Nginx配置HTTPS的例子

Nginx配置单向HTTPS

  • 自建CA
[root@iZ23dastruaZ ~]# mkdir test_ngx_https
[root@iZ23dastruaZ ~]# cd test_ngx_https/
[root@iZ23dastruaZ test_ngx_https]# mkdir certs private
[root@iZ23dastruaZ test_ngx_https]# touch index.txt && echo 01 1>serial
[root@iZ23dastruaZ test_ngx_https]# vim openssl.cnf 

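  # openssl.cnf -- minimal self-built CA used by this walkthrough.
  # Used twice: `openssl req -x509 ... -config openssl.cnf` creates the CA
  # certificate (the [ req ] section), and `openssl ca -config openssl.cnf`
  # signs the server and the client CSRs (the [ ca ] section).
  [ ca ]
  default_ca = root_ca

  [ root_ca ]
  dir = .
  certificate = $dir/cacert.pem
  database = $dir/index.txt
  new_certs_dir = $dir/certs
  # CA signing key: keep it readable by the CA operator only (chmod 600) and
  # never inside a directory that nginx serves.
  private_key = $dir/private/cakey.pem
  serial = $dir/serial

  default_crl_days = 7
  default_days = 365
  # SHA-256 signatures; SHA-1/MD5-signed certificates are rejected by current clients.
  default_md = sha256

  policy = root_ca_policy
  x509_extensions = certificate_extensions

  # Which subject fields a CSR must carry.  Fields not listed here are dropped
  # from the issued certificate by `openssl ca`, so localityName (entered as
  # "Changping" in the walkthrough's CSRs) is declared optional to keep it.
  [ root_ca_policy ]
  commonName = supplied
  stateOrProvinceName = supplied
  countryName = supplied
  localityName = optional
  emailAddress = supplied
  organizationName= supplied
  organizationalUnitName = optional

  # Extensions stamped on every certificate this CA issues.  The walkthrough
  # signs both the server certificate and the client certificate with this one
  # section, so extendedKeyUsage covers both roles; a production CA should use
  # two sections (selected with `openssl ca -extensions <name>`) so that a
  # server certificate cannot double as a client credential and vice versa.
  [ certificate_extensions ]
  basicConstraints = critical, CA:false
  keyUsage = critical, digitalSignature, keyEncipherment
  extendedKeyUsage = serverAuth, clientAuth
  subjectKeyIdentifier = hash
  authorityKeyIdentifier = keyid:always
  # Modern clients match the host name against subjectAltName, not the CN.
  # Enable (and adjust) this when issuing the server certificate:
  #subjectAltName = DNS:www.timd.cn

  [ req ]
  default_bits = 2048
  default_keyfile = ./private/cakey.pem
  default_md = sha256
  prompt = no
  distinguished_name = root_ca_distinguished_name
  x509_extensions = root_ca_extensions

  [ root_ca_distinguished_name ]
  commonName = TIMD ROOT CA
  stateOrProvinceName = BJ
  countryName = CN
  emailAddress = root_ca@timd.cn
  organizationName = Root Certification Authority

  # Extensions of the self-signed CA certificate: mark it as a CA (critical)
  # and restrict its key to signing certificates and CRLs.
  [ root_ca_extensions ]
  basicConstraints = critical, CA:true
  keyUsage = critical, keyCertSign, cRLSign
  subjectKeyIdentifier = hash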
 47 

[root@iZ23dastruaZ test_ngx_https]# openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 365 -config openssl.cnf 
Generating a 2048 bit RSA private key  
......+++
.....................................................................................................+++
writing new private key to './private/cakey.pem'  
Enter PEM pass phrase:  
Verifying - Enter PEM pass phrase:  
-----


记住加密 CA 私钥(private/cakey.pem)的口令:后面每次用 `openssl ca` 签发证书都需要输入它。这个私钥是整条信任链的根,拿到它的人就能签发被 Nginx 和客户端信任的任意证书,务必限制文件权限(如 chmod 600),并且不要把它放在 Nginx 会对外提供的目录里。

  • 生成证书签名请求
[root@iZ23dastruaZ test_ngx_https]# openssl genrsa -out private/testcert.key.pem 2048
Generating RSA private key, 2048 bit long modulus  
.............................................+++
......................................................+++
e is 65537 (0x10001)

[root@iZ23dastruaZ test_ngx_https]# openssl req -new -key private/testcert.key.pem -out testcert.csr
You are about to be asked to enter information that will be incorporated  
into your certificate request.  
What you are about to enter is what is called a Distinguished Name or a DN.  
There are quite a few fields but you can leave some blank  
For some fields there will be a default value,  
If you enter '.', the field will be left blank.  
-----
Country Name (2 letter code) [XX]:CN  
State or Province Name (full name) []:Beijing  
Locality Name (eg, city) [Default City]:Changping  
Organization Name (eg, company) [Default Company Ltd]:TIMD.CN  
Organizational Unit Name (eg, section) []:  
Common Name (eg, your name or your server's hostname) []:www.timd.cn  
Email Address []:testcert@timd.cn

Please enter the following 'extra' attributes  
to be sent with your certificate request  
A challenge password []:  
An optional company name []:  


注意:Common Name 应该是服务器的域名(这里是 www.timd.cn),客户端校验证书时会拿它和请求的主机名比较;较新的浏览器和 TLS 库已经不再看 CN 而只看 subjectAltName,正式环境请在证书中加入 SAN。因为是测试,所以服务器私钥没用密码进行保护;若要加密私钥,可配合 Nginx 的 ssl_password_file 指令,并确保私钥文件只有 root 可读。

  • 使用自建的CA给CSR签名
openssl ca -in testcert.csr -config openssl.cnf -out certs/testcert.pem  
  • Nginx的配置
[root@iZ23dastruaZ test_ngx_https]# vim nginx.conf 

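  # nginx.conf -- one-way (server-authenticated) HTTPS on port 9191.
  # Started with `nginx -c nginx.conf -p .`, so every relative path below
  # resolves against the test_ngx_https working directory.
  worker_processes  auto;

  events {
      worker_connections  1024;
  }

  http {
      include       /usr/local/openresty/nginx/conf/mime.types;
      default_type  application/octet-stream;
      keepalive_timeout  60;
      tcp_nodelay on;

      server {
          listen       9191 ssl;
          server_name  www.timd.cn;

          ssl_buffer_size 4k;
          # Server certificate issued by the self-built CA and its (unencrypted)
          # private key; the key file must be readable by root only (chmod 600).
          ssl_certificate certs/testcert.pem;
          ssl_certificate_key private/testcert.key.pem;
          # HIGH still admits non-forward-secret RSA key exchange; an explicit
          # ECDHE-only list is preferable outside a test setup.
          ssl_ciphers HIGH:!aNULL:!MD5;
          # If the key is encrypted, keep the pass phrase in a root-only file.
          #ssl_password_file password.file;
          ssl_prefer_server_ciphers on;
          # SSLv3 (POODLE) and TLS 1.0/1.1 (deprecated by RFC 8996) are no
          # longer offered.  Add TLSv1.3 once nginx >= 1.13 is built against
          # OpenSSL >= 1.1.1; older builds reject the token.
          ssl_protocols TLSv1.2;
          ssl_session_cache shared:SSL_CACHE:10m;
          ssl_session_timeout 10m;

          location / {
              autoindex on;
              autoindex_exact_size off;
              autoindex_localtime on;

              # Serve a dedicated document root (`mkdir www` before starting).
              # The original `root .;` published the whole prefix directory --
              # private/cakey.pem, private/testcert.key.pem, index.txt, serial
              # and nginx.conf -- as a browsable listing.
              root www;
          }
      }
  }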
  • 启动Nginx
[root@iZ23dastruaZ test_ngx_https]# mkdir -p logs
[root@iZ23dastruaZ test_ngx_https]# /usr/local/openresty/nginx/sbin/nginx -c nginx.conf -p .
  • 测试
[root@iZ23dastruaZ test_ngx_https]# python
Python 2.6.6 (r266:84292, Jul 23 2015, 15:22:56)  
[GCC 4.4.7 20120313 (Red Hat 4.4.7-11)] on linux2
Type "help", "copyright", "credits" or "license" for more information.  
>>> import requests
>>> requests.get("https://www.timd.cn:9191/")
Traceback (most recent call last):  
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.6/site-packages/requests-2.8.1-py2.6.egg/requests/api.py", line 69, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python2.6/site-packages/requests-2.8.1-py2.6.egg/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.6/site-packages/requests-2.8.1-py2.6.egg/requests/sessions.py", line 468, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.6/site-packages/requests-2.8.1-py2.6.egg/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.6/site-packages/requests-2.8.1-py2.6.egg/requests/adapters.py", line 433, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed  
>>> requests.get("https://www.timd.cn:9191/", verify="cacert.pem")
<Response [200]>  
>>> 

Nginx配置双向HTTPS

  • 创建客户端证书,并使用自建CA给其签名
[root@iZ23dastruaZ test_ngx_https]# openssl genrsa -out private/client.key.pem 2048
Generating RSA private key, 2048 bit long modulus  
............................................................................................................+++
....+++
e is 65537 (0x10001)

[root@iZ23dastruaZ test_ngx_https]# openssl req -new -key private/client.key.pem -out client.csr
You are about to be asked to enter information that will be incorporated  
into your certificate request.  
What you are about to enter is what is called a Distinguished Name or a DN.  
There are quite a few fields but you can leave some blank  
For some fields there will be a default value,  
If you enter '.', the field will be left blank.  
-----
Country Name (2 letter code) [XX]:CN  
State or Province Name (full name) []:Beijing  
Locality Name (eg, city) [Default City]:Changping  
Organization Name (eg, company) [Default Company Ltd]:TIMD.CN  
Organizational Unit Name (eg, section) []:  
Common Name (eg, your name or your server's hostname) []:www.timd.cn  
Email Address []:clientcert@timd.cn

Please enter the following 'extra' attributes  
to be sent with your certificate request  
A challenge password []:  
An optional company name []:

[root@iZ23dastruaZ test_ngx_https]# openssl ca -in client.csr -config openssl.cnf -out certs/client.pem
Using configuration from openssl.cnf  
Enter pass phrase for ./private/cakey.pem:  
Check that the request matches the signature  
Signature ok  
The Subject's Distinguished Name is as follows  
countryName           :PRINTABLE:'CN'  
stateOrProvinceName   :ASN.1 12:'Beijing'  
localityName          :ASN.1 12:'Changping'  
organizationName      :ASN.1 12:'TIMD.CN'  
commonName            :ASN.1 12:'www.timd.cn'  
emailAddress          :IA5STRING:'clientcert@timd.cn'  
Certificate is to be certified until Jul  2 17:11:05 2017 GMT (365 days)  
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y  
Write out database with 1 new entries  
Data Base Updated  
  • 修改Nginx配置文件
[root@iZ23dastruaZ test_ngx_https]# vim nginx.conf 

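  # nginx.conf -- mutual TLS on port 9191: the server presents its certificate
  # and in turn requires a client certificate issued by the self-built CA.
  # Started with `nginx -c nginx.conf -p .`, so relative paths resolve against
  # the test_ngx_https working directory.
  worker_processes  auto;

  events {
      worker_connections  1024;
  }

  http {
      include       /usr/local/openresty/nginx/conf/mime.types;
      default_type  application/octet-stream;
      keepalive_timeout  60;
      tcp_nodelay on;

      server {
          listen       9191 ssl;
          server_name  www.timd.cn;

          ssl_buffer_size 4k;
          # Server certificate and its (unencrypted) key; chmod 600 the key file.
          ssl_certificate certs/testcert.pem;
          ssl_certificate_key private/testcert.key.pem;
          ssl_ciphers HIGH:!aNULL:!MD5;
          #ssl_password_file password.file;
          ssl_prefer_server_ciphers on;
          # No SSLv3 (POODLE) or TLS 1.0/1.1 (RFC 8996); add TLSv1.3 on
          # nginx >= 1.13 built against OpenSSL >= 1.1.1.
          ssl_protocols TLSv1.2;
          ssl_session_cache shared:SSL_CACHE:10m;
          ssl_session_timeout 10m;

          # Client authentication.  Any certificate chaining to cacert.pem is
          # accepted -- the server's own certs/testcert.pem would pass too,
          # since this CA issues both with the same extension section -- and
          # nothing is ever treated as revoked until ssl_crl points at a CRL.
          # Authorize on $ssl_client_s_dn (or use a dedicated client CA) when
          # individual identities matter.
          #ssl_crl ``file``;
          #ssl_trusted_certificate ``file``;
          ssl_client_certificate cacert.pem;
          ssl_verify_client on;
          # Client certificates are issued directly by the root, so a longer
          # chain is rejected.
          ssl_verify_depth 1;

          location / {
              autoindex on;
              autoindex_exact_size off;
              autoindex_localtime on;

              # Dedicated document root (`mkdir www`); `root .;` would expose
              # the prefix directory, including private/*.pem, to every
              # authenticated client.
              root www;
          }
      }
  }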
  • 重启Nginx
[root@iZ23dastruaZ test_ngx_https]# /usr/local/openresty/nginx/sbin/nginx -c nginx.conf -p . -s reload
  • 测试
[root@iZ23dastruaZ test_ngx_https]# python
Python 2.6.6 (r266:84292, Jul 23 2015, 15:22:56)  
[GCC 4.4.7 20120313 (Red Hat 4.4.7-11)] on linux2
Type "help", "copyright", "credits" or "license" for more information.  
>>> import requests
>>> requests.get("https://www.timd.cn:9191/", verify="cacert.pem").content
'<html>\r\n<head><title>400 No required SSL certificate was sent</title></head>\r\n<body bgcolor="white">\r\n<center><h1>400 Bad Request</h1></center>\r\n<center>No required SSL certificate was sent</center>\r\n<hr><center>openresty/1.9.3.2</center>\r\n</body>\r\n</html>\r\n'  
>>> requests.get("https://www.timd.cn:9191/", verify="cacert.pem", cert=("certs/client.pem", "private/client.key.pem"))
<Response [200]>  
>>> 

Nginx代理单向HTTPS

  • 修改Nginx配置文件
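  # nginx.conf -- plain-HTTP front end on 9292 proxying to the HTTPS server on
  # 9191 (one-way TLS: the proxy verifies the back end, the back end does not
  # verify the proxy).  Started with `nginx -c nginx.conf -p .`, so relative
  # paths resolve against the test_ngx_https working directory.
  worker_processes  4;

  events {
      worker_connections  1024;
  }

  http {
      include       /usr/local/openresty/nginx/conf/mime.types;
      default_type  application/octet-stream;
      keepalive_timeout  60;
      tcp_nodelay on;

      # Back end: HTTPS server, client verification switched off in this step.
      server {
          listen       9191 ssl;
          server_name  www.timd.cn;

          ssl_buffer_size 4k;
          ssl_certificate certs/testcert.pem;
          ssl_certificate_key private/testcert.key.pem;
          ssl_ciphers HIGH:!aNULL:!MD5;
          #ssl_password_file password.file;
          ssl_prefer_server_ciphers on;
          # No SSLv3 (POODLE) or TLS 1.0/1.1 (RFC 8996); add TLSv1.3 on
          # nginx >= 1.13 built against OpenSSL >= 1.1.1.
          ssl_protocols TLSv1.2;
          ssl_session_cache shared:SSL_CACHE:10m;
          ssl_session_timeout 10m;

          # Mutual TLS disabled here; re-enabled in the next section.
          ##ssl_crl ``file``;
          ##ssl_trusted_certificate ``file``;
          #ssl_client_certificate cacert.pem;
          #ssl_verify_client on;
          #ssl_verify_depth 1;

          location / {
              autoindex on;
              autoindex_exact_size off;
              autoindex_localtime on;

              # Dedicated document root (`mkdir www`); `root .;` would list the
              # prefix directory, including private/*.pem, over the network.
              root www;
          }
      }

      # Front end: plain HTTP towards the client (demo only -- nothing protects
      # this hop), re-encrypted towards the back end.
      server {
          listen 9292;
          server_name www.timd.cn;
          location / {
              proxy_pass https://www.timd.cn:9191;
              proxy_set_header Host $host;
              proxy_redirect off;
              # The header name was misspelled ("X-Forwared-For"), so the back
              # end never received the client address.
              proxy_set_header X-Forwarded-For $remote_addr;

              proxy_ssl_ciphers HIGH:!aNULL:!MD5;
              #proxy_ssl_crl ``file``;
              # Send SNI and validate the back end's certificate against the
              # self-built CA.  proxy_ssl_name defaults to the host from
              # proxy_pass (www.timd.cn), which must match the certificate.
              proxy_ssl_server_name on;
              proxy_ssl_session_reuse on;
              proxy_ssl_protocols TLSv1.2;
              proxy_ssl_trusted_certificate ./cacert.pem;
              proxy_ssl_verify on;
              proxy_ssl_verify_depth 1;
          }
      }
  }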
  • 重启Nginx
[root@iZ23dastruaZ test_ngx_https]# /usr/local/openresty/nginx/sbin/nginx -c nginx.conf -p . -s reload
  • 测试
[root@iZ23dastruaZ test_ngx_https]# python
Python 2.6.6 (r266:84292, Jul 23 2015, 15:22:56)  
[GCC 4.4.7 20120313 (Red Hat 4.4.7-11)] on linux2
Type "help", "copyright", "credits" or "license" for more information.  
>>> import requests
>>> requests.get("http://www.timd.cn:9292/")
<Response [200]>  
>>> 

Nginx代理双向HTTPS

首先测试一种失败的情况:后端(9191)开启了 ssl_verify_client on,而代理端(9292)没有配置 proxy_ssl_certificate,因此代理向后端发起的 TLS 握手中不带客户端证书,后端会返回 400 "No required SSL certificate was sent"。

  • 修改Nginx配置文件
[root@iZ23dastruaZ test_ngx_https]# vim nginx.conf 

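  # nginx.conf -- deliberately failing mutual-TLS proxy: the back end on 9191
  # requires a client certificate, but the front end on 9292 presents none, so
  # the proxied request is answered with 400.  Started with
  # `nginx -c nginx.conf -p .`, so relative paths resolve against the
  # test_ngx_https working directory.
  worker_processes  4;

  events {
      worker_connections  1024;
  }

  http {
      include       /usr/local/openresty/nginx/conf/mime.types;
      default_type  application/octet-stream;
      keepalive_timeout  60;
      tcp_nodelay on;

      # Back end: HTTPS with mandatory client certificates.
      server {
          listen       9191 ssl;
          server_name  www.timd.cn;

          ssl_buffer_size 4k;
          ssl_certificate certs/testcert.pem;
          ssl_certificate_key private/testcert.key.pem;
          ssl_ciphers HIGH:!aNULL:!MD5;
          #ssl_password_file password.file;
          ssl_prefer_server_ciphers on;
          # No SSLv3 (POODLE) or TLS 1.0/1.1 (RFC 8996); add TLSv1.3 on
          # nginx >= 1.13 built against OpenSSL >= 1.1.1.
          ssl_protocols TLSv1.2;
          ssl_session_cache shared:SSL_CACHE:10m;
          ssl_session_timeout 10m;

          # Any certificate chaining to cacert.pem is accepted; revocation is
          # not checked until ssl_crl is set.
          #ssl_crl ``file``;
          #ssl_trusted_certificate ``file``;
          ssl_client_certificate cacert.pem;
          ssl_verify_client on;
          ssl_verify_depth 1;

          location / {
              autoindex on;
              autoindex_exact_size off;
              autoindex_localtime on;

              # Dedicated document root (`mkdir www`); `root .;` would list the
              # prefix directory, including private/*.pem, to every client.
              root www;
          }
      }

      # Front end: plain HTTP towards the client (demo only), TLS towards the
      # back end -- but WITHOUT a client certificate, which is the point of
      # this step.
      server {
          listen 9292;
          server_name www.timd.cn;
          location / {
              proxy_pass https://www.timd.cn:9191;
              proxy_set_header Host $host;
              proxy_redirect off;
              # Fixed header name (was "X-Forwared-For").
              proxy_set_header X-Forwarded-For $remote_addr;

              proxy_ssl_ciphers HIGH:!aNULL:!MD5;
              #proxy_ssl_crl ``file``;
              proxy_ssl_server_name on;
              proxy_ssl_session_reuse on;
              proxy_ssl_protocols TLSv1.2;
              proxy_ssl_trusted_certificate ./cacert.pem;
              proxy_ssl_verify on;
              proxy_ssl_verify_depth 1;
              # proxy_ssl_certificate / proxy_ssl_certificate_key are
              # intentionally absent: the back end rejects the handshake
              # with "400 No required SSL certificate was sent".
          }
      }
  }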
  • 重启Nginx
[root@iZ23dastruaZ test_ngx_https]# /usr/local/openresty/nginx/sbin/nginx -c nginx.conf -p . -s reload
  • 测试
[root@iZ23dastruaZ test_ngx_https]# python
Python 2.6.6 (r266:84292, Jul 23 2015, 15:22:56)  
[GCC 4.4.7 20120313 (Red Hat 4.4.7-11)] on linux2
Type "help", "copyright", "credits" or "license" for more information.  
>>> import requests
>>> requests.get("http://www.timd.cn:9292/")
<Response [400]>  
>>> 

下面是能够成功代理双向 HTTPS 的配置:与上一份配置相比,只在 9292 的 location 中增加了 proxy_ssl_certificate 和 proxy_ssl_certificate_key 两行,让 Nginx 作为 TLS 客户端向后端出示由自建 CA 签发的客户端证书。

  • 修改Nginx配置文件
[root@iZ23dastruaZ test_ngx_https]# vim nginx.conf 

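  # nginx.conf -- working mutual-TLS proxy: the front end on 9292 presents the
  # CA-issued client certificate to the back end on 9191, which requires one.
  # Started with `nginx -c nginx.conf -p .`, so relative paths resolve against
  # the test_ngx_https working directory.
  worker_processes  4;

  events {
      worker_connections  1024;
  }

  http {
      include       /usr/local/openresty/nginx/conf/mime.types;
      default_type  application/octet-stream;
      keepalive_timeout  60;
      tcp_nodelay on;

      # Back end: HTTPS with mandatory client certificates.
      server {
          listen       9191 ssl;
          server_name  www.timd.cn;

          ssl_buffer_size 4k;
          ssl_certificate certs/testcert.pem;
          ssl_certificate_key private/testcert.key.pem;
          ssl_ciphers HIGH:!aNULL:!MD5;
          #ssl_password_file password.file;
          ssl_prefer_server_ciphers on;
          # No SSLv3 (POODLE) or TLS 1.0/1.1 (RFC 8996); add TLSv1.3 on
          # nginx >= 1.13 built against OpenSSL >= 1.1.1.
          ssl_protocols TLSv1.2;
          ssl_session_cache shared:SSL_CACHE:10m;
          ssl_session_timeout 10m;

          # Any certificate chaining to cacert.pem is accepted (including the
          # server's own, since the CA issues both with one extension section);
          # revocation is not checked until ssl_crl is set.
          #ssl_crl ``file``;
          #ssl_trusted_certificate ``file``;
          ssl_client_certificate cacert.pem;
          ssl_verify_client on;
          ssl_verify_depth 1;

          location / {
              autoindex on;
              autoindex_exact_size off;
              autoindex_localtime on;

              # Dedicated document root (`mkdir www`); `root .;` would list the
              # prefix directory -- private/*.pem included -- to every client.
              root www;
          }
      }

      # Front end: plain HTTP towards the client (demo only), mutual TLS
      # towards the back end.
      server {
          listen 9292;
          server_name www.timd.cn;
          location / {
              proxy_pass https://www.timd.cn:9191;
              proxy_set_header Host $host;
              proxy_redirect off;
              # Fixed header name (was "X-Forwared-For").
              proxy_set_header X-Forwarded-For $remote_addr;

              proxy_ssl_ciphers HIGH:!aNULL:!MD5;
              #proxy_ssl_crl ``file``;
              # SNI plus verification of the back end against the self-built CA.
              proxy_ssl_server_name on;
              proxy_ssl_session_reuse on;
              proxy_ssl_protocols TLSv1.2;
              proxy_ssl_trusted_certificate ./cacert.pem;
              proxy_ssl_verify on;
              proxy_ssl_verify_depth 1;

              # Client credential presented to the back end; the key file must
              # be readable by the nginx master process only (chmod 600).
              proxy_ssl_certificate certs/client.pem;
              proxy_ssl_certificate_key private/client.key.pem;
          }
      }
  }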
  • 重启Nginx
[root@iZ23dastruaZ test_ngx_https]# /usr/local/openresty/nginx/sbin/nginx -c nginx.conf -p . -s reload
  • 测试
[root@iZ23dastruaZ test_ngx_https]# python
Python 2.6.6 (r266:84292, Jul 23 2015, 15:22:56)  
[GCC 4.4.7 20120313 (Red Hat 4.4.7-11)] on linux2
Type "help", "copyright", "credits" or "license" for more information.  
>>> import requests
>>> requests.get("http://www.timd.cn:9292/")
<Response [200]>  
>>> 
