12.17 Nginx load balancing  12.18 How SSL works  12.19 Generating an SSL key pair  12.20 Configuring SSL in Nginx
# cd /usr/local/nginx/conf/
The openssl command is needed here. How do you find out which package installed a given command? Ask rpm which package owns the binary, then install that package if it is missing.
# rpm -qf `which openssl`
openssl-1.0.2k-8.el7.x86_64
# yum install -y openssl-1.0.2k-8.el7.x86_64
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.163.com
* epel: ftp.riken.jp
* extras: mirrors.163.com
* updates: mirrors.163.com
软件包 1:openssl-1.0.2k-8.el7.x86_64 已安装并且是最新版本
无须任何处理
#
Step 1: openssl genrsa -des3 -out tmp.key 2048. Command explanation: generate an RSA private key, 2048 bits long, named tmp.key; the .key file is the private key.
# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
.............................+++
...........................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
#
Step 2: convert the key and drop the passphrase: openssl rsa -in tmp.key -out aminglinux.key, then rm -f tmp.key
# openssl rsa -in tmp.key -out aminglinux.key
Enter pass phrase for tmp.key:
writing RSA key
# rm -f tmp.key
Step 3: generate a certificate signing request (CSR) file. This file and the private key are used together to produce the certificate file, which carries the public key.
# openssl req -new -key aminglinux.key -out aminglinux.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :china
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) :11
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) :BeiJing
Organization Name (eg, company) :aming
Organizational Unit Name (eg, section) []:aming
Common Name (eg, your name or your server's hostname) []:aminglinux
Email Address []:aming@aminglinux.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:lishiming
An optional company name []:aming
#
Step 4: sign the request with the private key to produce a self-signed certificate valid for 365 days.
# openssl x509 -req -days 365 -in aminglinux.csr -signkey aminglinux.key -out aminglinux.crt
Signature ok
subject=/C=11/ST=BeiJing/L=BeiJing/O=aming/OU=aming/CN=aminglinux/emailAddress=aming@aminglinux.com
Getting Private key
# ls aminglinux.*
aminglinux.crt  aminglinux.csr  aminglinux.key
Here aminglinux.crt is the public key (the self-signed certificate).
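The three interactive openssl steps above, run non-interactively, plus two checks worth doing before handing the files to nginx. This is an added example, not code from the course notes; it assumes an openssl binary of version 1.1.0 or newer on PATH, and the subject values simply mirror the ones typed above.

```shell
#!/bin/sh
# Added example, not from the course notes. Assumes openssl 1.1.0+ on PATH.
set -eu

# gen_selfsigned DIR NAME CN: writes NAME.key, NAME.csr and a 365-day
# self-signed NAME.crt into DIR. The key is generated without -des3, so the
# separate "openssl rsa" step that strips the passphrase is not needed.
gen_selfsigned() {
    dir=$1; name=$2; cn=$3
    # umask in a subshell: the private key must never be group/world readable
    (umask 077; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=aming/OU=aming/CN=$cn"
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -signkey "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# cert_matches_key CRT KEY: exit 0 only if the public key inside CRT is the
# one derived from KEY. nginx refuses to start on a mismatched pair, and this
# is the quickest way to find out which .key belongs to a given .crt.
cert_matches_key() {
    from_crt=$(openssl x509 -in "$1" -noout -pubkey)
    from_key=$(openssl pkey -in "$2" -pubout)
    [ "$from_crt" = "$from_key" ]
}

# cert_outlives_days CRT DAYS: exit 0 if CRT is still valid DAYS days from
# now (-checkend takes seconds), so a cron job can warn before the 365-day
# certificate expires and every HTTPS client starts failing.
cert_outlives_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Self-contained demonstration in a temporary directory: sh this_file.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    gen_selfsigned "$work" aminglinux aming.com
    openssl x509 -in "$work/aminglinux.crt" -noout -subject -dates
    cert_matches_key "$work/aminglinux.crt" "$work/aminglinux.key" && echo "key pair: OK"
    cert_outlives_days "$work/aminglinux.crt" 30 && echo "valid for at least 30 days"
    rm -rf "$work"
fi
```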
12.20 Configuring SSL in Nginx
With the public key and private key in hand, nginx can now be configured.
Create a new configuration file
# vim ssl.conf
+已停止 vim ssl.conf
# mkdir /data/wwwroot/aming.com
# fg
vim ssl.conf
server {
    listen 443;
    server_name aming.com;
    index index.html index.php;
    root /data/wwwroot/aming.com;
    ssl on;
    ssl_certificate aminglinux.crt;
    ssl_certificate_key aminglinux.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
:wq
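A tightened version of the ssl.conf above, together with a check that flags the two settings worth changing in it. This is an added example, not code from the course notes; it assumes the layout used here (paths relative to /usr/local/nginx/conf/, vhosts under conf/vhost/) and the nginx 1.12.1 with OpenSSL 1.0.2k build these notes work with.

```shell
#!/bin/sh
# Added example, not from the course notes. Assumes the layout of the notes
# (paths relative to /usr/local/nginx/conf/, vhosts under conf/vhost/) and the
# nginx 1.12.1 / OpenSSL 1.0.2k build used in them.
set -eu

# write_ssl_vhost OUT DOMAIN CRT KEY: the server block from ssl.conf with two
# changes. "listen 443 ssl" replaces "ssl on" (deprecated since nginx 1.15.0),
# and only TLSv1.2 is offered: TLSv1 and TLSv1.1 are deprecated (RFC 8996),
# while TLSv1.3 needs OpenSSL 1.1.1, which a 1.0.2k build cannot provide.
write_ssl_vhost() {
    cat > "$1" <<EOF
server {
    listen 443 ssl;
    server_name $2;
    index index.html index.php;
    root /data/wwwroot/$2;
    ssl_certificate $3;
    ssl_certificate_key $4;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
}
EOF
}

# audit_ssl_conf FILE: prints one finding per line and exits 1 if any were
# found. Worth running over conf/vhost/*.conf before "nginx -t", which checks
# syntax only and accepts "ssl_protocols TLSv1" without complaint.
audit_ssl_conf() {
    n=0
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$1"; then
        echo "$1: deprecated 'ssl on;', use 'listen 443 ssl;'"
        n=$((n + 1))
    fi
    if ! grep -Eq '^[[:space:]]*ssl_protocols' "$1"; then
        echo "$1: ssl_protocols not set; the nginx 1.12 default includes TLSv1 and TLSv1.1"
        n=$((n + 1))
    elif grep -E '^[[:space:]]*ssl_protocols' "$1" | grep -Eq 'TLSv1(\.1)?([[:space:]]|;)'; then
        echo "$1: ssl_protocols still offers TLSv1 and/or TLSv1.1"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}
# Demonstration: sh this_file.sh demo  (writes ssl.conf.new in the current dir)
if [ "${1:-}" = "demo" ]; then
    write_ssl_vhost ssl.conf.new aming.com aminglinux.crt aminglinux.key
    audit_ssl_conf ssl.conf.new && echo "ssl.conf.new: no findings"
fi
```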
When nginx was first compiled, SSL support was not enabled, so it has to be recompiled. This is why you were told not to delete the source package: further recompiles may be needed later.
# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
configure arguments: --prefix=/usr/local/nginx
Go into the nginx source directory and look up the configure option that has to be added: --with-http_ssl_module
Then run ./configure again, followed by make and make install.
# cd /usr/local/src/nginx-1.12.1/
# ./configure --help |grep -i ssl
--with-http_ssl_module enable ngx_http_ssl_module
--with-mail_ssl_module enable ngx_mail_ssl_module
--with-stream_ssl_module enable ngx_stream_ssl_module
--with-stream_ssl_preread_module enable ngx_stream_ssl_preread_module
--with-openssl=DIR set path to OpenSSL library sources
--with-openssl-opt=OPTIONS set additional build options for OpenSSL
# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
nginx path prefix: "/usr/local/nginx"
nginx binary file: "/usr/local/nginx/sbin/nginx"
nginx modules path: "/usr/local/nginx/modules"
nginx configuration prefix: "/usr/local/nginx/conf"
nginx configuration file: "/usr/local/nginx/conf/nginx.conf"
nginx pid file: "/usr/local/nginx/logs/nginx.pid"
nginx error log file: "/usr/local/nginx/logs/error.log"
nginx http access log file: "/usr/local/nginx/logs/access.log"
nginx http client request body temporary files: "client_body_temp"
nginx http proxy temporary files: "proxy_temp"
nginx http fastcgi temporary files: "fastcgi_temp"
nginx http uwsgi temporary files: "uwsgi_temp"
nginx http scgi temporary files: "scgi_temp"
# make
sed -e "s|%%PREFIX%%|/usr/local/nginx|" \
-e "s|%%PID_PATH%%|/usr/local/nginx/logs/nginx.pid|" \
-e "s|%%CONF_PATH%%|/usr/local/nginx/conf/nginx.conf|" \
-e "s|%%ERROR_LOG_PATH%%|/usr/local/nginx/logs/error.log|" \
< man/nginx.8 > objs/nginx.8
make: 离开目录“/usr/local/src/nginx-1.12.1”
# make install
|| mkdir -p '/usr/local/nginx/logs'
test -d '/usr/local/nginx/html' \
|| cp -R html '/usr/local/nginx'
test -d '/usr/local/nginx/logs' \
|| mkdir -p '/usr/local/nginx/logs'
make: 离开目录“/usr/local/src/nginx-1.12.1”
#
Check again now: there is one more configure argument, --with-http_ssl_module
# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
#
# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
#
# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5682/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 874/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1783/master
tcp6 0 0 :::3306 :::* LISTEN 1578/mysqld
tcp6 0 0 :::22 :::* LISTEN 874/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1783/master
Something is wrong here: port 443 is not being listened on, so there must be a mistake somewhere.
It turned out that the ssl.conf file had been created in the conf directory rather than in the vhost directory, so it never took effect. Delete the ssl.conf under conf and re-create it under vhost, and it works.
Delete the earlier ssl.conf in the conf directory,
go to the vhost directory, re-create the configuration file with vim ssl.conf and add the configuration shown above.
# cd vhost/
# vim ssl.conf
# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
# /etc/init.d/nginx restart
Restarting nginx (via systemctl): [确定]
# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5682/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 874/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1783/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 5682/nginx: master
tcp6 0 0 :::3306 :::* LISTEN 1578/mysqld
tcp6 0 0 :::22 :::* LISTEN 874/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1783/master
#
Go to the aming.com directory and create a test file, 1.txt.
Then try accessing it with curl; done this way it does not work:
# cd /data/wwwroot/aming.com/
# ls
# vim 1.txt
This is ssl.
:wq
# mv 1.txt index.html
# curl -x12.0.0.1:443 https://aming.com/
curl: (7) Failed connect to 12.0.0.1:443; 拒绝连接
#
Accessing it this way is wrong; edit the hosts file instead.
# vi /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.202.131 www.qq123.com www.13.com www.aming.com
127.0.0.1 www.13.com aming.com
:wq
# curl https://aming.com/
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
#
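curl error 60 above is the expected result for a self-signed certificate: its issuer is not in curl's CA bundle. This added example, not code from the course notes, shows how to check the certificate and the site without falling back to -k; it assumes openssl 1.1.0 or newer and curl 7.21.3 or newer on PATH, and, for the fetch function, the vhost above listening on 127.0.0.1:443.

```shell
#!/bin/sh
# Added example, not from the course notes. Assumes openssl 1.1.0+ and
# curl 7.21.3+ on PATH; fetch_pinned also assumes the vhost from the notes
# is listening on 127.0.0.1:443.
set -eu

# verify_cert CRT CAFILE HOST: exit 0 only if CRT chains to CAFILE and its
# CN/SAN matches HOST, which is exactly what curl checks before sending the
# request. For a self-signed certificate, CAFILE is the certificate itself.
verify_cert() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# trusted_by_system CRT: exit 0 if CRT verifies against the system CA store,
# i.e. what curl does by default. Expected to fail for aminglinux.crt, which
# is why the notes hit error 60.
trusted_by_system() {
    openssl verify "$1" >/dev/null 2>&1
}

# fetch_pinned URL CRT HOST IP: the request from the notes with aminglinux.crt
# as the only trust anchor and HOST resolved to IP on the command line, so
# neither /etc/hosts edits nor --insecure (-k, which disables verification
# entirely) are needed.
fetch_pinned() {
    curl --silent --show-error --cacert "$2" --resolve "$3:443:$4" "$1"
}

# Demonstration against a freshly generated certificate: sh this_file.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=aming.com \
        -keyout "$work/aminglinux.key" -out "$work/aminglinux.crt" 2>/dev/null
    trusted_by_system "$work/aminglinux.crt" || echo "system store: rejected (curl error 60)"
    verify_cert "$work/aminglinux.crt" "$work/aminglinux.crt" aming.com && echo "pinned: OK"
    verify_cert "$work/aminglinux.crt" "$work/aminglinux.crt" www.13.com || echo "pinned, wrong host: rejected"
    rm -rf "$work"
fi
```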