./configure --prefix=/usr/local/nginx --with-http_ssl_module
1)创建SSL证书私钥,输入两次密码,生成文件为server.key
openssl genrsa -des3 -out server.key 2048
2)利用私钥生成一个不需要输入密码的密钥文件,生成文件为 server_nopass.key, 需要输入一次密码
openssl rsa -in server.key -out server_nopass.key
3)创建SSL证书签名请求文件,生成SSL证书时需要使用到,生成文件为server.csr;
在生成过程中,我们需要输入一些信息,需要注意的是Common Name需要和网站域名一致
openssl req -new -key server.key -out server.csr
4)生成SSL证书,有效期为365天,生成文件为server.crt;
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
如果需要用 pfx，可以用以下命令生成：openssl pkcs12 -export -inkey ssl.key -in ssl.crt -out ssl.pfx 。然后在需要使用证书的 nginx 配置文件的 server 节点里加入以下配置就可以了。
没有域名也没事,直接配置 hosts 文件也是可以的
别忘了配完后刷新 DNS 缓存（Windows 下执行 ipconfig /flushdns）
ssl证书脚本
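#!/bin/bash
# Generates a self-signed CA plus a server and a client key pair for EMQX TLS.
# Every artifact is written under $dir. All private keys are left unencrypted,
# so the key files are explicitly restricted to the owner at the end.
set -euo pipefail

client_ip=192.168.1.3
# Destination directory for the generated files
dir=/var/dlp/data/emqx/certs
# Validity period (days) shared by the CA and both leaf certificates
days=3650

sudo mkdir -p -- "$dir"

# Self-signed CA key and certificate (for simplicity client and server share one CA)
sudo openssl genrsa -out "$dir/ca.key" 2048
sudo openssl req -x509 -new -nodes -key "$dir/ca.key" -sha256 -days "$days" \
  -subj "/CN=www.emqx.io" -out "$dir/ca.pem"

# Server key and certificate.
# NOTE(review): the certificate carries only a CN and no subjectAltName;
# TLS stacks that require a SAN will not accept it — confirm against the clients in use.
sudo openssl genrsa -out "$dir/server.key" 2048
sudo openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -subj "/CN=127.0.0.1"
sudo openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
  -CAcreateserial -out "$dir/server.pem" -days "$days" -sha256

# Client key and certificate (CN is the client's IP address)
sudo openssl genrsa -out "$dir/client.key" 2048
sudo openssl req -new -key "$dir/client.key" -out "$dir/client.csr" -subj "/CN=$client_ip"
sudo openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
  -CAcreateserial -out "$dir/client.pem" -days "$days" -sha256

# Convert the PKCS#1 private key to PKCS#8 (the format Java expects).
# -nocrypt writes the key in the clear; it must be protected like client.key.
sudo openssl pkcs8 -topk8 -inform PEM -in "$dir/client.key" -outform pem -nocrypt \
  -out "$dir/pkcs8.pem"

# Do not rely on openssl's default file mode (it varies by version and on the
# umask sudo applies): make every private key readable by its owner only.
sudo chmod 600 -- "$dir/ca.key" "$dir/server.key" "$dir/client.key" "$dir/pkcs8.pem"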
某域名下ssl证书生成
> openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /usr/local/ssl/nginx.key -out /usr/local/ssl/nginx.crt
> Country Name (2 letter code) [AU]:CN
> State or Province Name (full name) [Some-State]:BEIJING
> Locality Name (eg, city) []:BEIJING
> Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mock
> Organizational Unit Name (eg, section) []:Mock
> # 注意此处必须是网站域名
> Common Name (e.g. server FQDN or YOUR name) []:www.a.com
> Email Address []:a@11.com
--with-http_ssl_module
#server {
#listen 80;
#server_name ip;
##把http的域名请求转成https
#return 301 https://$host$request_uri;
#}
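server {
    # One server answering both plain HTTP and HTTPS under the same name.
    # (To force HTTPS instead, keep only "listen 443 ssl" here and add a
    # separate port-80 server with "return 301 https://$host$request_uri;".)
    listen 80;
    listen 443 ssl;
    server_name ip;

    ssl_certificate /usr/local/nginx/ssl/server.crt;
    ssl_certificate_key /usr/local/nginx/ssl/server_nopass.key;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); only 1.2 and 1.3 are offered.
    # TLSv1.3 is used only when nginx (>= 1.13) is built against an OpenSSL that supports it.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; # cipher preference list
    ssl_prefer_server_ciphers on; # the server's cipher order wins
    ssl_session_cache shared:SSL:10m; # shared session cache size
    ssl_session_timeout 10m; # session lifetime

    # Static front-end build; unknown paths fall back to index.html (SPA routing).
    location / {
        root /data/vue_admin/dist;
        index index.html index.htm;
        send_timeout 600;
        # "Access-Control-Allow-Credentials: true" was dropped: browsers refuse a
        # credentialed response whose Allow-Origin is the wildcard "*", so the
        # header had no effect. Narrow the origin if credentialed CORS is needed.
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        try_files $uri $uri/ /index.html =404;
        client_max_body_size 1024m;
    }

    # API requests are proxied to the backend.
    location /api {
        proxy_pass http://192.168.3.101:8080; # backend address
        proxy_set_header Host $host; # original host (including port)
        proxy_set_header X-Real-IP $remote_addr; # client IP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # client plus every intermediate proxy
        proxy_set_header X-Forwarded-Proto $scheme; # scheme the client used (http or https)
        #proxy_set_header REMOTE-HOST $remote_addr;
        # proxy_connect/send/read_timeout are at their defaults here; the 600s
        # values formerly under "location /" applied to nothing (no proxy_pass
        # there) — set them in this location if the backend needs long timeouts.
        index index.html index.htm;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}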
Nginx与SpringBoot做Https认证
在SpringBoot的application.yml里面进行配置
server:
tomcat:
remoteip:
protocol-header: x-forwarded-proto
remote-ip-header: x-forwarded-for
remote:
port-header: X-Forwarded-Port
forward-headers-strategy: none
或者application.properties:
server.tomcat.remote_ip_header=x-forwarded-for
server.tomcat.protocol_header=x-forwarded-proto
server.tomcat.port-header=X-Forwarded-Port
server.use-forward-headers=true
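server {
    # Plain-HTTP listener: every request is redirected to HTTPS. A server-level
    # "rewrite ... permanent" answers before any location is matched, so the
    # proxy_pass location that used to sit here could never run and was removed.
    # This block was also missing its closing brace.
    listen 80;
    server_name 172.168.1.149;
    rewrite ^(.*)$ https://${server_name}$1 permanent;
}

server {
    listen 443 ssl;
    server_name 172.168.1.149;
    ssl_certificate ssl/server.crt;
    ssl_certificate_key ssl/server.key;
    # Loads the CA for client-certificate checks, but nothing is verified unless
    # "ssl_verify_client on;" is also set — add it if mutual TLS is intended.
    ssl_client_certificate ssl/ca.crt;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); only 1.2 and 1.3 are offered.
    # TLSv1.3 is used only when nginx (>= 1.13) is built against an OpenSSL that supports it.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location / {
        # The backend learns the client address, scheme and port from the
        # X-Forwarded-* headers (matching the Spring Boot remoteip settings above).
        proxy_pass http://172.168.1.149:8080/api/test;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
    }
}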



