Build an HTTPS + Nginx server: install Nginx, use OpenSSL to generate a self-signed certificate, and configure it in Nginx.
First: installation environment

1. Install OpenSSL (SSL support): https://www.openssl.org/source/openssl-1.0.1s.tar.gz
2. Install pcre (supports the rewrite redirection function): http://120.52.73.44/nchc.dl.sourceforge.net/project/pcre/pcre/8.38/pcre-8.38.zip
3. Install zlib (for unzipping, because the pcre I downloaded is a zip file)
4. Install Nginx: http://nginx.org/download/nginx-1.9.15.tar.gz
How to install the software above (some of it can be installed directly via yum):

1. Search on the Internet and download the package to the Linux server: wget http://xxxx.tar.gz
2. Unpack the downloaded package: tar -zxf xxx.tar.gz
3. Enter the unpacked folder: cd xxx
4. Configure the software to be installed (--prefix is the installation path): ./configure --prefix=/usr/local/xxx
5. Compile the source code: make
6. Install: make install

Description: the configure command for the Nginx installation is
./configure --prefix=/usr/local/nginx-1.5.1 --with-http_ssl_module --with-http_spdy_module --with-http_stub_status_module --with-pcre=/opt/soft/pcre-8.38 --with-openssl=/opt/soft/openssl-1.0.1s
Nginx depends on the software installed earlier, so each dependency is added with a --with option followed by the directory of that dependency's source tree.
The following problems were encountered during installation:

1. Problems when installing zlib
(1) Unpacking reported an error when using the command tar -zxvf zlib:
[root@<host> zlib-1.2.8]# tar -zxvf zlib
tar (child): zlib: Cannot open: No such file or directory
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error is not recoverable: exiting now
Workaround: unpack with the command tar -xf filename.tar.gz

2. Problems when installing Nginx
At this point the configure command was:
./configure --prefix=/usr/local/nginx-1.5.1 --with-http_ssl_module --with-http_spdy_module --with-http_stub_status_module --with-pcre=/usr/local/pcre --with-openssl=/usr/local/ssl

Problem one:
cd /usr/local/pcre/ \
&& if [ -f Makefile ]; then make distclean; fi \
&& CC="gcc" CFLAGS="-O2 -fomit-frame-pointer -pipe" \
./configure --disable-shared
/bin/sh: line 2: ./configure: No such file or directory
make[1]: *** [/usr/local/pcre/Makefile] Error 127
make[1]: Leaving directory `/usr/local/src/nginx-0.8.54'
make: *** [build] Error 2
Workaround: change the --with-pcre= path to the directory where the pcre source was unpacked. The --with-pcre and --with-openssl options expect the source tree of the dependency, not the prefix it was installed into, which is why /usr/local/pcre contains no ./configure script.

Problem two: similar to problem one, and it appears once the first one is fixed:
cd /usr/local/ssl \
&& if [ -f Makefile ]; then make clean; fi \
&& ./config --prefix=/usr/local/ssl/.openssl no-shared no-threads \
&& make \
&& make install LIBDIR=lib
/bin/sh: line 2: ./config: No such file or directory
make[1]: *** [/usr/local/ssl/.openssl/include/openssl/ssl.h] Error 127
make[1]: Leaving directory `/opt/soft/nginx-1.6.3'
make: *** [build] Error 2
Change the configured --with-openssl path to the directory where the OpenSSL source was downloaded and unpacked, so the final configure command is:
./configure --prefix=/usr/local/nginx-1.5.1 --with-http_ssl_module --with-http_spdy_module --with-http_stub_status_module --with-pcre=/opt/soft/pcre-8.38 --with-openssl=/opt/soft/openssl-1.0.1s
For the installation see this blog post: http://www.cnblogs.com/skynet/p/4146083.html
Second: generate two-way certificates

See the blog post http://www.ttlsa.com/nginx/nginx-configuration-ssl/ for generating a private certificate with OpenSSL. Make sure the following fields are the same in the certificate authority (CA), the server certificate and the client certificate:

Field                     Meaning          Value used here
Country Name              CA country name  CN
State or Province Name    CA province      BJ
Locality Name             CA city          BJ
Organization Name         CA's name
Organizational Unit Name  CA department    Zhuanzhuan
Common Name                                QA
Email Address

The steps are as follows:

1. Edit the CA configuration file: vi /etc/pki/tls/openssl.cnf

2. Create the CA private key cakey.pem:
cd /etc/pki/CA/private
umask 077; openssl genrsa -out cakey.pem 2048

3. Generate the self-signed CA certificate cacert.pem:
cd /etc/pki/CA/
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655

4. Create the server certificate:
mkdir /usr/local/nginx/ssl
cd /usr/local/nginx/ssl
umask 007; openssl genrsa -out nginx.key 1024
openssl req -new -key nginx.key -out nginx.csr
openssl ca -in nginx.csr -out nginx.crt -days 3650
Description:
(1) nginx.key is the generated private key file.
(2) nginx.csr is the certificate signing request generated from the newly created private key.
(3) Submitting the request to the certificate authority (CA) produces the certificate file nginx.crt.

5. Create the client (browser) certificate:
umask 007; openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.crt -days 3650
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
Description: the basic steps are the same as for the server certificate, plus a last step that converts the text-format certificate into client.p12, which can be imported into the browser.

6. Configure server authentication in Nginx:
vi /usr/local/nginx-1.5.1/conf/nginx.conf
ssl on;
ssl_certificate /usr/local/nginx/ssl/nginx.crt;
ssl_certificate_key /usr/local/nginx/ssl/nginx.key;
ssl_client_certificate /usr/local/nginx/ssl/cacert.pem;
ssl_session_timeout 5m;
#ssl_verify_client on;   # makes the server verify the client; left off for now so clients without a certificate can still connect, completing one-way authentication first
ssl_protocols SSLv2 SSLv3 TLSv1;
Description: these lines change the server{} block that listens on port 443 in nginx.conf; the default port for HTTPS is 443.
Problems encountered during configuration:

1. When generating the client certificate, files are reported as not found.
File 1:
[root@<host> ssl]# openssl ca -in client.csr -out client.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
140196223215432:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/index.txt','r')
140196223215432:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
Workaround: create the file by hand:
cd /etc/pki/CA/
touch index.txt

File 2:
[root@<host> ssl]# openssl ca -in client.csr -out client.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140284298094408:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/serial','r')
140284298094408:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
The fix is the same as above: create it by hand.
touch serial
echo "xx" > serial
Note: be sure to redirect 00 into the serial file, otherwise the following error is reported:
[root@<host> ssl]# openssl ca -in client.csr -out client.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
unable to load number from /etc/pki/CA/serial
error while loading serial number
140584495503176:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:
Thanks to this article for helping me fix it: http://ju.outofmemory.cn/entry/98015
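The certificate steps of the second section and the index.txt/serial problems just described, as one added example that is not part of the original post: a script that builds a private CA in a temporary directory of its own (instead of /etc/pki/CA), pre-creates the two files openssl ca needs, pins the DN fields that the policy requires to agree across CA, server and client, signs a server and a client certificate, exports client.p12, verifies both against the CA, and prints the nginx server block with ssl_verify_client on. It assumes the openssl command-line tool is on PATH; the organization "Example Org", the host name nginx.example.test, the CA name "Demo Root CA" and the PKCS#12 password are constructed placeholders. It goes beyond the post in two ways: it uses 2048-bit keys and TLSv1.2 rather than 1024-bit keys and SSLv2/SSLv3, and it restricts each leaf certificate to a single role with extendedKeyUsage.

```shell
#!/bin/sh
# Added example, not the original post's commands: a private CA that signs one
# server and one client certificate entirely under a temporary directory (not
# /etc/pki/CA), pre-creating the index.txt and serial files the post had to add
# by hand. Assumes the openssl CLI is on PATH; every name below is constructed.

# Create the CA under directory $1 and issue the server and client certificates.
make_pki() {
  dir=$1
  mkdir -p "$dir/private" "$dir/newcerts"
  : > "$dir/index.txt"      # CA database; openssl ca fails when it is missing
  echo 01 > "$dir/serial"   # next serial number; an empty file gives "short line"
  # Minimal openssl.cnf; $dir is expanded by the shell, so all paths are absolute.
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $dir
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
default_md = sha256
policy = policy_match
# C, ST, L and O of every request must equal the CA's values: this is why the
# post insists that those fields agree across the CA, server and client.
[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:nginx.example.test
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
  base="/C=CN/ST=BJ/L=BJ/O=Example Org/OU=Zhuanzhuan"   # O is a constructed placeholder
  # 1. CA key and self-signed CA certificate; cacert.pem is what ssl_client_certificate points to
  openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 3650 -config "$dir/openssl.cnf" -extensions v3_ca \
    -key "$dir/private/cakey.pem" -subj "$base/CN=Demo Root CA" -out "$dir/cacert.pem"
  # 2. Server key, CSR and CA-signed certificate for nginx
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" -keyout "$dir/nginx.key" \
    -subj "$base/CN=nginx.example.test" -out "$dir/nginx.csr" 2>/dev/null
  openssl ca -batch -config "$dir/openssl.cnf" -extensions server_cert \
    -in "$dir/nginx.csr" -out "$dir/nginx.crt" >/dev/null 2>&1
  # 3. Client key, CSR, certificate and the PKCS#12 bundle the browser imports
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" -keyout "$dir/client.key" \
    -subj "$base/CN=QA" -out "$dir/client.csr" 2>/dev/null
  openssl ca -batch -config "$dir/openssl.cnf" -extensions client_cert \
    -in "$dir/client.csr" -out "$dir/client.crt" >/dev/null 2>&1
  openssl pkcs12 -export -clcerts -in "$dir/client.crt" -inkey "$dir/client.key" \
    -out "$dir/client.p12" -passout pass:changeit
}

# Exit 0 when certificate $2 chains to the CA in $1 and fits purpose $3 (sslserver or
# sslclient); the purpose check is the same one OpenSSL applies when nginx verifies a client.
verify_cert() {
  openssl verify -CAfile "$1/cacert.pem" -purpose "$3" "$2" >/dev/null 2>&1
}

# Print the nginx server block that enforces client certificates (mutual TLS).
nginx_mtls_conf() {
  cat <<EOF
server {
    listen 443 ssl;                        # replaces the deprecated "ssl on;"
    server_name nginx.example.test;
    ssl_certificate        $1/nginx.crt;
    ssl_certificate_key    $1/nginx.key;
    ssl_client_certificate $1/cacert.pem;  # the CA that issued the client certificates
    ssl_verify_client on;                  # a handshake without a valid client cert gets HTTP 400
    ssl_protocols TLSv1.2;                 # the post's SSLv2/SSLv3 are no longer acceptable
    ssl_session_timeout 5m;
}
EOF
}

pki=$(mktemp -d)
make_pki "$pki"
verify_cert "$pki" "$pki/nginx.crt" sslserver && echo "server certificate OK"
verify_cert "$pki" "$pki/client.crt" sslclient && echo "client certificate OK"
nginx_mtls_conf "$pki"
```

Running the script prints the two OK lines and the server block; because each leaf carries a single extendedKeyUsage, verifying nginx.crt with -purpose sslclient fails, so a stolen server certificate cannot be presented as a client identity. With that block in nginx.conf, a client that presents no certificate, or one issued by a different CA, is rejected during the handshake and never reaches the application. From the command line the server can be checked with openssl s_client -connect host:443 -CAfile cacert.pem -cert client.crt -key client.key, and the index.txt file in the CA directory records every certificate issued, which is the record to consult if a client key is ever lost.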
Third: test the configured Nginx

The following directories are found under the Nginx root directory:
conf: configuration files
html: the default root directory served (configured in ./conf/nginx.conf as root html)
sbin: location of the nginx binary; ./nginx starts Nginx and ./nginx -s reload restarts it
Enter sbin and start Nginx, then open https://192.168.125.218 in a browser (the IP address of the machine where Nginx is installed). Seeing the page, which is actually the contents of ./html/index.html, means the setup succeeded.
Note: if the Nginx configuration file is changed, Nginx must be reloaded for the new configuration to take effect: nginx -s reload