How to Generate and Configure a Self-Signed TLS/SSL Certificate for Nginx on Ubuntu 16.04
In this article, we will learn how to generate and configure a self-signed SSL/TLS certificate for Nginx on Ubuntu 16.04. TLS (Transport Layer Security), and its predecessor SSL (Secure Sockets Layer), protect ordinary traffic by carrying it in encrypted packets between the server and the client so that it cannot be intercepted by outside intruders. Certificates also help users verify that the identity of the site they are visiting is correct.
A self-signed certificate can be used when we do not have a proper domain name associated with the site or server instance.
Prerequisites
To complete this demonstration, we need the following.
- A non-root user with sudo privileges.
- The Nginx web server already installed.
Install the OpenSSL package on the server
We need the OpenSSL package installed on the server. The command to install it on Ubuntu 16.04 is as follows.
$ sudo apt-get install openssl
Output:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libyaml-0-2 python-crypto python-ecdsa python-jinja2 python-markupsafe python-paramiko python-pkg-resources python-setuptools python-six python-yaml sshpass
Use 'sudo apt autoremove' to remove them.
Suggested packages:
  ca-certificates
The following NEW packages will be installed:
  openssl
0 upgraded, 1 newly installed, 0 to remove and 13 not upgraded.
Need to get 491 kB of archives.
After this operation, 956 kB of additional disk space will be used.
Get:1 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 openssl amd64 1.0.2g-1ubuntu4.1 [491 kB]
Fetched 491 kB in 1s (283 kB/s)
Selecting previously unselected package openssl.
(Reading database ... 92688 files and directories currently installed.)
Preparing to unpack .../openssl_1.0.2g-1ubuntu4.1_amd64.deb ...
Unpacking openssl (1.0.2g-1ubuntu4.1) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up openssl (1.0.2g-1ubuntu4.1) ..
Create the self-signed SSL certificate
SSL works with a combination of a public key and a private key: the private key stays on the server and is used to encrypt the data sent to the clients that access the server, while the public key is shared with the public or clients that request the content and is used to decrypt the data associated with the private key.
The following command creates the self-signed certificate and key pair with OpenSSL.
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-demosite.key -out /etc/ssl/certs/nginx-demosite.crt
Output:
Generating a 2048 bit RSA private key
..........+++
...+++
writing new private key to '/etc/ssl/private/nginx-demosite.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:TELENGANA
Locality Name (eg, city) []:HYDERABAD
Organization Name (eg, company) [Internet Widgits Pty Ltd]:demosite.com
Organizational Unit Name (eg, section) []:demo
Common Name (e.g. server FQDN or YOUR name) []:demosite
Email Address []:admin@demosite.com
Because the above command generates the private key together with the certificate, it asks for some information that will be incorporated into the certificate we are about to generate.
Below is an explanation of the options used in the above command:
- openssl -> The command-line tool used to create the certificates and keys.
- req -> The subcommand for certificate requests and X.509 certificate management; X.509 is the public key infrastructure standard used by SSL/TLS.
- -x509 -> Tells OpenSSL to produce a self-signed certificate instead of a certificate signing request.
- -nodes -> Leaves the private key unencrypted, so Nginx can read the certificate and key without a passphrase or user intervention; without this option OpenSSL asks for a passphrase.
- -days 365 -> Sets the validity of the certificate to one year.
- -newkey rsa:2048 -> Generates a new 2048-bit RSA key together with the certificate.
- -keyout -> Tells OpenSSL where to place the generated private key.
- -out -> Tells OpenSSL where to place the generated certificate file.
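The same generation step, written as an added shell example that is not part of the original article: the Distinguished Name is passed with -subj so the command runs without prompts, and two checks follow that a practitioner usually wants before pointing Nginx at the files, namely that the private key really belongs to the certificate (same RSA modulus) and that the certificate is self-signed and valid for the expected number of days. The file paths are whatever the caller passes (the article uses /etc/ssl/private and /etc/ssl/certs); the subject fields mirror the article's answers; cert_days_left relies on GNU date (-d), as found on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original article): generate the self-signed
# certificate without interactive prompts and verify the result.
# Paths are the caller's choice; the subject mirrors the article's prompts.

# gen_selfsigned KEYFILE CRTFILE [COMMON_NAME] [DAYS]
# -subj supplies the Distinguished Name up front, so OpenSSL asks nothing;
# -nodes leaves the private key unencrypted so Nginx can read it at start-up.
gen_selfsigned() {
    key="$1"; crt="$2"; cn="${3:-demosite}"; days="${4:-365}"
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -subj "/C=IN/ST=TELENGANA/L=HYDERABAD/O=demosite.com/OU=demo/CN=$cn" \
        -keyout "$key" -out "$crt" >/dev/null 2>&1 || return 1
    chmod 600 "$key"   # the private key must not be world-readable
}

# keypair_matches KEYFILE CRTFILE
# Succeeds only when the certificate carries the public half of this private
# key (identical "Modulus=..." line). Catches a key/cert mix-up before Nginx does.
keypair_matches() {
    k=$(openssl rsa  -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_is_selfsigned CRTFILE: subject and issuer are the same DN.
cert_is_selfsigned() {
    s=$(openssl x509 -noout -subject -in "$1" 2>/dev/null | sed 's/^subject=//')
    i=$(openssl x509 -noout -issuer  -in "$1" 2>/dev/null | sed 's/^issuer=//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# cert_days_left CRTFILE: whole days until the notAfter date (GNU date).
cert_days_left() {
    end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

# Usage: sh selfsigned-check.sh demo   (writes into a temporary directory)
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    gen_selfsigned "$d/nginx-demosite.key" "$d/nginx-demosite.crt" demosite 365
    keypair_matches "$d/nginx-demosite.key" "$d/nginx-demosite.crt" && echo "key and certificate match"
    cert_is_selfsigned "$d/nginx-demosite.crt" && echo "certificate is self-signed"
    echo "days until expiry: $(cert_days_left "$d/nginx-demosite.crt")"
    rm -rf "$d"
fi
```

One caveat on the subject: a certificate that names the host only in the Common Name, as the article's does, is accepted by Nginx but current browsers also expect the name in a subjectAltName extension; with the OpenSSL 1.0.2 shipped on Ubuntu 16.04 that requires an extension config file rather than a command-line flag, which is why this example stays with the article's CN-only form.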
After generating the SSL key, we will strengthen the SSL setup with a Diffie-Hellman group.
The following command generates the Diffie-Hellman group used to strengthen the SSL configuration.
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
Output:
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.................................................+.+...............+.......................................
........................+.......................................................................+..........
....
Configure Nginx with the self-signed SSL certificate
Since all the certificates and keys have been generated and stored under the /etc/ssl directory, we need to modify the Nginx configuration files to use these generated files.
A few settings need to change, and we will adjust them in the configuration files below.
Snippet containing the SSL certificate and key files
$ sudo vi /etc/nginx/snippets/self-signed.conf
Output:
ssl_certificate /etc/ssl/certs/nginx-demosite.crt;
ssl_certificate_key /etc/ssl/private/nginx-demosite.key;
This snippet contains strong SSL settings that can be used globally with any certificate in later configurations.
$ sudo vi /etc/nginx/snippets/ssl-params.conf
Output:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
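The snippet above still enables TLSv1 and TLSv1.1, which were current when the article was written but have since been formally deprecated (RFC 8996). As an added shell example, not part of the original article, the function below audits an ssl-params snippet for that and for three other settings a reviewer would look for (ssl_prefer_server_ciphers, ssl_dhparam, and the Strict-Transport-Security header), printing one finding per line and returning the number of findings. The two sample files it writes are constructed for the demonstration: one carries the article's protocol line, the other is the hardened form that keeps only TLSv1.2, which the Nginx and OpenSSL shipped on Ubuntu 16.04 support; the file paths are the caller's choice.

```shell
#!/bin/sh
# Added example (not from the original article): audit an Nginx ssl-params
# snippet for weak or missing settings. File paths are the caller's choice.

# audit_ssl_params FILE
# Prints one finding per line; the return value is the number of findings
# (0 means nothing was flagged).
audit_ssl_params() {
    f="$1"; n=0
    # Protocol list from the (uncommented) ssl_protocols directive.
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$f")
    for old in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        # Pad with spaces so "TLSv1" does not also match "TLSv1.2".
        if echo " $protos " | grep -q " $old "; then
            echo "weak protocol enabled: $old"
            n=$((n + 1))
        fi
    done
    grep -Eq '^[[:space:]]*ssl_prefer_server_ciphers[[:space:]]+on' "$f" ||
        { echo "ssl_prefer_server_ciphers is not on"; n=$((n + 1)); }
    grep -Eq '^[[:space:]]*ssl_dhparam[[:space:]]' "$f" ||
        { echo "ssl_dhparam not set"; n=$((n + 1)); }
    grep -Eq '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' "$f" ||
        { echo "no Strict-Transport-Security header"; n=$((n + 1)); }
    return "$n"
}

# write_samples DIR: constructed sample snippets for the demonstration.
# weak.conf carries the article's protocol line; hardened.conf keeps TLSv1.2 only.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_dhparam /etc/ssl/certs/dhparam.pem;
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
EOF
    cat > "$1/hardened.conf" <<'EOF'
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_dhparam /etc/ssl/certs/dhparam.pem;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
EOF
}

# Usage: sh ssl-params-audit.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_samples "$d"
    for f in weak hardened; do
        echo "== $f.conf"
        audit_ssl_params "$d/$f.conf" && echo "no findings" || echo "findings: $?"
    done
    rm -rf "$d"
fi
```

Run it against the real snippet with `audit_ssl_params /etc/nginx/snippets/ssl-params.conf` after editing; the protocol check is the one that matters most here, since dropping TLSv1 and TLSv1.1 from ssl_protocols is a one-line change that Nginx on Ubuntu 16.04 accepts without any other adjustment.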
Adjust the Nginx server block to handle SSL requests
Now that all the snippets are ready, we will enable SSL in the Nginx configuration file.
$ sudo vi /etc/nginx/sites-available/default-ssl
Output:
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name ip_address_or_domain_name;   # replace with the server's IP address or domain name
    include snippets/self-signed.conf;
    include snippets/ssl-params.conf;
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
}
Apply the Nginx changes on the server
Since we have changed the Nginx configuration and added the snippets, we will now test the Nginx configuration file.
The following command checks Nginx for syntax errors.
$ sudo nginx -t
Output:
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
All the Nginx configuration appears to be correct; the ssl_stapling warning is expected with a self-signed certificate, because OCSP stapling needs an issuer certificate to query and Nginx simply ignores the directive. We now restart Nginx so that the configuration is applied on the server.
$ sudo systemctl restart nginx
Configure the firewall to allow SSL
The following command checks the firewall status.
$ sudo ufw status
Output:
Status: active

To                         Action      From
--                         ------      ----
Nginx HTTP                 ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
OpenSSH (v6)               ALLOW       Anywhere (v6)
First, we list all the application profiles the firewall provides. The following command lists the application profiles.
$ sudo ufw app list
Output:
Available applications:
  Nginx Full
  Nginx HTTP
  Nginx HTTPS
  OpenSSH
Since the "Nginx Full" profile is not allowed, we will allow "Nginx Full", delete "Nginx HTTP" from the firewall, and then check the firewall status after allowing the "Nginx Full" profile.
$ sudo ufw allow 'Nginx Full'
Rule added
Rule added (v6)
$ sudo ufw delete allow 'Nginx HTTP'
Rule deleted
Rule deleted (v6)
$ sudo ufw status
Output:
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
Test the Nginx configuration with encryption
Open any browser and try to access the server over https://IP-Address using the system's IP address.
https://ip-address-or-dns-name
Once we access the site, we will see a warning message stating that the certificate is not valid because it is self-signed.

Since the certificate is self-signed rather than signed by a trusted authority, we need to click "Advanced" to continue.

Click "Proceed (unsafe)" to access the site.
With this setup, we can create our own self-signed SSL/TLS certificate and configure Nginx to use the SSL configuration; we can also use strong encryption so that clients connect securely and requests are served securely, which prevents intruders from accessing the data.