nginx配置https(亲测可用)

配置https前需要先创建证书,这里使用自签名ca证书:

1、创建ca自签名证书,使用sha256 算法签名,rsa2048位公钥算法。

openssl req -sha256 -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -config ca-openssl.cnf -days 730 -extensions v3_req

ca-openssl.cnf配置示例如下:

[req]
distinguished_name  = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName           = CN (2 letter code)
countryName_default = AU
stateOrProvinceName   = ZheJiang (full name)
stateOrProvinceName_default = Some-State
organizationName          = companyName (eg, company)
organizationName_default = Internet Widgits Pty Ltd
commonName            = api.companyName.com (eg, YOUR name)
commonName_default = ca
[v3_req]
basicConstraints = CA:true
keyUsage = critical, keyCertSign

2、根据ca证书创建server证书,同样使用sha256 算法签名,rsa2048位公钥算法。

$ openssl genrsa -out server.key.rsa 2048
$ openssl pkcs8 -topk8 -in server.key.rsa -out server.key -nocrypt
$ rm server.key.rsa
$ openssl req -new -sha256 -key server.key -out server.csr -config server-openssl.cnf

-sha256将会被server-openssl.cnf中的default_md配置项代替

另外在当前目录下还要创建index.txt,创建并初始化serial文件。

touch index.txt
touch serial
echo 00 > serial
server-openssl.cnf配置示例如下:
[req]
distinguished_name  = req_distinguished_name
req_extensions     = v3_req
[req_distinguished_name]
countryName           = CN (2 letter code)
countryName_default   =CN 
stateOrProvinceName   = ZheJiang (full name)
stateOrProvinceName_default =ZheJiang 
localityName          = HangZhou (eg, city)
localityName_default  = HangZhou
organizationName          = companyName (eg, company)
organizationName_default  = companyName
commonName            = api.companyName.com (eg, YOUR name)
commonName_max        = 64
####################################################################
[ ca ]
default_ca	= CA_default		# The default ca section
####################################################################
[ CA_default ]
dir		= . # Where everything is kept
certs		= $dir # Where the issued certs are kept
crl_dir		= $dir		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
#unique_subject	= no			# Set to 'no' to allow creation of
					# several ctificates with same subject.
new_certs_dir	= $dir		# default place for new certs.
certificate	= $dir/ca.pem 	# The CA certificate
serial		= $dir/serial
crlnumber	= $dir/crlnumber	# the current crl number
					# must be commented out to leave a V1 CRL
crl		= $dir/crl.pem 		# The current CRL
private_key	= $dir/private/cakey.pem# The private key
RANDFILE	= $dir/private/.rand	# private random number file
x509_extensions	= usr_cert		# The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions	= crl_ext
default_days	= 730			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= sha256		# use public key default MD
preserve	= no			# keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy		= policy_anything
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.companyName.com
DNS.2 = localhost
IP.1 = "125.36.75.163"
IP.2 = "125.46.72.154"
IP.2 = "127.0.0.1"

查看csr信息

openssl req -noout -text -in server.csr

生成server证书

openssl ca -in server.csr -out server.pem -keyfile ca.key -cert ca.pem -verbose -config server-openssl.cnf -days 730 -extensions v3_req -updatedb

转换

openssl x509 -in server.pem -out server.pem -outform PEM

查看证书

openssl x509 -in server.pem -inform pem -noout -text

验证证书

openssl verify -CAfile ca.pem server.pem

3、nginx配置https

自建ca,需要将ca证书添加到浏览器,这样在访问站点时才不会显示不安全连接

nginx.conf配置:

#user  nobody;
worker_processes  1;
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
pid        logs/nginx.pid;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log  logs/access.log  main;
    sendfile        on;
    #tcp_nopush     on;
    #keepalive_timeout  0;
    keepalive_timeout  65;
    gzip  on;
server {
        listen 80;
        server_name  m.domain.com;
      location / {
        rewrite ^ https://$host:443$request_uri? permanent;
     }
}
server{
       listen       443 ssl;
       server_name  m.domain.com;
        access_log   /home/logs/access.log;
        error_log    /home/logs/error.log;
        if ($host = "m.domain.com") {
                rewrite ^/$ /appname/index.shtml;
        }
       location ^~ /assets/ {
                root /home/apps/appname/;
        }
        location ~*  ^.+\.(gif|jpg|png|jpeg|js|ico|css|svg)$ {
         root /home/apps/appname/assets/;
        }
        location / {
                proxy_buffering off;
                client_max_body_size    20m;
                proxy_set_header   X-Real-IP $remote_addr;
                proxy_set_header   X-Scheme $scheme;
                proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header   Host $http_host;
                proxy_pass http://127.0.0.1:8080;
         } 
          ssl_certificate     ~/sshsert/server.pem;
          ssl_certificate_key  ~/sshsert/server.key;
          ssl_session_cache    shared:SSL:10m;
         ssl_session_timeout  50m;
         ssl_prefer_server_ciphers  on;
         ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
         ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
      }
}

补充说明:

配置nginx参考链接:

https://segmentfault.com/a/1190000002866627

签名算法列表:

-md4            to use the md4 message digest algorithm            //摘要算法使用md4
-md5            to use the md5 message digest algorithm            //摘要算法使用md5
-ripemd160      to use the ripemd160 message digest algorithm      //摘要算法使用ripemd160
-sha            to use the sha message digest algorithm            //摘要算法使用sha
-sha1           to use the sha1 message digest algorithm           //摘要算法使用sha1
-sha224         to use the sha224 message digest algorithm         //摘要算法使用sha223
-sha256         to use the sha256 message digest algorithm         //摘要算法使用sha256
-sha384         to use the sha384 message digest algorithm         //摘要算法使用sha384
-sha512         to use the sha512 message digest algorithm         //摘要算法使用sha512
-whirlpool      to use the whirlpool message digest algorithm      //摘要算法使用whirlpool

关于tls版本:

https://www.openssl.org/

Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]:

• Support TLS v1.2 and TLS v1.1.

原文发布于微信公众号 - java达人(drjava)

原文发表时间:2017-03-12

本文参与腾讯云自媒体分享计划,欢迎正在阅读的你也加入,一起分享。

发表于

我来说两句

0 条评论
登录 后参与评论

相关文章

来自专栏Keegan小钢

读《图解密码技术》(一):密码

以前,对一些密码技术,虽然懂得怎么用,但对其原理却一直不甚了解,比如,用公钥加密后,为什么用私钥就可以解密?DES和AES加密时为什么需要一个初始化向量?想要了...

2232
来自专栏高性能服务器开发

(八)高性能服务器架构设计总结2——以flamigo服务器代码为例

说了这么多,我们来以flamingo的服务器程序的网络框架设计为例来验证上述介绍的理论。flamingo的网络框架是基于陈硕的muduo库,改成C++11的版本...

4495
来自专栏安智客

GP TEE需支持的加解密算法

GP TEE规范规定了TEE所需支持的加解密算法标准,一张图表示如下(点击看大图) ? 密码学博大精深,而且在不断发展研究我们今天只是简要介绍一下,后期会有针对...

2316
来自专栏Pythonista

hashlib 算法介绍

什么是摘要算法呢?摘要算法又称哈希算法、散列算法。它通过一个函数,把任意长度的数据转换为一个长度固定的数据串(通常用16进制的字符串表示)。

1132
来自专栏安恒网络空间安全讲武堂

jarvisoj-Crypto

jarvisoj-Crypto Medium RSA 题目到手后给了一个公钥和一个密文 ? ? 我们对这个公钥提取信息: ? 可以得到 N = 0xC2636A...

1K6
来自专栏我的博客

Discuz用户登录身份标识authcode函数

php /** * $string 明文或密文 * $operation 加密ENCODE或解密DECODE * $key 密钥 * $expiry ...

3977
来自专栏醒者呆

应用密码学初探

关键字:密码学,密码算法,单向哈希函数,对称加密,非对称加密,数字签名,数字证书,Merkle树,同态加密 在计算机科学中,密码学常常用来解决某些特定的难...

4668
来自专栏腾讯移动品质中心TMQ的专栏

【腾讯TMQ】从 wireshark 抓包开始学习 https

目前互联网大量Web的应用层协议从http迁移到了https,https已经在越来越多的场合替换http协议。近期由于业务需要,我们通过Wireshark对ht...

2K2
来自专栏安智客

Key attestation的几个关键点!

Key attestation就是密钥认证,之前介绍过: Key attestation-Google的密钥认证 下图是Google Android密钥认证的架...

6907
来自专栏大闲人柴毛毛

聊聊对称/非对称加密在HTTPS中的应用

目前常用的加密算法主要分成三类: 对称加密算法 非对称加密算法 消息摘要算法 在互联网中,信息防护主要涉及两个方面:信息窃取和信息篡改。对称/非对称加密算法能够...

4275

扫码关注云+社区

领取腾讯云代金券