SSL certificate configuration for the Nginx server and reverse proxy configuration for SSL

Source: Internet
Author: User
Tags: openssl nginx server ssl certificate

SSL certificate configuration for Nginx
1. Use OpenSSL to build a private certificate authority (CA)
Because the CA is a private one built with OpenSSL, make sure that the following fields are identical in the CA certificate, the server certificate and the client certificate. The reason is the default policy (policy_match) in openssl.cnf: openssl ca refuses to sign a request whose country, state/province or organization differs from the CA certificate, so keeping every field the same avoids rejected requests.

Country name
 State or province name
 Locality name
 Organization name
 Organizational unit name


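As an added example that is not part of the original article, the script below applies the rules of the default [policy_match] section of openssl.cnf (the policy openssl ca enforces) to a request subject before issuance, and also the article's stricter rule that locality and organizational unit match too. The subject strings, sample values and helper names are constructed for this illustration.

```python
# Pre-flight check of a CSR subject against the CA subject, using the rules that
# "openssl ca" applies from the [policy_match] section of openssl.cnf.
# Subject strings use the format printed by "openssl x509 -noout -subject" or
# "openssl req -noout -subject" (slash-separated or comma-separated form).

# Default [policy_match] from openssl.cnf: "match" must equal the CA's value,
# "supplied" must be present, "optional" may be absent. Attributes not listed
# here are silently dropped from the issued certificate by openssl ca.
POLICY_MATCH = {
    "C": "match", "ST": "match", "O": "match",
    "OU": "optional", "CN": "supplied", "emailAddress": "optional",
}
# The stricter rule the article recommends: locality and OU identical as well.
ARTICLE_POLICY = dict(POLICY_MATCH, L="match", OU="match")


def parse_subject(subject):
    """Parse '/C=CN/ST=FJ/O=Zdz/CN=x' or 'C = CN, ST = FJ, O = Zdz, CN = x'
    (an optional leading 'subject=' is ignored) into a dict of attributes."""
    subject = subject.strip()
    if subject.startswith("subject="):
        subject = subject[len("subject="):].strip()
    sep = "/" if subject.startswith("/") else ","   # assumption: values contain no separator
    fields = {}
    for part in subject.split(sep):
        key, eq, value = part.partition("=")
        if eq:
            fields[key.strip()] = value.strip()
    return fields


def check_policy(ca_subject, csr_subject, policy=POLICY_MATCH):
    """Return (problems, dropped): problems lists the reasons openssl ca would
    refuse the request; dropped lists CSR attributes the policy would discard."""
    ca, csr = parse_subject(ca_subject), parse_subject(csr_subject)
    problems = []
    for field, rule in policy.items():
        if rule == "match" and csr.get(field) != ca.get(field):
            problems.append("%s: CSR has %r, CA has %r (must match)"
                            % (field, csr.get(field), ca.get(field)))
        elif rule == "supplied" and not csr.get(field):
            problems.append("%s: missing (must be supplied)" % field)
    dropped = [f for f in csr if f not in policy]
    return problems, dropped


if __name__ == "__main__":
    # Constructed sample subjects using the defaults from the article's openssl.cnf.
    ca = "subject=/C=CN/ST=FJ/L=FZ/O=Zdz/OU=Zdz/CN=Private CA"
    csr = "/C=CN/ST=GD/L=FZ/O=Zdz/OU=Zdz/CN=www.example.test"
    for line in check_policy(ca, csr)[0]:
        print("REJECT:", line)
```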
Edit the CA configuration file

vim /etc/pki/tls/openssl.cnf

[ CA_default ]
dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued CRLs are kept
database        = $dir/index.txt        # database index file
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with the same subject
new_certs_dir   = $dir/newcerts         # default place for new certs
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # The current CRL number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key
RANDFILE        = $dir/private/.rand    # private random number file

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = FJ
localityName                    = Locality Name (eg, city)
localityName_default            = FZ
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Zdz
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Zdz

Create the CA private key

cd /etc/pki/CA/private
(umask 077; openssl genrsa -out cakey.pem 2048)   # umask 077 keeps the key readable by root only

Note: openssl ca also expects the database and serial files named in openssl.cnf to exist before the first signing (an empty /etc/pki/CA/index.txt and a /etc/pki/CA/serial containing a starting number such as 01).
Generate the self-signed CA certificate

cd /etc/pki/CA/
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655

2. Create the server certificate

mkdir /usr/local/nginx/ssl
cd /usr/local/nginx/ssl
(umask 077; openssl genrsa -out nginx.key 1024)   # 1024-bit RSA as on the page; current guidance is 2048 bits or more
openssl req -new -key nginx.key -out nginx.csr
openssl ca -in nginx.csr -out nginx.crt -days 3650   # signs the request with the CA built above


3. Create a client (browser) certificate

(umask 077; openssl genrsa -out client.key 1024)   # 1024-bit RSA as on the page; current guidance is 2048 bits or more
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.crt -days 3650


Convert the PEM certificate and key into a PKCS#12 bundle that a browser can import

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12   # prompts for an export password that protects the bundled private key

4. Configure Nginx server authentication

vim /usr/local/nginx/conf/nginx.conf

ssl on;
ssl_certificate        /usr/local/nginx/ssl/nginx.crt;
ssl_certificate_key    /usr/local/nginx/ssl/nginx.key;
ssl_client_certificate /usr/local/nginx/ssl/cacert.pem;
ssl_session_timeout    5m;
#ssl_verify_client on;   # server-side verification of the client certificate; left off for now so that clients without a certificate can still connect (one-way verification only)
ssl_protocols SSLv2 SSLv3 TLSv1;   # as on the page; SSLv2 and SSLv3 are broken and removed from modern OpenSSL builds, current deployments should allow only TLSv1.2 and TLSv1.3

SSL reverse proxy
1. Modify the nginx.conf configuration

server {
    listen      443 ssl;
    server_name www.jb51.net;

    ssl_certificate     ssl/www.jb51.net.crt;
    ssl_certificate_key ssl/www.jb51.net.key;
    ssl_prefer_server_ciphers on;
    keepalive_timeout   70;    # the value is missing on the page; 70 is the figure used in nginx's own SSL example
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    location / {
        # the upstream name must resolve to the backend, not back to this proxy, or requests loop
        proxy_pass http://www.jb51.net;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header       Front-End-Https   on;
        proxy_redirect   off;
    }
}

2. Restart the service (test the configuration first, then reload)

# /usr/local/nginx/sbin/nginx -t
# /usr/local/nginx/sbin/nginx -s reload
