nginx ssl

環境要求

 

nginx 編譯需要 --with-http_ssl_module

 

./configure --prefix=/usr/local/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --http-client-body-temp-path=/usr/local/nginx/client/ --http-proxy-temp-path=/usr/local/nginx/proxy/ --http-fastcgi-temp-path=/usr/local/nginx/fcgi/ --http-uwsgi-temp-path=/usr/local/nginx/uwsgi --http-scgi-temp-path=/usr/local/nginx/scgi --with-pcre

 

./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module

生成密鑰對

 

mkdir -p /usr/local/nginx/conf/key/

cd /usr/local/nginx/conf/key/

openssl req -new -newkey rsa:2048 -sha256 -nodes -out test_com.csr -keyout test_com.key -subj "/C=CN/ST=shanghai/L=shanghai/O=shizi./OU=Web Security/CN=*.test.com" 

但是這麼做並不安全，默認是 SHA-1 形式，而現在主流的方案應該都避免 SHA-1，爲了確保更強的安全性，我們可以採取迪菲－赫爾曼密鑰交換

cd /usr/local/nginx/conf/key/

openssl dhparam -out dhparam.pem 2048

/usr/local/nginx/conf/key/目錄下會生成 test.csr  test.key dhparam.pem 

 

test.key爲私鑰 

test.csr 爲公鑰需要提交給證書頒發機構

 

測試無法提交證書頒發機構按下面自己給自己頒發

1.openssl genrsa -des3 -out test.key 1024   生成一個RSA密鑰

2.openssl req -new -key test.key -out test.csr  生成一個證書請求

3.openssl rsa -in test.key -out test_nopass.key  拷貝一個不需要輸入密碼的密鑰文件

4.openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt  自己簽發證書 

編輯配置文件

 

cat /usr/local/nginx/conf/nginx.conf

 

worker_processes  1;

events {

    worker_connections  1024;

}

http {

    include       mime.types;

    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  65;

    

   server {

        listen       80;

        server_name  www.test.com;

        rewrite ^(.*)$ https://www.test.com$1 permanent;

 } 

    server {

            listen 443;          

            ssl on;

            ssl_certificate key/test.crt;

            ssl_certificate_key key/test_nopass.key;

            ssl_prefer_server_ciphers on;

            ssl_dhparam key/dhparam.pem;

            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

            ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";

            keepalive_timeout 70;

            ssl_session_cache shared:SSL:10m;

            ssl_session_timeout 10m;   

            

            server_name www.test.com;  

            root   /usr/local/nginx/html;

            index  index.php index.html index.htm;

                    location ~* \.php$ {

    fastcgi_index   index.php;

    fastcgi_pass    127.0.0.1:9000;

    include         fastcgi_params;

    fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;

    fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;

  }

}

}

重啓 nginx 完成

 

http://www.open-open.com/lib/view/open1433390156947.html

http://www.linuxidc.com/Linux/2013-08/88271.htm