
Creating and Deploying a Self-Signed SSL Certificate on Nginx

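Published: 2017-10-14 09:48:24  Source: linux website  Author: qq_32144255
A self-signed SSL certificate is an SSL certificate that has not been certified by an authoritative third party, and it is often used for testing https connections. When users visit a site that uses such a certificate, they are usually warned that "this website's SSL certificate has not been verified!". Using CloudFlare's CDN acceleration can solve this problem. CloudFlare caches your site's content on its globally distributed CDN nodes, and when a user visits your site, CloudFlare sends the cached content to the user's browser over https. The SSL certificate used at that point is CloudFlare's own, which is certified by an authoritative third party. When CloudFlare fetches your site's content, it does not verify whether your site's SSL certificate has been certified by an authoritative third party. This is a good option for people who are not especially familiar with SSL certificates and only want to experiment.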
 
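Creating the self-signed SSL certificate
Creating a self-signed SSL certificate requires openssl, which can be installed and used on Windows, Mac OS X, and Linux. Linux is used as the example here; openssl is generally installed by default on the major Linux distributions.
First, confirm that openssl is installed on the system: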
which openssl
If openssl is already installed, this command prints the path of the openssl command. If it reports that openssl is not installed, install it with the system's package manager. On Ubuntu:
sudo apt-get install openssl
 
Next, generate an RSA key file named "ssl.key":
openssl genrsa -des3 -passout pass:x -out ssl.pass.key 2048
openssl rsa -passin pass:x -in ssl.pass.key -out ssl.key
After running these two commands, the current directory should contain two new files: ssl.pass.key and ssl.key. ssl.pass.key is an intermediate file produced in order to generate ssl.key; it is no longer needed and can be deleted:
rm ssl.pass.key
 
Then use the generated ssl.key file to produce the ssl.csr file:
openssl req -new -key ssl.key -out ssl.csr
Ö´ÐдËÐÐÃüÁî»áÌáʾÊäÈëÃÜÂ룬°´»Ø³µ¼´¿É£¬ÒòΪǰÃæÎÒÃÇÔÚÉú³É ssl.key ʱѡÔñÁËÃÜÂëÁô¿Õ¡£
 
Finally, use the ssl.key and ssl.csr files generated above to produce the ssl.crt file, which is the self-signed SSL certificate:
openssl x509 -req -days 365 -in ssl.csr -signkey ssl.key -out ssl.crt
After this step we have a self-signed SSL certificate file, ssl.crt, valid for 365 days. The ssl.csr file is no longer needed either and can be deleted:
rm ssl.csr
 
Deploying the self-signed SSL certificate to Nginx
Here we again assume that the Nginx server runs on Linux. Create an ssl folder under /etc/nginx to hold the SSL certificate files:
sudo mkdir /etc/nginx/ssl
Upload the locally generated ssl.key and ssl.crt files to the /etc/nginx/ssl directory over FTP, SFTP, or a similar protocol (the certificate generation in the previous step can also be done directly on the server running Nginx, which removes the need to upload from the local machine). Then edit the configuration file of the corresponding site in Nginx as follows:
server {
    listen 80;
    server_name your_domain;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl spdy;
    server_name your_domain;
    ssl_certificate /etc/nginx/ssl/ssl.crt;
    ssl_certificate_key /etc/nginx/ssl/ssl.key;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 60m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # other configuration
}
The fourth line, return 301 https://$server_name$request_uri;, automatically redirects all http links pointing to the site to https links, which avoids 404 errors.
 
After editing the configuration file, restart the Nginx service:
service nginx restart
At this point, accessing your site directly over https produces a "website certificate is not trusted" error. Don't forget to enable CloudFlare's CDN service and turn on the SSL feature in the CloudFlare dashboard.
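
As an added example (not part of the original article), the shell functions below check the ssl.key and ssl.crt files produced above before Nginx is restarted: that the certificate matches the key, that the passphrase-less key is not accessible to other users, and that the certificate is not about to expire. The function names and the demo CN are assumptions, and the sample pair is generated directly without the intermediate ssl.pass.key file.

```shell
#!/bin/sh
# Added example: checks to run on ssl.key / ssl.crt before restarting Nginx.
# Function names and the demo CN are assumptions, not from the article.

# True if the certificate carries the public key derived from the private key.
pair_matches() {
    kp=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cp=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kp" ] && [ "$kp" = "$cp" ]
}

# True if the key file grants nothing to group or others. ssl.key has no
# passphrase, so file permissions are its only protection on disk.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True if the certificate stays valid for at least $2 more days.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run every check, report each failure, return non-zero if any failed.
check_pair() {
    rc=0
    pair_matches "$1" "$2" || { echo "FAIL: $2 does not match $1"; rc=1; }
    key_is_private "$1"    || { echo "FAIL: $1 is accessible to group/others"; rc=1; }
    valid_for_days "$2" 30 || { echo "FAIL: $2 expires within 30 days"; rc=1; }
    return $rc
}

# Constructed sample input: a throwaway pair built with the article's
# req/x509 commands (-subj answers the CSR prompts; the CN is a placeholder).
make_demo_pair() {
    ( cd "$1" && umask 077 &&
      openssl genrsa -out ssl.key 2048 2>/dev/null &&
      openssl req -new -key ssl.key -subj "/CN=demo.invalid" -out ssl.csr 2>/dev/null &&
      openssl x509 -req -days 365 -in ssl.csr -signkey ssl.key -out ssl.crt 2>/dev/null &&
      rm ssl.csr )
}
```

With the functions loaded, `check_pair /etc/nginx/ssl/ssl.key /etc/nginx/ssl/ssl.crt` returns non-zero and names the failed check if the pair should be fixed before the restart.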
 
Permanent address of this article: http://www.linuxdiyf.com/linux/32789.html