/nginx.conf)全部内容

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
			# huahua更改配置
           # root   html;
           #index  index.html index.htm;x
           proxy_pass   http://127.0.0.1:8080;
           proxy_set_header  Host $host;
           proxy_set_header   X-real-ip $remote_addr;
           proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


 #   HTTPS server
	server {
        listen       443 ssl;
        server_name  localhost;
        charset utf-8;

        ssl_certificate      /usr/local/CA/local.crt;	
        ssl_certificate_key  /usr/local/CA/local.key;

        ssl_session_cache    shared:SSL:10m;
        ssl_session_timeout  10m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

	location / {
           proxy_pass   http://127.0.0.1:8080;
           proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
        }

}    

}

还有最后一步,如果是云服务器,就要到安全组把443端口开启如下

【学习笔记】使用OpenSSL生成CA证书-配置Nginx代理服务器使用HTTPS协议_第1张图片

然后访问服务器https://公网IP,如下所示:
【学习笔记】使用OpenSSL生成CA证书-配置Nginx代理服务器使用HTTPS协议_第2张图片

我们可以看到这个连接不是安全的连接,因为这是我用自己颁发给自己的证书,那肯定得不到CA公证机构的认可,所以显示是不安全的连接,如果要显示安全的可以到CA机构去申请一个,有的是免费的,我这里就不进行展开了。

我们点继续前往,可以看到如下:

【学习笔记】使用OpenSSL生成CA证书-配置Nginx代理服务器使用HTTPS协议_第3张图片
成功连接到服务器,证明nginx可用,使用的也是HTTPS。


3、可能遇到的错误:

未知的错误1:

nginx: [emerg] unknown directive "HTTPS" in /usr/local/nginx/conf/nginx.conf:103
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

解决:把/usr/local/nginx/conf/nginx.conf配置文件种的HTTPS使用 “#” 号注释掉即可

未知的错误2(这是我安装nginx时没有配置好的原因,如果按照上面的步骤,应该不会出现这个问题):

nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/nginx.conf:104
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed

然后看网上的人说是没有安装一个东西,我查看了版本如下

[root@huahua nginx]# ./sbin/nginx -V	# 查看版本信息
nginx version: nginx/1.18.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
configure arguments:
[root@huahua nginx]# 


如果nginx是运行状态的话,要先停止(在/usr/local/nginx/sbin目录下执行):

./nginx -s stop

如果停止不了或者报错误:

nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/nginx.conf:104

那是因为配置文件暂时错了,为什么这么说呢?

因为配置的SSL是对的,但是由于当前nginx缺少一个模块(with-http_ssl_module),读取不了SSL配置信息,所以是暂时错了,把配置过的SSL都删除或者注释掉,然后再配置回来就可以了
然后到/usr/local/nginx-1.18.0 目录(注意:是安装包的目录)下执行以下命令:

执行停止nginx命令:

./nginx -s stop

然后执行添加模板

./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module

最后运行 make & make install 即可,如果还不行就请试一下重新安装nginx,请参照上面的安装Nginx过程


个人笔记

可以将http请求自动转成https,不知道对不对, 我也没试过哈哈哈!

server {
    listen 80;
    server_name huiblog.top;
    #将http请求转成https
    rewrite ^(.*)$ https://$host$1 permanent;
}


(完)

你可能感兴趣的:(Linux,java,CA数字证书,linux)