人妖在线一区,国产日韩欧美一区二区综合在线,国产啪精品视频网站免费,欧美内射深插日本少妇

新聞動(dòng)態(tài)

nginx結(jié)合openssl實(shí)現(xiàn)https的方法

發(fā)布日期:2021-12-15 00:38 | 文章來源:CSDN

在未使用SSL證書對(duì)服務(wù)器數(shù)據(jù)進(jìn)行加密認(rèn)證的情況下,用戶的數(shù)據(jù)將會(huì)以明文的形式進(jìn)行傳輸,這樣一來使用抓包工具是可以獲取到用戶密碼信息的,非常危險(xiǎn)。而且也無法驗(yàn)證數(shù)據(jù)一致性和完整性,不能確保數(shù)據(jù)在傳輸過程中沒被改變。所以網(wǎng)站如果有涉及用戶賬戶等重要信息的情況下通常要配置使用SSL證書,實(shí)現(xiàn)https協(xié)議。

在生產(chǎn)環(huán)境中的SSL證書都需要通過第三方認(rèn)證機(jī)構(gòu)購(gòu)買,分為專業(yè)版OV證書(瀏覽器地址欄上不顯示企業(yè)名稱)和高級(jí)版EV(可以顯示企業(yè)名稱)證書,證書所保護(hù)的域名數(shù)不同也會(huì)影響價(jià)格(比如只對(duì)www認(rèn)證和通配*認(rèn)證,價(jià)格是不一樣的),且不支持三級(jí)域名。測(cè)試中可以自己作為證書頒發(fā)機(jī)構(gòu)來制作證書,瀏覽器會(huì)顯示為紅色,代表證書過期或者無效,如果是黃色的話代表網(wǎng)站有部分連接使用的仍然是http協(xié)議。

不管使用哪種方法,在拿到證書后對(duì)Nginx的配置都是一樣的,所以這里以搭建OpenSSL并制作證書來進(jìn)行完整說明

一、準(zhǔn)備環(huán)境

1)nginx服務(wù)

2)ssl模塊

[root@ns3 ~]# systemctl stop firewalld
[root@ns3 ~]# iptables -F
[root@ns3 ~]# setenforce 0
[root@ns3 ~]# yum -y install pcre zlib pcre-devel zlib-devel
[root@ns3 ~]# tar xf nginx-1.16.0.tar.gz -C /usr/src/
[root@ns3 ~]#cd /usr/src/nginx-1.16.0
[root@ns3 ~]#./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module --with-http_flv_module --with-http_gzip_static_module&&make && make install #后續(xù)需要的模塊一次性安裝

3)檢測(cè)openssl是否安裝

[root@ns3 ~]# rpm -qa openssl 2 openssl-1.0.1e-42.el7.x86_64

若沒有安裝

[root@ns3 ~]# yum -y install openssl openssl-devel

二、創(chuàng)建根證書CA

1、生成CA私鑰

[root@ns3 ~]# cd zhengshu/
[root@ns3 zhengshu]# openssl genrsa -out local.key 2048
Generating RSA private key, 2048 bit long modulus
...........................................................................................................................................................................................................................+++
............................................................................................................................................................................................+++
e is 65537 (0x10001)
[root@ns3 zhengshu]# ls
local.key

 2、生成CA證書請(qǐng)求

[root@ns3 zhengshu]# openssl req -new -key local.key -out local.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  #國(guó)家
State or Province Name (full name) []:BJ   #省份
Locality Name (eg, city) [Default City]:BJ  #城市
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:test   #部門
Common Name (eg, your name or your server's hostname) []:test   #主機(jī)名
Email Address []:test@test.com  #郵箱
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:wuminyan  #密碼
An optional company name []:wuminyan  #姓名
[root@ns3 zhengshu]# ls
local.csr  local.key
req: 這是一個(gè)大命令,提供生成證書請(qǐng)求文件,驗(yàn)證證書,和創(chuàng)建根CA
 -new: 表示新生成一個(gè)證書請(qǐng)求
 -x509: 直接輸出證書
 -key: 生成證書請(qǐng)求時(shí)用到的私鑰文件
 -out:輸出文件

3、生成CA根證書

這個(gè)生成CA證書的命令會(huì)讓人迷惑
1.通過秘鑰 生成證書請(qǐng)求文件
2.通過證書請(qǐng)求文件 生成最終的證書
 -in 使用證書請(qǐng)求文件生成證書,-signkey 指定私鑰,這是一個(gè)還沒搞懂的參數(shù)
[root@ns3 zhengshu]# openssl x509 -req -in local.csr -extensions v3_ca -signkey local.key -out local.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=Default Company Ltd/OU=test/CN=test/emailAddress=test@test.com
Getting Private key

三、根據(jù)CA證書創(chuàng)建server端證書

1、生成server私匙

[root@ns3 zhengshu]# openssl genrsa -out my_server.key 2048
Generating RSA private key, 2048 bit long modulus
.................................+++
.........................................+++
e is 65537 (0x10001)
[root@ns3 zhengshu]# ls
local.crt  local.csr  local.key  my_server.key

2、生成server證書請(qǐng)求

[root@ns3 zhengshu]# openssl x509 -req -in local.csr -extensions v3_ca -signkey local.key -out local.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=Default Company Ltd/OU=test/CN=test/emailAddress=test@test.com
Getting Private key
[root@ns3 zhengshu]# openssl genrsa -out my_server.key 2048
Generating RSA private key, 2048 bit long modulus
.................................+++
.........................................+++
e is 65537 (0x10001)
[root@ns3 zhengshu]# openssl req -new -key my_server.key -out my_server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:test
Email Address []:test@test.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:wuminyan
An optional company name []:wuminyan
[root@ns3 zhengshu]# ls
local.crt  local.csr  local.key  my_server.csr  my_server.key

3、生成server證書

[root@ns3 zhengshu]# openssl x509 -days 365 -req -in my_server.csr -extensions v3_req -CAkey local.key -CA local.crt -CAcreateserial -out my_server.crt
 Signature ok
 subject=/C=CN/ST=BJ/L=BJ/O=Default Company Ltd/OU=test/CN=test/emailAddress=test@test.com
 Getting CA Private Key

四、配置nginx支持SSL

[root@ns3 ~]# vim /etc/nginx.cof      #這里設(shè)置了一個(gè)軟連接:lln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
server {
        listen 80;
        listen       443 default  ssl;  #監(jiān)聽433端口
                keepalive_timeout 100;  #開啟keepalive 激活keepalive長(zhǎng)連接,減少客戶端請(qǐng)求次數(shù)
                   ssl_certificate      /root/zhengshu/local.crt;   #server端證書位置
                   ssl_certificate_key  /root/zhengshu/local.key;   #server端私鑰位置ssl_session_cache    shared:SSL:10m;         #緩存session會(huì)話ssl_session_timeout  10m;                    # session會(huì)話    10分鐘過期
                   ssl_ciphers  HIGH:!aNULL:!MD5;
                   ssl_prefer_server_ciphers  on;
        server_name   test.com;
        charset utf-8;
        location / {
            root   html;
            index  index.html index.htm;
        }
    }
}

五、測(cè)試

輸入https://192.168.200.115

到此這篇關(guān)于nginx結(jié)合openssl實(shí)現(xiàn)https的文章就介紹到這了,更多相關(guān)nginx實(shí)現(xiàn)https內(nèi)容請(qǐng)搜索本站以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持本站!

版權(quán)聲明:本站文章來源標(biāo)注為YINGSOO的內(nèi)容版權(quán)均為本站所有,歡迎引用、轉(zhuǎn)載,請(qǐng)保持原文完整并注明來源及原文鏈接。禁止復(fù)制或仿造本網(wǎng)站,禁止在非www.sddonglingsh.com所屬的服務(wù)器上建立鏡像,否則將依法追究法律責(zé)任。本站部分內(nèi)容來源于網(wǎng)友推薦、互聯(lián)網(wǎng)收集整理而來,僅供學(xué)習(xí)參考,不代表本站立場(chǎng),如有內(nèi)容涉嫌侵權(quán),請(qǐng)聯(lián)系alex-e#qq.com處理。

相關(guān)文章

實(shí)時(shí)開通

自選配置、實(shí)時(shí)開通

免備案

全球線路精選!

全天候客戶服務(wù)

7x24全年不間斷在線

專屬顧問服務(wù)

1對(duì)1客戶咨詢顧問

在線
客服

在線客服:7*24小時(shí)在線

客服
熱線

400-630-3752
7*24小時(shí)客服服務(wù)熱線

關(guān)注
微信

關(guān)注官方微信
頂部