How to create a self-signed SSL certificate for Nginx on CentOS/RHEL
I run a small website on a cloud server powered by CentOS Linux v6.4.
How do I encrypt my website's traffic and create a more secure connection?
How do I create a self-signed SSL certificate for Nginx on a CentOS/Fedora or Red Hat Enterprise Linux based server?
SSL (today TLS) encrypts the connection between the browser and the server.
For example, visiting https://www.theitroad.local/ results in the following:
- Every page is encrypted before it travels over the Internet.
- The encryption makes it very hard for an unauthorized party to read the data exchanged between the client browser and the nginx server.
A note about self-signed certificates vs. certificates issued by a third party
The theitroad.local connection, encrypted and verified by a third-party CA named GeoTrust, Inc.
- Typically an SSL certificate is issued by a third party. It provides privacy and security between two computers (client and server) on a public network by encrypting the traffic. A CA (certificate authority) can issue you an SSL certificate that "verifies organization identity" (company name), location and server details.
- A self-signed certificate also encrypts the communication between the client (browser) and the server, but it "cannot verify organization identity": you are "not relying on a third party" to vouch for your location and server details. Browsers therefore warn about it, and a user who clicks through that warning without checking the certificate fingerprint has no protection against a man-in-the-middle presenting a different self-signed certificate. Self-signed certificates are fine for testing, internal services, or clients you control and can install the certificate on as trusted.
Our sample setup
- Domain name: theitroad.com
- Directory name: /etc/nginx/ssl/theitroad.com
- SSL certificate file for theitroad.com: /etc/nginx/ssl/theitroad.com/self-ssl.crt
- SSL certificate key for theitroad.com: /etc/nginx/ssl/theitroad.com/self-ssl.key
- Nginx configuration file for theitroad.com: /etc/nginx/virtual/theitroad.com.conf
Step 1: Make sure an SSL-aware nginx is installed
Simply run the following command to check the nginx version and its build options:
$ /usr/sbin/nginx -V
Sample output:
nginx version: nginx/1.4.3
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf ... .... ..
You want to see "TLS SNI support enabled" and --with-http_ssl_module among the configure arguments; without the ssl module nginx refuses the "ssl" parameter on the listen directive. If nginx is not installed, run the following yum command to download and install it:
# yum install nginx
For more information, see how to install the Nginx web server on CentOS Linux 6 or Red Hat Enterprise Linux 6 using the yum command.
Step 2: Create the directory
Run the following mkdir command to create the directory that will hold the SSL certificate and key:
# mkdir -p /etc/nginx/ssl/theitroad.com
Change into it with the cd command:
# cd /etc/nginx/ssl/theitroad.com
Step 3: Create the SSL private key
Generate a 2048-bit RSA private key, encrypted with a passphrase (-des3):
# openssl genrsa -des3 -out self-ssl.key 2048
Do not use the 1024-bit form that older guides show (openssl genrsa -des3 -out self-ssl.key 1024): 1024-bit RSA is no longer considered strong enough, and public CAs have required at least 2048 bits since 2014. 4096 bits is also fine if you accept the slower handshakes. Using -aes256 instead of -des3 encrypts the key file with AES rather than 3DES.
Sample output:
Generating RSA private key, 2048 bit long modulus
...++++++
...............++++++
e is 65537 (0x10001)
Enter pass phrase for self-ssl.key: Type-Your-PassPhrase-Here
Verifying - Enter pass phrase for self-ssl.key: Retype-Your-PassPhrase-Here
Warning: make sure you remember the passphrase.
It is needed to unlock the key when you generate the CSR and every time nginx starts or reloads the SSL configuration (unless you strip it in step 5).
Step 4: Create the certificate signing request (CSR)
To generate the CSR, run:
# openssl req -new -key self-ssl.key -out self-ssl.csr
Sample output (answer the prompts; the Common Name must be the exact host name clients will connect to, here theitroad.com, and the challenge password and optional company name should be left empty):
Enter pass phrase for self-ssl.key: Type-Your-PassPhrase-Here
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Delhi
Locality Name (eg, city) [Default City]:New Delhi
Organization Name (eg, company) [Default Company Ltd]:theitroad LTD
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:theitroad.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Step 5: Remove the passphrase for Nginx (optional)
With a passphrase on the key, every nginx start or reload stops to ask for it, which breaks unattended reboots. You can strip the passphrase from self-ssl.key on the nginx server:
# cp -v self-ssl.{key,original}
# openssl rsa -in self-ssl.original -out self-ssl.key
# rm -v self-ssl.original
Sample output:
Enter pass phrase for self-ssl.original: Type-Your-PassPhrase-Here
writing RSA key
The key is now stored in clear text, so it must be readable by root only (mode 0600, in a directory that is not world-readable): anyone who can read it can impersonate the site and decrypt recorded traffic from sessions that used RSA key exchange.
Step 6: Create the certificate
Finally, sign your own CSR with your own key to produce a certificate that is valid for one year:
# openssl x509 -req -days 365 -in self-ssl.csr -signkey self-ssl.key -out self-ssl.crt
Sample output:
Signature ok
subject=/C=IN/ST=Delhi/L=New Delhi/O=theitroad LTD/OU=IT/CN=theitroad.com/[email protected]
Getting Private key
Two caveats. The certificate carries only the CN from the CSR, but current browsers match the host name against the subjectAltName extension rather than the CN, so a certificate made this way gets a name-mismatch warning on top of the untrusted-issuer warning unless you add a SAN via -extfile. And older OpenSSL builds (such as the 1.0.1 shipped with CentOS 6) sign with SHA-1 by default, which browsers no longer accept; add -sha256 to the command.
Step 7: Configure nginx to use the certificate
Edit /etc/nginx/virtual/theitroad.com.conf, for example:
# vi /etc/nginx/virtual/theitroad.com.conf
The general syntax of an nginx SSL configuration is as follows:
server {
    # for ipv4
    listen 443 ssl http2;
    # for ipv6
    #listen [::]:443 ssl http2;
    ssl_certificate     /path/to/self-ssl.crt;
    ssl_certificate_key /path/to/self-ssl.key;
    server_name theitroad.com;
    location / {
        ....
        ...
        ....
    }
}
Here is my sample configuration for theitroad.com:
server {
    ###########################[Note]##############################
    ## Note: Replace IP and server name as per your actual setup ##
    ###############################################################
    ## IP:Port and server name. The http2 parameter needs nginx 1.9.5 or
    ## newer; on an older build (such as the 1.4.3 above) drop it.
    listen 75.126.153.211:443 ssl http2;
    server_name theitroad.com;

    ## SSL settings
    ssl_certificate     /etc/nginx/ssl/theitroad.com/self-ssl.crt;
    ssl_certificate_key /etc/nginx/ssl/theitroad.com/self-ssl.key;

    ## Protocols and ciphers. TLS 1.0 and 1.1 are deprecated (RFC 8996), so
    ## offer TLS 1.2 only; add TLSv1.3 when nginx is built against OpenSSL 1.1.1
    ## or newer. 3DES suites are left out (Sweet32).
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    ## SSL session caching/optimization
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    ## SSL log files (the directory must exist before nginx starts)
    access_log /var/log/nginx/theitroad.com/ssl_theitroad.com_access.log;
    error_log  /var/log/nginx/theitroad.com/ssl_theitroad.com_error.log;

    ## Rest of server config goes here
    location / {
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-By $server_addr:$server_port;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        ## Hey, ADD YOUR location / specific CONFIG HERE ##
        ## STOP: YOUR location / specific CONFIG HERE ##
    }
}
Step 8: Restart/reload Nginx
First check the configuration for syntax errors:
# /usr/sbin/nginx -t
Sample output:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
To gracefully restart/reload the nginx server, run one of the following commands:
# /etc/init.d/nginx reload
or
# /usr/sbin/nginx -s reload
or
# service nginx reload
Step 9: Open TCP HTTPS port #443
Run the following command to open port 443 to everyone:
# /sbin/iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
Note that -A appends the rule at the end of the INPUT chain. The stock CentOS 6 rule set ends INPUT with a catch-all REJECT rule, so an appended ACCEPT is never reached; in that case use -I INPUT instead of -A INPUT so the rule is inserted before the REJECT, and confirm the order with iptables -L INPUT -n --line-numbers.
Save the new firewall settings:
# service iptables save
For more information, see how to set up a firewall for a web server.
Step 10: Test
Fire up a browser and enter the following URL:
https://theitroad.com/
Sample output:
Because the certificate is self-signed, the browser cannot validate the SSL connection and shows a warning.
Click the Add Exception button to continue. Before doing so, compare the SHA-256 fingerprint the browser shows with the one of self-ssl.crt on the server; accepting a certificate whose fingerprint you have not checked is exactly the situation a man-in-the-middle relies on.
Step 11: Verify the SSL certificate
A self-signed certificate has no issuer in the system trust store, so a bare openssl verify self-ssl.crt fails with "self signed certificate" (error 18). Hand the certificate to openssl as its own CA file instead:
# openssl verify -CAfile self-ssl.crt self-ssl.crt
self-ssl.crt: OK
Any other PEM certificate is verified against the certificate of the CA that issued it (ca.pem stands for that file here):
# openssl verify -CAfile ca.pem pem-file
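Steps 3 to 6 and step 11 put together as one shell script. This is an added example, not code from the original page: it assumes the openssl command-line tool is installed, keeps the page's file names and directory layout, writes the key without a passphrase and with mode 0600 (the step 5 result), and adds a subjectAltName for DOMAIN and www.DOMAIN (an assumption about which host names you serve) because browsers match the host name against the SAN rather than the Common Name. The verification hands the certificate to openssl verify as its own CA file, checks that key and certificate share one modulus, and that the certificate has not expired.

```sh
#!/bin/sh
# Added example, not part of the original page: steps 3-6 (key, CSR,
# self-signed certificate) and step 11 (verification) as one script.
# Assumptions: the openssl CLI is installed; file names and directory follow
# the page's sample setup; DOMAIN and www.DOMAIN are the names to certify.

# make_selfsigned DOMAIN [OUTDIR] [DAYS]
# Creates OUTDIR/self-ssl.key, self-ssl.csr and self-ssl.crt.
make_selfsigned() {
    domain=$1
    outdir=${2:-/etc/nginx/ssl/$1}
    days=${3:-365}
    mkdir -p "$outdir" && chmod 700 "$outdir"
    (
        cd "$outdir" || exit 1
        umask 077   # the key has no passphrase, so it must be created 0600
        # Step 3: 2048-bit RSA key (1024 bits is too weak for current use).
        openssl genrsa -out self-ssl.key 2048 2>/dev/null
        # Subject and extensions for steps 4 and 6. Browsers check the host
        # name against subjectAltName, so a CN-only certificate is not enough.
        cat > self-ssl.cnf <<EOF
[req]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $domain
[v3_req]
subjectAltName = DNS:$domain, DNS:www.$domain
extendedKeyUsage = serverAuth
EOF
        # Step 4: CSR, non-interactive because the subject comes from the config.
        openssl req -new -key self-ssl.key -config self-ssl.cnf -out self-ssl.csr
        # Step 6: self-sign the CSR. -extfile carries the SAN into the
        # certificate; "openssl x509 -req" would otherwise drop it.
        openssl x509 -req -sha256 -days "$days" -in self-ssl.csr -signkey self-ssl.key \
            -extfile self-ssl.cnf -extensions v3_req -out self-ssl.crt 2>/dev/null
        chmod 644 self-ssl.crt   # the certificate is public; the key stays 0600
    )
}

# check_cert CRT KEY (step 11): exit status 0 only if every check passes.
check_cert() {
    crt=$1
    key=$2
    # A self-signed certificate has no issuer in the system trust store, so
    # "openssl verify CRT" alone reports "self signed certificate". Giving it
    # the certificate as its own CA file is what makes the check meaningful.
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || return 1
    # Certificate and private key must share the same RSA modulus, otherwise
    # nginx refuses to start with "key values mismatch".
    [ "$(openssl x509 -noout -modulus -in "$crt")" = \
      "$(openssl rsa -noout -modulus -in "$key")" ] || return 2
    # Not expired (non-zero exit if it expires within the next 0 seconds).
    openssl x509 -noout -checkend 0 -in "$crt" >/dev/null || return 3
}

# cert_sans CRT: print the subjectAltName entries of CRT on one line.
cert_sans() {
    openssl x509 -noout -text -in "$1" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# check_live HOST CRT (step 10 without clicking "Add Exception"): TLS
# handshake with the running nginx, trusting only CRT, failing on any
# verification error.
check_live() {
    echo | openssl s_client -connect "$1:443" -servername "$1" \
        -CAfile "$2" -verify_return_error >/dev/null 2>&1
}

# Usage: sh mkcert.sh theitroad.com /etc/nginx/ssl/theitroad.com 365
if [ "$#" -ge 1 ]; then
    dir=${2:-/etc/nginx/ssl/$1}
    make_selfsigned "$1" "$dir" "${3:-365}"
    check_cert "$dir/self-ssl.crt" "$dir/self-ssl.key" \
        && echo "$dir/self-ssl.crt OK: $(cert_sans "$dir/self-ssl.crt")"
fi
```

Run it as root on the server (`sh mkcert.sh theitroad.com`), point ssl_certificate and ssl_certificate_key at the files it writes, reload nginx, and then run `check_live theitroad.com self-ssl.crt` from another host with a copy of the certificate: a zero exit status means the handshake verified against that exact certificate, which is the check a browser's "Add Exception" button skips.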