1、HTTPS協(xié)議的實(shí)現(xiàn)

1、為什么需要HTTPS？

原因：HTTP不安全

• 1、傳輸數(shù)據(jù)被中間人盜用、信息泄露
• 2、數(shù)據(jù)內(nèi)容劫持、篡改

對(duì)傳輸內(nèi)容進(jìn)行加密以及身份驗(yàn)證

2、對(duì)稱加密

非對(duì)稱加密

3、HTTPS加密協(xié)議原理

4、中間人偽造客戶端和服務(wù)端

證書(shū)是在客戶端的，進(jìn)行校驗(yàn)。

2、生成密鑰和CA證書(shū)

#openssl version

OpenSSL 1.0.1e-fips 11 Feb 2013

#nginx-v

-with-http_ssl_module

步驟一、生成key密鑰

[root@web-01 ssl_key]# openssl genrsa -idea -out lewen.key 1024 Generating RSA private key, 1024 bit long modulus ......................................++++++ ..............................++++++ e is 65537 (0x10001) Enter pass phrase for lewen.key: #密碼要寫.或者不寫 Verifying - Enter pass phrase for lewen.key: View Code

步驟二、生成證書(shū)簽名請(qǐng)求文件(csr文件)

[root@web-01 ssl_key]# openssl req -new -key lewen.key -out lewen.csr Enter pass phrase for lewen.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:SZ Locality Name (eg, city) [Default City]:futian Organization Name (eg, company) [Default Company Ltd]:fadewalk Organizational Unit Name (eg, section) []:fadewalk.com Common Name (eg, your name or your server's hostname) []:fadewalk.com Email Address []:fadewalk@163.comPlease enter the following 'extra' attributes to be sent with your certificate request A challenge password []: #沒(méi)有要求就為空 An optional company name []: [root@web-01 ssl_key]# ls lewen.csr lewen.key View Code

步驟三、生成證書(shū)簽名文件(CA文件)

[root@web-01 ssl_key]# openssl x509 -req -days 3650 -in lewen.csr -signkey lewen.key -out lewen.crt Signature ok subject=/C=CN/ST=SZ/L=futian/O=fadewalk/OU=fadewalk.com/CN=fadewalk.com/emailAddress=fadewalk@163.com Getting Private key Enter pass phrase for lewen.key: [root@web-01 ssl_key]# ls lewen.crt lewen.csr lewen.key View Code

3、Nginx的HTTPS語(yǔ)法配置

例子server {listen 443 ssl;keepalive_timeout 70;ssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;ssl_certificate /usr/local/nginx/conf/cert.pem;ssl_certificate_key /usr/local/nginx/conf/cert.key;ssl_session_cache shared:SSL:10m;ssl_session_timeout 10m;...}[root@web-01 ~]# nginx -s reloadnginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/cp4/test_https.conf:4key設(shè)置了密碼，每次重啟都要輸入密碼很麻煩

4、場(chǎng)景-配置蘋果要求的證書(shū)

a、服務(wù)器所有的連接使用TLS1.2以上版本(openssl 1.0.2)

b、HTTPS證書(shū)必須使用SHA 256以上哈希算法簽名

C、HTTPS證書(shū)必須使用RSA 2048位或ECC256位以上公鑰算法

d、使用前向加密技術(shù)

查看證書(shū)信息

[root@web-01 ssl_key]# openssl x509 -noout -text -in ./lewen_apple.crt

一鍵生成證書(shū)

[root@web-01 ssl_key]# openssl req -days 3650 -x509 -sha256 -nodes -newkey rsa:2048 -keyout lewen.key -out lewen_apple.crt Generating a 2048 bit RSA private key ......................................................................................+++ ..+++ writing new private key to 'lewen.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:guangdong Locality Name (eg, city) [Default City]:sz Organization Name (eg, company) [Default Company Ltd]:fadewlak Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []: Email Address []: [root@web-01 ssl_key]# ls lewen_apple.crt lewen.key View Code

nginx 1.15 以后開(kāi)啟ssl的正確姿勢(shì)

2019/06/17 17:06:54 [warn] 36807#36807: the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/cp4/test_https.conf:4 不推薦使用“ssl”指令，而是在/etc/nginx/conf.d/cp4/test_https中使用“l(fā)isten ... ssl”指令。CONF：4 ssl on 這種方式開(kāi)啟ssl已經(jīng)不行了 listen 443 ssl 采用這種

測(cè)試網(wǎng)頁(yè)自己生成的證書(shū)，會(huì)被提示不安全

去掉之前分步生成輸入的保護(hù)碼

openssl rsa -in ./lewen.key -out ./lewen_nopassword.key

5、HTTPS服務(wù)優(yōu)化

方法一、激活keepalive長(zhǎng)連接

方法二、設(shè)置ssl session緩存

server {listen 443 ssl;server_name web01.fadewalk.com;# ssl on; nginx 1.15之后這樣配置無(wú)效keepalive_timeout 100;ssl_session_cache shared:SSL:10m;ssl_session_timeout 10m;ssl_certificate /etc/nginx/ssl_key/lewen_apple.crt;ssl_certificate_key /etc/nginx/ssl_key/lewen.key;#ssl_certificate_key /etc/nginx/ssl_key/lewen_nopass.key;location / {root /opt/app/code/cp4/code;index lewen.html lewen.htm;} }

總結(jié)

以上是生活随笔為你收集整理的基于Nginx的https服务的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問(wèn)題。

如果覺(jué)得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。