Nginx基础-配置安全web服务

1.HTTPS配置语法

Syntax: ssl on | off;
Default: ssl off;
Context: http, server

Syntax: ssl_certificate file;
Default:Context: http, server

Syntax: ssl_certificate_key file;
Default:Context: http, server

2.HTTPS配置场景

配置苹果要求的证书
1.服务器所有连接使用TLS1.2以上版本(openssl 1.0.2)
2.HTTPS证书必须使用SHA256以上哈希算法签名
3.HTTPS证书必须使用RSA 2048位或ECC256位以上公钥算法
4.使用前向加密技术

秘钥生成操作步骤
1.生成key密钥
2.生成证书签名请求文件(csr文件)
3.生成证书签名文件(CA文件)

3.创建私钥

[root@localhost ~]# mkdir /etc/nginx/ssl_key
[root@localhost ~]# cd /etc/nginx/ssl_key
[root@localhost ssh_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.....+++
#记住配置密码
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

4.生成使用签名请求证书和私钥生成自签证书

[root@localhost ssl_key]# openssl req -days 36500 -x509 \
-sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SC
Locality Name (eg, city) [Default City]:CD
Organization Name (eg, company) [Default Company Ltd]:example Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:admin
Email Address []:admin@example.com

5.配置Nginx

[root@localhost ~]# vim /etc/nginx/conf.d/ssl.conf
    server {
        listen 443;
        server_name localhost;
        ssl on;
        index index.html index.htm;
        #ssl_session_cache share:SSL:10m;
        ssl_session_timeout 10m;
        ssl_certificate ssl_key/server.crt;
        ssl_certificate_key ssl_key/server.key;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;

        location / {
            root /soft/code;
            access_log /logs/ssl.log main;
        }
    }

6.测试访问, 由于该证书非第三方权威机构颁发,而是我们自己签发的,所以浏览器会警告

7.以上配置如果用户忘记在浏览器地址栏输入https://那么将不会跳转至https, 需要将访问http强制跳转https

[root@localhost ~]# cat /etc/nginx/conf.d/ssl.conf 
    server {
        listen 443;
        server_name localhost;
        ssl on;
        index index.html index.htm;
        #ssl_session_cache share:SSL:10m;
        ssl_session_timeout 10m;
        ssl_certificate ssl_key/server.crt;
        ssl_certificate_key ssl_key/server.key;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;

        location / {
            root /soft/code;
        }
    }

    server {
		listen 80;
		server_name localhost;
		rewrite ^(.*) https://$server_name$1 redirect;
    }
posted @   wanghongwei-dev  阅读(209)  评论(0编辑  收藏  举报
相关博文:
·  Ingress Nginx Controller常用注解
·  TinySSH部署和使用教程
·  Nginx上的HTTPS的配置
·  nginx 之 https 证书配置
·  Nginx 配置HTTPS
阅读排行:
· TypeScript + Deepseek 打造卜卦网站:技术与玄学的结合
· Manus的开源复刻OpenManus初探
· 三行代码完成国际化适配,妙~啊~
· .NET Core 中如何实现缓存的预热?
· 如何调用 DeepSeek 的自然语言处理 API 接口并集成到在线客服系统
点击右上角即可分享
微信分享提示
SQL AI 助手