nginx SSL certificates (HTTPS access)

起点·漫步前行 / 2024-08-29 / Original

ngx_http_ssl_module

ngx_http_ssl_module directives:
  ssl on | off;            enable the HTTPS protocol for this virtual host; using the ssl parameter of the listen directive is recommended instead
  ssl_certificate file;         PEM-format certificate file for this virtual host
  ssl_certificate_key file;         private key file that matches this virtual host's certificate
  ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2];        supported SSL/TLS protocol versions; the default is the last three
  ssl_session_cache off | none | [builtin[:size]] [shared:name:size];
    none:             tells the client that SSL session caching is supported, but no cache is actually used
    builtin[:size]:          use the OpenSSL built-in cache, private to each worker process
    [shared:name:size]:      one cache shared among all worker processes
  ssl_session_timeout time;      how long a client may reuse a session stored in the SSL session cache; default 5m


Enabling HTTPS access to a site


1. Generate the certificate and private key

[root@centos7.6 conf.d]# cd /etc/pki/tls/certs/

[root@centos7.6 certs]# make magedu.crt               # generate the certificate with the Makefile shipped with the system
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > magedu.key     # what the Makefile runs: generate the private key
Generating RSA private key, 2048 bit long modulus
......................+++
....+++
e is 65537 (0x10001)
Enter pass phrase:                                    # set the pass phrase protecting the private key; -aes128 comes from the Makefile and can be changed or removed
Verifying - Enter pass phrase:
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key magedu.key -x509 -days 365 -out magedu.crt        # what the Makefile runs: generate the certificate
Enter pass phrase for magedu.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                                   # the fields below are the information that goes into the certificate
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:www.magedu.org                 # must match the domain name used to access the site
Email Address []:

Resulting private key:

[root@lvs-ka2 certs]# cat magedu.key                                  # private key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED                                                # encrypted
DEK-Info: AES-128-CBC,FC321643C6EFE861E1320535A80801EF
[encrypted key material omitted]
-----END RSA PRIVATE KEY-----

Generate a decrypted copy of the private key:

[root@centos7.6 certs]# openssl rsa -in magedu.key -out magedu.org.key   # write out the decrypted private key
Enter pass phrase for magedu.key:                                        # enter the pass phrase to decrypt it
writing RSA key
[root@centos7.6 certs]# ll

-rw-------  1 root root 1330 Mar  7 14:11 magedu.crt
-rw-------  1 root root 1766 Mar  7 14:09 magedu.key
-rw-r--r--  1 root root 1675 Mar  7 14:12 magedu.org.key                 # plain, unencrypted private key
[root@centos7.6 certs]# cat magedu.org.key
-----BEGIN RSA PRIVATE KEY-----
[key material omitted]
-----END RSA PRIVATE KEY-----
[root@centos7.6 certs]# mv magedu.crt magedu.org.crt                   # rename the certificate
[root@centos7.6 certs]# ll

-rw-------  1 root root 1766 Mar  7 14:09 magedu.key
-rw-------  1 root root 1330 Mar  7 14:11 magedu.org.crt
-rw-------  1 root root 1675 Mar  7 14:12 magedu.org.key

2. Create a directory for the certificate and private key

[root@centos7.6 certs]# mkdir /apps/nginx4/ssl               # directory that will hold the certificate and private key
[root@centos7.6 certs]# mv magedu.org.* /apps/nginx4/ssl/
[root@centos7.6 certs]# ll /apps/nginx4/ssl/
-rw------- 1 root root 1330 Mar  7 14:11 magedu.org.crt
-rw-r--r-- 1 root root 1675 Mar  7 14:12 magedu.org.key
[root@centos7.6 certs]# chmod 600 /apps/nginx4/ssl/*
[root@centos7.6 certs]# ll /apps/nginx4/ssl/

-rw------- 1 root root 1330 Mar  7 14:11 magedu.org.crt
-rw------- 1 root root 1675 Mar  7 14:12 magedu.org.key
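A scripted form of steps 1 and 2, added here as an example (these are not the post's own commands): one non-interactive openssl run produces the key and certificate, and three small checks confirm what the post verifies by eye, namely that the key matches the certificate, that the certificate carries the site's hostname, and that both files are mode 600. It assumes OpenSSL 1.1.1 or newer, because -addext is used to put www.magedu.org into a subjectAltName, which browsers check rather than the CN.

```shell
# Added example, not from the original post: scripted version of steps 1 and 2.
# Assumes OpenSSL 1.1.1 or newer (for -addext) and a writable output directory.
set -u

# gen_site_cert <outdir> <hostname> [days]
# Writes <hostname>.key and <hostname>.crt (both mode 600) into <outdir>.
gen_site_cert() {
    outdir=$1; host=$2; days=${3:-365}
    mkdir -p "$outdir"
    # Same result as `make magedu.crt` in the post, except that -nodes leaves the
    # key unencrypted (so the separate `openssl rsa` decryption step is not
    # needed), -subj answers the DN prompts, and -addext adds a SAN. umask 077
    # gives both files the chmod 600 the post applies by hand.
    (umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/C=CN/ST=shanghai/L=shanghai/O=magedu/OU=opt/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$outdir/$host.key" -out "$outdir/$host.crt" 2>/dev/null)
}

# cert_matches_key <crt> <key>: returns 0 only if the certificate's public key
# is the one derived from the private key (nginx refuses a mismatched pair).
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_has_name <crt> <hostname>: returns 0 if <hostname> appears as a DNS SAN.
cert_has_name() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qF "DNS:$2"
}

# cert_files_private <file>...: returns 0 if every file is mode 600.
cert_files_private() {
    for f in "$@"; do
        case $(ls -l "$f") in
            -rw-------*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}
```

Point ssl_certificate and ssl_certificate_key at the two files it writes, as in the server block below.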

3. Create the root directory for the HTTPS site:

[root@centos7.6 certs]# mkdir /data/ssl/
[root@centos7.6 certs]# echo /data/ssl/index.html >/data/ssl/index.html

4. Configure HTTPS: separate HTTP and HTTPS virtual hosts

In this example HTTP and HTTPS are served by two separate virtual hosts with different root directories.

[root@centos7.6 certs]# vim /apps/nginx4/conf/conf.d/test.conf 

server {                                                     # dedicated HTTPS virtual host
        listen 443 ssl;
        server_name www.magedu.org;
        root /data/ssl/;
        #ssl on;                                             # removed in 1.15; enable SSL with the ssl parameter of listen instead
        ssl_certificate /apps/nginx4/ssl/magedu.org.crt;     # certificate
        ssl_certificate_key /apps/nginx4/ssl/magedu.org.key; # private key
        ssl_session_cache shared:sslcache:20m;
        ssl_session_timeout 10m;
        access_log /apps/nginx4/logs/magedu.org.ssl.access.log  access_json ;  # separate log for HTTPS
}
server {                                                     # HTTP virtual host; listens on port 80 by default
        server_name www.magedu.org;
        root /data/site14/;
        access_log /apps/nginx4/logs/magedu.org.access.log  access_json ;
        default_type text/html ;

        gzip on;
        gzip_comp_level 6;
        gzip_min_length 64;
        gzip_vary on;
        gzip_types text/xml text/css application/javascript;
}

Check the listening ports:

[root@centos7.6 certs]# ss -lnt
State       Recv-Q Send-Q                        Local Address:Port                  Peer Address:Port
LISTEN      0      128                                       *:80                               *:*
LISTEN      0      128                                       *:443                              *:*

Verification: access the site over HTTPS.

At this point HTTP and HTTPS are two separate virtual hosts with different root directories, which is clearly not sensible; the next step is to make HTTP and HTTPS serve the same content.

Method 1: give the HTTP and HTTPS virtual hosts the same root directory

[root@centos7.6 certs]# vim /apps/nginx4/conf/conf.d/test.conf 

server {
        listen 443 ssl;
        server_name www.magedu.org;
        root /data/site14/;
        #ssl on;
        ssl_certificate /apps/nginx4/ssl/magedu.org.crt;
        ssl_certificate_key /apps/nginx4/ssl/magedu.org.key;
        ssl_session_cache shared:sslcache:20m;
        ssl_session_timeout 10m;
        access_log /apps/nginx4/logs/magedu.org.ssl.access.log  access_json ;
}
server {
        server_name www.magedu.org;
        root /data/site14/;
        access_log /apps/nginx4/logs/magedu.org.access.log  access_json ;
        default_type text/html ;

        gzip on;
        gzip_comp_level 6;
        gzip_min_length 64;
        gzip_vary on;
        gzip_types text/xml text/css application/javascript;
}

Method 2: one virtual host listening on both port 80 and port 443

[root@centos7.6 certs]# vim /apps/nginx4/conf/conf.d/test.conf 

server {
        listen 443 ssl;
        listen 80;
        server_name www.magedu.org;
        root /data/site14/;
        #ssl on;
        ssl_certificate /apps/nginx4/ssl/magedu.org.crt;
        ssl_certificate_key /apps/nginx4/ssl/magedu.org.key;
        ssl_session_cache shared:sslcache:20m;
        ssl_session_timeout 10m;
        access_log /apps/nginx4/logs/magedu.org.ssl.access.log  access_json ;
}
#server {

#       server_name www.magedu.org;
#       root /data/site14/;
#       access_log /apps/nginx4/logs/magedu.org.access.log  access_json ;
#       default_type text/html ;
#}


However, neither method above is a proper HTTP-to-HTTPS redirect: a user who types an http:// URL instead of https:// is still served over plain HTTP, so even though a secure HTTPS path exists, unencrypted access keeps working.

For the HTTP-to-HTTPS rewrite, see the rewrite configuration.