As part of the Linux knowledge an operations engineer needs: a Web service, especially one exposed on the Internet, is an easy target, so the minimum security baseline is to configure the Web service with SSL/TLS. Today we introduce issuing and configuring SSL for Nginx on CentOS 7 through a Windows CA. In a production environment you would normally apply for a certificate from a third-party certification authority such as WoSign; here we use the internal Windows CA service to issue a certificate for Nginx. You could also use an Nginx self-signed certificate, but then every visit triggers a browser warning. The details are below:
After preparing the operating system and installing Nginx, configure the following:
3. Add a firewall rule: firewall-cmd --zone=public --add-port=80/tcp --permanent (then firewall-cmd --reload; open 443/tcp the same way before testing HTTPS from another host)
Edit the default test page:
vim /usr/share/nginx/html/index.html
Then start the Nginx service:
systemctl start nginx
Then generate the private key:
cd /etc/pki/tls
openssl genrsa -out server.key 2048
server.key is the private key; keep it readable by root only (chmod 600 server.key).
Use the private key server.key to generate the certificate request file (CSR):
openssl req -new -key server.key -out server.csr
server.csr is the certificate request file. The prompts ask for: the domain name, also called the Common Name (for a special-purpose certificate this is not necessarily a domain name): nginx.ixmsoft.com; the organization or company name (Organization): Ixmsoft; the department (Organizational Unit): may be left blank; City: Beijing; State/Province: Beijing; Country: CN. The key strength was fixed by the genrsa step above: 2048-bit, or 4096-bit if your machine is powerful enough. For a wildcard certificate, enter *.ixmsoft.com as the Common Name. Note that current browsers ignore the Common Name and require the host name in a subjectAltName extension, so a CSR generated with only these prompts may produce a certificate that browsers still reject.
Open the CSR file we just generated and check its contents.
At this point we have the CSR file, which we use to request a certificate from the internal Windows CA server through its web enrollment page.
Choose "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file".
Then paste the contents of the CSR file, select the Web Server certificate template and submit.
Be sure to download the certificate in Base 64 encoded form; if you download the DER encoded form, Nginx will fail to load the certificate when it starts, because it only reads PEM files.
Certificate download complete.
Upload the certificate to the Nginx server, 192.168.5.20.
Copy the certificate to the certificate directory:
cp certnew.cer /etc/pki/tls
ls
To keep the certificate files together, create an ssl directory under the Nginx directory dedicated to storing them:
cd /etc/nginx
mkdir ssl
Then copy the three files we just produced into this directory (only server.key and certnew.cer are needed by Nginx; the CSR is kept for reference):
cp /etc/pki/tls/server.key /etc/pki/tls/server.csr /etc/pki/tls/certnew.cer /etc/nginx/ssl/
Rename the issued certificate so its role is obvious from the file name:
mv certnew.cer web.pem
If the issuing CA is a subordinate CA, append the subordinate CA's certificate after the server certificate in web.pem so that clients receive the full chain.
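As an added example (not code from the original post), the following shell script does the key and CSR steps above non-interactively with the same DN values, adds a subjectAltName for the host name (current browsers require it; a Windows CA template whose subject is supplied in the request, as the Web Server template's is, should carry it into the issued certificate, so check the result), and provides the checks a practitioner runs on the file the CA returns: that it is PEM rather than DER, conversion if it is not, and that the certificate's public key matches server.key. The function names, the csr.cnf file and the RUN_EXAMPLE switch are this example's own assumptions; openssl must be in PATH.

```shell
#!/bin/sh
# Added example, not from the original post: non-interactive key + CSR generation
# (with a DNS subjectAltName) and the checks to run on the certificate the CA returns.
# Assumptions: openssl in PATH; DN values and host name are the ones used in the post.
set -eu

# gen_csr DIR FQDN -> writes DIR/server.key (owner-only readable) and DIR/server.csr
gen_csr() {
    dir=$1
    fqdn=$2
    # umask 077 in a subshell so the private key is never world-readable, even briefly
    ( umask 077 && openssl genrsa -out "$dir/server.key" 2048 2>/dev/null )
    # csr.cnf is a constructed request config replacing the interactive prompts
    cat > "$dir/csr.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
C  = CN
ST = Beijing
L  = Beijing
O  = Ixmsoft
CN = $fqdn
[ v3_req ]
subjectAltName = DNS:$fqdn
EOF
    openssl req -new -key "$dir/server.key" -config "$dir/csr.cnf" -out "$dir/server.csr"
}

# csr_ok CSR FQDN -> 0 if the CSR's self-signature verifies and it carries FQDN as a DNS SAN
csr_ok() {
    openssl req -noout -verify -in "$1" >/dev/null 2>&1 || return 1
    openssl req -noout -text -in "$1" | grep -q "DNS:$2"
}

# cert_is_pem FILE -> 0 when the downloaded certificate is Base 64 (PEM) encoded
cert_is_pem() {
    grep -q 'BEGIN CERTIFICATE' "$1"
}

# to_pem IN OUT -> converts a DER (binary) certificate to PEM; nginx only loads PEM
to_pem() {
    openssl x509 -inform DER -in "$1" -out "$2"
}

# key_matches_cert KEY CERT -> 0 when the RSA modulus in the key and the certificate is identical,
# i.e. the CA really signed the public key belonging to server.key
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1")
    c=$(openssl x509 -noout -modulus -in "$2")
    [ "$k" = "$c" ]
}

# Usage: RUN_EXAMPLE=1 sh csr.sh   (writes server.key and server.csr into the current directory)
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    gen_csr . nginx.ixmsoft.com
    csr_ok ./server.csr nginx.ixmsoft.com && echo "server.csr is ready to submit to the CA"
fi
```

After downloading certnew.cer from the CA, run cert_is_pem and key_matches_cert against it before copying it into /etc/nginx/ssl; a mismatch usually means the wrong CSR was pasted into the enrollment page.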
Before configuring SSL, first access the site as it is; by default it listens on port 80.
Next we configure SSL. The default configuration file is:
vim /etc/nginx/conf.d/default.conf
Since we will not be using the port-80 configuration, rename default.conf: mv default.conf default.conf.bak
Create a new configuration file under /etc/nginx/conf.d/:
vim nginx-ssl.conf
server {
    listen 443;
    server_name nginx.ixmsoft.com;
    ssl on;
    ssl_certificate /etc/nginx/ssl/web.pem;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    access_log logs/ssl_access.log;
    location / {
        root /usr/share/nginx/html;
    }
}
Note that ssl on; is deprecated since Nginx 1.15.0; on newer versions write listen 443 ssl; instead and drop the ssl on; line.
Make sure the configuration file has no errors by testing it with the following command:
nginx -t
View the listening port information.
Next we try to access the site: port 443 is reachable and the certificate has loaded correctly.
If you want access on port 80 to redirect to 443, modify the nginx-ssl.conf file created above.
Configure it as follows:
server {
    listen 80;
    server_name nginx.ixmsoft.com;
    rewrite ^(.*) https://$server_name$1 permanent;
}
server {
    listen 443;
    server_name nginx.ixmsoft.com;
    ssl on;
    ssl_certificate /etc/nginx/ssl/web.pem;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    access_log logs/ssl_access.log;
    location / {
        root /usr/share/nginx/html;
    }
}
The rewrite rule can also be written as return 301 https://$server_name$request_uri; which avoids regular expression processing on every request.
After restarting Nginx, access on port 80 automatically redirects to HTTPS on port 443.
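As an added example (not the post's own configuration), the shell script below writes the two server blocks from the steps above in the form a current deployment would use, with the weak or deprecated lines of the post's version replaced (ssl on; becomes listen 443 ssl;, the rewrite becomes return 301, the protocol list is pinned, HSTS is sent and the log path is absolute), and a static check that flags the original settings. The paths and host name are the post's; the function names and the choice of cipher list are this example's own assumptions, and it assumes Nginx 1.9 or later.

```shell
#!/bin/sh
# Added example, not from the original post: hardened version of the post's nginx-ssl.conf
# plus a static check that flags the weak/deprecated lines of the original.
# Assumptions: nginx >= 1.9 (listen ... ssl), paths and host name as in the post.
set -eu

# write_ssl_conf OUT FQDN CERT KEY -> OUT contains the port-80 redirect and the HTTPS server
write_ssl_conf() {
    out=$1; fqdn=$2; cert=$3; key=$4
    cat > "$out" <<EOF
# HTTP: its only job is to send clients to HTTPS (replaces rewrite ^(.*) https://\$server_name\$1 permanent)
server {
    listen 80;
    server_name $fqdn;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;                  # "ssl on;" is deprecated; TLS is enabled on the listen line
    server_name $fqdn;

    ssl_certificate     $cert;       # server certificate, followed by any subordinate CA certificate
    ssl_certificate_key $key;        # readable by root only; the nginx master reads it before dropping privileges

    ssl_protocols TLSv1.2;           # the default also allows TLS 1.0/1.1; add TLSv1.3 when nginx/OpenSSL support it
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    add_header Strict-Transport-Security "max-age=31536000" always;

    access_log /var/log/nginx/ssl_access.log;   # absolute; the post's logs/ is relative to the nginx prefix
    location / {
        root /usr/share/nginx/html;
    }
}
EOF
}

# check_ssl_conf FILE -> 0 when none of the weak or deprecated patterns appear, 1 otherwise
check_ssl_conf() {
    f=$1
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on;' "$f"; then
        echo "deprecated: ssl on; (use listen 443 ssl;)" >&2; return 1
    fi
    if grep -Eq 'ssl_protocols.*(SSLv2|SSLv3|TLSv1 |TLSv1;|TLSv1\.1)' "$f"; then
        echo "weak protocol enabled in ssl_protocols" >&2; return 1
    fi
    grep -Eq '^[[:space:]]*ssl_protocols' "$f" || {
        echo "ssl_protocols not set: nginx default allows TLS 1.0/1.1" >&2; return 1; }
    grep -Eq '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' "$f" || {
        echo "no HSTS header" >&2; return 1; }
}

# Usage: RUN_EXAMPLE=1 sh ssl-conf.sh  (writes nginx-ssl.conf into the current directory; then run nginx -t)
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    write_ssl_conf ./nginx-ssl.conf nginx.ixmsoft.com /etc/nginx/ssl/web.pem /etc/nginx/ssl/server.key
    check_ssl_conf ./nginx-ssl.conf && echo "nginx-ssl.conf written; copy to /etc/nginx/conf.d/ and run nginx -t"
fi
```

Run check_ssl_conf against the post's original nginx-ssl.conf as well: it is flagged for ssl on; and for leaving ssl_protocols at the default, which is exactly the difference between the two versions.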
This article is from the blog of Gao Wenrong; reprinting is not permitted.
CentOS 7 + Nginx: issuing and configuring SSL services through a Windows CA