Configuring HTTPS in nginx (tested and working)

Date: 2022-04-25

Before configuring HTTPS you need a certificate. Here a self-signed CA certificate is created first and then used to issue the server certificate:

1. Create a self-signed CA certificate, signed with SHA-256 and using a 2048-bit RSA key.

openssl req -sha256 -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -config ca-openssl.cnf -days 730 -extensions v3_req

An example ca-openssl.cnf (the *_default values are only used if you press Enter at the corresponding prompt):

[req]
distinguished_name  = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName           = CN (2 letter code)
countryName_default = AU
stateOrProvinceName   = ZheJiang (full name)
stateOrProvinceName_default = Some-State
organizationName          = companyName (eg, company)
organizationName_default = Internet Widgits Pty Ltd
commonName            = api.companyName.com (eg, YOUR name)
commonName_default = ca
[v3_req]
basicConstraints = CA:true
keyUsage = critical, keyCertSign

2. Create the server certificate and have the CA sign it, again with SHA-256 and a 2048-bit RSA key.

$ openssl genrsa -out server.key.rsa 2048
$ openssl pkcs8 -topk8 -in server.key.rsa -out server.key -nocrypt
$ rm server.key.rsa
$ openssl req -new -sha256 -key server.key -out server.csr -config server-openssl.cnf

The -sha256 given here only affects the CSR's own signature. The digest of the certificate that is finally issued is taken from default_md in the [CA_default] section of server-openssl.cnf (or from -md on the openssl ca command line).

In the current directory you also need an (initially empty) index.txt database file and a serial file initialised with the first serial number:

touch index.txt
touch serial
echo 00 > serial

An example server-openssl.cnf:

[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[ req_distinguished_name ]
countryName                 = CN (2 letter code)
countryName_default         = CN
stateOrProvinceName         = ZheJiang (full name)
stateOrProvinceName_default = ZheJiang
localityName                = HangZhou (eg, city)
localityName_default        = HangZhou
organizationName            = companyName (eg, company)
organizationName_default    = companyName
commonName                  = api.companyName.com (eg, YOUR name)
commonName_max              = 64

####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]
dir             = .                     # Where everything is kept
certs           = $dir                  # Where the issued certs are kept
crl_dir         = $dir                  # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir                  # default place for new certs.
certificate     = $dir/ca.pem           # The CA certificate (-cert ca.pem on the command line overrides this)
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key (-keyfile ca.key on the command line overrides this)
RANDFILE        = $dir/private/.rand    # private random number file
x509_extensions = usr_cert              # The extensions to add to the cert
                                        # (no usr_cert section exists here; -extensions v3_req on the command line overrides this)

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext

default_days    = 730                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha256                # digest used for the issued certificate
preserve        = no                    # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_anything

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = *.companyName.com
DNS.2 = localhost
IP.1  = 125.36.75.163
IP.2  = 125.46.72.154
IP.3  = 127.0.0.1                       # each entry needs its own index; a repeated IP.2 would overwrite the previous one

Inspect the CSR:

openssl req -noout -text -in server.csr

Issue the server certificate:

openssl ca -in server.csr -out server.pem -keyfile ca.key -cert ca.pem -verbose -config server-openssl.cnf -days 730 -extensions v3_req -updatedb

Strip the text dump: openssl ca prepends a human-readable dump to the certificate it writes, and re-encoding as PEM keeps only the certificate itself (passing -notext to openssl ca avoids this step):

openssl x509 -in server.pem -out server.pem -outform PEM

Inspect the certificate:

openssl x509 -in server.pem -inform pem -noout -text

Verify the certificate against the CA:

openssl verify -CAfile ca.pem server.pem
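The following script is an added example, not part of the original post. It runs the whole CA -> CSR -> signed server certificate flow from steps 1 and 2 non-interactively (openssl ca -batch answers the prompts, -notext skips the text dump) and then performs the checks a browser effectively performs before trusting the result: chain validity, hostname coverage by the SAN, the signature digest actually used, and that the leaf is not itself a CA. The working directory, the CA name "demo local CA", the extra extendedKeyUsage and the hostname default are assumptions chosen for the demo; the hostname mirrors the server_name used in the nginx configuration below.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive version of the
# CA -> CSR -> signed server certificate flow, followed by the checks a client
# performs before it trusts the result. File names, the CA name and the default
# hostname are assumptions for this demo.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"        # scratch directory (assumed)
SITE_HOST="${SITE_HOST:-m.domain.com}"    # the server_name used in the nginx.conf
cd "$WORKDIR"

# 1. Self-signed CA: sha256 signature, RSA-2048 key. CA:TRUE and keyCertSign are
#    marked critical so that no client can treat a leaf certificate as an issuer.
make_ca() {
    cat > ca.cnf <<'EOF'
[ req ]
prompt              = no
distinguished_name  = dn
x509_extensions     = v3_ca
[ dn ]
CN = demo local CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 730 \
        -config ca.cnf -extensions v3_ca -keyout ca.key -out ca.pem 2>/dev/null
}

# 2. Server key, CSR, and CA-signed certificate. The SAN is what browsers match
#    the hostname against; the CN is ignored when a SAN is present.
make_server_cert() {
    cat > server.cnf <<EOF
[ req ]
prompt              = no
distinguished_name  = dn
[ dn ]
C  = CN
ST = ZheJiang
O  = companyName
CN = $SITE_HOST
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $WORKDIR
database      = \$dir/index.txt
new_certs_dir = \$dir
serial        = \$dir/serial
certificate   = \$dir/ca.pem
private_key   = \$dir/ca.key
default_days  = 730
default_md    = sha256
policy        = policy_anything
[ policy_anything ]
countryName         = optional
stateOrProvinceName = optional
organizationName    = optional
commonName          = supplied
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names
[ alt_names ]
DNS.1 = $SITE_HOST
DNS.2 = localhost
IP.1  = 127.0.0.1
EOF
    : > index.txt                 # empty certificate database
    echo 01 > serial              # first serial number
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -sha256 -key server.key -config server.cnf -out server.csr
    openssl ca -batch -notext -config server.cnf -extensions v3_req \
        -keyfile ca.key -cert ca.pem -in server.csr -out server.pem 2>/dev/null
}

# 3. Checks. The exit status is the verdict (0 = pass), so they can be used in CI.
chain_ok() {                      # does server.pem chain to ca.pem?
    openssl verify -CAfile ca.pem server.pem >/dev/null 2>&1
}
hostname_ok() {                   # is "$1" covered by the SAN?
    openssl verify -CAfile ca.pem -verify_hostname "$1" server.pem >/dev/null 2>&1
}
sigalg_is_sha256() {              # digest really taken from default_md
    openssl x509 -in server.pem -noout -text | grep -q 'sha256WithRSAEncryption'
}
leaf_is_not_ca() {                # a leaf with CA:TRUE could issue certs for any name
    ! openssl x509 -in server.pem -noout -text | grep -q 'CA:TRUE'
}

make_ca
make_server_cert
chain_ok                    && echo "chain:     OK"
hostname_ok "$SITE_HOST"    && echo "SAN covers $SITE_HOST"
hostname_ok other.example   || echo "SAN rejects other.example (expected)"
sigalg_is_sha256            && echo "signature: sha256WithRSAEncryption"
leaf_is_not_ca              && echo "leaf:      CA:FALSE"
```

The hostname check is the one most often missed with hand-made certificates: a certificate whose CN is correct but whose SAN lacks the name is rejected by every current browser, and openssl verify -verify_hostname shows that before the certificate ever reaches nginx.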

3. Configure HTTPS in nginx

With a self-built CA, the CA certificate (ca.pem) has to be imported into the browser's trust store; otherwise the browser shows the site as an insecure connection.

nginx.conf:

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    gzip  on;

    # Plain HTTP: redirect everything to HTTPS.
    server {
        listen       80;
        server_name  m.domain.com;
        location / {
            rewrite ^ https://$host:443$request_uri? permanent;
        }
    }

    server {
        listen       443 ssl;
        server_name  m.domain.com;
        access_log   /home/logs/access.log;
        error_log    /home/logs/error.log;

        if ($host = "m.domain.com") {
            rewrite ^/$ /appname/index.shtml;
        }
        location ^~ /assets/ {
            root /home/apps/appname/;
        }
        # The dot before the extension must be escaped; unescaped it matches any character.
        location ~* ^.+\.(gif|jpg|png|jpeg|js|ico|css|svg)$ {
            root /home/apps/appname/assets/;
        }
        location / {
            proxy_buffering off;
            client_max_body_size    20m;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Scheme $scheme;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   Host $http_host;
            proxy_pass http://127.0.0.1:8080;
        }

        # nginx does not expand "~": the original ~/sshsert/server.pem cannot be
        # opened at startup. Use an absolute path (placeholder below).
        ssl_certificate      /etc/nginx/sshsert/server.pem;
        ssl_certificate_key  /etc/nginx/sshsert/server.key;
        ssl_session_cache    shared:SSL:10m;
        ssl_session_timeout  50m;
        ssl_prefer_server_ciphers  on;
        # TLS 1.2 and 1.3 only. The original "SSLv3 TLSv1 TLSv1.1 TLSv1.2" also
        # enabled SSLv3 (broken, POODLE) and the deprecated TLS 1.0/1.1.
        ssl_protocols TLSv1.2 TLSv1.3;
        # The original string "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
        # admits RC4, LOW and EXPORT suites; HIGH:!aNULL:!MD5 is nginx's documented default.
        ssl_ciphers HIGH:!aNULL:!MD5;
    }
}
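The TLS directives are the part of this configuration that most often goes wrong silently. The script below is an added example, not part of the original post: a small shell audit of ssl_protocols, ssl_ciphers and ssl_certificate paths, run against two constructed server blocks, one with legacy settings (SSLv3 and TLS 1.0/1.1 enabled, an RC4/LOW/EXPORT-permitting cipher string, and a "~" in the certificate path, which nginx does not expand) and one hardened variant. File names, the scratch directory and the hardened values are choices made for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit the TLS-related directives
# of an nginx configuration. File names and hardened values are demo choices.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Number of lines in file "$1" matching ERE "$2" (grep -c exits 1 on zero matches).
count_matches() {
    grep -Ec "$2" "$1" || true
}

# Audit one nginx config. Findings go to stderr, the total count to stdout, so a
# caller can do:  n=$(audit_nginx_tls /etc/nginx/nginx.conf)
audit_nginx_tls() {
    f=$1
    total=0

    # Legacy protocol versions still enabled: SSLv3 (POODLE) and TLS 1.0/1.1
    # (deprecated by RFC 8996). A token must be followed by a space or ';' so
    # that TLSv1.2 and TLSv1.3 are not mistaken for TLSv1.
    n=$(count_matches "$f" '^[[:space:]]*ssl_protocols[[:space:]].*(SSLv2|SSLv3|TLSv1|TLSv1\.1)([[:space:]]|;)')
    [ "$n" -eq 0 ] || echo "ssl_protocols still enables SSLv3/TLS1.0/TLS1.1 ($n line(s))" >&2
    total=$((total + n))

    # Cipher-string keywords that admit RC4, LOW/EXPORT, anonymous or NULL
    # suites, or MD5 MACs. A keyword counts only when it starts a token
    # (preceded by ':', '+' or whitespace), so "!aNULL" and "!MD5" do not.
    n=$(count_matches "$f" '^[[:space:]]*ssl_ciphers[[:space:]].*[[:space:]:+](RC4|LOW|EXP|SSLv2|ADH|aNULL|eNULL|NULL|MD5)')
    [ "$n" -eq 0 ] || echo "ssl_ciphers admits weak suites ($n line(s))" >&2
    total=$((total + n))

    # nginx does not expand '~'; such a path fails at startup with
    # "cannot load certificate".
    n=$(count_matches "$f" '^[[:space:]]*ssl_certificate(_key)?[[:space:]]+~')
    [ "$n" -eq 0 ] || echo "ssl_certificate/ssl_certificate_key uses a ~ path ($n line(s))" >&2
    total=$((total + n))

    echo "$total"
}

write_demo_configs() {
    # Constructed: a server block with the legacy settings this audit targets.
    cat > "$WORKDIR/weak.conf" <<'EOF'
server {
    listen       443 ssl;
    server_name  m.domain.com;
    ssl_certificate      ~/sshsert/server.pem;
    ssl_certificate_key  ~/sshsert/server.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers  on;
}
EOF
    # Constructed: the same block hardened. Absolute paths, TLS 1.2/1.3 only,
    # and nginx's documented default cipher string.
    cat > "$WORKDIR/hardened.conf" <<'EOF'
server {
    listen       443 ssl;
    server_name  m.domain.com;
    ssl_certificate      /etc/nginx/sshsert/server.pem;
    ssl_certificate_key  /etc/nginx/sshsert/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;
}
EOF
}

write_demo_configs
echo "weak.conf:     $(audit_nginx_tls "$WORKDIR/weak.conf") finding(s)"
echo "hardened.conf: $(audit_nginx_tls "$WORKDIR/hardened.conf") finding(s)"
```

The audit is deliberately line-based and conservative: it flags the three mistakes that a plain `nginx -t` does not catch (nginx -t accepts SSLv3 and weak cipher strings, and only reports the "~" path when the file is actually opened), and it treats a negated keyword such as `!MD5` as fine. Run it on the real configuration before reloading nginx.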

Additional notes:

Reference used for the nginx configuration:

https://segmentfault.com/a/1190000002866627

List of digest algorithms accepted for signing:

-md4            to use the md4 message digest algorithm            // digest algorithm: md4
-md5            to use the md5 message digest algorithm            // digest algorithm: md5
-ripemd160      to use the ripemd160 message digest algorithm      // digest algorithm: ripemd160
-sha            to use the sha message digest algorithm            // digest algorithm: sha
-sha1           to use the sha1 message digest algorithm           // digest algorithm: sha1
-sha224         to use the sha224 message digest algorithm         // digest algorithm: sha224
-sha256         to use the sha256 message digest algorithm         // digest algorithm: sha256
-sha384         to use the sha384 message digest algorithm         // digest algorithm: sha384
-sha512         to use the sha512 message digest algorithm         // digest algorithm: sha512
-whirlpool      to use the whirlpool message digest algorithm      // digest algorithm: whirlpool

On TLS versions:

https://www.openssl.org/

Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]:

• Support TLS v1.2 and TLS v1.1.