Configuring SSL in nginx

2016-04-04 17:02:23

nginx serves HTTPS once it is given a certificate and private key; the steps below generate a self-signed pair, wire it into a server block, redirect plain HTTP to HTTPS, and tune the TLS settings.

1. Generate a self-signed certificate

This requires the openssl command-line tool, which most Linux distributions install by default; install it manually if it is missing.
Change into the directory where the certificate and private key will be kept (a directory only root can read is appropriate, since the key will be stored unencrypted):

cd /usr/local/nginx/conf/ssl

Create the server private key. You will be prompted for a passphrase. Use at least 2048 bits: the 1024-bit key in the original command is rejected by modern browsers and is considered breakable.

# openssl genrsa -des3 -out test.com.key 2048

Generate a certificate signing request (CSR). You will be prompted for the country, province, city, organisation, common name, e-mail address and so on. For a self-signed certificate most of these can be filled in freely, but the Common Name should be the hostname clients will connect to (here test.com); modern browsers additionally require the hostname in a subjectAltName extension, which this interactive flow does not add.

# openssl req -new -key test.com.key -out test.com.csr

Remove the passphrase from the private key; otherwise nginx prompts for it every time it loads the SSL configuration (including on restart):

# cp test.com.key test.com.key.bak
# openssl rsa -in test.com.key.bak -out test.com.key

Finally, use the CSR and the private key above to produce the self-signed certificate, valid for 365 days:

# openssl x509 -req -days 365 -in test.com.csr -signkey test.com.key -out test.com.crt

A self-signed certificate provides encrypted transport, but browsers do not trust it and will show a warning, because nothing in their trust store vouches for it. For a browser-trusted certificate the original post points to StartSSL's free SSL certificates; note that StartSSL has since been distrusted by the major browsers and has shut down, and Let's Encrypt is the usual free, browser-trusted option today.
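The same procedure as the four interactive commands above, done non-interactively and followed by the checks a practitioner runs before handing the files to nginx. This is an added example, not code from the original post: it assumes openssl 1.1.1 or later (for -addext) and takes the directory, hostname and validity period as parameters instead of the fixed paths used above. It uses -nodes so the key is written unencrypted from the start, replacing the genrsa -des3 step plus the passphrase-stripping step, and adds the subjectAltName that browsers require.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive self-signed
# certificate generation plus sanity checks. Assumes openssl >= 1.1.1.
set -eu

# make_selfsigned DIR NAME [DAYS]
# Writes DIR/NAME.key (unencrypted 2048-bit RSA, so nginx loads it without a
# passphrase prompt) and DIR/NAME.crt (self-signed, SHA-256, with a DNS SAN).
make_selfsigned() {
  dir=$1; name=$2; days=${3:-365}
  mkdir -p "$dir"
  # -x509: emit a self-signed certificate directly instead of a CSR
  # -nodes: do not encrypt the private key (replaces genrsa -des3 + openssl rsa)
  # -newkey rsa:2048: 1024-bit keys are rejected by current browsers
  # -addext: the SAN extension that Chrome/Firefox require to accept the name
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days "$days" \
    -subj "/CN=$name" \
    -addext "subjectAltName=DNS:$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
  # the key is unencrypted, so restrict it to the owner (nginx reads it as root)
  chmod 600 "$dir/$name.key"
}

# cert_key_match CRT KEY: succeeds only if the certificate's public key belongs
# to the private key (a mismatch is the classic "nginx -t" failure after a renewal)
cert_key_match() {
  crt_md=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
  key_md=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
  [ "$crt_md" = "$key_md" ]
}

# cert_cn CRT: print the subject Common Name (handles both old and new subject formats)
cert_cn() {
  openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# cert_has_san CRT NAME: succeeds if NAME appears as a DNS subjectAltName
cert_has_san() {
  openssl x509 -noout -ext subjectAltName -in "$1" 2>/dev/null | grep -q "DNS:$2"
}

# Usage (assumed paths, matching the post):
#   make_selfsigned /usr/local/nginx/conf/ssl test.com 365
#   cert_key_match /usr/local/nginx/conf/ssl/test.com.crt /usr/local/nginx/conf/ssl/test.com.key
```

The modulus comparison in cert_key_match is the check to run whenever ssl_certificate and ssl_certificate_key are edited separately; openssl verify -CAfile test.com.crt test.com.crt confirms the self-signature is valid, and is the command-line equivalent of what a browser would do if the certificate were in its trust store.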

2. nginx configuration directives

Point ssl_certificate and ssl_certificate_key at the certificate and private key using absolute paths. The block below does not set ssl_protocols, so the nginx default applies; section 4 covers restricting it.

server {
    listen 443 ssl;
    server_name test.com;
    # "ssl on;" is redundant with "listen 443 ssl" and deprecated since nginx 1.15.0
    # ssl on;
    ssl_certificate /usr/local/nginx/conf/ssl/test.com.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/test.com.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}

Start nginx (run /usr/local/nginx/sbin/nginx -t first to validate the configuration, which also catches a certificate/key mismatch):

/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf

Test by visiting https://test.com; with a self-signed certificate the browser shows a trust warning but the connection is encrypted.

3. Redirecting HTTP to HTTPS with the rewrite module

A request to http://test.com is answered with a 301 redirect to https://test.com:

server {
    listen 80;
    server_name test.com;
    rewrite ^(.*)$ https://$host$1 permanent;
    # equivalent and cheaper: return 301 https://$host$request_uri;
}

HTTP and HTTPS can also be served from a single server block. Note that this block does not redirect: plain HTTP stays available on port 80 alongside HTTPS. Relative certificate paths, as used here, are resolved against nginx's configuration directory.

server {
    listen 80;
    listen 443 ssl;
    server_name test.com;
    ssl_certificate test.com.crt;
    ssl_certificate_key test.com.key;
}

4. Notes on the SSL-related directives in nginx

The original post recommended enabling SSLv2, SSLv3 and TLSv1 with an RC4-first cipher string, on the grounds that CBC-mode ciphers were vulnerable (the BEAST attack of the time). That advice is obsolete and unsafe: SSLv2 and SSLv3 are broken (POODLE among others), RC4 has exploitable keystream biases and is prohibited for TLS by RFC 7465, and TLS 1.0 and 1.1 are deprecated by RFC 8996. To restrict clients to strong protocol versions and cipher suites, allow only TLS 1.2 and 1.3 with forward-secret ECDHE key exchange and AEAD ciphers (AES-GCM, ChaCha20-Poly1305); the TLSv1.3 parameter requires nginx 1.13.0 or later built against OpenSSL 1.1.1 or later:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;

Configure the session cache. One megabyte of shared cache holds roughly 4,000 sessions; the default session timeout is 5 minutes and can be raised:

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
keepalive_timeout 70; # idle keep-alive connections are closed after 70s
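To make the difference between the post's original section 4 settings and the corrected ones concrete, here is a small audit script that flags the weak directives (SSLv2/SSLv3/TLS 1.0/1.1, RC4 and other weak cipher classes, a missing ssl_protocols line, and the deprecated ssl on) and runs it over two constructed nginx configs: the weak one built from the post's original directives and a hardened equivalent that also includes the section 3 redirect. This is an added example, not code from the original post; it assumes a POSIX shell with grep, sed and wc, and the file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit nginx TLS settings.
set -eu

# audit_nginx_tls FILE: print one finding per weak setting (comments are stripped first)
audit_nginx_tls() {
  cfg=$(sed 's/#.*//' "$1")
  # SSLv2/SSLv3 (POODLE) and TLS 1.0/1.1 (deprecated by RFC 8996).
  # The trailing [ ;] keeps "TLSv1" from matching "TLSv1.2".
  if printf '%s\n' "$cfg" | grep -Eq 'ssl_protocols[^;]*(SSLv2|SSLv3|TLSv1|TLSv1\.1)[ ;]'; then
    echo "weak ssl_protocols: SSLv2/SSLv3/TLSv1/TLSv1.1 enabled"
  fi
  # No ssl_protocols at all: older nginx defaults still included TLSv1 and TLSv1.1
  if ! printf '%s\n' "$cfg" | grep -Eq 'ssl_protocols'; then
    echo "no ssl_protocols directive: relying on the nginx default"
  fi
  # Cipher string positively enables RC4 (prohibited by RFC 7465), LOW/EXPORT/MEDIUM or DES.
  # A leading "!" (as in !EXPORT56) is an exclusion and is deliberately not matched.
  if printf '%s\n' "$cfg" | grep -Eq 'ssl_ciphers[^;]*[ :]\+?(RC4|LOW|EXP|MEDIUM|DES)'; then
    echo "weak ssl_ciphers: RC4/LOW/EXPORT/MEDIUM/DES suites enabled"
  fi
  # "ssl on;" is redundant with "listen 443 ssl" and deprecated since nginx 1.15.0
  if printf '%s\n' "$cfg" | grep -Eq '(^|[[:space:]])ssl[[:space:]]+on[[:space:]]*;'; then
    echo "deprecated 'ssl on;' directive (use 'listen 443 ssl')"
  fi
}

# count_weak_tls FILE: number of findings, 0 means clean
count_weak_tls() {
  audit_nginx_tls "$1" | wc -l | tr -d ' '
}

# Constructed sample: the post's original section 4 directives inside a server block
write_weak_config() {
  cat > "$1" <<'EOF'
server {
    listen 443;
    server_name test.com;
    ssl on;
    ssl_certificate /usr/local/nginx/conf/ssl/test.com.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/test.com.key;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;
}
EOF
}

# Constructed sample: hardened equivalent with the HTTP-to-HTTPS redirect from section 3
write_hardened_config() {
  cat > "$1" <<'EOF'
server {
    listen 80;
    server_name test.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name test.com;
    ssl_certificate /usr/local/nginx/conf/ssl/test.com.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/test.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
}
EOF
}

# Usage against a real install (assumed path): audit_nginx_tls /usr/local/nginx/conf/nginx.conf
```

Run against the weak sample the script reports three findings (protocols, ciphers, ssl on); against the hardened sample it reports none. The checks are text matches on directives, not a TLS handshake, so they catch what the configuration asks for rather than what the linked OpenSSL actually negotiates; an external scan of the live port is the complementary check.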