
nginx SSL configuration (HTTPS access)

Date: 2024-08-29 09:03:22

ngx_http_ssl_module

Directives of the ngx_http_ssl_module module:
  ssl on | off;            Enable the HTTPS protocol for this virtual host; using the ssl parameter of the listen directive is recommended instead
  ssl_certificate file;         PEM-format certificate file used by this virtual host
  ssl_certificate_key file;         Private key file matching that certificate
  ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2];        Supported SSL/TLS protocol versions; the default is the last three
  ssl_session_cache off | none | [builtin[:size]] [shared:name:size];
    none:             Tell clients that session caching is supported, but do not actually cache anything
    builtin[:size]:          Use the OpenSSL built-in cache, private to each worker process
    [shared:name:size]:      Use one cache shared between all worker processes
  ssl_session_timeout time;      How long a client may reuse a session stored in the SSL session cache; default 5m

 

Implementing HTTPS access to a site

 

1. Generate the certificate and private key

[root@lvs-ka2 conf.d]# cd /etc/pki/tls/certs/

[root@lvs-ka2 certs]# make magedu.crt               #generate the certificate with the Makefile shipped in this directory
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > magedu.key     #step run by the Makefile: generate the private key
Generating RSA private key, 2048 bit long modulus
......................+++
....+++
e is 65537 (0x10001)
Enter pass phrase:                                    #passphrase that encrypts the private key; the Makefile passes -aes128, which can be changed or removed
Verifying - Enter pass phrase:
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key magedu.key -x509 -days 365 -out magedu.crt        #step run by the Makefile: generate the self-signed certificate
Enter pass phrase for magedu.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                                   #the fields below are the information required to generate the certificate
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:www.magedu.org                 #must match the domain name clients will use
Email Address []:

Resulting private key:

[root@lvs-ka2 certs]# cat magedu.key                                  #private key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED                                                #encrypted
DEK-Info: AES-128-CBC,FC321643C6EFE861E1320535A80801EF
-----END RSA PRIVATE KEY-----

Generate the decrypted (passphrase-free) private key:

[root@lvs-ka2 certs]# openssl rsa -in magedu.key -out magedu.org.key   #write the private key out without passphrase encryption
Enter pass phrase for magedu.key:                                        #enter the passphrase to decrypt it
writing RSA key
[root@lvs-ka2 certs]# ll

-rw-------  1 root root 1330 Mar  7 14:11 magedu.crt
-rw-------  1 root root 1766 Mar  7 14:09 magedu.key
-rw-r--r--  1 root root 1675 Mar  7 14:12 magedu.org.key                 #standard unencrypted private key (note it is world-readable until the chmod 600 in step 2)
[root@lvs-ka2 certs]# cat magedu.org.key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
[root@lvs-ka2 certs]# mv magedu.crt magedu.org.crt                   #rename the certificate
[root@lvs-ka2 certs]# ll

-rw-------  1 root root 1766 Mar  7 14:09 magedu.key
-rw-------  1 root root 1330 Mar  7 14:11 magedu.org.crt
-rw-r--r--  1 root root 1675 Mar  7 14:12 magedu.org.key

2. Create a directory for the certificate and private key

[root@lvs-ka2 certs]# mkdir /apps/nginx4/ssl               #directory that will hold the certificate and private key
[root@lvs-ka2 certs]# mv magedu.org.* /apps/nginx4/ssl/
[root@lvs-ka2 certs]# ll /apps/nginx4/ssl/
-rw------- 1 root root 1330 Mar  7 14:11 magedu.org.crt
-rw-r--r-- 1 root root 1675 Mar  7 14:12 magedu.org.key
[root@lvs-ka2 certs]# chmod 600 /apps/nginx4/ssl/*
[root@lvs-ka2 certs]# ll /apps/nginx4/ssl/

-rw------- 1 root root 1330 Mar  7 14:11 magedu.org.crt
-rw------- 1 root root 1675 Mar  7 14:12 magedu.org.key
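The key and certificate generation of steps 1 and 2 done non-interactively, followed by the checks an operator should run before handing the files to nginx. This is an added example, not code from the original post; it assumes openssl is on the PATH, and the directory, subject fields and hostname are placeholders taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): the non-interactive equivalent of
# the `make magedu.crt` target from step 1, plus the checks an operator should
# run before pointing nginx at the files. Assumes openssl is on the PATH; the
# directory and subject fields are placeholders taken from the post.

gen_selfsigned() {            # $1 = target directory, $2 = Common Name (hostname)
    dir=$1; cn=$2
    mkdir -p "$dir" && chmod 700 "$dir"
    (
        umask 077             # same as the Makefile: key and cert are created mode 600
        # Write the key unencrypted straight away: nginx cannot answer a passphrase
        # prompt at start-up, which is why the post decrypts the key afterwards.
        openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null
        # Self-signed certificate valid 365 days; the subject is passed on the
        # command line instead of being typed at the prompts.
        openssl req -new -x509 -days 365 -key "$dir/$cn.key" -out "$dir/$cn.crt" \
            -subj "/C=CN/ST=shanghai/L=shanghai/O=magedu/OU=opt/CN=$cn"
    )
}

# ssl_certificate and ssl_certificate_key must belong together: compare the
# RSA modulus embedded in the certificate with the one in the private key.
key_matches_cert() {          # $1 = certificate, $2 = private key
    [ "$(openssl x509 -noout -modulus -in "$1")" = \
      "$(openssl rsa  -noout -modulus -in "$2")" ]
}

# Print the subject CN, which must equal the name clients type in the URL
# (handles both the "CN = x" and "/CN=x" subject formats OpenSSL prints).
cert_cn() {                   # $1 = certificate
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# nginx needs a key without a passphrase: an encrypted PEM key carries either a
# "Proc-Type: 4,ENCRYPTED" header or an "ENCRYPTED PRIVATE KEY" banner.
key_is_unencrypted() {        # $1 = private key
    ! grep -Eq 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Private keys must not be readable by other users (the post fixes this with
# chmod 600 after openssl rsa wrote the decrypted key mode 644).
key_mode_ok() {               # $1 = private key
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = 600 ]
}
```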

3. Create the document root for the HTTPS site:

[root@lvs-ka2 certs]# mkdir /data/ssl/
[root@lvs-ka2 certs]# echo /data/ssl/index.html >/data/ssl/index.html

4. Configure HTTPS: separate HTTP and HTTPS virtual hosts

In this example HTTP and HTTPS are served by two separate virtual hosts with different document roots.

[root@lvs-ka2 certs]# vim /apps/nginx4/conf/conf.d/test.conf

server {                                                     #dedicated HTTPS virtual host
        listen 443 ssl;
        server_name www.magedu.org;
        root /data/ssl/;
        #ssl on;                                             #deprecated since version 1.15; enable SSL with the ssl parameter of listen instead
        ssl_certificate /apps/nginx4/ssl/magedu.org.crt;     #certificate
        ssl_certificate_key /apps/nginx4/ssl/magedu.org.key; #private key
        ssl_session_cache shared:sslcache:20m;
        ssl_session_timeout 10m;
        access_log /apps/nginx4/logs/magedu.org.ssl.access.log  access_json ;  #dedicated access log
}
server {                                                     #HTTP virtual host; with no listen directive nginx defaults to port 80
        server_name www.magedu.org;
        root /data/site14/;
        access_log /apps/nginx4/logs/magedu.org.access.log  access_json ;
        default_type text/html ;

        gzip on;
        gzip_comp_level 6;
        gzip_min_length 64;
        gzip_vary on;
        gzip_types text/xml text/css application/javascript;
}

Check the listening ports:

[root@lvs-ka2 certs]# ss -lnt
State       Recv-Q Send-Q                        Local Address:Port                  Peer Address:Port                               
LISTEN      0      128                                       *:80                               *:*                                  
LISTEN      0      128                                       *:443                              *:*  

Verification: HTTPS access:


At this point HTTP and HTTPS are two separate virtual hosts with different document roots, which is obviously not what we want. Next, make HTTP and HTTPS serve the same resources.

Method 1: give the HTTP and HTTPS virtual hosts the same document root

[root@lvs-ka2 certs]# vim /apps/nginx4/conf/conf.d/test.conf

server {
        listen 443 ssl;
        server_name www.magedu.org;
        root /data/site14/;
        #ssl on;
        ssl_certificate /apps/nginx4/ssl/magedu.org.crt;
        ssl_certificate_key /apps/nginx4/ssl/magedu.org.key;
        ssl_session_cache shared:sslcache:20m;
        ssl_session_timeout 10m;
        access_log /apps/nginx4/logs/magedu.org.ssl.access.log  access_json ;
}
server {

        server_name www.magedu.org;
        root /data/site14/;
        access_log /apps/nginx4/logs/magedu.org.access.log  access_json ;
        default_type text/html ;


        gzip on;
        gzip_comp_level 6;
        gzip_min_length 64;
        gzip_vary on;
        gzip_types text/xml text/css application/javascript;

}

Method 2: one virtual host listening on both port 80 and port 443

[root@lvs-ka2 certs]# vim /apps/nginx4/conf/conf.d/test.conf

server {
        listen 443 ssl;
        listen 80;
        server_name www.magedu.org;
        root /data/site14/;
        #ssl on;
        ssl_certificate /apps/nginx4/ssl/magedu.org.crt;
        ssl_certificate_key /apps/nginx4/ssl/magedu.org.key;
        ssl_session_cache shared:sslcache:20m;
        ssl_session_timeout 10m;
        access_log /apps/nginx4/logs/magedu.org.ssl.access.log  access_json ;
}
#server {

#       server_name www.magedu.org;
#       root /data/site14/;
#       access_log /apps/nginx4/logs/magedu.org.access.log  access_json ;
#       default_type text/html ;
#}

 

However, neither of the two methods above is a proper HTTP-to-HTTPS rewrite: if a user types an http:// URL instead of https://, the request is still served over plain HTTP, so the secure HTTPS endpoint exists but nothing forces clients onto it.

For the HTTP-to-HTTPS rewrite, see the rewrite configuration.

 

From: https://www.cnblogs.com/cnblogsfc/p/14578157.html
