nginx ssl

环境要求

nginx 编译需要 --with-http_ssl_module

./configure --prefix=/usr/local/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --http-client-body-temp-path=/usr/local/nginx/client/ --http-proxy-temp-path=/usr/local/nginx/proxy/ --http-fastcgi-temp-path=/usr/local/nginx/fcgi/ --http-uwsgi-temp-path=/usr/local/nginx/uwsgi --http-scgi-temp-path=/usr/local/nginx/scgi --with-pcre

./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module

生成密钥对

mkdir -p /usr/local/nginx/conf/key/

cd /usr/local/nginx/conf/key/

openssl req -new -newkey rsa:2048 -sha256 -nodes -out test_com.csr -keyout test_com.key -subj "/C=CN/ST=shanghai/L=shanghai/O=shizi./OU=Web Security/CN=*.test.com" 

但是这么做并不安全，默认是 SHA-1 形式，而现在主流的方案应该都避免 SHA-1，为了确保更强的安全性，我们可以采取迪菲－赫尔曼密钥交换

cd /usr/local/nginx/conf/key/

openssl dhparam -out dhparam.pem 2048

/usr/local/nginx/conf/key/目录下会生成 test.csr  test.key dhparam.pem 

test.key为私钥 

test.csr 为公钥需要提交给证书颁发机构

测试无法提交证书颁发机构按下面自己给自己颁发

1.openssl genrsa -des3 -out test.key 1024   生成一个RSA密钥

2.openssl req -new -key test.key -out test.csr  生成一个证书请求

3.openssl rsa -in test.key -out test_nopass.key  拷贝一个不需要输入密码的密钥文件

4.openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt  自己签发证书 

编辑配置文件

cat /usr/local/nginx/conf/nginx.conf

worker_processes  1;

events {

    worker_connections  1024;

}

http {

    include       mime.types;

    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  65;

   server {

        listen       80;

        server_name  www.test.com;

        rewrite ^(.*)$ https://www.test.com$1 permanent;

 } 

    server {

            listen 443;          

            ssl on;

            ssl_certificate key/test.crt;

            ssl_certificate_key key/test_nopass.key;

            ssl_prefer_server_ciphers on;

            ssl_dhparam key/dhparam.pem;

            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

            ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";

            keepalive_timeout 70;

            ssl_session_cache shared:SSL:10m;

            ssl_session_timeout 10m;   

            server_name www.test.com;  

            root   /usr/local/nginx/html;

            index  index.php index.html index.htm;

                    location ~* \.php$ {

    fastcgi_index   index.php;

    fastcgi_pass    127.0.0.1:9000;

    include         fastcgi_params;

    fastcgi_param   SCRIPT_FILENAME    $document_root$fastcgi_script_name;

    fastcgi_param   SCRIPT_NAME        $fastcgi_script_name;

  }

}

}

重启 nginx 完成

http://www.open-open.com/lib/view/open1433390156947.html

http://www.linuxidc.com/Linux/2013-08/88271.htm