Configure SSL for nginx (client-certificate authentication with a private CA)

Source: Internet
Author: User
Tags openssl x509 pkcs12

I would like to thank Daniel for sharing the technology. For more information, refer to: NLP.
Environment
System: CentOS 6.5
Nginx: 1.6.2, installed with yum after adding the nginx.org repository (the 'stable' branch): http://nginx.org/packages/centos/6/noarch/RPMS/nginx-release-centos-6-0.el6.ngx.noarch.rpm
Configuration
Nginx configuration file:
/etc/nginx/conf.d/example_ssl.conf
Edit /etc/nginx/conf.d/example_ssl.conf.
Note: /etc/nginx/conf.d/example_ssl.conf is picked up by /etc/nginx/nginx.conf through its "include /etc/nginx/conf.d/*.conf;" line, so no edit to nginx.conf itself is needed.

The content is as follows:

# HTTPS server
server {
    listen       443;
    server_name  localhost;

    ssi on;
    ssi_silent_errors on;
    ssi_types text/shtml;

    ssl                  on;
    ssl_certificate      /etc/nginx/ca/server/server.crt;
    ssl_certificate_key  /etc/nginx/ca/server/server.key;
    # CA certificate that client certificates must chain to.
    ssl_client_certificate /etc/nginx/ca/private/ca.crt;

    ssl_session_timeout  5m;
    # Require a client certificate; a client without one gets HTTP 400.
    ssl_verify_client on;

    # 2014-era settings: SSLv2/SSLv3 and RC4/LOW/EXP ciphers are no longer accepted by current clients.
    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}

The above is the configuration as it was run on nginx 1.6.2: the server certificate and every client certificate come from the private CA created below, and ssl_verify_client on makes nginx reject any connection that does not present a certificate signed by /etc/nginx/ca/private/ca.crt. Two caveats before reusing it: the ssl_protocols and ssl_ciphers lines are 2014 settings (SSLv2 and SSLv3 are disabled in current browsers and OpenSSL builds, and the cipher string admits RC4, LOW and export-grade ciphers), and nginx only consults the CRL that new_ca.sh generates below if ssl_crl points at it, which this configuration does not do, so revoking a client certificate would have no effect on the server. The next section issues the certificates.
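As an added example that is not part of the original page, here is the same server block with the transport settings brought up to date and the two gaps above closed: TLS 1.2/1.3 only with an AEAD cipher list, the CRL wired in through ssl_crl so revoked client certificates are refused, and the verified client's subject DN forwarded to an application. Certificate paths are the page's own; the host name example.test and the backend address 127.0.0.1:8080 are assumptions.

```nginx
# /etc/nginx/conf.d/example_ssl.conf, hardened variant (added example, not from the page)
server {
    listen       443 ssl;          # replaces "ssl on;", which later nginx versions removed
    server_name  example.test;     # assumed; must match the CN/SAN in server.crt

    ssl_certificate      /etc/nginx/ca/server/server.crt;
    ssl_certificate_key  /etc/nginx/ca/server/server.key;

    # Client-certificate authentication against the private CA.
    ssl_client_certificate /etc/nginx/ca/private/ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       1;      # enough for certificates signed directly by ca.crt
    ssl_crl                /etc/nginx/ca/private/ca.crl;   # without this, revocation is ignored

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers   ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;  # every entry above is acceptable, let the client choose
    ssl_session_timeout 1d;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_tickets off;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    # Hand the authenticated identity to an application instead of a static site.
    location /app/ {
        proxy_pass http://127.0.0.1:8080;                        # assumed backend
        proxy_set_header X-Client-Verify $ssl_client_verify;     # SUCCESS here, since ssl_verify_client is "on"
        proxy_set_header X-Client-DN     $ssl_client_s_dn;       # e.g. CN=alice,O=...
        proxy_set_header X-Client-Serial $ssl_client_serial;
    }
}
```

Two operational points follow from ssl_crl. nginx loads the CRL at startup, so after revoking a certificate and regenerating ca.crl, run nginx -s reload. And once the CRL's nextUpdate has passed (7 days with the -crldays 7 used in new_ca.sh below), OpenSSL reports "CRL has expired" and nginx rejects every client certificate, so CRL regeneration plus reload has to be scheduled more often than that.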

Issuing certificates

Create the configuration file /etc/nginx/ca/conf/openssl.conf

[ ca ]
default_ca      = foo                   # The default ca section

[ foo ]
dir             = /etc/nginx/ca                     # top dir
database        = /etc/nginx/ca/index.txt           # index file.
new_certs_dir   = /etc/nginx/ca/newcerts            # new certs dir
certificate     = /etc/nginx/ca/private/ca.crt      # The CA cert
serial          = /etc/nginx/ca/serial              # serial no file
private_key     = /etc/nginx/ca/private/ca.key      # CA private key
RANDFILE        = /etc/nginx/ca/private/.rand       # random number file

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = sha256                # message digest method to use (the original said md5;
                                        # current browsers and OpenSSL reject MD5 signatures)
unique_subject  = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
policy          = policy_any            # default policy

[ policy_any ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = match
localityName            = match
commonName              = supplied      # the original said 'match', which would force every
                                        # issued certificate to carry the CA's own CN
emailAddress            = optional


Create the new_ca.sh file under /etc/nginx/ca and run it to generate the root certificate. The script uses paths relative to /etc/nginx/ca, and openssl ca refuses to run unless the newcerts directory exists, so the script creates the directories first.

#!/bin/sh
cd /etc/nginx/ca || exit 1
mkdir -p private server users newcerts conf
# Generate the key. The original left the size at the OpenSSL default
# (1024 bits on CentOS 6's OpenSSL 1.0.1); 4096 bits is used here.
openssl genrsa -out private/ca.key 4096
# Generate a certificate request.
openssl req -new -key private/ca.key -out private/ca.csr
# Self signing is bad... this could work with a third-party-signed key... registeryfly has them for $16 but I'm too cheap/lazy to get one on a lark.
# I'm also not 100% sure if any old certificate will work or if you have to buy a special one that you can sign with. I could investigate further, but since this
# service will never see the light of an unencrypted Internet, see the cheap-and-lazy remark.
# (Note: a purchased server certificate cannot sign other certificates; only a certificate with the
# CA:TRUE basicConstraints extension can, which is why a private root is used here. The x509 -req
# form below produces a root without that extension; it is accepted when imported as a trusted root.)
# So self sign our root key.
openssl x509 -req -days 365 -in private/ca.csr -signkey private/ca.key -out private/ca.crt
# Set up the first serial number for our certificates. Any hex string with an even number of digits works.
echo FACE > serial
# Create the CA's certificate database.
touch index.txt
# Create a Certificate Revocation List for removing 'user certificates.'
openssl ca -gencrl -out /etc/nginx/ca/private/ca.crl -crldays 7 -config "/etc/nginx/ca/conf/openssl.conf"

Create the new_server.sh file under /etc/nginx/ca and run it to generate the server certificate. When openssl req prompts for the Common Name, enter the host name clients will use (the server_name in nginx); the other fields must match the values given to the CA certificate, because the policy above says "match" for them.

#!/bin/sh
cd /etc/nginx/ca || exit 1
# Create us a key. Don't bother putting a password on it, since it would have to be typed every time the server (nginx here) starts. If you have a better workaround I'd love to hear it.
openssl genrsa -out server/server.key 2048
# Take our key and create a Certificate Signing Request for it.
openssl req -new -key server/server.key -out server/server.csr
# Sign the request with our CA key and certificate.
openssl ca -in server/server.csr -cert private/ca.crt -keyfile private/ca.key -out server/server.crt -config "/etc/nginx/ca/conf/openssl.conf"


Create the new_user.sh file under /etc/nginx/ca and run it to generate the client certificate.

#!/bin/sh
# The base of where our SSL stuff lives.
base="/etc/nginx/ca"
# Where the user keys and certificates are stored.
mkdir -p $base/users/
# Create a key for this user. DES3 just means the key file is passphrase-protected at rest.
# The original used 1024 bits ("a nice big key" in 2014); 2048 is the floor today.
openssl genrsa -des3 -out $base/users/client.key 2048
# Create a Certificate Signing Request for said key.
openssl req -new -key $base/users/client.key -out $base/users/client.csr
# Sign the request with our CA's key and cert and create the user's certificate out of it.
openssl ca -in $base/users/client.csr -cert $base/private/ca.crt -keyfile $base/private/ca.key -out $base/users/client.crt -config "/etc/nginx/ca/conf/openssl.conf"
# This is the tricky bit... convert the certificate and key into a form that browsers understand, PKCS#12 to be specific.
# The export password is the password the browser asks for when it extracts the bits it needs and inserts the key into the user's keychain.
# Take the same precautions with the export password that you would take with any other password-based authentication scheme.
openssl pkcs12 -export -clcerts -in $base/users/client.crt -inkey $base/users/client.key -out $base/users/client.p12

After completing the above work, import /etc/nginx/ca/users/client.p12 into your browser; it will ask for the export password. Because the server certificate is also signed by the private CA, import /etc/nginx/ca/private/ca.crt as a trusted authority too, otherwise the browser warns about the server certificate even though the client certificate is accepted. With ssl_verify_client on, a client that presents no certificate receives "400 Bad Request: No required SSL certificate was sent".
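The whole issuance procedure, as an added example that is not part of the original page: the three scripts above folded into one non-interactive run inside a throwaway directory, with the dated defaults replaced (sha256 signatures, 4096/2048-bit keys, CA:TRUE on the root, a subjectAltName on the server certificate, extendedKeyUsage clientAuth on user certificates) and the CRL actually exercised by revoking one user and verifying again. The subjects, the host name ca-demo.test, the user names alice and bob, and the PKCS#12 password are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the page: build a private CA, issue server and client
# certificates, export a browser-importable PKCS#12, then revoke one client and
# show that verification against the CRL fails for it and only for it.
# Everything happens under a mktemp directory; /etc/nginx is never touched.
set -e

SERVER_NAME=ca-demo.test   # assumed host name; goes into CN and subjectAltName
P12_PASS=changeit          # assumed export password for the .p12 files

ca_init() {   # $1 = directory to build the CA in
    mkdir -p "$1/private" "$1/server" "$1/users" "$1/newcerts"
    touch "$1/index.txt"
    echo 1000 > "$1/serial"          # first serial: an even number of hex digits
    cat > "$1/openssl.conf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/private/ca.crt
private_key      = \$dir/private/ca.key
serial           = \$dir/serial
default_days     = 365
default_crl_days = 7
default_md       = sha256
unique_subject   = no
policy           = policy_any
[ policy_any ]
countryName      = match
organizationName = match
commonName       = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$SERVER_NAME
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    openssl genrsa -out "$1/private/ca.key" 4096 2>/dev/null
    # Self-signed root carrying CA:TRUE (the page's "x509 -req -signkey" step omits the extension).
    openssl req -x509 -new -key "$1/private/ca.key" -days 3650 -config "$1/openssl.conf" \
        -extensions v3_ca -subj "/C=US/O=Demo CA/CN=Demo Root CA" -out "$1/private/ca.crt"
}

ca_issue() {  # $1 = dir, $2 = server|client (extension section), $3 = CN, $4 = output path prefix
    openssl genrsa -out "$4.key" 2048 2>/dev/null
    openssl req -new -key "$4.key" -config "$1/openssl.conf" -subj "/C=US/O=Demo CA/CN=$3" -out "$4.csr"
    openssl ca -batch -notext -config "$1/openssl.conf" -extensions "v3_$2" \
        -in "$4.csr" -out "$4.crt" >/dev/null 2>&1
}

issue_server() { ca_issue "$1" server "$SERVER_NAME" "$1/server/server"; }

issue_client() {  # $1 = dir, $2 = user name; also exports the PKCS#12 the browser imports
    ca_issue "$1" client "$2" "$1/users/$2"
    openssl pkcs12 -export -in "$1/users/$2.crt" -inkey "$1/users/$2.key" \
        -certfile "$1/private/ca.crt" -passout "pass:$P12_PASS" -out "$1/users/$2.p12"
}

ca_revoke() { openssl ca -config "$1/openssl.conf" -revoke "$2" >/dev/null 2>&1; }
ca_gencrl() { openssl ca -config "$1/openssl.conf" -gencrl -out "$1/private/ca.crl" >/dev/null 2>&1; }

ca_verify() {  # $1 = dir, $2 = cert, $3 = sslserver|sslclient; prints OK or OpenSSL's reason
    # Bundling ca.crt and ca.crl in one -CAfile makes "openssl verify" load the CRL as well.
    cat "$1/private/ca.crt" "$1/private/ca.crl" > "$1/private/ca-bundle.pem"
    if out=$(openssl verify -crl_check -purpose "$3" -CAfile "$1/private/ca-bundle.pem" "$2" 2>&1); then
        echo OK
    else
        echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1   # e.g. "certificate revoked"
    fi
}

DEMO_DIR=$(mktemp -d)
ca_init "$DEMO_DIR"
issue_server "$DEMO_DIR"
issue_client "$DEMO_DIR" alice
issue_client "$DEMO_DIR" bob
ca_gencrl "$DEMO_DIR"
echo "server            : $(ca_verify "$DEMO_DIR" "$DEMO_DIR/server/server.crt" sslserver)"
echo "alice             : $(ca_verify "$DEMO_DIR" "$DEMO_DIR/users/alice.crt" sslclient)"
ca_revoke "$DEMO_DIR" "$DEMO_DIR/users/alice.crt"
ca_gencrl "$DEMO_DIR"       # nginx picks the new CRL up only after "nginx -s reload"
echo "alice after revoke: $(ca_verify "$DEMO_DIR" "$DEMO_DIR/users/alice.crt" sslclient)"
echo "bob               : $(ca_verify "$DEMO_DIR" "$DEMO_DIR/users/bob.crt" sslclient)"
```

To use the output with the server block on this page, copy private/ca.crt, private/ca.crl and server/server.{crt,key} to the paths nginx expects and import users/alice.p12 (password changeit) into the browser. The revocation step is the part the page's scripts leave out: a certificate is only refused once a CRL that lists it exists and has been loaded, by nginx through ssl_crl or, as here, by openssl verify through -crl_check.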
