Nginx服务器的SSL证书配置以及对SSL的反向代理配置
Nginx的SSL证书配置
1、使用openssl实现证书中心
由于是使用openssl架设私有证书中心,因此要保证以下字段在证书中心的证书、服务端证书、客户端证书中都相同
CountryName StateorProvinceName LocalityName OrganizationName OrganizationalUnitName CountryName StateorProvinceName LocalityName OrganizationName OrganizationalUnitName
编辑证书中心配置文件
vim/etc/pki/tls/openssl.cnf
[CA_default] dir=/etc/pki/CA certs=$dir/certs#Wheretheissuedcertsarekept crl_dir=$dir/crl#Wheretheissuedcrlarekept database=$dir/index.txt#databaseindexfile. #unique_subject=no#Setto'no'toallowcreationof #severalctificateswithsamesubject. new_certs_dir=$dir/newcerts#defaultplacefornewcerts. certificate=$dir/cacert.pem#TheCAcertificate serial=$dir/serial#Thecurrentserialnumber crlnumber=$dir/crlnumber#thecurrentcrlnumber#mustbecommentedouttoleaveaV1CRL crl=$dir/crl.pem#ThecurrentCRL private_key=$dir/private/cakey.pem#Theprivatekey RANDFILE=$dir/private/.rand#privaterandomnumberfile [req_distinguished_name] countryName=CountryName(2lettercode) countryName_default=CN countryName_min=2 countryName_max=2 stateOrProvinceName=StateorProvinceName(fullname) stateOrProvinceName_default=FJ localityName=LocalityName(eg,city) localityName_default=FZ 0.organizationName=OrganizationName(eg,company) 0.organizationName_default=zdz organizationalUnitName=OrganizationalUnitName(eg,section) organizationalUnitName_default=zdz
创建证书私钥
cd/etc/pki/CA/private
(umask077;opensslgenrsa-outcakey.pem2048
)
生成自签证书
cd/etc/pki/CA/ opensslreq-new-x509-keyprivate/cakey.pem-outcacert.pem-days=36552、创建服务器证书
mkdir/usr/local/nginx/ssl cd/usr/local/nginx/ssl
(umask077;opensslgenrsa-outnginx.key1024)
opensslreq-new-keynginx.key-outnginx.csr opensslca-innginx.csr-outnginx.crt-days=3650
3、创建客户端浏览器证书
(umask077;opensslgenrsa-outclient.key1024)
opensslreq-new-keyclient.key-outclient.csr opensslca-inclient.csr-outclient.crt-days=3650
将文本格式的证书转换成可以导入浏览器的证书
opensslpkcs12-export-clcerts-inclient.crt-inkeyclient.key-outclient.p12
4、配置nginx服务器验证
vim/usr/local/nginx/conf/nginx.conf
sslon; ssl_certificate/usr/local/nginx/ssl/nginx.crt; ssl_certificate_key/usr/local/nginx/ssl/nginx.key; ssl_client_certificate/usr/local/nginx/ssl/cacert.pem; ssl_session_timeout5m; #ssl_verify_clienton;服务器验证客户端,暂时不开启,让没有证书的客户端可以访问,先完成单向验证 ssl_protocolsSSLv2SSLv3TLSv1;
SSL反向代理
1.修改nginx.conf配置
server{ listen443ssl; server_namewww.nhooo.com; ssl_certificatessl/www.nhooo.com.crt; ssl_certificate_keyssl/www.nhooo.com.key; ssl_prefer_server_cipherson; keepalive_timeout60; ssl_session_cacheshared:SSL:10m; ssl_session_timeout10m; location/{ proxy_passhttps://www.nhooo.com; proxy_next_upstreamerrortimeoutinvalid_headerhttp_500http_502http_503http_504; proxy_set_headerAccept-Encoding""; proxy_set_headerHost$host; proxy_set_headerX-Real-IP$remote_addr; proxy_set_headerX-Forwarded-For$proxy_add_x_forwarded_for; proxy_set_headerX-Forwarded-Proto$scheme; add_headerFront-End-Httpson; proxy_redirectoff; } }
2.重启服务
#/usr/local/nginx/sbin/nginx-t #/usr/local/nginx/sbin/nginx-sreload