Nginx HTTPS
HTTPS basic overview
Why use HTTPS? Because plain HTTP is not secure:
1. Data in transit can be read by a man in the middle, leaking information
2. Content can be hijacked and tampered with on the way to the client
HTTPS configuration syntax
Syntax: ssl on | off;
Default: ssl off;
Context: http, server
(The ssl directive is obsolete since nginx 1.15.0; use the ssl parameter of listen instead, as the server blocks below do with listen 443 ssl;)
Syntax: ssl_certificate file;
Default: —
Context: http, server
Syntax: ssl_certificate_key file;
Default: —
Context: http, server
HTTPS configuration scenarios
Configuring a certificate that meets Apple's (ATS) requirements
1. All server connections use TLS 1.2 or later (OpenSSL 1.0.2)
2. The HTTPS certificate is signed with SHA-256 or a stronger hash
3. The HTTPS certificate uses an RSA public key of at least 2048 bits or an ECC key of at least 256 bits
4. Forward secrecy is used (ECDHE/DHE key exchange, so a later key compromise does not expose recorded traffic)
Key generation steps
1. Generate the private key
2. Generate the certificate signing request (CSR file)
3. Generate the signed certificate (self-signed here; in production it is issued by a CA)
1. Check the environment
//openssl must be 1.0.2 or newer
[root@Nginx ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
//nginx must be built with the ssl module
[root@Nginx ~]# nginx -V
--with-http_ssl_module
[root@Nginx ~]# mkdir /etc/nginx/ssl_key -p
[root@Nginx ~]# cd /etc/nginx/ssl_key
2. Create the private key
[root@Nginx ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.....+++
//Remember the passphrase; here it is 1234. A passphrase-protected key makes nginx prompt for it on every start and reload unless ssl_password_file is configured; step 3 below sidesteps this with -nodes.
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
3. Generate a self-signed certificate. As written, -newkey rsa:2048 -keyout server.key creates a fresh key without a passphrase (-nodes) and overwrites the server.key from step 2; to sign with the existing key, pass -key server.key instead of -newkey/-keyout. The Common Name should be the hostname the site is served under (the nginx config below uses sre.xu.com); modern browsers match only the subjectAltName, not the CN, so a real deployment needs a SAN entry as well.
[root@Nginx ssl_key]# openssl req -days 36500 -x509 \
-sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:XU
Organizational Unit Name (eg, section) []:XU
Common Name (eg, your name or your server's hostname) []:xu.com
Email Address []:xu@qq.com
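Steps 2 and 3 above done non-interactively, as an added example that is not part of the original page. make_selfsigned writes the subject and a subjectAltName into a small config file (so no system openssl.cnf is needed), then produces the key, the CSR and a self-signed certificate; check_cert verifies the result against the Apple requirements listed earlier (SHA-256 signature, RSA key of at least 2048 bits) and against the two things that make nginx refuse to start or browsers reject the site (key/certificate mismatch, hostname missing from the SAN). It assumes openssl is on PATH; the directory and hostname are caller-supplied, and the subject values only mirror the page's prompts.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes openssl on PATH.
set -eu

# make_selfsigned DIR HOST [DAYS]: writes DIR/server.key, server.csr, server.crt
make_selfsigned() {
    dir=$1; host=$2; days=${3:-365}
    mkdir -p "$dir"
    # Subject and extensions in a config file instead of interactive prompts.
    # Values mirror the page's prompts; only CN and the SAN must really match.
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C = CN
ST = BJ
L = BJ
O = XU
OU = XU
CN = $host
[san]
subjectAltName = DNS:$host
extendedKeyUsage = serverAuth
EOF
    # 1. private key: 2048-bit RSA, no passphrase, so nginx starts unattended
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"
    # 2. certificate signing request with a SHA-256 digest
    openssl req -new -sha256 -config "$dir/req.cnf" \
        -key "$dir/server.key" -out "$dir/server.csr"
    # 3. self-sign the CSR with the same key (a CA would sign it instead),
    #    attaching the SAN extension that browsers match against
    openssl x509 -req -sha256 -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -extfile "$dir/req.cnf" -extensions san \
        -out "$dir/server.crt" 2>/dev/null
}

# check_cert CRT KEY HOST: prints each failing check, returns 1 if any failed
check_cert() {
    crt=$1; key=$2; host=$3; rc=0
    text=$(openssl x509 -in "$crt" -noout -text)
    # Apple requirement 2: SHA-256 (or stronger) signature
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
        || { echo "FAIL: signature is not SHA-256"; rc=1; }
    # Apple requirement 3: RSA key of at least 2048 bits
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key is ${bits:-?} bits"; rc=1; }
    # hostname must be in subjectAltName, or browsers reject the certificate
    printf '%s\n' "$text" | grep -q "DNS:$host" \
        || { echo "FAIL: subjectAltName lacks $host"; rc=1; }
    # key and certificate must share a modulus, or nginx fails to start
    [ "$(openssl x509 -in "$crt" -noout -modulus)" = "$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)" ] \
        || { echo "FAIL: private key does not match certificate"; rc=1; }
    return $rc
}
```

Usage: make_selfsigned /etc/nginx/ssl_key sre.xu.com 36500 followed by check_cert /etc/nginx/ssl_key/server.crt /etc/nginx/ssl_key/server.key sre.xu.com reproduces the page's artifacts with the hostname in the SAN; the same check_cert is worth running on a CA-issued bundle before pointing ssl_certificate at it.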
4. Configure Nginx
[root@Nginx ~]# cat /etc/nginx/conf.d/wing.conf
server {
    listen 443 ssl;
    server_name sre.xu.com;
    root /soft/code/xu.com/ ;
    index index.html index.htm;
    #ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    # ECDHE first so clients negotiate a forward-secret suite (requirement 4)
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLS 1.0/1.1 would break requirement 1; add TLSv1.3 when nginx is built against OpenSSL 1.1.1 or newer
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
}
5. Test access. Because the certificate is self-signed rather than issued by a trusted CA, the browser shows a warning.
6. With the configuration above, a user who omits https:// in the address bar is not redirected to https; plain http requests have to be forced over to https.
[root@Nginx ~]# cat /etc/nginx/conf.d/wing.conf
server {
    listen 443 ssl;
    server_name sre.xu.com;
    root /soft/code/xu.com/ ;
    index index.html index.htm;
    #ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
}
server {
    listen 80;
    server_name sre.xu.com;
    # temporary (302) redirect; return 301 https://$host$request_uri; is the usual permanent form
    rewrite ^(.*) https://$server_name$1 redirect;
}
7. Check whether the server meets Apple's ATS requirements
//only available on macOS; the diagnostics do not skip certificate validation, so a self-signed certificate or a bare IP that the certificate does not name makes every probe fail for trust reasons; run it against a trusted certificate and the hostname it names
$ nscurl --ats-diagnostics --verbose https://192.168.69.113
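Since nscurl only exists on macOS, here is an added example (not from the original page) that probes a live server with openssl s_client and applies the same ATS points from a Linux box: TLS 1.0 and 1.1 must be refused, TLS 1.2 must be accepted, and the negotiated suite must give forward secrecy (ECDHE/DHE, or any TLS 1.3 suite). HOST and PORT are caller-supplied; the two parsing functions take the s_client output as text so they can be exercised without a server, and ats_probe is the wrapper that runs the handshakes.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes openssl on PATH.
set -eu

# judge_handshake WANT OUTPUT: WANT is accept or reject. A completed handshake
# shows "Protocol : TLSv1.2/1.3" plus a real cipher name in the SSL-Session
# block; a refused one shows "Cipher : 0000" and a protocol-version alert.
judge_handshake() {
    want=$1; out=$2
    if printf '%s\n' "$out" | grep -Eq 'Protocol *: TLSv1\.[23]' &&
       printf '%s\n' "$out" | grep -Eq 'Cipher *: [A-Z]'; then
        got=accept
    else
        got=reject
    fi
    [ "$got" = "$want" ]
}

# forward_secret OUTPUT: ECDHE/DHE suite (TLS 1.2) or any TLS 1.3 suite (TLS_*)
forward_secret() {
    printf '%s\n' "$1" | grep -Eq 'Cipher *: (ECDHE-|DHE-|TLS_)'
}

# ats_probe HOST [PORT]: one forced-version handshake per protocol, one verdict per line
ats_probe() {
    host=$1; port=${2:-443}; rc=0
    for v in tls1 tls1_1 tls1_2; do
        out=$(openssl s_client -connect "$host:$port" -servername "$host" "-$v" </dev/null 2>&1 || true)
        # a client built without the old protocols cannot test them; say so
        # instead of reporting a vacuous "reject"
        if printf '%s\n' "$out" | grep -q 'no protocols available'; then
            echo "skip $v: local openssl does not support it"; continue
        fi
        case $v in tls1_2) want=accept ;; *) want=reject ;; esac
        if judge_handshake "$want" "$out"; then
            echo "ok   $v: $want"
        else
            echo "FAIL $v: expected $want"; rc=1
        fi
        if [ "$v" = tls1_2 ] && ! forward_secret "$out"; then
            echo "FAIL tls1_2: negotiated cipher has no forward secrecy"; rc=1
        fi
    done
    return $rc
}
```

Usage: ats_probe sre.xu.com 443. Unlike nscurl, s_client completes the handshake with a self-signed certificate (it only reports a verify error), so this check works before a CA-issued certificate is installed; with the page's original ssl_protocols line the tls1 and tls1_1 probes would report FAIL.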
HTTPS in practice on a public cloud
xu.top
Certificates from the various brands can be issued on the cloud to put a website on HTTPS, making it trusted and protecting against hijacking, tampering and eavesdropping, with unified lifecycle management that simplifies certificate deployment and one-click distribution to cloud products.
Upload the Alibaba Cloud certificate bundle and unzip it (it contains the certificate .pem and the private .key; keep the key readable by root only)
[root@Nginx ssl_key]# rz
rz waiting to receive.
Starting zmodem transfer. Press Ctrl+C to cancel.
Transferring 1524377920931.zip...
100% 3 KB 3 KB/sec 00:00:01 0 Errors
//unzip
[root@Nginx ssl_key]# unzip 1524377920931.zip
Configure nginx HTTPS
[root@Nginx conf.d]# cat wingsredevsecops.top.conf
server {
    listen 443 ssl;
    server_name xu.top;
    index index.html index.htm;
    root /soft/code/xu;
    ssl_session_timeout 10m;
    ssl_certificate ssl_key/9854629_xu.top.pem;
    ssl_certificate_key ssl_key/9854629_xu.top.key;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLS 1.2 only, as the Apple requirements above demand; add TLSv1.3 with OpenSSL 1.1.1 or newer
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
}
server {
    listen 80;
    server_name xu.top;
    rewrite ^(.*) https://$server_name$1 redirect;
}
