• [web][nginx] Getting started with nginx -- building an HTTPS DPI decoding test environment with nginx


    Environment: CentOS 7 x86

    Documentation:

      https://nginx.org/en/docs/

    Installation:

    [root@dpdk ~]# cat /etc/yum.repos.d/nginx.repo 
    [nginx]
    name=nginx repo
    baseurl=http://nginx.org/packages/centos/7/$basearch/
    gpgcheck=0
    enabled=1
    [root@dpdk ~]# 
    [root@dpdk ~]# yum install nginx

    Configuration files: the defaults need no changes

    [root@dpdk ~]# vim /etc/nginx/nginx.conf 
    [root@dpdk ~]# vim /etc/nginx/conf.d/default.conf

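    Start:

    # nginx
    or
    # systemctl start nginx

    Then open the server address directly in a browser.

    Custom pages: copy them into the directory specified in the configuration file, and they become accessible from the browser.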

    [root@dpdk html]# pwd
    /usr/share/nginx/html
    [root@dpdk html]# ll
    total 40
    -rw-r--r--. 1 root root   537 Apr 12 23:23 50x.html
    -rw-r--r--. 1 root root  2595 May 12 11:37 index_a.html
    -rw-r--r--. 1 root root   620 May 12 11:40 index.html
    -rw-r--r--. 1 root root 25987 May 12 11:38 lonely.jpg
    [root@dpdk html]# 

    For example: http://192.168.7.4/index_a.html

    A reverse proxy can be set up with the proxy_pass / fastcgi_pass directives. See the documentation: https://nginx.org/en/docs/beginners_guide.html

    Configuration:

    The documentation now redirects here: https://www.nginx.com/resources/admin-guide/?_ga=2.110665989.1403939205.1494566587-476641588.1494561559

    How to configure HTTPS:

    https://nginx.org/en/docs/http/ngx_http_ssl_module.html

    [root@dpdk ~]# cd /etc/nginx/conf.d/
    [root@dpdk conf.d]# touch https.conf

    Self-signed certificate: [https][openssl] OpenSSL public keys, private keys and self-signed certificates

    Generate the root certificate:

    /home/tong/Keys/https [tong@T7] [16:17]
    > openssl genrsa -out root.key 2048
    /home/tong/Keys/https [tong@T7] [16:44]
    > openssl req -new -key root.key -out root.csr -subj "/C=CN/ST=BeiJing/L=BeiJing/O=Tartaglia/CN=TTTrust/emailAddress=ca@tartaglia.org"
    /home/tong/Keys/https [tong@T7] [16:46]
    > openssl x509 -req -days 30000 -sha1 -extensions v3_ca -signkey root.key -in root.csr -out root.cer
    Signature ok
    subject=C = CN, ST = BeiJing, L = BeiJing, O = Tartaglia, CN = TTTrust, emailAddress = ca@tartaglia.org
    Getting Private key

    Sign the server certificate with the root certificate:

    /home/tong/Keys/https/test [tong@T7] [16:49]
    > openssl genrsa -out server-key.pem 2048
    Generating RSA private key, 2048 bit long modulus
    ..........................................+++
    .............................+++
    e is 65537 (0x010001)
    
    /home/tong/Keys/https/test [tong@T7] [16:49]
    > openssl req -new -key server-key.pem -out server.csr -subj "/C=CN/ST=BeiJing/L=BeiJing/O=Tartaglia/OU=onescorpion/CN=TTTrust/emailAddress=ones@tartaglia.org"
    /home/tong/Keys/https/test [tong@T7] [16:51]
    > openssl x509 -req -days 3000 -sha1 -extensions v3_req -CA ../root/root.cer -CAkey ../root/root.key -CAserial ca.srl -CAcreateserial -in server.csr -out server.cer
    Signature ok
    subject=C = CN, ST = BeiJing, L = BeiJing, O = Tartaglia, OU = onescorpion, CN = TTTrust, emailAddress = ones@tartaglia.org
    Getting CA Private Key
    /home/tong/Keys/https/test [tong@T7] [16:53]
    > openssl x509 -outform der -in server.cer -out pulicserver.ccerrificate.der
    /home/tong/Keys/https/root [tong@T7] [16:54]
    > ll
    total 12K
    -rw-r--r-- 1 tong tong 1.3K May 12 16:47 root.cer
    -rw-r--r-- 1 tong tong 1.1K May 12 16:46 root.csr
    -rw------- 1 tong tong 1.7K May 12 16:18 root.key
    /home/tong/Keys/https/test [tong@T7] [16:55]
    > ll
    total 20K
    -rw-r--r-- 1 tong tong   17 May 12 16:53 ca.srl
    -rw-r--r-- 1 tong tong  905 May 12 16:54 pulicserver.ccerrificate.der
    -rw-r--r-- 1 tong tong 1.3K May 12 16:53 server.cer
    -rw-r--r-- 1 tong tong 1.1K May 12 16:51 server.csr
    -rw------- 1 tong tong 1.7K May 12 16:49 server-key.pem

    Edit https.conf

    [root@dpdk conf.d]# cat https.conf 
    
    server {
            listen          1443 ssl;
            ssl_certificate         /etc/nginx/conf.d/server.cer;
            # ssl_certificate_key should be PEM format.
            ssl_certificate_key     /etc/nginx/conf.d/server-key.pem;
            # see 'man ciphers' for detail.
            ssl_ciphers 'DEFAULT:!DHE:!ECDHE:!kDHE:!kECDHE:!ECDH';
            # ssl_ciphers 'RSA:!NULL';
    
            location / {
                    root   /usr/share/nginx/html;
                    index  index.html index.htm;
            }
    }
    [root@dpdk conf.d]# 

    ----------------  update @ 20170522 (e-mail sent to a colleague)  --------------------


    The following configuration enables HTTPS in nginx:

    [root@dpdk conf.d]# cat https.conf 
    
    server {
            listen          1443 ssl;
            ssl_certificate         /etc/nginx/conf.d/server.cer;
            # ssl_certificate_key should be PEM format.
            ssl_certificate_key     /etc/nginx/conf.d/server-key.pem;
            # see 'man ciphers' for detail.
            ssl_ciphers 'DEFAULT:!DHE:!ECDHE:!kDHE:!kECDHE:!ECDH';
            # ssl_ciphers 'RSA:!NULL';
    
            location / {
                    root   /usr/share/nginx/html;
                    index  index.html index.htm;
            }
    }
    [root@dpdk conf.d]# 


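    Here, ssl_ciphers is used to specify the encryption algorithms.

    The parameters and syntax of this option are determined by OpenSSL; the default is ALL:!COMPLEMENTOFDEFAULT:!eNULL

    For the detailed syntax, refer to the CIPHER STRINGS section of the manual page, man ciphers.

    Disabling PFS really just means disabling the PFS algorithms; in general, algorithms with the ECDHE / DHE keywords are PFS. After testing, I chose the following keywords; you can experiment some more:

    'DEFAULT:!DHE:!ECDHE:!kDHE:!kECDHE:!ECDH';


    In addition, the following command shows which algorithms your parameter selects: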

    /home/tong/VM/base [tong@T7] [17:39]
    > openssl ciphers -v 'ALL:!COMPLEMENTOFDEFAULT:!eNULL'
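
    The check below is an added example, not part of the original post: it reads `openssl ciphers -v` output and lists every suite whose key exchange is not static RSA, i.e. the suites a decoder holding only server-key.pem cannot decrypt. The function names and the sample listing are constructed for illustration; on OpenSSL 1.1.1 and later the listing also contains TLS 1.3 suites (Kx=any), which ssl_ciphers does not control.

```shell
#!/bin/sh
# Added example (not from the original post): audit `openssl ciphers -v`
# output for suites that defeat private-key-based passive decoding.

# Reads `openssl ciphers -v` lines on stdin and prints "<suite> <proto> Kx=<kx>"
# for every suite that is NOT static-RSA key exchange with RSA authentication.
non_rsa_kx_suites() {
    awk '
        NF >= 4 {
            kx = ""; au = ""
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^Kx=/) kx = substr($i, 4)
                if ($i ~ /^Au=/) au = substr($i, 4)
            }
            # Kx=DH, Kx=ECDH, Kx=any (TLS 1.3), Kx=RSA(512) etc. are all flagged.
            if (kx != "RSA" || au != "RSA") print $1, $2, "Kx=" kx
        }'
}

# Succeeds only when stdin is non-empty and every listed suite is static RSA.
only_static_rsa() {
    input=$(cat)
    [ -n "$input" ] && [ -z "$(printf '%s\n' "$input" | non_rsa_kx_suites)" ]
}

# Constructed sample in the column layout `openssl ciphers -v` prints.
SAMPLE='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD'

# Show the suites in the sample that an RSA-key decoder cannot handle.
printf '%s\n' "$SAMPLE" | non_rsa_kx_suites

# Live use on the nginx host, with the cipher string from https.conf:
#   openssl ciphers -v 'DEFAULT:!DHE:!ECDHE:!kDHE:!kECDHE:!ECDH' | non_rsa_kx_suites
```

    An empty result from the live command means every suite the cipher string selects uses static RSA key exchange.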


  • Original article: https://www.cnblogs.com/hugetong/p/6844844.html