SSL certificate configuration for Nginx
1. Set up a private certificate authority (CA) with OpenSSL
Because the CA is a private one built with OpenSSL, make sure the following fields are identical in the CA certificate, the server certificate and the client certificate, otherwise openssl ca refuses to sign the request:
Country name
State or province name
Locality name
Organization name
Organizational unit name
Edit the CA configuration file
vim /etc/pki/tls/openssl.cnf
[ CA_default ]
dir             = /etc/pki/CA
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key
RANDFILE        = $dir/private/.rand    # private random number file

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = FJ
localityName                    = Locality Name (eg, city)
localityName_default            = FZ
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = zdz
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = zdz
Create the CA private key (in the private/ directory that private_key in openssl.cnf points to)
cd /etc/pki/CA/
(umask 077; openssl genrsa -out private/cakey.pem 2048)
Generate the self-signed CA certificate
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
2. Create the server certificate
mkdir /usr/local/nginx/ssl
cd /usr/local/nginx/ssl
(umask 077; openssl genrsa -out nginx.key 1024)
openssl req -new -key nginx.key -out nginx.csr
openssl ca -in nginx.csr -out nginx.crt -days 3650
3. Create a client (browser) certificate
(umask 077; openssl genrsa -out client.key 1024)
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.crt -days 3650
Convert the PEM certificate into a PKCS#12 bundle that a browser can import:
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
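The three steps above, run end to end as an added example (this script is not from the original post): it builds a throwaway CA in a temporary directory with its own minimal openssl.cnf laid out like the [CA_default] section above, issues a server and a client certificate with openssl ca, exports the client bundle as PKCS#12, and verifies both certificates against the CA. Two things the post's steps leave out are included: openssl ca needs $dir/index.txt and $dir/serial to exist before it can sign anything, and the policy_match section is what enforces the "same C, ST and O" rule stated at the top. The subject names, the hostname www.example.test, the export passphrase and the temporary paths are assumptions for the demo; keys are 2048-bit rather than the post's 1024-bit, because 1024-bit RSA is below current minimums and rejected by modern browsers.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds a demo private CA,
# issues server + client certificates and verifies them. Needs sh and openssl.
set -eu

build_demo_pki() {
  work="$1"
  ca="$work/CA"
  mkdir -p "$ca/certs" "$ca/newcerts" "$ca/private"
  touch "$ca/index.txt"          # CA database; openssl ca fails if it is missing
  echo 01 > "$ca/serial"         # first serial number to issue

  # Minimal openssl.cnf with the same layout as the post's [CA_default].
  # policy_match is why C, ST and O must match the CA certificate.
  cat > "$work/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $ca
certs           = \$dir/certs
crl_dir         = \$dir/crl
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = usr_cert

[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca

[ req_distinguished_name ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
EOF

  dn="/C=CN/ST=FJ/L=FZ/O=zdz/OU=zdz"   # constructed subject, same defaults as the post
  cfg="$work/openssl.cnf"

  # Step 1: CA key and self-signed CA certificate.
  (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$cfg" -key "$ca/private/cakey.pem" \
    -out "$ca/cacert.pem" -days 3655 -subj "$dn/CN=demo-ca"

  # Step 2: server key, CSR, and CA-signed certificate.
  (umask 077; openssl genrsa -out "$work/nginx.key" 2048 2>/dev/null)
  openssl req -new -config "$cfg" -key "$work/nginx.key" -out "$work/nginx.csr" \
    -subj "$dn/CN=www.example.test"
  openssl ca -batch -config "$cfg" -in "$work/nginx.csr" -out "$work/nginx.crt" \
    -days 3650 >/dev/null 2>&1

  # Step 3: client key, CSR, CA-signed certificate, PKCS#12 bundle for the browser.
  (umask 077; openssl genrsa -out "$work/client.key" 2048 2>/dev/null)
  openssl req -new -config "$cfg" -key "$work/client.key" -out "$work/client.csr" \
    -subj "$dn/CN=demo-client"
  openssl ca -batch -config "$cfg" -in "$work/client.csr" -out "$work/client.crt" \
    -days 3650 >/dev/null 2>&1
  openssl pkcs12 -export -clcerts -in "$work/client.crt" -inkey "$work/client.key" \
    -out "$work/client.p12" -passout pass:demo   # passphrase is a demo value
}

# Returns 0 when both issued certificates chain to the CA and the server
# certificate carries the expected CN.
verify_demo_pki() {
  work="$1"
  openssl verify -CAfile "$work/CA/cacert.pem" "$work/nginx.crt" "$work/client.crt" >/dev/null &&
    openssl x509 -noout -subject -in "$work/nginx.crt" | grep -q 'www.example.test'
}

# Number of certificates the CA has recorded in index.txt (one line each).
issued_count() {
  wc -l < "$1/CA/index.txt" | tr -d ' '
}

if [ "${1:-}" = "run" ]; then
  d=$(mktemp -d)
  build_demo_pki "$d"
  verify_demo_pki "$d" && echo "chain OK, certificates issued: $(issued_count "$d")"
  rm -rf "$d"
fi
```

Run it with `sh demo_pki.sh run`. The same index.txt that makes the run work is also the CA's audit trail: every certificate the CA ever signed is listed there with its serial and subject, which is what you consult when a client key is lost and the certificate has to be revoked.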
4. Configure Nginx server authentication
vim /usr/local/nginx/conf/nginx.conf
ssl on;
ssl_certificate /usr/local/nginx/ssl/nginx.crt;
ssl_certificate_key /usr/local/nginx/ssl/nginx.key;
ssl_client_certificate /usr/local/nginx/ssl/cacert.pem;
ssl_session_timeout 5m;
#ssl_verify_client on;   # server-side verification of the client certificate is left off for now, so clients without a certificate can still connect; this completes one-way authentication
ssl_protocols SSLv2 SSLv3 TLSv1;
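As an added example (not from the original post), here is the block above next to a hardened variant, plus a small shell check that flags the differences. The hardened variant turns on the client-certificate verification the post leaves commented out, so the client.p12 from step 3 is actually required, and drops SSLv2/SSLv3/TLSv1 from ssl_protocols. The directive names are real nginx directives (listen ... ssl, ssl_verify_client, ssl_verify_depth, ssl_session_cache); the file paths are the post's; both config samples are constructed for the demo. The check only needs sh, grep and sed.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an nginx TLS block for
# the weak settings the post leaves in place. Needs only sh, grep and sed.

# Constructed sample 1: the post's configuration as written.
WEAK_CONF='
ssl on;
ssl_certificate /usr/local/nginx/ssl/nginx.crt;
ssl_certificate_key /usr/local/nginx/ssl/nginx.key;
ssl_client_certificate /usr/local/nginx/ssl/cacert.pem;
ssl_session_timeout 5m;
#ssl_verify_client on;
ssl_protocols SSLv2 SSLv3 TLSv1;
'

# Constructed sample 2: hardened variant. "ssl on;" is replaced by
# "listen 443 ssl;" (the former was removed in nginx 1.25), SSLv2/SSLv3/TLSv1
# are dropped, and the CA-issued client certificate from step 3 is required.
HARDENED_CONF='
listen 443 ssl;
ssl_certificate /usr/local/nginx/ssl/nginx.crt;
ssl_certificate_key /usr/local/nginx/ssl/nginx.key;
ssl_client_certificate /usr/local/nginx/ssl/cacert.pem;
ssl_verify_client on;
ssl_verify_depth 1;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
'

# audit_tls_conf: reads a config on stdin and prints one finding per line.
# Comments are stripped first so "#ssl_verify_client on;" is not mistaken
# for an enabled directive.
audit_tls_conf() {
  conf=$(sed 's/#.*$//')
  printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl_protocols[^;]*(SSLv2|SSLv3|TLSv1|TLSv1\.1)[[:space:];]' \
    && echo "WEAK: deprecated protocol enabled in ssl_protocols"
  printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' \
    && echo "OBSOLETE: 'ssl on;' used instead of 'listen 443 ssl;'"
  printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl_client_certificate' \
    && ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl_verify_client[[:space:]]+on' \
    && echo "INFO: client CA configured but ssl_verify_client is not on (one-way auth only)"
  printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ssl_session_cache' \
    || echo "INFO: no ssl_session_cache; every connection does a full handshake"
  return 0
}

# finding_count CONFIG_TEXT: number of findings for the given config.
finding_count() {
  printf '%s\n' "$1" | audit_tls_conf | grep -c .
}

if [ "${1:-}" = "run" ]; then
  echo "== post's config =="
  printf '%s\n' "$WEAK_CONF" | audit_tls_conf
  echo "== hardened config =="
  printf '%s\n' "$HARDENED_CONF" | audit_tls_conf
fi
```

With ssl_verify_client on, nginx rejects handshakes that present no certificate or one not signed by cacert.pem, so a browser that has not imported client.p12 gets an error page rather than the site; ssl_verify_depth 1 limits the accepted chain to certificates issued directly by that CA.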
SSL reverse proxy
1. Modify the nginx.conf configuration
server {
    listen 443 ssl;
    server_name www.jb51.net;
    ssl_certificate ssl/www.jb51.net.crt;
    ssl_certificate_key ssl/www.jb51.net.key;
    ssl_prefer_server_ciphers on;
    keepalive_timeout 60;   # the original gives no value; 60 seconds is assumed here
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    location / {
        proxy_pass http://www.jb51.net;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Front-End-Https on;
        proxy_redirect off;
    }
}
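One caveat a backend behind this proxy needs, as an added example (not from the original post): $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For value the client already sent, so the only entry the backend can trust is the last one, the one this nginx appended. A backend that reads the first entry lets any client pick its own "source address" for logging, rate limiting or IP allow-lists. The header values below are constructed; the script needs only sh and sed.

```shell
#!/bin/sh
# Added example, not part of the original post: read X-Forwarded-For the way
# a backend behind the proxy above should. Needs only sh and sed.

# client_ip_from_xff HEADER_VALUE: prints the rightmost address in a
# comma-separated X-Forwarded-For value, whitespace trimmed. The rightmost
# entry is the one the trusted proxy appended with $proxy_add_x_forwarded_for.
client_ip_from_xff() {
  printf '%s' "$1" | sed 's/.*,//; s/^[[:space:]]*//; s/[[:space:]]*$//'
}

# naive_first_hop HEADER_VALUE: the common but wrong reading (first entry),
# kept only to show what a client-supplied header would yield.
naive_first_hop() {
  printf '%s' "$1" | sed 's/,.*//; s/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Constructed header: the client itself sent "X-Forwarded-For: 1.2.3.4" and
# nginx appended the real peer address 203.0.113.7 (a documentation range).
SAMPLE_XFF="1.2.3.4, 203.0.113.7"

if [ "${1:-}" = "run" ]; then
  echo "trusted (last hop, added by nginx): $(client_ip_from_xff "$SAMPLE_XFF")"
  echo "client-supplied (first entry):     $(naive_first_hop "$SAMPLE_XFF")"
fi
```

The same rule applies to X-Forwarded-Proto: the backend should only believe it when the request arrived from this proxy, which is why the proxy overwrites it with $scheme instead of passing the client's copy through.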
2. Restart the service (test the configuration first; reload only if the test passes)
# /usr/local/nginx/sbin/nginx -t
# /usr/local/nginx/sbin/nginx -s reload