Nginx SSL

How SSL works

The difference between HTTPS and HTTP is that HTTPS is encrypted: it prevents an attacker sitting in the middle from intercepting the data, which over plain HTTP could leak.

The browser sends an HTTPS request to the server.

The server must have a digital certificate (this certificate is really a public/private key pair, and it has to be one the browser trusts); the server sends the public key to the client.

When the client (browser) receives the public key, it checks whether the key is valid. If it is not, a warning is shown; if it is, the client generates a random string, encrypts it with the public key it received, and sends the encrypted random string to the server.

When the server receives the encrypted random string, it first decrypts it with its private key (public-key encrypt, private-key decrypt) to obtain the random string, then uses that random string to encrypt the data it transmits. This is symmetric encryption: the data and the secret key (this random string) are combined by some algorithm, so the data cannot be recovered without knowing the key.

The server sends the encrypted data to the client; the client decrypts it with its own copy of the key, that same random string.
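The exchange described above, replayed with the openssl command-line tools, as an added example that is not part of the original post. The file names and the temporary directory are assumptions made for the demo. Modern TLS (1.3) negotiates the session key with ephemeral Diffie-Hellman instead of RSA-encrypting a client random, but the shape of the exchange is the same: asymmetric keys protect the transfer of a secret, and the secret then drives symmetric encryption of the payload.

```shell
# Added example, not code from the original post: the key exchange described
# above, done with openssl command-line tools. File names are assumptions.
set -eu

demo_key_exchange() {
    work=$(mktemp -d)

    # Server: generate the RSA key pair and hand out only the public half.
    openssl genrsa -out "$work/server.key" 2048 2>/dev/null
    openssl rsa -in "$work/server.key" -pubout -out "$work/server.pub" 2>/dev/null

    # Client: pick a random secret and encrypt it with the server's public key.
    openssl rand -hex 32 > "$work/session.key"
    openssl pkeyutl -encrypt -pubin -inkey "$work/server.pub" \
        -in "$work/session.key" -out "$work/session.key.enc"

    # Server: only the private key can recover the secret (public encrypt, private decrypt).
    openssl pkeyutl -decrypt -inkey "$work/server.key" \
        -in "$work/session.key.enc" -out "$work/session.key.dec"

    # Both sides now share the secret; application data is protected with symmetric AES.
    printf 'this is ssl.' > "$work/payload.txt"
    openssl enc -aes-256-cbc -pbkdf2 -pass "file:$work/session.key.dec" \
        -in "$work/payload.txt" -out "$work/payload.enc"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$work/session.key" \
        -in "$work/payload.enc" -out "$work/payload.dec"

    # Succeeds only if the server recovered the same secret and the client
    # decrypted exactly the payload that was sent.
    if cmp -s "$work/session.key" "$work/session.key.dec" &&
       cmp -s "$work/payload.txt" "$work/payload.dec"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}
```

Run `demo_key_exchange` after sourcing the script; it exits 0 when the round trip succeeds. Note that the private key never leaves the "server" side: everything the "client" needs to send its secret is the public key, which is exactly why the browser's check that the public key is genuine (step 3 above) matters.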

Generating the SSL key pair

First you need a tool to generate the key: the openssl package.

1. Install openssl and generate the key in nginx's conf/ directory
[root@antong ~]# yum install -y openssl
[root@antong ~]# cd /usr/local/nginx/conf/
[root@antong conf]# openssl genrsa -des3 -out tmp.key 2048  // RSA-format private key
Generating RSA private key, 2048 bit long modulus
..........+++
............................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:   // removed again by the conversion in step 2
Verifying - Enter pass phrase for tmp.key:
2. Convert the key to remove the pass phrase
[root@antong conf]# openssl rsa -in tmp.key -out test.key
Enter pass phrase for tmp.key:
writing RSA key
[root@antong conf]# rm -rf tmp.key
3. Generate the certificate request
[root@antong conf]# openssl req -new -key test.key -out test.csr   // generates the certificate request file; together with the private key it is used to produce the public certificate file
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:at
State or Province Name (full name) []:hushi   
Locality Name (eg, city) [Default City]:hushi
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:test
Email Address []:17684703342@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:000000
An optional company name []:test 
4. Generate the public certificate file
[root@antong conf]# openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt
Signature ok
subject=/C=at/ST=hushi/L=hushi/O=test/OU=test/CN=test/emailAddress=17684703342@163.com
Getting Private key
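The four steps above done non-interactively, plus two checks an operator would run before handing the files to nginx, as an added example that is not code from the original post. The output directory, the subject fields and the hostname `antong.com` in the CN are assumptions; generating the key without `-des3` skips the pass-phrase step and the conversion in step 2 entirely, which is the usual choice because nginx cannot prompt for a pass phrase when it starts.

```shell
# Added example, not code from the original post. Directory and subject
# values are assumptions; adjust CN to the server_name nginx will serve.
set -eu

make_self_signed() {
    dir=${1:-$(mktemp -d)}
    # Steps 1 and 2 in one go: an unencrypted RSA private key, so there is
    # no pass phrase to strip afterwards.
    openssl genrsa -out "$dir/test.key" 2048 2>/dev/null
    # Step 3: the certificate request; -subj supplies the DN fields
    # instead of answering the interactive prompts.
    openssl req -new -key "$dir/test.key" -out "$dir/test.csr" \
        -subj "/C=AT/ST=hushi/L=hushi/O=test/OU=test/CN=antong.com"
    # Step 4: self-sign the request with the same key, valid for 365 days.
    openssl x509 -req -days 365 -in "$dir/test.csr" -signkey "$dir/test.key" \
        -out "$dir/test.crt" 2>/dev/null
    # Private key material must not be readable by other users on the host.
    chmod 600 "$dir/test.key"
    echo "$dir"
}

# Check 1: the certificate and the key belong together (same RSA modulus).
key_matches_cert() {
    dir=$1
    k=$(openssl rsa -noout -modulus -in "$dir/test.key" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$dir/test.crt" | openssl sha256)
    [ "$k" = "$c" ]
}

# Check 2: the certificate verifies when it is itself used as the trust
# anchor, which is what a client does when given it via --cacert.
cert_is_self_signed_valid() {
    dir=$1
    openssl verify -CAfile "$dir/test.crt" "$dir/test.crt" >/dev/null 2>&1
}
```

`make_self_signed /usr/local/nginx/conf` produces the same `test.key` and `test.crt` the post uses. Because the certificate is self-signed, no browser or curl will trust it by default; the honest way to test is to point the client at this exact certificate with `--cacert test.crt`, as the curl error text later on this page suggests, rather than disabling verification with `-k`.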

Configuring SSL in Nginx

1. Create a new virtual host file
[root@antong conf]# vim /usr/local/nginx/conf/vhost/ssl.conf
server
{
    listen 443;
    server_name antong.com;
    index index.html index.php;
    root /data/wwwroot/antong.com;
    ssl on;
    ssl_certificate test.crt;
    ssl_certificate_key test.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
[root@antong conf]# mkdir /data/wwwroot/antong.com
[root@antong conf]# echo "this is ssl." > /data/wwwroot/antong.com/index.html
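The same virtual host with the two weak settings corrected, added here as an example and not taken from the original post. `ssl on;` is the directive nginx later warns about on this page as deprecated; enabling TLS on the listen socket replaces it. The protocol line is an assumption on my part: TLSv1 and TLSv1.1 are obsolete, and the TLSv1.3 value only has an effect when nginx is built against OpenSSL 1.1.1 or newer (the build shown on this page uses 1.0.2k, where it is simply ignored).

```nginx
server
{
    # "ssl on;" is deprecated: enable TLS on the listening socket instead.
    listen 443 ssl;
    server_name antong.com;
    index index.html index.php;
    root /data/wwwroot/antong.com;
    ssl_certificate test.crt;
    ssl_certificate_key test.key;
    # Assumption: drop the obsolete TLSv1/TLSv1.1; TLSv1.3 needs OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;
}
```

After editing, run `/usr/local/nginx/sbin/nginx -t` and then `-s reload` exactly as below; with `listen 443 ssl;` the deprecation warning disappears from the `-t` output.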

If `nginx -t` or the reload reports an error about ssl, nginx has to be recompiled with the SSL module.

2. Compile nginx with SSL support
[root@antong nginx]# /usr/local/nginx/sbin/nginx -t
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@antong nginx]# /usr/local/nginx/sbin/nginx -s reload
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /usr/local/nginx/conf/vhost/ssl.conf:7
[root@antong conf]# cd /usr/local/src/nginx-1.17.8/
[root@antong nginx-1.17.8]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module    // wait for it to finish
[root@antong nginx-1.17.8]# make && make install
[root@antong nginx-1.17.8]# echo $?
0
[root@antong nginx]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.17.8
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
[root@antong nginx]# /usr/local/nginx/sbin/nginx -t
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@antong nginx]# /usr/local/nginx/sbin/nginx -s reload
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /usr/local/nginx/conf/vhost/ssl.conf:7
3. Test
[root@antong nginx]# curl https://antong.com   // fails because the certificate is not trusted
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Now visit the site from a PC (the hosts file needs an entry mapping antong.com to the server).

The site is now reachable over HTTPS.

posted @ 2021-09-08 10:37  殇黯瞳