Nginx之Https 证书加密

 

SSL证书是数字证书的一种，类似于驾驶证、护照和营业执照的电子副本。因为配置在服务器上，也称为SSL服务器证书。

 

• 1、检查SSL模块状态
• 2、准备私钥和证书
• 3、开启Nginx SSL
• 4、 HTTPS常见报错

目录

1、检查SSL模块状态

[root@web-node1~]# /application/nginx/sbin/nginx -V

nginx version: nginx/1.6.3

built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)

TLS SNI support enabled

configure arguments: --prefix=/application/nginx-1.6.3 --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module

2、准备私钥和证书

2.1创建服务器私钥

[root@web-node1~]# cd /application/nginx/conf/

[root@web-node1 conf]# mkdir key

[root@web-node1 conf]# cd key/

[root@web-node1 key]# openssl genrsa -des3 -out server.key 1024

Generating RSA private key, 1024 bit long modulus

..++++++

...++++++

e is 65537 (0x10001)

Enter pass phrase for server.key:

Verifying - Enter pass phrase for server.key:

2.2签发证书

[root@web-node1 key]# openssl req -new -key server.key -out server.csr

Enter pass phrase for server.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:BJ

Locality Name (eg, city) [Default City]:BJ

Organization Name (eg, company) [Default Company Ltd]:SDU

Organizational Unit Name (eg, section) []:SA         

Common Name (eg, your name or your server's hostname) []:Qiuyt

Email Address []:qiuyuetao@163.com

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:     

An optional company name []:

2.3删除服务器私钥口令

[root@web-node1 key]# cp server.key server.key.ori

[root@web-node1 key]# openssl rsa -in server.key.ori -out server.key

Enter pass phrase for server.key.ori:

writing RSA key

2.4生成使用签名请求证书
和私钥生成自签证书

[root@web-node1 key]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Signature ok

subject=/C=CN/ST=BJ/L=BJ/O=SDU/OU=SA/CN=XuBuSi/emailAddress=qiuyt@yilonghc.com

Getting Private key

3、开启Nginx SSL

[root@web-node1 ~]# cat /application/nginx/conf/vhosts/www.conf

server

    {

        listen 443 default_server;

        server_name 自己域名;

 

 

#Globalsign New-2

        ssl                  on;

        ssl_certificate      /usr/local/nginx/conf/new-2-ssl/server.cer;

        ssl_certificate_key  /usr/local/nginx/conf/new-2-ssl/server.key;

        ssl_session_timeout 5m;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

        ssl_prefer_server_ciphers on;

 

        index index.html index.htm index.php;

        root  /yilongdata/webs/******/public; ##自己网站根目录

 

    location / {

#           return 503;

        try_files $uri $uri/ /index.php$is_args$query_string;

        }

 

        location ~ [^/]\.php(/|$)

        {

#            limit_conn perip 60;

#            limit_req zone=perreq nodelay;

            try_files $uri =404;

            fastcgi_pass   myfastcgi;

            fastcgi_index index.php;

            include fastcgi.conf;

            fastcgi_param  HTTPS on;

        expires      -1;

        }

 

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$

        {

            expires      30d;

        }

 

        location ~ .*\.(js|css)?$

        {

            expires      12h;

        }

 

        access_log  /yilongdata/logs/*******/access/www.yilonghc.cn.log  main;

 

        location ~ /\.ht {

          deny all;

        }

 

    }

##注意

#PHP 开启方式 1:

php-fpm.conf: listen = 127.0.0.1:9000

nginx.conf: fastcgi_pass 127.0.0.1:9000;

#方式2:

php-fpm.conf: listen = /tmp/php-fpm.sock

nginx.conf: fastcgi_pass unix:/tmp/php-cgi.sock;

#php 配置文件注销

使用; 不能用#

3.1重启nginx生效

[root@web-node1 ~]# /application/nginx/sbin/nginx -s reload

[root@web-node1 ~]# netstat -lntup|grep 443

tcp        0    0 0.0.0.0:443                 0.0.0.0:*                   LISTEN    1711/nginx

3.2测试https

由于该证书非第三方权威机构颁发，而是我们自己签发的，所以浏览器会警告，如果是对外的业务需要加密，必须使用商用第三方签名证书。

1.4配置重定向80端口转443端口

以上配置有个不好的地方，如果用户使用时忘了使用https或者443端口，那么将会报错，所以我们需要80端口的访问转到443端口并使用ssl加密访问。

只需要增加一个server段，使用301永久重定向。

[root@web-node1 ~]# tail -5 /application/nginx/conf/vhosts/www.conf

server {

        listen 80;

        server_name jianguo.yi*****.cn;

        rewrite ^(.*) https://$server_name$1 permanent;

}

[root@web-node1 ~]# /application/nginx/sbin/nginx -t

nginx: the configuration file /application/nginx-1.6.3/conf/nginx.conf syntax is ok

nginx: configuration file /application/nginx-1.6.3/conf/nginx.conf test is successful

[root@web-node1 ~]# /application/nginx/sbin/nginx -s reload

4、 HTTPS常见报错

生产中遇到个错误，原因是将业务迁到云上后，原环境是apache，现在用的是nginx，ssl整数配置一致，但是出现如下错误

[root@Lhapp key]# /application/nginx/sbin/nginx -t

nginx: [emerg] PEM_read_bio_X509_AUX("/application/nginx-1.8.1//conf/key/lhapi.csr") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)

nginx: configuration file /application/nginx-1.8.1//conf/nginx.conf test failed

#经过百度查阅，发现在apache中，公钥配置如下

 

[root@files conf.d]# grep -nr "SSLCertificateFile" ./

./ssl.conf:123:SSLCertificateFile /etc/httpd/lhapissl/214026611150535.pem

#它这里没有server.csr 而是用的*.pem做为工作，所以我把nginx也改为*.pem就OK了

ssl_certificate key/214026611150535.pem;

结果OK，证书生效