Nginx服务器的SSL证书配置以及对SSL的反向代理配置_Nginx

Nginx服务器的SSL证书配置以及对SSL的反向代理配置

2019-11-07 14:48goldensun Nginx

这篇文章主要介绍了Nginx服务器的SSL证书配置以及对SSL的反向代理配置方法,通常在开启全站HTTPS时会用到,需要的朋友可以参考下

Nginx的SSL证书配置
1、使用openssl实现证书中心
由于是使用openssl架设私有证书中心，因此要保证以下字段在证书中心的证书、服务端证书、客户端证书中都相同

									Country Name

									 State or Province Name

									 Locality Name

									 Organization Name

									 Organizational Unit Name

									Country Name

									 State or Province Name

									 Locality Name

									 Organization Name

									 Organizational Unit Name

编辑证书中心配置文件

1	`vim` `/etc/pki/tls/openssl.cnf`

									[ CA_default ]

									 dir    = /etc/pki/CA

									 certs   = $dir/certs   # Where the issued certs are kept

									 crl_dir   = $dir/crl    # Where the issued crl are kept

									 database  = $dir/index.txt  # database index file.

									 #unique_subject = no     # Set to 'no' to allow creation of

									 # several ctificates with same subject.

									 new_certs_dir = $dir/newcerts   # default place for new certs.

									 certificate  = $dir/cacert.pem  # The CA certificate

									 serial   = $dir/serial   # The current serial number

									 crlnumber  = $dir/crlnumber  # the current crl number          # must be commented out to leave a V1 CRL

									 crl    = $dir/crl.pem   # The current CRL

									 private_key  = $dir/private/cakey.pem# The private key

									 RANDFILE  = $dir/private/.rand # private random number file

									[ req_distinguished_name ]

									 countryName      = Country Name(2 letter code)

									 countryName_default    = CN

									 countryName_min     = 2

									 countryName_max     = 2

									 stateOrProvinceName    = State or Province Name (full name)

									 stateOrProvinceName_default  = FJ

									 localityName     = Locality Name (eg, city)

									 localityName_default   = FZ

									 0.organizationName    = Organization Name (eg, company)

									 0.organizationName_default  = zdz

									 organizationalUnitName   = Organizational Unit Name (eg, section)

									 organizationalUnitName_default = zdz

创建证书私钥

1	`cd` `/etc/pki/CA/private`

1	`(umask 077;openssl genrsa -out cakey.pem 2048`

)
生成自签证书

									cd /etc/pki/CA/

									 openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days=3655

2、创建服务器证书

1 2	`mkdir` `/usr/local/nginx/ssl` `cd` `/usr/local/nginx/ssl`

1	`(umask 077;openssl genrsa -out nginx.key 1024)`

1 2	`openssl req -new -key nginx.key -out nginx.csr` `openssl ca -in` `nginx.csr -out nginx.crt -days=3650`

3、创建客户端浏览器证书

1	`(umask 077;openssl genrsa -out client.key 1024)`

1 2	`openssl req -new -key client.key -out client.csr` `openssl ca -in` `client.csr -out client.crt -days=3650`

将文本格式的证书转换成可以导入浏览器的证书

1	`openssl pkcs12 -export` `-clcerts -in` `client.crt -inkey client.key -out client.p12`

4、配置nginx服务器验证

1	`vim` `/usr/local/nginx/conf/nginx.conf`

									ssl on;

									ssl_certificate   /usr/local/nginx/ssl/nginx.crt;

									ssl_certificate_key  /usr/local/nginx/ssl/nginx.key;

									ssl_client_certificate /usr/local/nginx/ssl/cacert.pem;

									ssl_session_timeout  5m;

									#ssl_verify_client  on;       服务器验证客户端，暂时不开启，让没有证书的客户端可以访问，先完成单向验证

									ssl_protocols   SSLv2 SSLv3 TLSv1;

SSL反向代理
1.修改nginx.conf配置

									server {

									  listen   443 ssl;

									  server_name  www.zzvips.com;

									  ssl_certificate  ssl/www.zzvips.com.crt;

									  ssl_certificate_key ssl/www.zzvips.com.key;

									  ssl_prefer_server_ciphers on;

									  keepalive_timeout 60;

									 ssl_session_cache shared:SSL:10m;

									  ssl_session_timeout 10m;

									  location / {

									   proxy_pass //www.zzvips.com;

									   proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

									    proxy_set_header  Accept-Encoding "";

									   proxy_set_header  Host   $host;

									   proxy_set_header  X-Real-IP  $remote_addr;

									   proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;

									   proxy_set_header  X-Forwarded-Proto $scheme;

									 add_header    Front-End-Https on;

									   proxy_redirect  off;

									  }

									}