一.模块简介:
本模块用于HTTPS的支持
它支持使用以下两个限制检查客户端证书:
1.不允许指定过期证书列表。
2.如果有一个证书链文件,无须向apache那样指定每个证书文件。
二.模块指令
SSL指令
语法: Syntax:ssl on | off; 默认值: Default:ssl off; 应用配置段:: Context:http, server
为一个server{...}虚拟主机开启HTTPS
2.ssl_certificate指令
语法: Syntax:ssl_certificate file; 默认值: Default:― 配置段: Context:http, server
为当前的虚拟主机指定PEM格式的证书文件。
3.ssl_certificate_key指令
语法: Syntax:ssl_certificate_key file; 默认值: Default:― 配置段: Context:http, server
为当前的虚拟主机指定PEM格式的私钥文件。
4.ssl_client_certificate指令
语法: Syntax:ssl_client_certificate file; 默认值: Default:― 配置段: Context:http, server
5.ssl_dhparam指令
语法: Syntax:ssl_dhparam file; 默认值: Default:― 配置段: Context:http, server
This directive appeared in version 0.7.2.
此指令出现于nginx 0.7.2版
指定PEM格式含有Diffie-Hellman参数的文件,用于TLS会话键。
6.ssl_ciphers指令
语法: Syntax:ssl_ciphers ciphers; 默认值: Default:ssl_ciphers HIGH:!aNULL:!MD5; 配置段: Context:http, server
指定许可密码的描述。密码以openssl支持的格式指定;使用以下命令可以查看openssl支持的完整格式列表:
openssl ciphers
7.ssl_crl指令
语法: Syntax:ssl_crl file; 默认值: Default:― 配置段: Context:http, server
This directive appeared in version 0.8.7.
此指令在nginx 0.8.7版本开始出现
指定一个PEM格式的证书吊销文件,用于检查客户端证书。
8.ssl_prefer_server_ciphers指令
语法: Syntax:ssl_prefer_server_ciphers on | off; 默认值: Default:ssl_prefer_server_ciphers off; 配置段: Context:http, server
对SSLv3和TLSv1协议的服务器端密码需求优先级高于客户端密码。
9.ssl_protocols指令
语法: Syntax:ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2]; 默认值: Default:ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; 配置段: Context:http, server
指定使用的SSL协议
10.ssl_verify_client
语法: Syntax:ssl_verify_client on | off | optional | optional_no_ca; 默认值: Default:ssl_verify_client off; 配置段: Context:http, server
是否开启客户端证书验证。参数“ask”在客户端主动提出检查证书时,对客户端证书进行检查。
11.ssl_verify_depth
语法: Syntax:ssl_verify_depth number; 默认值: Default:ssl_verify_depth 1; 配置段: Context:http, server
设置客户端证书链的深度。
12.ssl_session_cache指令
语法: Syntax:ssl_session_cache off | none | [builtin[:size]] [shared:name:size]; 默认值: Default:ssl_session_cache none; 配置段: Context:http, server
设置用来存储SSL会话缓存类型和大小。
缓存类型分类:
off #硬关闭:明确告诉客户端这个会话不可用; none #软关闭:告诉客户端会话能被重用,但Nginx实际上不会重用它们。 builtin #OpenSSL内置缓存,仅可用于一个工作进程;缓存大小用户会话数来指定。注意:使用该指令会导致内存碎片,慎用。 shared #位于所有工作进程的共享缓存。缓存大小用字节数指定,1MB缓存能容纳4000会话。每个共享缓存必须拥有字节的名称,同名的缓存可以用于多个虚拟主机。
你可以同时使用builtin和shared,实例如下
ssl_session_cache builtin:1000 shared:SSL:10m;
然而,只使用共享内存而不使用builtin缓存,将更有效。
13.ssl_session_timeout指令
语法: Syntax:ssl_session_timeout time; 默认值: Default:ssl_session_timeout 5m; 配置段: Context:http, server
设置客户端能够重复使用存储在缓存中的会话参数时间。
三.虚拟主机的SSL配置
默认情况下ssl模块并未被安装,如果要使用该模块则需要在编译时指定�Cwith-http_ssl_module参数。
1.CA证书服务器创建
a.私钥生成
[root@www ~]# cd /etc/pki/CA/ [root@www CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) Generating RSA private key, 2048 bit long modulus ......+++ ......................+++ e is 65537 (0x10001)
b.生成自签署证书:
[root@www CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:HA Locality Name (eg, city) [Default City]:ZZ Organization Name (eg, company) [Default Company Ltd]:sut31 Organizational Unit Name (eg, section) []:ops Common Name (eg, your name or your server's hostname) []:www.stu31.com Email Address []:[email protected]
c.生成索引数据库文件及序列号文件:
[root@www CA]# touch index.txt [root@www CA]# echo 01 >serial [root@www CA]# ls cacert.pem certs crl index.txt newcerts private serial
2.为bbs.stu31.com网站生成证书
a.web服务器生成私钥
[root@www CA]# mkdir /etc/nginx/certs [root@www CA]# cd /etc/nginx/certs [root@www certs]# (umask 077; openssl genrsa -out nginx.key 2048) Generating RSA private key, 2048 bit long modulus .....................................................+++ ................................................................+++ e is 65537 (0x10001)
b.生成证书签署请求文件
[root@www certs]# openssl req -new -key nginx.key -out nginx.csr -days 3650 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:HA Locality Name (eg, city) [Default City]:ZZ Organization Name (eg, company) [Default Company Ltd]:sut31 Organizational Unit Name (eg, section) []:ops Common Name (eg, your name or your server's hostname) []:bbs.stu31.com Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
3.配置nginx服务器使用数字证书
a.CA服务器签署nginx服务器的请求证书
[root@www certs]# openssl ca -in nginx.csr -out nginx.crt -days 3650 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Dec 27 23:11:47 2014 GMT Not After : Dec 24 23:11:47 2024 GMT Subject: countryName = CN stateOrProvinceName = HA organizationName = sut31 organizationalUnitName = ops commonName = bbs.stu31.com emailAddress = [email protected] X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 16:5B:54:BF:51:25:DF:8A:0D:9C:FE:09:B1:65:E1:AB:A6:CA:9E:2A X509v3 Authority Key Identifier: keyid:36:8D:23:60:59:82:3E:EA:ED:F6:02:DC:09:EB:17:04:A4:AB:06:51 Certificate is to be certified until Dec 24 23:11:47 2024 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
[root@www ~]# ls /etc/nginx/certs/ nginx.crt nginx.csr nginx.key
3.为nginx的虚拟主机bbs.stu31.com开启https
额外添加:
[root@www ~]# vim /etc/nginx/extra/nginx-vhost.conf server { listen 443 ssl; server_name bbs.stu31.com; ssl_certificate /etc/nginx/certs/nginx.crt; ssl_certificate_key /etc/nginx/certs/nginx.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; location / { root /www/vhosts/bbs.stu31.com; index index.html index.htm; access_log /var/log/nginx/https.bbs.stu31.com-access.log main; } }
4.重启测试:
[root@www ~]# nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful
重启nginx
[root@www ~]# service nginx restart nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful Stopping nginx: [ OK ] Starting nginx: [ OK ]
先到客户端安装CA服务器的证书
#复制证书到客户端
安装证书:
这样就可以通过以下方式访问:
至此,Nginx的ssl模块就介绍完毕!