
SSL certificate configuration for nginx

1. Using openssl to set up a certificate authority

Because openssl is used here to set up a private certificate authority, make sure that the following fields are identical in the CA certificate, the server certificate and the client certificate:

country name
 state or province name
 locality name
 organization name
 organizational unit name

Edit the certificate authority configuration file (section names and keys are case-sensitive, so keep them exactly as shown)

vim /etc/pki/tls/openssl.cnf
[ CA_default ]
 dir = /etc/pki/CA
 certs = $dir/certs # where the issued certs are kept
 crl_dir = $dir/crl # where the issued crl are kept
 database = $dir/index.txt # database index file
 #unique_subject = no # set to "no" to allow creation of
 # several certificates with same subject
 new_certs_dir = $dir/newcerts # default place for new certs
 certificate = $dir/cacert.pem # the CA certificate
 serial = $dir/serial # the current serial number
 crlnumber = $dir/crlnumber # the current crl number; must be commented out to leave a V1 CRL
 crl = $dir/crl.pem # the current CRL
 private_key = $dir/private/cakey.pem # the private key
 RANDFILE = $dir/private/.rand # private random number file
[ req_distinguished_name ]
 countryName = Country Name (2 letter code)
 countryName_default = CN
 countryName_min = 2
 countryName_max = 2
 stateOrProvinceName = State or Province Name (full name)
 stateOrProvinceName_default = fj
 localityName = Locality Name (eg, city)
 localityName_default = fz
 0.organizationName = Organization Name (eg, company)
 0.organizationName_default = zdz
 organizationalUnitName = Organizational Unit Name (eg, section)
 organizationalUnitName_default = zdz

Create the CA private key

cd /etc/pki/CA/private
(umask 077; openssl genrsa -out cakey.pem 2048)

Generate the self-signed CA certificate

cd /etc/pki/CA/
 openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655

2. Create a server certificate

mkdir /usr/local/nginx/ssl
 cd /usr/local/nginx/ssl
(umask 077; openssl genrsa -out nginx.key 1024)
openssl req -new -key nginx.key -out nginx.csr
 openssl ca -in nginx.csr -out nginx.crt -days 3650

3. Create a client browser certificate

(umask 077; openssl genrsa -out client.key 1024)
openssl req -new -key client.key -out client.csr
 openssl ca -in client.csr -out client.crt -days 3650

Convert the PEM certificate and key into a PKCS#12 file that can be imported into a browser

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
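The whole of steps 1 to 3 as one non-interactive script, added here as an example; it is not the post's own commands. It assumes openssl is on PATH, that CA_DIR and NGINX_SSL_DIR default to the post's paths, that DN_BASE carries the post's sample field values, and that CLIENT_P12_PASS is a placeholder. It also creates the index.txt and serial files that openssl ca needs but the post never mentions, writes a policy section so the CA rejects a CSR whose C/ST/L/O/OU differ from the CA's, and checks each issued certificate against the CA before it is handed to nginx.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumptions: openssl on PATH,
# CA_DIR / NGINX_SSL_DIR default to the post's paths, DN_BASE holds the post's
# sample values, CLIENT_P12_PASS is a placeholder.
set -eu

DN_BASE="/C=CN/ST=fj/L=fz/O=zdz/OU=zdz"          # identical on CA, server and client
CLIENT_P12_PASS="${CLIENT_P12_PASS:-changeit}"   # placeholder, not a real secret

# Minimal openssl.cnf: the [CA_default] section the post edits plus a policy that
# makes 'openssl ca' refuse a CSR whose C/ST/L/O/OU differ from the CA's.
write_ca_config() {
    cat <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $1
certs           = \$dir/certs
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 3650
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = match
organizationName       = match
organizationalUnitName = match
commonName             = supplied
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
EOF
}

# Directory layout plus the index/serial files 'openssl ca' refuses to run without.
ca_setup() {
    dir="$1"
    mkdir -p "$dir/certs" "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"
    [ -f "$dir/index.txt" ] || : > "$dir/index.txt"
    [ -f "$dir/serial" ]    || echo 01 > "$dir/serial"
    write_ca_config "$dir" > "$dir/openssl.cnf"
}

# CA key and self-signed CA certificate (the post's 'req -new -x509 ... -days 3655').
ca_create() {
    dir="$1"
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$dir/openssl.cnf" -key "$dir/private/cakey.pem" \
        -subj "$DN_BASE/CN=private-ca" -days 3655 -out "$dir/cacert.pem"
}

# Key, CSR and CA-signed certificate for one name. 2048-bit keys rather than the
# post's 1024: 1024-bit RSA is below what current browsers accept.
issue_cert() {
    dir="$1"; out="$2"; name="$3"; cn="$4"
    (umask 077; openssl genrsa -out "$out/$name.key" 2048 2>/dev/null)
    openssl req -new -config "$dir/openssl.cnf" -key "$out/$name.key" \
        -subj "$DN_BASE/CN=$cn" -out "$out/$name.csr"
    openssl ca -batch -notext -config "$dir/openssl.cnf" -days 3650 \
        -in "$out/$name.csr" -out "$out/$name.crt"
}

# Exit status 0 only if the certificate chains to the CA: run this before
# pointing nginx at the files.
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1
}

# PKCS#12 bundle of client.crt + client.key for browser import (the post's last step).
bundle_client() {
    openssl pkcs12 -export -clcerts -in "$1/client.crt" -inkey "$1/client.key" \
        -passout "pass:$CLIENT_P12_PASS" -out "$1/client.p12"
}

main() {
    ca="${CA_DIR:-/etc/pki/CA}"; ssl="${NGINX_SSL_DIR:-/usr/local/nginx/ssl}"
    mkdir -p "$ssl"
    ca_setup "$ca"
    ca_create "$ca"
    issue_cert "$ca" "$ssl" nginx  www.example.com   # CN = the site's host name (assumed)
    issue_cert "$ca" "$ssl" client browser-user
    verify_cert "$ca" "$ssl/nginx.crt" && verify_cert "$ca" "$ssl/client.crt"
    bundle_client "$ssl"
    cp "$ca/cacert.pem" "$ssl/"     # the ssl_client_certificate file for nginx
}

# End-to-end run with the default paths (as root): sh make-certs.sh run
case "${1:-}" in run) main ;; esac
```

The policy section is what enforces the "same fields" requirement from step 1: if a CSR arrives with a different ST or OU, openssl ca rejects it instead of silently issuing a certificate the browser will later refuse. Set CA_DIR and NGINX_SSL_DIR to temporary directories to try the script without touching /etc/pki.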

4. Configure nginx server authentication

vim /usr/local/nginx/conf/nginx.conf
ssl on;
 ssl_certificate /usr/local/nginx/ssl/nginx.crt;
 ssl_certificate_key /usr/local/nginx/ssl/nginx.key;
 ssl_client_certificate /usr/local/nginx/ssl/cacert.pem;
 ssl_session_timeout 5m;
 #ssl_verify_client on; # the server verifies the client; left off for now so that clients without a certificate can still connect, and one-way authentication is completed first
 ssl_protocols SSLv2 SSLv3 TLSv1;

SSL reverse proxy

1. Modify the nginx.conf configuration

server {
  listen 443 ssl;
  ssl_prefer_server_ciphers on;
  keepalive_timeout 60;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  location / {
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
    proxy_set_header Accept-Encoding "";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    add_header Front-End-Https on;
    proxy_redirect off;
  }
}
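The two nginx fragments above combined into one server block, added here as an example (not the post's own configuration). It turns on the client-certificate check that section 4 leaves commented out, and it replaces the post's SSLv2/SSLv3/TLSv1 list, which current nginx builds no longer support, with TLS 1.2 and 1.3. The upstream name "backend" and its address, the server_name and the extra X-SSL-Client-* headers are assumptions; the post's own location block has no proxy_pass, so nothing would be proxied without one.

```nginx
# Added example, not the post's config. Assumed: the "backend" upstream and its
# address, the server_name, and the X-SSL-Client-* header names.
upstream backend {
    server 127.0.0.1:8080;                 # assumption: the proxied application
}

server {
    listen 443 ssl;                        # replaces the deprecated "ssl on;"
    server_name www.example.com;           # assumption

    ssl_certificate        /usr/local/nginx/ssl/nginx.crt;
    ssl_certificate_key    /usr/local/nginx/ssl/nginx.key;

    # Mutual TLS: the browser certificate must chain to the private CA.
    ssl_client_certificate /usr/local/nginx/ssl/cacert.pem;
    ssl_verify_client      on;
    ssl_verify_depth       1;

    # SSLv2/SSLv3 are broken and removed from current nginx; TLSv1.3 needs OpenSSL 1.1.1+.
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache         shared:SSL:10m;
    ssl_session_timeout       10m;
    keepalive_timeout         60;

    location / {
        proxy_pass http://backend;         # missing from the post's location block
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Hand the verified client identity to the application (nginx built-in
        # variables), so the application does not have to trust a client-set header.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-DN     $ssl_client_s_dn;
        proxy_redirect off;
    }
}
```

With ssl_verify_client on, a browser without a certificate issued by the private CA gets a TLS handshake failure or an HTTP 400 rather than the application; check the config with nginx -t before reloading, as in the next step.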

2. Restart the service

# /usr/local/nginx/sbin/nginx -t
# /usr/local/nginx/sbin/nginx -s reload