12.20 Nginx SSL configuration

Date: 2022-04-27
This article introduces 12.20 Nginx SSL configuration. It covers an outline of the Nginx SSL setup, the configuration itself, basic concepts, basic usage, the underlying mechanism and points to watch out for, all analysed through a worked example, in the hope that it helps readers understand and apply this material.

Nginx SSL configuration: outline

  • vim /usr/local/nginx/conf/vhost/ssl.conf // add the following content
server
{
    listen 443;
    server_name aming.com;
    index index.html index.php;
    root /data/wwwroot/aming.com;
    ssl on;
    ssl_certificate aminglinux.crt;
    ssl_certificate_key aminglinux.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
  • /usr/local/nginx/sbin/nginx -t && /usr/local/nginx/sbin/nginx -s reload // if this reports unknown directive "ssl", nginx must be recompiled with --with-http_ssl_module
  • mkdir /data/wwwroot/aming.com
  • echo "ssl test page.">/data/wwwroot/aming.com/index.html
  • Edit the hosts file, adding 127.0.0.1 aming.com
  • curl https://aming.com/

Nginx SSL configuration

  • Once the certificate (public key) and private key exist, configure nginx
  1. Create a new configuration file: vim /usr/local/nginx/conf/vhost/ssl.conf
[root@hf-01 conf]# vim /usr/local/nginx/conf/vhost/ssl.conf

Add the following content
server
{
    listen 443;        # listen on port 443
    server_name aming.com;   # host name
    index index.html index.php;
    root /data/wwwroot/aming.com;   # document root
    ssl on;                         # enable ssl
    ssl_certificate gurui.crt;      # certificate file (the public key)
    ssl_certificate_key gurui.key;  # private key
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # ssl protocol versions
}
Save and exit
  • For the ssl protocols, all three are normally configured
  2. Create the /data/wwwroot/aming.com directory
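The protocol list is the security-relevant line in this vhost: TLS 1.0 and 1.1 are deprecated (RFC 8996), so a production vhost should offer only TLS 1.2 (and 1.3 where the build supports it). The following shell script is an added example, not part of the original post. It writes two constructed vhost files into a temporary directory, a copy of the page's configuration and a hardened variant, and defines `legacy_tls_protocols`, a small audit function that reports which legacy protocol versions an `ssl_protocols` directive still enables. The hardened variant uses `listen 443 ssl` instead of the older `ssl on`, restricts `ssl_protocols` to TLSv1.2 and TLSv1.3, and adds an HSTS header; note that TLSv1.3 requires nginx 1.13.0 or later built against OpenSSL 1.1.1, which the nginx 1.12.1 / OpenSSL 1.0.2k build shown on this page does not have, so on that build list TLSv1.2 alone.

```shell
#!/bin/sh
# Added example: audit an nginx vhost for legacy TLS protocol versions.
# The two config files below are constructed samples, not files from the page.
set -eu

WORKDIR="$(mktemp -d)"

# Constructed copy of the page's vhost (same directives, nginx '#' comments).
cat > "$WORKDIR/legacy.conf" <<'EOF'
server {
    listen 443;
    server_name aming.com;
    index index.html index.php;
    root /data/wwwroot/aming.com;
    ssl on;
    ssl_certificate aminglinux.crt;
    ssl_certificate_key aminglinux.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLS 1.0/1.1 are deprecated (RFC 8996)
}
EOF

# Hardened variant: TLS 1.2/1.3 only, server-chosen cipher order, HSTS.
# (Drop TLSv1.3 on builds older than nginx 1.13.0 / OpenSSL 1.1.1.)
cat > "$WORKDIR/hardened.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name aming.com;
    index index.html index.php;
    root /data/wwwroot/aming.com;
    ssl_certificate aminglinux.crt;
    ssl_certificate_key aminglinux.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF

# legacy_tls_protocols CONFIG
# Prints "ok" when no legacy protocol is enabled, otherwise
# "legacy: <versions>" listing every SSLv2/SSLv3/TLSv1/TLSv1.1 token
# found in ssl_protocols directives (comments are stripped first).
legacy_tls_protocols() {
    found=$(sed 's/#.*//' "$1" \
        | grep -E '^[[:space:]]*ssl_protocols[[:space:]]' \
        | sed -E 's/^[[:space:]]*ssl_protocols[[:space:]]+//; s/;.*//' \
        | tr ' ' '\n' \
        | grep -Ex 'SSLv2|SSLv3|TLSv1|TLSv1\.1' || true)
    if [ -z "$found" ]; then
        echo "ok"
    else
        # unquoted expansion joins the matched tokens with single spaces
        echo "legacy:" $found
    fi
}

legacy_tls_protocols "$WORKDIR/legacy.conf"    # legacy: TLSv1 TLSv1.1
legacy_tls_protocols "$WORKDIR/hardened.conf"  # ok
```

Run it against a real vhost with `legacy_tls_protocols /usr/local/nginx/conf/vhost/ssl.conf`; a non-"ok" result is the cue to tighten `ssl_protocols` before `nginx -s reload`. The function only inspects the directive text, so it complements rather than replaces `nginx -t`, which validates syntax but not protocol policy.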
[root@hf-01 conf]# mkdir /data/wwwroot/aming.com
[root@hf-01 conf]# 
  3. Check the configuration file syntax
[root@hf-01 conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[root@hf-01 conf]# 
  • Error:
    • nginx does not recognise the ssl directive because SSL support was not specified when nginx was compiled
[root@hf-01 conf]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) 
configure arguments: --prefix=/usr/local/nginx
[root@hf-01 conf]# 
  • Solution
    • Recompile nginx
  4. Recompile nginx
[root@hf-01 conf]# cd /usr/local/src/nginx-1.12.1/
[root@hf-01 nginx-1.12.1]# ./configure --help |grep -i ssl
  --with-http_ssl_module             enable ngx_http_ssl_module
  --with-mail_ssl_module             enable ngx_mail_ssl_module
  --with-stream_ssl_module           enable ngx_stream_ssl_module
  --with-stream_ssl_preread_module   enable ngx_stream_ssl_preread_module
  --with-openssl=DIR                 set path to OpenSSL library sources
  --with-openssl-opt=OPTIONS         set additional build options for OpenSSL
[root@hf-01 nginx-1.12.1]# 
  • --with-http_ssl_module must be added at compile time
  5. Run configure: ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@hf-01 nginx-1.12.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
  6. Compile with make
[root@hf-01 nginx-1.12.1]# make
  7. Then make install
[root@hf-01 nginx-1.12.1]# make install
  8. Check nginx's compile arguments; --with-http_ssl_module now appears
[root@hf-01 nginx-1.12.1]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
[root@hf-01 nginx-1.12.1]# 
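The "unknown directive ssl" failure above is cheap to catch before a vhost is ever deployed: `nginx -V` (note that it writes to stderr) shows the configure arguments and the OpenSSL the binary was linked against. The shell script below is an added example, not part of the original post. It embeds constructed copies of the two `nginx -V` outputs shown in this transcript and defines two helpers, `ssl_module_status` and `openssl_build_version`, that read that output on stdin; `check_installed_nginx` applies them to a real binary and is not run at the top level here. The binary path defaults to the prefix used on this page.

```shell
#!/bin/sh
# Added example: pre-flight check that the nginx binary was built with
# ngx_http_ssl_module before deploying an ssl vhost.
set -eu

# Constructed samples of `nginx -V` output, copied from the transcript above.
BEFORE_REBUILD='nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
configure arguments: --prefix=/usr/local/nginx'

AFTER_REBUILD='nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module'

# Reads `nginx -V` text on stdin; prints "present" when the configure
# arguments contain the exact token --with-http_ssl_module, else "missing".
ssl_module_status() {
    if sed -n 's/^configure arguments://p' \
        | grep -qE '(^|[[:space:]])--with-http_ssl_module([[:space:]]|$)'; then
        echo "present"
    else
        echo "missing"
    fi
}

# Reads `nginx -V` text on stdin; prints the OpenSSL version the binary was
# built with (empty when the build line is absent, as in a non-SSL build).
openssl_build_version() {
    sed -n 's/^built with OpenSSL \([^ ]*\).*/\1/p'
}

# Runs the checks against an installed binary. NGINX_BIN is a hypothetical
# override; the default is the prefix used on this page.
check_installed_nginx() {
    bin="${NGINX_BIN:-/usr/local/nginx/sbin/nginx}"
    out=$("$bin" -V 2>&1)
    echo "ssl module: $(printf '%s\n' "$out" | ssl_module_status)"
    echo "openssl:    $(printf '%s\n' "$out" | openssl_build_version)"
}

printf '%s\n' "$BEFORE_REBUILD" | ssl_module_status      # missing
printf '%s\n' "$AFTER_REBUILD"  | ssl_module_status      # present
printf '%s\n' "$AFTER_REBUILD"  | openssl_build_version  # 1.0.2k-fips
```

Call `check_installed_nginx` in a deployment script and refuse to install ssl.conf when the module is "missing"; that turns the emerg-level reload failure into a clear message before any configuration is touched. The OpenSSL version is worth recording too, since it decides which `ssl_protocols` values the build can actually honour.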
  9. Check the configuration file for syntax errors
[root@hf-01 nginx-1.12.1]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hf-01 nginx-1.12.1]# 
  10. Restart nginx
[root@hf-01 nginx-1.12.1]# /etc/init.d/nginx restart
Restarting nginx (via systemctl):                          [  确定  ]
[root@hf-01 nginx-1.12.1]# 
  11. Check the listening ports; an additional port, 443, now appears
[root@hf-01 nginx-1.12.1]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1533/master         
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      5716/nginx: master  
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      5716/nginx: master  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1205/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      1533/master         
tcp6       0      0 :::3306                 :::*                    LISTEN      1576/mysqld         
tcp6       0      0 :::22                   :::*                    LISTEN      1205/sshd           
[root@hf-01 nginx-1.12.1]# 
  12. Change into the site directory and create a test file
[root@hf-01 nginx-1.12.1]# cd /data/wwwroot/aming.com/
[root@hf-01 aming.com]# ls
[root@hf-01 aming.com]# vim index.html

This is ssl.
Save and exit
  13. Test. Accessing it this way returns 400, because with -x curl treats 127.0.0.1:443 as a proxy and sends CONNECT
[root@hf-01 aming.com]# curl -x127.0.0.1:443 https://aming.com/
curl: (56) Received HTTP code 400 from proxy after CONNECT
[root@hf-01 aming.com]# 
  14. Edit /etc/hosts in the virtual machine
[root@hf-01 aming.com]# vim /etc/hosts

Add the following line
127.0.0.1 aming.com
  15. Test again, this time without -x
[root@hf-01 aming.com]# curl https://aming.com/
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
[root@hf-01 aming.com]# 
  • This means the certificate has been marked as untrusted, because it is self-issued; the configuration itself has actually succeeded
  16. Add the following to the Windows hosts file and save
192.168.74.129  aming.com
  17. Open aming.com in a browser; the page times out while loading
  18. Now check the virtual machine's firewall with iptables -nvL. If rules exist, you can flush them all with iptables -F, or, if you would rather not flush everything, add a rule allowing port 443
[root@hf-01 aming.com]# iptables -nvL

[root@hf-01 aming.com]# iptables -F
[root@hf-01 aming.com]# 
  19. Access aming.com again; the browser asks whether to trust the certificate. Choose Yes and the page loads
  20. Because the certificate is self-issued and the browser does not trust it, the address bar shows a red "Not secure" rather than green
  21. To serve https normally later, you can buy a certificate from WoSign (沃通)