Serving a site over HTTPS makes it trustworthy to clients and protects against hijacking, tampering and eavesdropping.
HTTPS configuration syntax
Syntax: ssl on | off;
Default: ssl off;
Context: http, server
Syntax: ssl_certificate file;
Default: —
Context: http, server
Syntax: ssl_certificate_key file;
Default: —
Context: http, server
Syntax: ssl_ciphers ciphers;
Default: ssl_ciphers HIGH:!aNULL:!MD5;
Context: http, server
Apple certificate requirements
- All server connections must use TLS 1.2 or newer (OpenSSL 1.0.2 or later)
- The HTTPS certificate must be signed with SHA-256 or a stronger hash algorithm
- The HTTPS certificate must use an RSA public key of at least 2048 bits or an ECC key of at least 256 bits
- Forward secrecy must be used
Key generation steps
- Generate the private key
- Generate the certificate signing request (CSR file)
- Generate the signed certificate file (CA file)
[root@my-node10 ~]# openssl version
OpenSSL 1.1.1c FIPS 28 May 2019
[root@my-node10 ~]# nginx -V
nginx version: nginx/1.22.1
--with-http_ssl_module
Create the private key
[root@my-node10 ~]# mkdir ssl_key
[root@my-node10 ~]# cd ssl_key/
[root@my-node10 ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................+++++
.................................................................+++++
e is 65537 (0x010001)
Enter pass phrase for server.key:
140629560358720:error:28078065:UI routines:UI_set_result_ex:result too small:crypto/ui/ui_lib.c:903:You must type in 4 to 1023 characters
Enter pass phrase for server.key: // mynode2023
Verifying - Enter pass phrase for server.key:
[root@my-node10 ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a RSA private key
................................................................................................+++++
.............................................................+++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SD
Locality Name (eg, city) [Default City]:QD
Organization Name (eg, company) [Default Company Ltd]:kunking
Organizational Unit Name (eg, section) []:sa
Common Name (eg, your name or your server's hostname) []:mynode
Email Address []:mynode@kunking.com
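The three steps listed above (private key, CSR, certificate) run non-interactively below, followed by a check of the resulting certificate against the requirements from the Apple list (SHA-256 signature, RSA of at least 2048 bits, key and certificate belonging together). This is an added example, not the commands from the original post; the subject fields, file names and the $WORK directory are constructed for the example. Note that in the session above the second command, openssl req with -nodes -keyout server.key, overwrites the passphrase-protected key that genrsa just created, which is why nginx can later start without prompting for a passphrase.

```shell
#!/bin/sh
# Added example (not from the original post): generate a private key, a CSR and a
# self-signed certificate non-interactively, then verify the result against the
# requirements listed above. File names, subject and $WORK are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
# Constructed subject; a real CSR carries your own organisation and hostname
SUBJ="/C=CN/ST=SD/L=QD/O=kunking/OU=sa/CN=www.mydemo.com"

gen_key() {
    # 2048-bit RSA key without a passphrase (omit -idea/-aes256), so nginx
    # can load it at startup without prompting
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
}

gen_csr() {
    # The certificate signing request is what you would send to a public CA
    openssl req -new -sha256 -key "$WORK/server.key" -subj "$SUBJ" \
        -out "$WORK/server.csr" 2>/dev/null
}

gen_selfsigned() {
    # Self-signed certificate for testing; a production site installs the CA's reply instead
    openssl x509 -req -days 365 -sha256 -in "$WORK/server.csr" \
        -signkey "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# Prints the certificate's signature algorithm, e.g. sha256WithRSAEncryption
cert_sig_alg() {
    openssl x509 -in "$WORK/server.crt" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# Prints the RSA key size in bits of the certificate's public key
cert_key_bits() {
    openssl x509 -in "$WORK/server.crt" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1
}

# Returns 0 when key and certificate carry the same public key, 1 otherwise
key_matches_cert() {
    k=$(openssl rsa -in "$WORK/server.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$WORK/server.crt" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ]
}

# Returns 0 when the certificate meets the requirements above, 1 otherwise
check_cert() {
    case "$(cert_sig_alg)" in
        sha256*|sha384*|sha512*) ;;
        *) echo "weak signature hash: $(cert_sig_alg)"; return 1 ;;
    esac
    [ "$(cert_key_bits)" -ge 2048 ] || { echo "key too small: $(cert_key_bits) bits"; return 1; }
    key_matches_cert || { echo "key does not match certificate"; return 1; }
    echo "certificate OK: $(cert_sig_alg), $(cert_key_bits)-bit RSA, key matches"
}

gen_key && gen_csr && gen_selfsigned && check_cert
```

The generated files are left in $WORK so they can be copied into the nginx ssl_key directory used by the configuration below. The key-match check compares SHA-256 digests of the public key extracted from each file, which is the quickest way to spot a certificate installed next to the wrong private key.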
[root@my-node10 conf.d]# cat demo-ssl.conf
server {
    listen 443 ssl;
    server_name www.mydemo.com;
    # ssl on;
    ssl_certificate /etc/nginx/conf.d/ssl_key/server.crt;
    ssl_certificate_key /etc/nginx/conf.d/ssl_key/server.key;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5;
    # TLS 1.0 and 1.1 fall below the TLS 1.2 minimum listed above, so only 1.2 and 1.3 are enabled
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 10m;
    location / {
        root /application/nginx/demo;
        index index.html;
    }
}
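A configuration like the one above is easy to get subtly wrong (a legacy protocol left enabled, a cipher list without ECDHE, the deprecated ssl on directive), so here is a small lint pass over an nginx server block that checks the TLS directives against the requirements listed earlier. This is an added example and not part of the original post; the two server blocks it inspects are constructed inline, one weak and one hardened, and the directive names are nginx's own.

```shell
#!/bin/sh
# Added example (not from the original post): lint the TLS directives of an nginx
# server block against the requirements above (TLS 1.2+, forward secrecy via
# (EC)DHE key exchange, server cipher preference, no deprecated "ssl on").
set -eu

# Constructed weak config: legacy protocols, no ECDHE, deprecated directive
WEAK_CONF=$(cat <<'EOF'
server {
    listen 443 ssl;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers AES128-SHA:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers off;
}
EOF
)

# Constructed hardened config
GOOD_CONF=$(cat <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
EOF
)

# Print the value of directive $1 in config text $2 (first match), with
# comments and the trailing ';' stripped; prints nothing if absent
directive() {
    printf '%s\n' "$2" | sed 's/#.*//' \
        | awk -v d="$1" '$1 == d { sub(/;.*/, ""); $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Returns 0 when the config meets the requirements, 1 otherwise, printing each finding
lint_tls_conf() {
    conf="$1"; rc=0
    for p in $(directive ssl_protocols "$conf"); do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "FAIL: legacy protocol enabled: $p"; rc=1 ;;
        esac
    done
    case "$(directive ssl_ciphers "$conf")" in
        *ECDHE*|*DHE*) ;;
        *) echo "FAIL: no (EC)DHE ciphers, forward secrecy not provided"; rc=1 ;;
    esac
    [ "$(directive ssl_prefer_server_ciphers "$conf")" = "on" ] \
        || { echo "FAIL: ssl_prefer_server_ciphers is not on"; rc=1; }
    if [ -n "$(directive ssl "$conf")" ]; then
        echo "WARN: 'ssl on' is deprecated; use 'listen 443 ssl' instead"
    fi
    return $rc
}

lint_tls_conf "$WEAK_CONF" || echo "weak config rejected"
lint_tls_conf "$GOOD_CONF" && echo "hardened config accepted"
```

The cipher check is deliberately coarse: it only confirms that ECDHE or DHE suites appear in the list. To see exactly which suites a string expands to, and whether any non-forward-secret suites are still reachable, run the string through openssl ciphers -v on the same OpenSSL version nginx is built against.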

Force HTTP requests to redirect to HTTPS
server {
    listen 80;
    server_name www.mydemo.com;
    rewrite ^(.*) https://$server_name$1 redirect;
}