LNMP Architecture: HTTPS Principles and Nginx Configuration

SSL principles


1. The client sends an HTTPS request to the server.
2. The server holds a digital certificate, which is essentially a public/private key pair. The certificate can be self-made or requested from an organization (a CA). With a self-made certificate the client has to pass through a verification prompt before it can continue; with a CA-issued one no prompt appears.
3. The server sends the public key to the client.
4. The client checks whether the public key is valid: if it is invalid (self-made) a warning is shown; if it is valid, the client generates a random string and encrypts it with the public key.
5. The client sends the encrypted string to the server.
6. The server decrypts the string with its private key, recovers the random string, and from then on uses it to encrypt the data it transmits (symmetric encryption).
7. The server sends the encrypted data to the client.
8. The client decrypts the data with its own key (the random string).

Note on symmetric encryption: the data and the key (the random string) are mixed together by an algorithm; without the key the data cannot be decrypted.


Generating an SSL key pair

Create the private key

[root@dl-001 ~]# cd /usr/local/nginx/conf

// Create the private key file; a pass phrase must be entered, otherwise the key file is not generated
[root@localhost conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
..............................+++
...............................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:

Convert the key and remove the pass phrase

[root@dl-001 conf]# openssl rsa -in tmp.key -out test.key
Enter pass phrase for tmp.key:
writing RSA key

[root@dl-001 conf]# rm -f tmp.key 

Generate the certificate

[root@dl-001 conf]# openssl req -new -key test.key -out test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    
State or Province Name (full name) []:ZheJiang
Locality Name (eg, city) [Default City]:QuZhou
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

// The .csr file and the private key are used together to generate the .crt file
[root@dl-001 conf]# openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt
Signature ok
subject=/C=CN/ST=ZheJiang/L=QuZhou/O=Default Company Ltd
Getting Private key
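The same key and certificate generation as above, as an added example that is not part of the original post: one non-interactive openssl command replaces the genrsa, rsa (pass-phrase removal), req and x509 steps, and the Common Name and SAN are set to the nginx server_name (the post leaves CN blank, so the certificate would not even match the hostname). It assumes OpenSSL 1.1.1 or newer for -addext (the post's 1.0.2k would need a config file for the SAN) and writes into /tmp/ssl-demo; the check functions verify that the certificate and key actually belong together before nginx is reloaded.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSL 1.1.1+ (-addext).
set -eu

# gen_self_signed DIR HOSTNAME DAYS -> writes DIR/test.key and DIR/test.crt
gen_self_signed() {
    dir=$1; host=$2; days=$3
    mkdir -p "$dir"
    # -nodes: unencrypted key, so nginx can read it without a pass phrase
    # (same result as the tmp.key -> test.key conversion in the post)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -keyout "$dir/test.key" -out "$dir/test.crt" \
        -subj "/C=CN/ST=ZheJiang/L=QuZhou/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
    chmod 600 "$dir/test.key"   # key readable only by root (the nginx master)
}

# cert_cn CRT -> prints the Common Name of the certificate subject
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# cert_has_san CRT HOST -> "yes" if HOST is listed as a DNS SAN, else "no"
cert_has_san() {
    if openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"; then
        echo yes
    else
        echo no
    fi
}

# cert_matches_key CRT KEY -> "yes" if the key's modulus matches the cert
# (catches the classic nginx "key values mismatch" error before reload)
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
    k=$(openssl rsa  -noout -modulus -in "$2" | openssl sha256)
    if [ "$c" = "$k" ]; then echo yes; else echo no; fi
}

# Usage (constructed example; writes into /tmp/ssl-demo):
gen_self_signed /tmp/ssl-demo test.com 365
echo "CN=$(cert_cn /tmp/ssl-demo/test.crt)" \
     "san=$(cert_has_san /tmp/ssl-demo/test.crt test.com)" \
     "keymatch=$(cert_matches_key /tmp/ssl-demo/test.crt /tmp/ssl-demo/test.key)"
```

For the curl test later in the post, the generated test.crt can be passed with --cacert (mentioned in curl's own error text) instead of disabling verification with -k, so the certificate is still checked.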

Configuring SSL in Nginx

Create a new virtual host configuration file

[root@dl-001 conf]# vim /usr/local/nginx/conf/vhost/ssl.conf
server
{
    listen 443;
    server_name test.com;
    index index.html index.php;
    root /data/www/test.com;
    ssl on;                        # nginx 1.12 syntax; newer versions use "listen 443 ssl;" instead
    ssl_certificate test.crt;      # paths are relative to /usr/local/nginx/conf
    ssl_certificate_key test.key;
    # protocol names must be TLSv1.x ("TLS1.1" / "TLS1.2" are rejected by nginx -t);
    # TLSv1 and TLSv1.1 are deprecated, so a new deployment should keep only TLSv1.2 (and TLSv1.3 where supported)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}

Create the corresponding directory and file

[root@dl-001 conf]# mkdir -p /data/www/test.com
[root@dl-001 conf]# vim /data/www/test.com/index.php
ssl test page.

Reload the service

[root@dl-001 conf]# /usr/local/nginx/sbin/nginx -t
[root@dl-001 conf]# /usr/local/nginx/sbin/nginx -s reload

Error during setup: unknown directive "ssl"

This happens because the http_ssl_module was not compiled into nginx at build time, so nginx has to be recompiled and reinstalled

[root@dl-001 conf]# cd /usr/local/src/nginx-1.12.2/
[root@dl-001 nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@dl-001 nginx-1.12.2]# make && make install

Note: recompiling causes the previously configured virtual host files to be lost, so back up the useful nginx virtual host files before recompiling.


Check after compilation

[root@dl-001 conf]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx/ --with-http_ssl_module

Restart the Nginx service

// After recompiling, nginx must be restarted with the /etc/init.d/nginx script
[root@dl-001 conf]# /etc/init.d/nginx restart
Restarting nginx (via systemctl):                          [  確定  ]

// Check whether port 443 is open
[root@dl-001 conf]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1354/sshd           
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2116/master         
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4953/nginx: master  
tcp6       0      0 :::3306                 :::*                    LISTEN      2156/mysqld         
tcp6       0      0 :::22                   :::*                    LISTEN      1354/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      2116/master         

Testing

1. Using curl

// If you don't want to use -x to specify the IP, add the following line to /etc/hosts
[root@dl-001 conf]# vim /etc/hosts
127.0.0.1 test.com

// curl test
[root@dl-001 conf]# curl https://test.com
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

2. Using a browser

  • When testing with a browser, the IP and domain name must be added to the hosts file of the physical machine before the site can be accessed.
  • Also check whether the server's firewall allows port 443; for convenience during testing the iptables rule table was simply flushed here:
[root@dl-001 conf]# iptables -F
  • Because the certificate is self-made, the browser reports it as invalid; click "Proceed anyway" to access the site. This does not give real security, though; a certificate from a CA has to be purchased.