Nginx配置Https单向、双向认证

SSL相关概念及原料请参考OpenSSL 与 SSL 数字证书概念贴SSL/TLS原理详解
为了便于理解,我们将CA服务器与Nginx服务器部署在两台不同的机器上:
CA: 192.168.1.100
Nginx: 192.168.1.101

1. 在两台CentOS服务器上安装OpenSSL软件

# 安装命令
[root@cd-dev01 ~]# yum install openssl openssl-devel
# 更新命令
[root@cd-dev01 ~]# yum update openssl openssl-devel

2. 配置CA服务器(192.168.1.100)

生成自签署证书的密钥

# 进入证书目录(安装了OpenSSL软件就会存在该目录)
[root@cd-dev01 ~]# cd /etc/pki/CA/
# 使用rsa加密算法生成自签署证书的密钥(此处指定密钥长度为2048)
[root@cd-dev01 CA]# openssl genrsa -out private/cakey.pem 2048
# 修改权限,增加安全性
[root@cd-dev01 CA]# chmod 600 private/cakey.pem

利用密钥生成CA服务器的证书文件, 为了方便,首先在OpenSSL配置文件中设置一些默认值

# 编辑配置文件
[root@cd-dev01 CA]# vim /etc/pki/tls/openssl.cnf

修改内容如下(部分内容):

# 找到如下部分,在签署证书时证书中会写入如下内容(大概128行)
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
# 配置默认国家
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
# 默认省份名称
stateOrProvinceName_default    = SiChuan

localityName                    = Locality Name (eg, city)
# 默认城市名称
localityName_default            = ChengDu

0.organizationName              = Organization Name (eg, company)
# 默认公司名称
0.organizationName_default      = SkyGuard

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
# 默认组织单位名称
organizationalUnitName_default = BigData

commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64

生成自签署证书:

#用刚刚生成的密钥文件生成一个有效期为10年的证书
[root@cd-dev01 CA]# openssl req -new -x509 -key ./private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
#以下几项使用刚刚配置的默认值,所有直接回车
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SiChuan]:
Locality Name (eg, city) [ChengDu]:
Organization Name (eg, company) [SkyGuard]:
Organizational Unit Name (eg, section) [BigData]:
# 此处配置CA服务器名字,建议使用DNS上能查找到的域名(测试可随便指定)
Common Name (eg, your name or your server's hostname) []:ca.skyguard.com.cn
# 此处设置管理员邮箱(测试可随便指定)
Email Address []:ca@skyguard.com.cn

创建如下两个文件

# 创建存放颁发证书的数据库文件
[root@cd-dev01 CA]# touch index.txt
# 当前颁发证书的序列号文件,颁发下一个证书时会自动加1
[root@cd-dev01 CA]# echo "00" > serial

3. 配置Nginx服务器(192.168.1.101)Https单向认证

编译安装Nginx服务器

[root@cd-dev02 ~]# wget http://nginx.org/download/nginx-1.11.12.tar.gz
[root@cd-dev02 ~]# tar -zvxf nginx-1.11.12.tar.gz
[root@cd-dev02 ~]# cd nginx-1.11.12
#一定要将ssl模块编译进去
[root@cd-dev02 nginx-1.11.12]# ./configure --with-http_ssl_module
[root@cd-dev02 nginx-1.11.12]# make
[root@cd-dev02 nginx-1.11.12]# make install
# 进入到Nginx目录
[root@cd-dev02 nginx-1.11.12]# cd /usr/local/nginx

配置Nginx服务器支持ssl

# 创建存放ssl先关的目录,并进入目录
[root@cd-dev02 nginx]# mkdir ssl
[root@cd-dev02 nginx]# cd ssl
# 生成本地密钥
[root@cd-dev02 ssl]# openssl genrsa 2048 > httpd.key
# 修改权限,增加安全性
[root@cd-dev02 ssl]# chmod 600 httpd.key
# 生成证书申请文件,以便传入CA服务器申请证书
[root@cd-dev02 ssl]# openssl req -new -key httpd.key -out httpd.crq
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
#以下几项与CA服务器信息保持一致
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SiChuan
Locality Name (eg, city) [Default City]:ChengDu
Organization Name (eg, company) [Default Company Ltd]:SkyGuard
Organizational Unit Name (eg, section) []:BigData
# Nginx中虚拟主机名,只对该虚拟主机的请求加密
Common Name (eg, your name or your server's hostname) []:nginx.skyguard.com.cn
# 管理员邮箱
Email Address []:nginx@skyguard.com.cn

Please enter the following 'extra' attributes
to be sent with your certificate request
# 设置单独密码,忽略即可
A challenge password []:
An optional company name []
# 将证书申请文件传输到CA服务器,
[root@cd-dev02 ssl]# scp httpd.crq 192.168.1.100:/tmp/

登录到CA服务器(192.168.1.100)对证书进行签署,切换到CA目录

[root@cd-dev01 CA]# openssl ca -in /tmp/httpd.crq -out /tmp/httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Mar 25 05:25:03 2017 GMT
            Not After : Mar 23 05:25:03 2027 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = SiChuan
            organizationName          = SkyGuard
            organizationalUnitName    = BigData
            commonName                = nginx.skyguard.com.cn
            emailAddress              = nginx@skyguard.com.cn
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                F2:09:FE:0E:53:0D:00:1C:DB:FA:0D:B0:2F:76:A4:4E:5E:23:18:3C
            X509v3 Authority Key Identifier: 
                keyid:C2:C4:46:FB:37:A8:8E:CF:38:E7:72:2F:E1:7B:35:0F:22:23:19:1D

Certificate is to be certified until Mar 23 05:25:03 2027 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# 将证书传回Nginx服务器的ssl目录中
[root@cd-dev01 CA]# scp /tmp/httpd.crt 192.168.1.101:/usr/local/nginx/ssl/
# 删除CA服务器上的crq与crt文件
[root@cd-dev01 CA]# rm -rf /tmp/httpd.crq /tmp/httpd.crt

登录到Nginx服务器(192.168.1.101)配置Nginx

[root@cd-dev02 nginx]# vim conf/nginx.conf
# 增加如下虚拟主机
server {
        listen 443 ssl;
        server_name nginx.skyguard.com.cn;

        ssl on;
        ssl_certificate ../ssl/httpd.crt;
        ssl_certificate_key ../ssl/httpd.key;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers on;
        location / {
                root   html;
                index  index.html index.htm;
         }
}
# 启动Nginx服务器
[root@cd-dev02 nginx]# ./sbin/nginx

然后用浏览器打开https://192.168.1.101

4. 配置Nginx服务器(192.168.1.101)Httpss双向认证

在CA服务器(192.168.1.100)上生成客户端证书

[root@cd-dev01 CA]# mkdir users
[root@cd-dev01 CA]# openssl genrsa 2048 > users/client.key
Generating RSA private key, 2048 bit long modulus
.............+++
......................+++
e is 65537 (0x10001)
[root@cd-dev01 CA]# openssl req -new -key ./users/client.key -out ./users/client.crq
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SiChuan]:
Locality Name (eg, city) [ChengDu]:
Organization Name (eg, company) [SkyGuard]:
Organizational Unit Name (eg, section) [BigData]:
Common Name (eg, your name or your server's hostname) []:client.skyguard.com.cn
Email Address []:client@skyguard.com.cn

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@cd-dev01 CA]# openssl ca -in ./users/client.crq -out ./users/client.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 25 06:17:27 2017 GMT
            Not After : Mar 23 06:17:27 2027 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = SiChuan
            organizationName          = SkyGuard
            organizationalUnitName    = BigData
            commonName                = client.skyguard.com.cn
            emailAddress              = client@skyguard.com.cn
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                C9:00:A4:37:14:80:FC:30:DC:7A:88:D4:03:09:7C:90:34:91:F5:7C
            X509v3 Authority Key Identifier: 
                keyid:C2:C4:46:FB:37:A8:8E:CF:38:E7:72:2F:E1:7B:35:0F:22:23:19:1D

Certificate is to be certified until Mar 23 06:17:27 2027 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Update
# 导出浏览器识别的证书格式
[root@cd-dev01 CA]# openssl pkcs12 -export -clcerts -in ./users/client.crt -inkey ./users/client.key -out ./users/client.p12
# 无密码直接回车
Enter Export Password:
Verifying - Enter Export Password:
# 将CA自签署证书复杂到Nginx服务器
[root@cd-dev01 CA]# scp cacert.pem 192.168.1.101:/usr/local/nginx/ssl/

在Nginx服务器(192.168.1.101)配置开启双向认证

[root@cd-dev02 nginx]# vim conf/nginx.conf
#修改单项认证虚拟主机
server {
        listen 443 ssl;
        server_name nginx.skyguard.com.cn;

        ssl on;
        ssl_certificate ../ssl/httpd.crt;
        ssl_certificate_key ../ssl/httpd.key;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers on;

        # 开启客户端认证
        ssl_client_certificate ../ssl/cacert.pem;
        ssl_verify_client on;

        location / {
                root   html;
                index  index.html index.htm;
         }
}
# 启动Nginx服务器
[root@cd-dev02 nginx]# ./sbin/nginx

5. Chrome浏览器中访问双向认证服务器

修改Windows的hosts文件(C:\Windows\System32\drivers\etc\hosts),加入如下一行数据

192.168.1.101       nginx.skyguard.com.cn

向浏览器导入证书,进入:设置=>显示高级设置=>管理证书

Paste_Image.png

点击导入证书

Paste_Image.png
Paste_Image.png

然后一直下一步完成即可,然后在浏览器中输入:

Paste_Image.png
最后编辑于
©著作权归作者所有,转载或内容合作请联系作者
  • 序言:七十年代末,一起剥皮案震惊了整个滨河市,随后出现的几起案子,更是在滨河造成了极大的恐慌,老刑警刘岩,带你破解...
    沈念sama阅读 204,793评论 6 478
  • 序言:滨河连续发生了三起死亡事件,死亡现场离奇诡异,居然都是意外死亡,警方通过查阅死者的电脑和手机,发现死者居然都...
    沈念sama阅读 87,567评论 2 381
  • 文/潘晓璐 我一进店门,熙熙楼的掌柜王于贵愁眉苦脸地迎上来,“玉大人,你说我怎么就摊上这事。” “怎么了?”我有些...
    开封第一讲书人阅读 151,342评论 0 338
  • 文/不坏的土叔 我叫张陵,是天一观的道长。 经常有香客问我,道长,这世上最难降的妖魔是什么? 我笑而不...
    开封第一讲书人阅读 54,825评论 1 277
  • 正文 为了忘掉前任,我火速办了婚礼,结果婚礼上,老公的妹妹穿的比我还像新娘。我一直安慰自己,他们只是感情好,可当我...
    茶点故事阅读 63,814评论 5 368
  • 文/花漫 我一把揭开白布。 她就那样静静地躺着,像睡着了一般。 火红的嫁衣衬着肌肤如雪。 梳的纹丝不乱的头发上,一...
    开封第一讲书人阅读 48,680评论 1 281
  • 那天,我揣着相机与录音,去河边找鬼。 笑死,一个胖子当着我的面吹牛,可吹牛的内容都是我干的。 我是一名探鬼主播,决...
    沈念sama阅读 38,033评论 3 399
  • 文/苍兰香墨 我猛地睁开眼,长吁一口气:“原来是场噩梦啊……” “哼!你这毒妇竟也来了?” 一声冷哼从身侧响起,我...
    开封第一讲书人阅读 36,687评论 0 258
  • 序言:老挝万荣一对情侣失踪,失踪者是张志新(化名)和其女友刘颖,没想到半个月后,有当地人在树林里发现了一具尸体,经...
    沈念sama阅读 42,175评论 1 300
  • 正文 独居荒郊野岭守林人离奇死亡,尸身上长有42处带血的脓包…… 初始之章·张勋 以下内容为张勋视角 年9月15日...
    茶点故事阅读 35,668评论 2 321
  • 正文 我和宋清朗相恋三年,在试婚纱的时候发现自己被绿了。 大学时的朋友给我发了我未婚夫和他白月光在一起吃饭的照片。...
    茶点故事阅读 37,775评论 1 332
  • 序言:一个原本活蹦乱跳的男人离奇死亡,死状恐怖,灵堂内的尸体忽然破棺而出,到底是诈尸还是另有隐情,我是刑警宁泽,带...
    沈念sama阅读 33,419评论 4 321
  • 正文 年R本政府宣布,位于F岛的核电站,受9级特大地震影响,放射性物质发生泄漏。R本人自食恶果不足惜,却给世界环境...
    茶点故事阅读 39,020评论 3 307
  • 文/蒙蒙 一、第九天 我趴在偏房一处隐蔽的房顶上张望。 院中可真热闹,春花似锦、人声如沸。这庄子的主人今日做“春日...
    开封第一讲书人阅读 29,978评论 0 19
  • 文/苍兰香墨 我抬头看了看天上的太阳。三九已至,却和暖如春,着一层夹袄步出监牢的瞬间,已是汗流浃背。 一阵脚步声响...
    开封第一讲书人阅读 31,206评论 1 260
  • 我被黑心中介骗来泰国打工, 没想到刚下飞机就差点儿被人妖公主榨干…… 1. 我叫王不留,地道东北人。 一个月前我还...
    沈念sama阅读 45,092评论 2 351
  • 正文 我出身青楼,却偏偏与公主长得像,于是被迫代替她去往敌国和亲。 传闻我的和亲对象是个残疾皇子,可洞房花烛夜当晚...
    茶点故事阅读 42,510评论 2 343

推荐阅读更多精彩内容