Nginx配置单向HTTPS

[root@iZ23dastruaZ ~]# mkdir test_ngx_https
[root@iZ23dastruaZ ~]# cd test_ngx_https/
[root@iZ23dastruaZ test_ngx_https]# mkdir certs private
[root@iZ23dastruaZ test_ngx_https]# touch index.txt && echo 01 1>serial
[root@iZ23dastruaZ test_ngx_https]# vim openssl.cnf 

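  1 # OpenSSL CA config for this test directory: a self-signed root CA created
  2 # with "openssl req -x509 -config openssl.cnf", leaf certificates signed into
  3 # ./certs with "openssl ca -config openssl.cnf".
  4 [ ca ]
  5 default_ca = root_ca
  6 
  7 [ root_ca ]
  8 dir = .
  9 certificate = $dir/cacert.pem
 10 database = $dir/index.txt
 11 new_certs_dir = $dir/certs
 12 private_key = $dir/private/cakey.pem
 13 serial = $dir/serial
 14 
 15 default_crl_days = 7
 16 default_days = 365
 17 default_md = sha256
 18 
 19 policy = root_ca_policy
 20 x509_extensions = certificate_extensions
 21 
 22 # DN fields a CSR must carry before it is signed. "supplied" checks presence
 23 # only; it does not require the value to match the CA's own DN.
 24 [ root_ca_policy ]
 25 commonName = supplied
 26 stateOrProvinceName = supplied
 27 countryName = supplied
 28 emailAddress = supplied
 29 organizationName = supplied
 30 organizationalUnitName = optional
 31 
 32 # Extensions stamped on every issued leaf; the server and the client
 33 # certificate share this section. basicConstraints is critical so a leaf can
 34 # never act as an intermediate CA; keyUsage covers both TLS roles.
 35 # NOTE: no subjectAltName is set, so hostname checks fall back to the CN.
 36 # Clients that ignore the CN need "subjectAltName = DNS:www.timd.cn" here.
 37 [ certificate_extensions ]
 38 basicConstraints = critical, CA:false
 39 keyUsage = critical, digitalSignature, keyEncipherment
 40 subjectKeyIdentifier = hash
 41 authorityKeyIdentifier = keyid
 42 
 43 # Used by "openssl req -x509" for the root only; the leaf CSRs on this page
 44 # are created without -config and therefore prompt interactively.
 45 [ req ]
 46 default_bits = 2048
 47 default_keyfile = ./private/cakey.pem
 48 default_md = sha256
 49 prompt = no
 50 distinguished_name = root_ca_distinguished_name
 51 x509_extensions = root_ca_extensions
 52 
 53 [ root_ca_distinguished_name ]
 54 commonName = TIMD ROOT CA
 55 stateOrProvinceName = BJ
 56 countryName = CN
 57 emailAddress = root_ca@timd.cn
 58 organizationName = Root Certification Authority
 59 
 60 # Extensions of the self-signed root. RFC 5280 requires CA:true to be
 61 # critical; keyUsage limits the root key to signing certificates and CRLs.
 62 [ root_ca_extensions ]
 63 basicConstraints = critical, CA:true
 64 keyUsage = critical, keyCertSign, cRLSign
 65 subjectKeyIdentifier = hash
 66 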

[root@iZ23dastruaZ test_ngx_https]# openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 365 -config openssl.cnf 
Generating a 2048 bit RSA private key
......+++
.....................................................................................................+++
writing new private key to '/var/root_ca/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----

记住加密私钥的密码。

[root@iZ23dastruaZ test_ngx_https]# openssl genrsa -out private/testcert.key.pem 2048
Generating RSA private key, 2048 bit long modulus
.............................................+++
......................................................+++
e is 65537 (0x10001)

[root@iZ23dastruaZ test_ngx_https]# openssl req -new -key private/testcert.key.pem -out testcert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Changping
Organization Name (eg, company) [Default Company Ltd]:TIMD.CN
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.timd.cn
Email Address []:testcert@timd.cn

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

注意:Common Name,应该是域名;因为是测试所以私钥没用密码进行保护。

[root@iZ23dastruaZ test_ngx_https]# openssl ca -in testcert.csr -config openssl.cnf -out certs/testcert.pem
[root@iZ23dastruaZ test_ngx_https]# vim nginx.conf 

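  1 # Test nginx.conf, run with "nginx -c nginx.conf -p ." from test_ngx_https:
  2 # one-way HTTPS (only the server authenticates) on port 9191.
  3 worker_processes  auto;
  4 
  5 events {
  6     worker_connections  1024;
  7 }
  8 
  9 http {
 10     include       /usr/local/openresty/nginx/conf/mime.types;
 11     default_type  application/octet-stream;
 12     keepalive_timeout  60;
 13     tcp_nodelay on;
 14 
 15     server {
 16         listen       9191 ssl;
 17         server_name  www.timd.cn;
 18 
 19         ssl_buffer_size 4k;
 20         # Paths are relative to the prefix given with -p (this directory).
 21         ssl_certificate certs/testcert.pem;
 22         ssl_certificate_key private/testcert.key.pem;
 23         ssl_ciphers HIGH:!aNULL:!MD5;
 24         # Only needed if the server key is passphrase-protected (it is not here).
 25         #ssl_password_file password.file;
 26         ssl_prefer_server_ciphers on;
 27         # SSLv3 removed (POODLE). TLSv1/TLSv1.1 are kept only for the old
 28         # Python 2.6 client used in this test; prefer TLSv1.2 alone elsewhere.
 29         ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 30         ssl_session_cache shared:SSL_CACHE:10m;
 31         ssl_session_timeout 10m;
 32 
 33         location / {
 34             autoindex on;
 35             autoindex_exact_size off;
 36             autoindex_localtime on;
 37 
 38             # Serve a dedicated, empty directory (mkdir -p html logs).
 39             # "root ." would expose private/ (CA and server keys), index.txt,
 40             # serial, openssl.cnf and this file to every client, with a
 41             # directory listing on top.
 42             root html;
 43         }
 44     }
 45 }
 46 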
[root@iZ23dastruaZ test_ngx_https]# mkdir -p logs
[root@iZ23dastruaZ test_ngx_https]# /usr/local/openresty/nginx/sbin/nginx -c nginx.conf -p .
[root@iZ23dastruaZ test_ngx_https]# python
Python 2.6.6 (r266:84292, Jul 23 2015, 15:22:56) 
[GCC 4.4.7 20120313 (Red Hat 4.4.7-11)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get("https://www.timd.cn:9191/")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.6/site-packages/requests-2.8.1-py2.6.egg/requests/api.py", line 69, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python2.6/site-packages/requests-2.8.1-py2.6.egg/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.6/site-packages/requests-2.8.1-py2.6.egg/requests/sessions.py", line 468, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.6/site-packages/requests-2.8.1-py2.6.egg/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.6/site-packages/requests-2.8.1-py2.6.egg/requests/adapters.py", line 433, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>> requests.get("https://www.timd.cn:9191/", verify="cacert.pem")

>>> 

Nginx配置双向HTTPS

* 创建客户端证书,并使用自建CA给其签名  
[root@iZ23dastruaZ test_ngx_https]# openssl genrsa -out private/client.key.pem 2048
Generating RSA private key, 2048 bit long modulus
............................................................................................................+++
....+++
e is 65537 (0x10001)

[root@iZ23dastruaZ test_ngx_https]# openssl req -new -key private/client.key.pem -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Changping
Organization Name (eg, company) [Default Company Ltd]:TIMD.CN
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.timd.cn
Email Address []:clientcert@timd.cn

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@iZ23dastruaZ test_ngx_https]# openssl ca -in client.csr -config openssl.cnf -out certs/client.pem
Using configuration from openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :ASN.1 12:'Beijing'
localityName          :ASN.1 12:'Changping'
organizationName      :ASN.1 12:'TIMD.CN'
commonName            :ASN.1 12:'www.timd.cn'
emailAddress          :IA5STRING:'clientcert@timd.cn'
Certificate is to be certified until Jul  2 17:11:05 2017 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@iZ23dastruaZ test_ngx_https]# vim nginx.conf 

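  1 # Test nginx.conf, run with "nginx -c nginx.conf -p ." from test_ngx_https:
  2 # mutual TLS on port 9191, clients must present a certificate from the test CA.
  3 worker_processes  auto;
  4 
  5 events {
  6     worker_connections  1024;
  7 }
  8 
  9 http {
 10     include       /usr/local/openresty/nginx/conf/mime.types;
 11     default_type  application/octet-stream;
 12     keepalive_timeout  60;
 13     tcp_nodelay on;
 14 
 15     server {
 16         listen       9191 ssl;
 17         server_name  www.timd.cn;
 18 
 19         ssl_buffer_size 4k;
 20         # Paths are relative to the prefix given with -p (this directory).
 21         ssl_certificate certs/testcert.pem;
 22         ssl_certificate_key private/testcert.key.pem;
 23         ssl_ciphers HIGH:!aNULL:!MD5;
 24         # Only needed if the server key is passphrase-protected (it is not here).
 25         #ssl_password_file password.file;
 26         ssl_prefer_server_ciphers on;
 27         # SSLv3 removed (POODLE). TLSv1/TLSv1.1 are kept only for the old
 28         # Python 2.6 client used in this test; prefer TLSv1.2 alone elsewhere.
 29         ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 30         ssl_session_cache shared:SSL_CACHE:10m;
 31         ssl_session_timeout 10m;
 32 
 33         # Client authentication: the presented certificate must chain to
 34         # cacert.pem (the test root CA). Depth 1 = leaf signed directly by
 35         # that root, which is how certs/client.pem was issued.
 36         # No ssl_crl is configured, so a revoked client certificate is still
 37         # accepted until it expires.
 38         #ssl_crl ``file``;
 39         #ssl_trusted_certificate ``file``;
 40         ssl_client_certificate cacert.pem;
 41         ssl_verify_client on;
 42         ssl_verify_depth 1;
 43 
 44         location / {
 45             autoindex on;
 46             autoindex_exact_size off;
 47             autoindex_localtime on;
 48 
 49             # Serve a dedicated, empty directory (mkdir -p html logs).
 50             # "root ." would expose private/ (CA, server and client keys),
 51             # index.txt, serial, openssl.cnf and this file to every
 52             # authenticated client, with a directory listing on top.
 53             root html;
 54         }
 55     }
 56 }
 57 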
[root@iZ23dastruaZ test_ngx_https]# /usr/local/openresty/nginx/sbin/nginx -c nginx.conf -p . -s reload

Nginx代理单向HTTPS

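  1 # Test nginx.conf, run with "nginx -c nginx.conf -p ." from test_ngx_https:
  2 # HTTPS server on 9191 (one-way TLS) plus a plain-HTTP proxy on 9292 that
  3 # forwards to it over TLS and verifies its certificate.
  4 worker_processes  4;
  5 
  6 events {
  7     worker_connections  1024;
  8 }
  9 
 10 http {
 11     include       /usr/local/openresty/nginx/conf/mime.types;
 12     default_type  application/octet-stream;
 13     keepalive_timeout  60;
 14     tcp_nodelay on;
 15 
 16     server {
 17         listen       9191 ssl;
 18         server_name  www.timd.cn;
 19 
 20         ssl_buffer_size 4k;
 21         # Paths are relative to the prefix given with -p (this directory).
 22         ssl_certificate certs/testcert.pem;
 23         ssl_certificate_key private/testcert.key.pem;
 24         ssl_ciphers HIGH:!aNULL:!MD5;
 25         #ssl_password_file password.file;
 26         ssl_prefer_server_ciphers on;
 27         # SSLv3 removed (POODLE). TLSv1/TLSv1.1 are kept only for the old
 28         # Python 2.6 client used in this test; prefer TLSv1.2 alone elsewhere.
 29         ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 30         ssl_session_cache shared:SSL_CACHE:10m;
 31         ssl_session_timeout 10m;
 32 
 33         # Client verification is left off for the one-way case.
 34         ##ssl_crl ``file``;
 35         ##ssl_trusted_certificate ``file``;
 36         #ssl_client_certificate cacert.pem;
 37         #ssl_verify_client on;
 38         #ssl_verify_depth 1;
 39 
 40         location / {
 41             autoindex on;
 42             autoindex_exact_size off;
 43             autoindex_localtime on;
 44 
 45             # Serve a dedicated, empty directory (mkdir -p html logs).
 46             # "root ." would expose private/ (CA and server keys), index.txt,
 47             # serial, openssl.cnf and this file to every client, with a
 48             # directory listing on top.
 49             root html;
 50         }
 51     }
 52 
 53     # Cleartext front on 9292. Fine on a test box; anything that reaches
 54     # this port travels unencrypted until the proxy re-encrypts it to 9191.
 55     server {
 56         listen 9292;
 57         server_name www.timd.cn;
 58         location / {
 59             proxy_pass https://www.timd.cn:9191;
 60             proxy_set_header Host $host;
 61             proxy_redirect off;
 62             # Header name fixed: the misspelled "X-Forwared-For" is not
 63             # recognised as the standard header by anything downstream.
 64             proxy_set_header X-Forwarded-For $remote_addr;
 65 
 66             proxy_ssl_ciphers HIGH:!aNULL:!MD5;
 67             #proxy_ssl_crl ``file``;
 68             # Send SNI so the upstream can select the matching certificate.
 69             proxy_ssl_server_name on;
 70             proxy_ssl_session_reuse on;
 71             # SSLv3 removed (POODLE); mirrors ssl_protocols above.
 72             proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 73             # The upstream certificate is checked against the test root CA;
 74             # without proxy_ssl_verify on it would not be checked at all.
 75             proxy_ssl_trusted_certificate ./cacert.pem;
 76             proxy_ssl_verify on;
 77             proxy_ssl_verify_depth 1;
 78         }
 79     }
 80 }
 81 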
[root@iZ23dastruaZ test_ngx_https]# /usr/local/openresty/nginx/sbin/nginx -c nginx.conf -p . -s reload
[root@iZ23dastruaZ test_ngx_https]# python
Python 2.6.6 (r266:84292, Jul 23 2015, 15:22:56) 
[GCC 4.4.7 20120313 (Red Hat 4.4.7-11)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get("http://www.timd.cn:9292/")

>>> 

Nginx代理双向HTTPS

首先测试一种失败的情况:后端(9191)开启了 ssl_verify_client on,要求客户端出示证书,但代理端(9292)没有配置 proxy_ssl_certificate,所以代理转发的请求会被后端拒绝。

[root@iZ23dastruaZ test_ngx_https]# vim nginx.conf 

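  1 # Test nginx.conf, run with "nginx -c nginx.conf -p ." from test_ngx_https:
  2 # mutual-TLS server on 9191 plus a plain-HTTP proxy on 9292. This variant
  3 # is the deliberately failing one: the proxy presents no client certificate.
  4 worker_processes  4;
  5 
  6 events {
  7     worker_connections  1024;
  8 }
  9 
 10 http {
 11     include       /usr/local/openresty/nginx/conf/mime.types;
 12     default_type  application/octet-stream;
 13     keepalive_timeout  60;
 14     tcp_nodelay on;
 15 
 16     server {
 17         listen       9191 ssl;
 18         server_name  www.timd.cn;
 19 
 20         ssl_buffer_size 4k;
 21         # Paths are relative to the prefix given with -p (this directory).
 22         ssl_certificate certs/testcert.pem;
 23         ssl_certificate_key private/testcert.key.pem;
 24         ssl_ciphers HIGH:!aNULL:!MD5;
 25         #ssl_password_file password.file;
 26         ssl_prefer_server_ciphers on;
 27         # SSLv3 removed (POODLE). TLSv1/TLSv1.1 are kept only for the old
 28         # Python 2.6 client used in this test; prefer TLSv1.2 alone elsewhere.
 29         ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 30         ssl_session_cache shared:SSL_CACHE:10m;
 31         ssl_session_timeout 10m;
 32 
 33         # Client authentication: the presented certificate must chain to
 34         # cacert.pem (the test root CA); depth 1 = leaf signed directly by it.
 35         # No ssl_crl is configured, so a revoked client certificate is still
 36         # accepted until it expires.
 37         #ssl_crl ``file``;
 38         #ssl_trusted_certificate ``file``;
 39         ssl_client_certificate cacert.pem;
 40         ssl_verify_client on;
 41         ssl_verify_depth 1;
 42 
 43         location / {
 44             autoindex on;
 45             autoindex_exact_size off;
 46             autoindex_localtime on;
 47 
 48             # Serve a dedicated, empty directory (mkdir -p html logs).
 49             # "root ." would expose private/ (CA, server and client keys),
 50             # index.txt, serial, openssl.cnf and this file to every
 51             # authenticated client, with a directory listing on top.
 52             root html;
 53         }
 54     }
 55 
 56     # Cleartext front on 9292. Fine on a test box; anything that reaches
 57     # this port travels unencrypted until the proxy re-encrypts it to 9191.
 58     server {
 59         listen 9292;
 60         server_name www.timd.cn;
 61         location / {
 62             proxy_pass https://www.timd.cn:9191;
 63             proxy_set_header Host $host;
 64             proxy_redirect off;
 65             # Header name fixed: the misspelled "X-Forwared-For" is not
 66             # recognised as the standard header by anything downstream.
 67             proxy_set_header X-Forwarded-For $remote_addr;
 68 
 69             proxy_ssl_ciphers HIGH:!aNULL:!MD5;
 70             #proxy_ssl_crl ``file``;
 71             # Send SNI so the upstream can select the matching certificate.
 72             proxy_ssl_server_name on;
 73             proxy_ssl_session_reuse on;
 74             # SSLv3 removed (POODLE); mirrors ssl_protocols above.
 75             proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 76             # The upstream certificate is checked against the test root CA;
 77             # without proxy_ssl_verify on it would not be checked at all.
 78             proxy_ssl_trusted_certificate ./cacert.pem;
 79             proxy_ssl_verify on;
 80             proxy_ssl_verify_depth 1;
 81 
 82             # Deliberately incomplete: the upstream has ssl_verify_client on
 83             # but no proxy_ssl_certificate/proxy_ssl_certificate_key is set
 84             # here, so the upstream rejects the proxied request.
 85         }
 86     }
 87 }
 88 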
[root@iZ23dastruaZ test_ngx_https]# /usr/local/openresty/nginx/sbin/nginx -c nginx.conf -p . -s reload
[root@iZ23dastruaZ test_ngx_https]# python
Python 2.6.6 (r266:84292, Jul 23 2015, 15:22:56) 
[GCC 4.4.7 20120313 (Red Hat 4.4.7-11)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get("http://www.timd.cn:9292/")

>>> 

下面是能够成功代理双向HTTPS的配置:与上面相比只多了 proxy_ssl_certificate 和 proxy_ssl_certificate_key 两行,代理用 certs/client.pem(由自建CA签发)向后端证明自己的身份。

[root@iZ23dastruaZ test_ngx_https]# vim nginx.conf 

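  1 # Test nginx.conf, run with "nginx -c nginx.conf -p ." from test_ngx_https:
  2 # mutual-TLS server on 9191 plus a plain-HTTP proxy on 9292 that presents
  3 # the CA-signed client certificate and verifies the upstream certificate.
  4 worker_processes  4;
  5 
  6 events {
  7     worker_connections  1024;
  8 }
  9 
 10 http {
 11     include       /usr/local/openresty/nginx/conf/mime.types;
 12     default_type  application/octet-stream;
 13     keepalive_timeout  60;
 14     tcp_nodelay on;
 15 
 16     server {
 17         listen       9191 ssl;
 18         server_name  www.timd.cn;
 19 
 20         ssl_buffer_size 4k;
 21         # Paths are relative to the prefix given with -p (this directory).
 22         ssl_certificate certs/testcert.pem;
 23         ssl_certificate_key private/testcert.key.pem;
 24         ssl_ciphers HIGH:!aNULL:!MD5;
 25         #ssl_password_file password.file;
 26         ssl_prefer_server_ciphers on;
 27         # SSLv3 removed (POODLE). TLSv1/TLSv1.1 are kept only for the old
 28         # Python 2.6 client used in this test; prefer TLSv1.2 alone elsewhere.
 29         ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 30         ssl_session_cache shared:SSL_CACHE:10m;
 31         ssl_session_timeout 10m;
 32 
 33         # Client authentication: the presented certificate must chain to
 34         # cacert.pem (the test root CA); depth 1 = leaf signed directly by it.
 35         # No ssl_crl is configured, so a revoked client certificate is still
 36         # accepted until it expires.
 37         #ssl_crl ``file``;
 38         #ssl_trusted_certificate ``file``;
 39         ssl_client_certificate cacert.pem;
 40         ssl_verify_client on;
 41         ssl_verify_depth 1;
 42 
 43         location / {
 44             autoindex on;
 45             autoindex_exact_size off;
 46             autoindex_localtime on;
 47 
 48             # Serve a dedicated, empty directory (mkdir -p html logs).
 49             # "root ." would expose private/ (CA, server and client keys),
 50             # index.txt, serial, openssl.cnf and this file to every
 51             # authenticated client, with a directory listing on top.
 52             root html;
 53         }
 54     }
 55 
 56     # Cleartext front on 9292. Fine on a test box; anything that reaches
 57     # this port travels unencrypted until the proxy re-encrypts it to 9191.
 58     server {
 59         listen 9292;
 60         server_name www.timd.cn;
 61         location / {
 62             proxy_pass https://www.timd.cn:9191;
 63             proxy_set_header Host $host;
 64             proxy_redirect off;
 65             # Header name fixed: the misspelled "X-Forwared-For" is not
 66             # recognised as the standard header by anything downstream.
 67             proxy_set_header X-Forwarded-For $remote_addr;
 68 
 69             proxy_ssl_ciphers HIGH:!aNULL:!MD5;
 70             #proxy_ssl_crl ``file``;
 71             # Send SNI so the upstream can select the matching certificate.
 72             proxy_ssl_server_name on;
 73             proxy_ssl_session_reuse on;
 74             # SSLv3 removed (POODLE); mirrors ssl_protocols above.
 75             proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 76             # The upstream certificate is checked against the test root CA;
 77             # without proxy_ssl_verify on it would not be checked at all.
 78             proxy_ssl_trusted_certificate ./cacert.pem;
 79             proxy_ssl_verify on;
 80             proxy_ssl_verify_depth 1;
 81 
 82             # Identity presented to the upstream, issued by the same test CA
 83             # that ssl_client_certificate above trusts. The key file is
 84             # unencrypted (generated without a passphrase on this page).
 85             proxy_ssl_certificate certs/client.pem;
 86             proxy_ssl_certificate_key private/client.key.pem;
 87         }
 88     }
 89 }
 90 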
[root@iZ23dastruaZ test_ngx_https]# /usr/local/openresty/nginx/sbin/nginx -c nginx.conf -p . -s reload
[root@iZ23dastruaZ test_ngx_https]# python
Python 2.6.6 (r266:84292, Jul 23 2015, 15:22:56) 
[GCC 4.4.7 20120313 (Red Hat 4.4.7-11)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get("http://www.timd.cn:9292/")

>>>