NGINX: HTTPS with a self-signed certificate and automatic HTTP-to-HTTPS redirect (the build can be checked with nginx -V)


nginx's HTTPS support is implemented by the ngx_http_ssl_module module. As a core feature it is already enabled in the nginx package installed via yum; an nginx built from source must be configured with the parameter --with-http_ssl_module to enable SSL.


You can use nginx -V to check which modules a source-built nginx was compiled with:
[root@rocky8 ~]#nginx -V
nginx version: nginx/1.22.0
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-10) (GCC)
built with OpenSSL 1.1.1k  FIPS 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module-master
[root@rocky8 ~]#cd /apps/nginx/ 
[root@rocky8 nginx]# mkdir certs
[root@rocky8 nginx]# cd certs/
[root@rocky8 certs]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt # self-signed CA certificate
Generating a RSA private key
.............................................................................................++++
.....................................++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # country code
State or Province Name (full name) []:beijing # province
Locality Name (eg, city) [Default City]:beijing # city
Organization Name (eg, company) [Default Company Ltd]:guanyu # company name
Organizational Unit Name (eg, section) []:gy # department
Common Name (eg, your name or your server's hostname) []:ca.gy.org # common name
Email Address []: # e-mail (may be left blank)

Check the CA certificate and private key files:

[root@rocky8 certs]#ll
total 8
-rw-r--r-- 1 root root 2021 Sep 17 15:46 ca.crt
-rw------- 1 root root 3272 Sep 17 15:45 ca.key

Create the server private key and CSR:

[root@rocky8 certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.guanyu.org.key -out www.guanyu.org.csr
Generating a RSA private key
......++++
........................................................................................................................................................................................................................................................................................................................++++
writing new private key to 'www.guanyu.org'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:guanyu.org
Organizational Unit Name (eg, section) []:guanyu.org
Common Name (eg, your name or your server's hostname) []:www.guanyu.org
Email Address []:1532105108@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Check the result:

[root@rocky8 certs]#ll
total 16
-rw-r--r-- 1 root root 2021 Sep 17 15:46 ca.crt
-rw------- 1 root root 3272 Sep 17 15:45 ca.key
-rw------- 1 root root 3272 Sep 17 16:05 www.guanyu.org.key
-rw-r--r-- 1 root root 1760 Sep 17 16:07 www.guanyu.org.csr

Issue the server certificate by signing the CSR with the CA:

[root@rocky8 certs]# openssl x509 -req -days 3650 -in www.guanyu.org.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.guanyu.org.crt

Verify the certificate contents:

[root@rocky8 certs]# openssl x509 -in www.guanyu.org.crt -noout -text

Concatenate the server certificate and the CA certificate into one file; note that the server certificate must come first:

[root@rocky8 certs]#cat www.guanyu.org.crt ca.crt > www.guanyu.org.pem
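The same CA, CSR, signing and bundling steps as an added, non-interactive shell example (this is not code from the original post): DN answers are passed with -subj instead of the prompts, 2048-bit keys are used for speed, and a check function confirms the things that commonly go wrong before nginx is pointed at the files. It assumes openssl is in PATH; the hostnames are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original post): the CA / CSR / signing / bundle
# steps above, run non-interactively (-subj instead of prompts, 2048-bit keys
# for speed), followed by the checks worth doing before pointing nginx at the
# files. Assumes openssl is in PATH; hostnames are the ones used in the post.
set -e

make_certs() {
  dir="$1"
  mkdir -p "$dir"
  # Minimal config so the CA cert carries basicConstraints=CA:TRUE no matter
  # what the distribution's default openssl.cnf says.
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  # Self-signed CA (same flags as in the post, DN answers passed via -subj)
  openssl req -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 -keyout "$dir/ca.key" \
    -x509 -days 3650 -subj "/C=CN/ST=beijing/L=beijing/O=guanyu/OU=gy/CN=ca.gy.org" \
    -out "$dir/ca.crt" 2>/dev/null
  # Server private key + CSR
  openssl req -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/www.guanyu.org.key" -out "$dir/www.guanyu.org.csr" \
    -subj "/C=CN/ST=beijing/L=beijing/O=guanyu.org/CN=www.guanyu.org" 2>/dev/null
  # Sign the CSR with the CA
  openssl x509 -req -days 3650 -in "$dir/www.guanyu.org.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/www.guanyu.org.crt" 2>/dev/null
  # Bundle for ssl_certificate: server certificate FIRST, CA certificate after it
  cat "$dir/www.guanyu.org.crt" "$dir/ca.crt" > "$dir/www.guanyu.org.pem"
}

# Returns 0 only if the first certificate in the bundle is the server cert
# (nginx takes the leaf from the top of the file), the private key matches
# that cert (catches a wrong ssl_certificate_key), and the leaf verifies
# against the CA.
check_certs() {
  dir="$1"
  first_cn=$(openssl x509 -in "$dir/www.guanyu.org.pem" -noout -subject | sed 's/.*CN *= *//')
  [ "$first_cn" = "www.guanyu.org" ] || return 1
  key_mod=$(openssl rsa -in "$dir/www.guanyu.org.key" -noout -modulus 2>/dev/null)
  crt_mod=$(openssl x509 -in "$dir/www.guanyu.org.crt" -noout -modulus)
  [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ] || return 1
  openssl verify -CAfile "$dir/ca.crt" "$dir/www.guanyu.org.crt" >/dev/null 2>&1
}
```

Running `make_certs /apps/nginx/certs && check_certs /apps/nginx/certs` reproduces the post's files and exits non-zero if the bundle order or key pairing is wrong.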

HTTPS configuration:

server {
 listen 80;
 listen 443 ssl http2;
 ssl_certificate /apps/nginx/certs/www.guanyu.org.pem;
 ssl_certificate_key /apps/nginx/certs/www.guanyu.org.key;
 ssl_session_cache shared:sslcache:20m;
 ssl_session_timeout 10m;
 root /data/nginx/html; 
}

Reload nginx and verify in a browser.

You can see that the certificate has taken effect, but because it is self-signed the browser warns that the connection is not secure.

Next we set up the automatic redirect from HTTP to HTTPS. This uses nginx's rewrite module; the usage is simple and only requires editing the configuration file.

server {
    listen 80;
    listen 443 ssl http2;
    ssl_certificate /apps/nginx/certs/www.guanyu.org.pem;
    ssl_certificate_key /apps/nginx/certs/www.guanyu.org.key;   # private key file, must match the certificate
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    server_name www.guanyu.org;   # must match the certificate's Common Name
    location / {   # redirect the whole site
        root /data/nginx/html/mobile;
        index index.html;
        if ($scheme = http) {   # without this condition the rewrite would loop forever
            rewrite ^/(.*) https://$host/$1 redirect;
        }
    }
    location /login {   # redirect only a specific URL to https
        if ($scheme = http) {
            rewrite / https://$host/login redirect;
        }
    }
}
[root@rocky8 certs]#nginx -s reload # reload the configuration

Verify with curl -I: the redirect works.
