nginx configuration: security settings, HTTPS (SSL/TLS) and HTTP/2

Preparation

# Check whether nginx is installed, and its exact version
sh-4.2# rpm -qa | grep -i nginx
nginx-1.12.2-1.el7_4.ngx.x86_64
# List the files installed by the nginx package (shows where the configuration lives)
sh-4.2# rpm -ql nginx-1.12.2-1.el7_4.ngx.x86_64
/etc/logrotate.d/nginx
/etc/nginx
/etc/nginx/conf.d
/etc/nginx/conf.d/default.conf
/etc/nginx/fastcgi_params
/etc/nginx/koi-utf
/etc/nginx/koi-win
/etc/nginx/mime.types
/etc/nginx/modules
/etc/nginx/nginx.conf
/etc/nginx/scgi_params
/etc/nginx/uwsgi_params
/etc/nginx/win-utf
/etc/sysconfig/nginx
/etc/sysconfig/nginx-debug
/usr/lib/systemd/system/nginx-debug.service
/usr/lib/systemd/system/nginx.service
/usr/lib64/nginx
/usr/lib64/nginx/modules
/usr/libexec/initscripts/legacy-actions/nginx
/usr/libexec/initscripts/legacy-actions/nginx/check-reload
/usr/libexec/initscripts/legacy-actions/nginx/upgrade
/usr/sbin/nginx
/usr/sbin/nginx-debug
/usr/share/doc/nginx-1.12.2
/usr/share/doc/nginx-1.12.2/COPYRIGHT
/usr/share/man/man8/nginx.8.gz
/usr/share/nginx
/usr/share/nginx/html
/usr/share/nginx/html/50x.html
/usr/share/nginx/html/index.html
/var/cache/nginx
/var/log/nginx
sh-4.2#

Put the certificate files in the /etc/nginx/https_cert directory.
Create this https_cert directory yourself; any other directory works as long as the paths referenced in the configuration are correct. Keep the private key readable by root only (mode 0600): the nginx master process runs as root and reads the key before the worker processes drop privileges.
On obtaining an HTTPS certificate, see the post "Cryptography and certificates: an overview of HTTPS (SSL/TLS) certificates, obtaining them and deploying them on a site".

1. Configuring HTTPS:

1.1. Listen on port 443 with TLS

listen  443  ssl;

1.2. Add the certificate and private key

Note: nginx reads both .crt and .pem files; both are PEM encoded, the extension makes no difference.

# These are relative paths. nginx resolves them against its prefix directory,
# which for this package is /etc/nginx (where nginx.conf lives), so the absolute
# path is /etc/nginx/https_cert/huaijiujia_ca_chained.crt

# Certificate file (contains the public key; server certificate first, then the chain)
ssl_certificate     https_cert/huaijiujia_ca_chained.crt;
# Private key
ssl_certificate_key https_cert/huaijiujia_private.key;

(1) Supplement: ssl_client_certificate      /etc/ssl/certs/ca.crt;
Despite its name this is not a client's certificate but the CA certificate(s) nginx uses to verify client certificates when ssl_verify_client is switched on (mutual TLS), as with the USB-key (K宝) certificates some online-banking sites require. Ordinary websites do not need it, and it has no effect without ssl_verify_client.

(2) Supplement: a CA normally hands out three files.

The first is the certificate, which contains the public key. The second is the private key. The third is the CA bundle: the certificate is signed by an intermediate CA that some clients do not know, so the bundle carries the certificates that link the issuing intermediate back to a trusted root. Apache takes the three as separate directives:

SSLCertificateFile /etc/ssl/example_com.crt 
SSLCertificateKeyFile /etc/ssl/private/example_com.key 
SSLCertificateChainFile /etc/ssl/example_com.ca-bundle

nginx has only ssl_certificate and ssl_certificate_key, so the certificate and the bundle have to be concatenated into one chain file:

cat example_com.crt example_com.ca-bundle > example_com.chained.crt

The server certificate must come first and the bundle after it: nginx treats the first PEM block as the server certificate and the remaining blocks as the chain, so the wrong order makes it serve an intermediate as the site certificate. Even in the right order the file produced by cat can be broken: if the first file has no trailing newline, the last line of one certificate and the first line of the next end up on one line. Instead of

-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

###  the two markers are fused into a single line
-----END CERTIFICATE----------BEGIN CERTIFICATE-----

###  Note: every marker must sit on a line of its own, with exactly five dashes on each side. Add the missing newline at the end of the first file before concatenating, or split the fused line by hand; otherwise OpenSSL's PEM reader rejects the file and nginx refuses to load the certificate.

Below is an example of a correct chain file: the www.huaijiujia.com certificate issued by Let's Encrypt Authority X3, followed by the intermediate.

-----BEGIN CERTIFICATE-----
MIIFbDCCBFSgAwIBAgISA5WD5KQw2Su8QWrrv6G5nlVfMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODExMjMxMDAwMjdaFw0x
OTAyMjExMDAwMjdaMB0xGzAZBgNVBAMTEnd3dy5odWFpaml1amlhLmNvbTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPB7xpQSEdD5ZvYU80fBiWaTRHa4
p1ONueojFD6NabMRMw2ct4PLHsiIt8z5hGF02JhKb/ZxLIIBh5dtqFxAy4OcYRWa
J+7Qi+1tgD695t0JkqsW/KGbbZtZRFHikhx4TTLyd5IWuEKjJA87+8ufgCv/zuEM
hpdqNs5YhjqrVNjLo5yIIwVWF4FRs3rkSqUthaw6bF3+ER5Cnlrmy4nM6t811KuS
aFAFU9ZpfxzbtFefVNZGn79CxMf9huvHUklJTZeUmtr8SkfRLSC8yclP2vW4l70G
EiT1UK7jPb+/x2qynnDMv+/EfYk3oJq1emTg1UNizLmKPAItWDhI50BGKa8CAwEA
AaOCAncwggJzMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUCG4SDRTDi0shGxdi/x7S
ZFrxaSswHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUH
AQEEYzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5
cHQub3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5
cHQub3JnLzAtBgNVHREEJjAkgg5odWFpaml1amlhLmNvbYISd3d3Lmh1YWlqaXVq
aWEuY29tMEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYI
KwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIIBBAYKKwYBBAHW
eQIEAgSB9QSB8gDwAHYAdH7agzGtMxCRIZzOJU9CcMK//V5CIAjGNzV55hB7zFYA
AAFnQDpiswAABAMARzBFAiEAyP9RowhmAeFy0FIw864vexsfEi7+I8eXXgRBgdma
lXACIFuyRLDwlDSymNcSibTq/RJt4AlYtVAs2zA9lOUOGwN4AHYAY/Lbzeg7zCzP
C3KEJ1drM6SNYXePvXWmOLHHaFRL2I0AAAFnQDpiuAAABAMARzBFAiEAtLhwBegO
6Hvo3lTzkb1OBW1pmI00QMalMyyp7a8l3DICICdx6IzPP8Q9Aj5nwHXr7TZId+ye
pT2ApN87VE74fiT8MA0GCSqGSIb3DQEBCwUAA4IBAQBJZ0dI9Uq8WzRagYaRZI3p
BelzOZ0ImRW3iipi/XBHFB3hXbEIMBvaPlzduZzYe70WRYJFkHTCdVWrUqhUuEv9
B0Q5ovW9KDcrDJVw7C9Y4UbpfDnq6NBxXXRr3azNUahCoYIVvTTNcfFiWXvhW2Ie
Yw3v1dfH4pxdeZodBInaikJ1o2IAYWXQVRuX06ywcItFIcH9aUuvP8g0DEEe3xwf
iIV3IJ+rUzEHLh/r+9CabSotT5TqwvYPLWnhBUD3YaD56VXGlipdZ7bQiH80CUXw
WvmDH84qEJ+D7btxFBYl+OP7irl3cdcQNmYYJOQWyMOK0h+AhSEBx7qpDOC/Ew1b
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[body of the second block, the intermediate CA certificate, omitted on this page]
-----END CERTIFICATE-----
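As an added example, not from the original post: a small shell helper that assembles the chain file the way supplement (2) describes while avoiding the fused END/BEGIN line, then checks the result. The file names are placeholders, the PEM bodies in demo_chain are constructed stand-ins rather than real certificates, and verify_chain needs openssl plus a real certificate and key.

```shell
#!/bin/sh
# Added example, not from the original post: build an nginx chain file (server
# certificate first, then the CA bundle) without the fused
# "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" line that plain cat
# produces when the first file has no trailing newline, and check the result.

# build_chain OUT LEAF BUNDLE...: concatenate PEM files block by block. awk
# always terminates the last line, strips CR from Windows-edited files and
# splits a line where END and BEGIN have already been run together.
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        awk '{ sub(/\r$/, "")
               sub(/-----END CERTIFICATE----------BEGIN/, "-----END CERTIFICATE-----\n-----BEGIN")
               print }' "$f" >> "$out"
    done
}

# check_chain FILE: fail on a fused marker line, unbalanced BEGIN/END markers
# or fewer than two blocks (a chain is the leaf plus at least one intermediate).
check_chain() {
    f=$1
    if grep -q 'END CERTIFICATE----------BEGIN' "$f"; then
        echo "FAIL: fused END/BEGIN line in $f (newline missing between the files)"
        return 1
    fi
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    if [ "$begins" -ne "$ends" ] || [ "$begins" -lt 2 ]; then
        echo "FAIL: $begins BEGIN / $ends END markers in $f"
        return 1
    fi
    echo "OK: $begins certificates in $f"
}

# verify_chain CHAIN KEY: with openssl and a real certificate, show that block
# one is the server certificate (nginx takes the first block as the leaf), that
# the chain validates against the system trust store, and that the private key
# belongs to that certificate.
verify_chain() {
    chain=$1; key=$2
    openssl x509 -in "$chain" -noout -subject -issuer -dates   # reads block one only
    openssl verify -untrusted "$chain" "$chain"
    c=$(openssl x509 -in "$chain" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$c" = "$k" ] && echo "OK: key matches certificate" || echo "FAIL: key does not match certificate"
}

# Demo on constructed stand-ins: only the PEM framing matters here, the bodies
# are not real certificates.
demo_chain() {
    d=$(mktemp -d)
    # The file from the CA, saved without a trailing newline.
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' LEAF-STAND-IN '-----END CERTIFICATE-----' > "$d/example_com.crt"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' INTERMEDIATE-STAND-IN '-----END CERTIFICATE-----' > "$d/example_com.ca-bundle"
    cat "$d/example_com.crt" "$d/example_com.ca-bundle" > "$d/naive.chained.crt"
    check_chain "$d/naive.chained.crt" || true      # reproduces the fused line
    build_chain "$d/example_com.chained.crt" "$d/example_com.crt" "$d/example_com.ca-bundle"
    check_chain "$d/example_com.chained.crt"
    rm -rf "$d"
}
demo_chain
```

build_chain can also be pointed at an already fused file to repair it in place (write to a new name and replace the old one after check_chain passes). Run verify_chain on the real chain and key before reloading nginx; a key/certificate mismatch is otherwise only reported at startup.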

1.3. Configure the TLS protocol versions and cipher suites

 ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers     HIGH:!aNULL:!MD5;

This ssl_protocols line is simply the nginx 1.12 default. TLSv1 and TLSv1.1 are deprecated (RFC 8996) and current browsers no longer negotiate them, so unless legacy clients must be served, list only TLSv1.2. TLSv1.3 can be added on nginx 1.13.0 or later built against OpenSSL 1.1.1 or later; the 1.12.2 package above cannot negotiate it and rejects the value.

2. Configuring HTTP/2:

2.1. Add the http2 parameter to the listen directive for port 443. This needs nginx built with --with-http_v2_module (the nginx.org packages are) and it needs TLS, because browsers only speak HTTP/2 over TLS negotiated through ALPN.

listen 443 http2 ssl; 

2.2. Use stronger cipher suites (HTTP/2 requires them). RFC 7540 section 9.2 requires TLS 1.2 or later, and a client aborts the connection with INADEQUATE_SECURITY if the negotiated suite is on the blacklist in Appendix A, which covers every suite without ephemeral key exchange (the RSA+ entries below) or without an AEAD cipher (3DES and the CBC modes). With nginx's default ssl_prefer_server_ciphers off the client's preference wins, so modern browsers pick an ECDHE+AEAD suite from this list; the RSA+ and 3DES entries only ever serve old HTTP/1.1 clients and are better dropped.

ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

3. The complete configuration file:

server {
  # listen       80;
    listen [::]:443 ssl http2 ipv6only=on;
    listen 443 ssl http2;

    server_name  www.huaijiujia.com;
    ssl_certificate     https_cert/huaijiujia_ca_chained.crt;
    ssl_certificate_key https_cert/huaijiujia_private.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
  # ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

    #charset koi8-r;
    #access_log  /var/log/nginx/host.access.log  main;

    root   /var/www/www.huaijiujia.com;  # local WordPress install
    index  index.php index.html index.htm;

    location / {
        # try_files $uri $uri/ =404;
        # WordPress permalinks: fall back to index.php and pass the query string on
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    location ~ \.php$ {
        # Only hand existing files to PHP-FPM. This blocks the cgi.fix_pathinfo
        # trick of executing an upload such as image.jpg/x.php as PHP.
        try_files $uri =404;
      # fastcgi_pass   127.0.0.1:9000;
      # fastcgi_pass   unix:/var/run/php-fpm/php-fcgi.sock;
        fastcgi_pass   unix:/dev/shm/php-fcgi.sock;  # socket in memory; got errors at first and gave up, finally got it working: https://blog.linuxeye.cn/364.html
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}
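As an added example, not from the original post: a shell audit of the settings discussed in sections 1.3 to 3, run over two constructed server blocks, the TLS part of the block above with its weak settings and a corrected version kept beside it. The file names, the temporary directory and the hardened cipher list are this example's own choices, not the post's; check_live needs a running server and is not exercised offline.

```shell
#!/bin/sh
# Added example, not from the original post: flag weak TLS settings in an nginx
# server block and keep a corrected block next to it for comparison. Only the
# directives discussed in the post are checked. Sample configs are constructed
# below; check_live needs a reachable host and is not run offline.

# audit_tls_conf FILE: one line per finding, nothing when clean.
audit_tls_conf() {
    f=$1
    # Active directives only: the pattern anchors on leading whitespace, so a
    # commented "#  ssl_ciphers ..." line is skipped.
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]\{1,\}\(.*\);.*/\1/p' "$f")
    ciphers=$(sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]\{1,\}\(.*\);.*/\1/p' "$f")

    bad=''
    for p in $protos; do
        case $p in SSLv2|SSLv3|TLSv1|TLSv1.1) bad="$bad $p" ;; esac
    done
    [ -n "$bad" ] && echo "WEAK ssl_protocols:$bad (deprecated by RFC 8996; keep TLSv1.2 and newer)"

    bad=''
    for c in $(printf '%s\n' "$ciphers" | tr ':' ' '); do
        case $c in
            !*) ;;                                  # an exclusion such as !MD5
            RSA+*|kRSA*|*DES*|*RC4*|*MD5*|*NULL*)   # static RSA (no PFS) or legacy cipher
                bad="$bad $c" ;;
        esac
    done
    [ -n "$bad" ] && echo "WEAK ssl_ciphers:$bad (no forward secrecy or legacy cipher; HTTP/2 clients reject these, RFC 7540 App. A)"

    grep -q '^[[:space:]]*add_header[[:space:]]\{1,\}Strict-Transport-Security' "$f" \
        || echo "MISSING add_header Strict-Transport-Security (HSTS)"
}

# The TLS part of the server block from the post, as constructed input.
write_weak_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl http2;
    server_name www.huaijiujia.com;
    ssl_certificate     https_cert/huaijiujia_ca_chained.crt;
    ssl_certificate_key https_cert/huaijiujia_private.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
  # ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
}
EOF
}

# The same block with the settings a current deployment should use.
write_hardened_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl http2;
    server_name www.huaijiujia.com;
    ssl_certificate     https_cert/huaijiujia_ca_chained.crt;
    ssl_certificate_key https_cert/huaijiujia_private.key;
    # TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL >= 1.1.1; on the
    # 1.12.2 / CentOS 7 build from the post, write "TLSv1.2" alone.
    ssl_protocols TLSv1.2 TLSv1.3;
    # ECDHE-only, AEAD-only: every suite here is acceptable to HTTP/2 clients.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    # HSTS: enable only once every host under the domain serves HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
EOF
}

# check_live HOST: once nginx is running, confirm the negotiated protocol,
# cipher and ALPN "h2" from the outside (needs network, openssl and curl).
check_live() {
    host=$1
    printf '' | openssl s_client -connect "$host:443" -servername "$host" -alpn h2 2>/dev/null \
        | grep -E 'ALPN|Protocol *:|Cipher *:'
    curl -sSI --http2 "https://$host/" | head -n 1
}

# Demo on the two constructed configs.
d=$(mktemp -d)
write_weak_conf "$d/weak.conf"; write_hardened_conf "$d/hardened.conf"
echo "== weak.conf";     audit_tls_conf "$d/weak.conf"
echo "== hardened.conf"; audit_tls_conf "$d/hardened.conf"
rm -rf "$d"
```

The audit is deliberately narrow: it reads only the directives the post sets and does not follow include files or the http-level context, so run it on the rendered server block. After deploying the hardened block, check_live against the site name should report TLSv1.2 or TLSv1.3, an ECDHE AES-GCM or CHACHA20 suite, and "ALPN protocol: h2".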

4. Other issues

After enabling HTTPS in nginx, remember to open TCP port 443 in the firewall (firewalld on CentOS 7):

firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --reload

If nginx was built from source it may have been built without the SSL module, in which case it has to be recompiled.
[The author installed via yum; the directory layout of a source install may differ.]

1. the "ssl" parameter requires ngx_http_ssl_module  in /usr/local/nginx/conf/nginx.conf:37
This means nginx is missing the http_ssl_module; add --with-http_ssl_module to the configure options when building (and --with-http_v2_module if http2 is wanted).
2. To add a module to an nginx that is already installed:
1) Change to the nginx source tree
cd /usr/local/src/nginx-1.11.3
2) Check which modules the existing nginx was built with and note its "configure arguments" line (-V prints to stderr, so append 2>&1 before piping it to grep)
/usr/local/nginx/sbin/nginx -V
3) Re-run configure with those arguments plus the new module; configure options that are left out are lost from the rebuilt binary
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
4) Rebuild with make only. Do not run make install, which would overwrite the running installation
make
5) Back up the installed nginx binary
cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
6) Copy the freshly built binary over the old one (nginx must be stopped first)
cp ./objs/nginx /usr/local/nginx/sbin/ 
If cp is aliased to cp -i (the default for root on CentOS) it asks whether to overwrite; answer y, because just pressing Enter means no.
7) Start nginx and check its modules; the new one is now listed
/usr/local/nginx/sbin/nginx -V
