Setting up an HTTPS + nginx server: installing nginx, generating a self-signed certificate with openssl, and configuring it in nginx
I. Installation environment
1. Install openssl (SSL support)
2. Install pcre (support for rewrite/redirect)
3. Install zlib (decompression; the pcre I downloaded was a zip file)
4. Install nginx
How to install the software above (some of it can be installed directly with yum):
1. Find a download URL online and download the archive onto the Linux server: wget http://xxxx.tar.gz
2. Unpack the downloaded archive: tar -zxf xxx.tar.gz
3. Enter the unpacked directory: cd xxx
4. Configure the software to be installed (--prefix is the install path): ./configure --prefix=/usr/local/xxx
5. Compile the source: make
6. Install: make install
Note: the configure command used for nginx was ./configure --prefix=/usr/local/nginx-1.5.1 --with-http_ssl_module --with-http_spdy_module --with-http_stub_status_module --with-pcre=/opt/soft/pcre-8.38 --with-openssl=/opt/soft/openssl-1.0.1s
Because nginx needs these dependencies, the --with options are appended; the value after each option is the directory of that dependency.
Problems encountered during installation:
1. Problems installing zlib
1. Unpacking with tar -zxvf zlib failed:
[root@bjdhj-125-218 zlib-1.2.8]# tar -zxvf zlib
tar (child): zlib: Cannot open: No such file or directory
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error is not recoverable: exiting now
Solution:
Run tar with the full archive file name: tar -xf filename.tar.gz
2. Problems installing nginx:
At this point the configure command was ./configure --prefix=/usr/local/nginx-1.5.1 --with-http_ssl_module --with-http_spdy_module --with-http_stub_status_module --with-pcre=/usr/local/pcre --with-openssl=/usr/local/ssl
Problem 1:
cd /usr/local/pcre \
&& if [ -f Makefile ]; then make distclean; fi \
&& CC="gcc" CFLAGS="-O2 -fomit-frame-pointer -pipe " \
./configure --disable-shared
/bin/sh: line 2: ./configure: No such file or directory
make[1]: *** [/usr/local/pcre/Makefile] Error 127
make[1]: Leaving directory `/usr/local/src/nginx-0.8.54'
make: *** [build] Error 2
Solution: change the --with-pcre= path to the directory where the pcre source was unpacked.
Problem 2: similar to problem 1; it only surfaced after problem 1 was fixed.
cd /usr/local/ssl
&& if [ -f Makefile ]; then make clean; fi
&& ./config --prefix=/usr/local/ssl/.openssl no-shared no-threads
&& make
&& make install LIBDIR=lib
/bin/sh: line 2: ./config: No such file or directory
make[1]: *** [/usr/local/ssl/.openssl/include/openssl/ssl.h] Error 127
make[1]: Leaving directory `/opt/soft/nginx-1.6.3'
make: *** [build] Error 2
Likewise, change the --with-openssl path to the directory where the openssl source was unpacked.
So the final configure command is:
./configure --prefix=/usr/local/nginx-1.5.1 --with-http_ssl_module --with-http_spdy_module --with-http_stub_status_module --with-pcre=/opt/soft/pcre-8.38 --with-openssl=/opt/soft/openssl-1.0.1s
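Both build errors above have the same cause: --with-pcre and --with-openssl must point at unpacked source trees, because nginx builds those libraries itself from the given directory, and an install prefix such as /usr/local/pcre contains no configure script. The following pre-flight check is an added example, not part of the original post; the paths and version numbers in the usage comment are placeholders taken from the post's own configure line.

```shell
#!/bin/sh
# Added example (not from the original post): before running nginx's
# ./configure, confirm that the directories given to --with-pcre and
# --with-openssl are source trees, i.e. they contain the dependency's own
# build script (pcre: configure, openssl: config). nginx's generated Makefile
# runs "cd <dir> && ./configure" / "cd <dir> && ./config" itself, which is why
# an install prefix fails with "./configure: No such file or directory".
set -eu

# Return 0 when $1 is a directory that contains the build script named in $2.
is_source_tree() {
    [ -d "$1" ] && [ -f "$1/$2" ]
}

# Check both dependency paths; print a reason for each one that is wrong.
check_nginx_deps() {
    pcre_dir=$1; openssl_dir=$2; ok=0
    if is_source_tree "$pcre_dir" configure; then
        echo "pcre: ok ($pcre_dir/configure found)"
    else
        echo "pcre: $pcre_dir has no configure script; pass the unpacked source directory" >&2
        ok=1
    fi
    if is_source_tree "$openssl_dir" config; then
        echo "openssl: ok ($openssl_dir/config found)"
    else
        echo "openssl: $openssl_dir has no config script; pass the unpacked source directory" >&2
        ok=1
    fi
    return $ok
}

# Usage (placeholder paths): only run configure when both checks pass.
# check_nginx_deps /opt/soft/pcre-8.38 /opt/soft/openssl-1.0.1s && \
#   ./configure --prefix=/usr/local/nginx-1.5.1 --with-http_ssl_module \
#     --with-http_stub_status_module \
#     --with-pcre=/opt/soft/pcre-8.38 --with-openssl=/opt/soft/openssl-1.0.1s
```

The check is deliberately about the source tree, not about whether pcre or openssl is already installed: an installed copy under /usr/local/pcre or /usr/local/ssl is exactly what produced the two errors in the post.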
II. Generating the certificates for two-way (mutual) authentication
Use openssl to generate the private certificates. The following fields must be identical in the CA, server and client certificates:
Field                     Meaning                     Value used here
Country Name              country of the CA           CN
State or Province Name    province of the CA          BJ
Locality Name             city of the CA              BJ
Organization Name         name of the CA              58
Organizational Unit Name  department of the CA        zhuanzhuan
Common Name                                           qa
Email Address                                         sunmin06@58ganji.com
The steps are as follows:
1. Edit the CA configuration file: vi /etc/pki/tls/openssl.cnf
2. Create the CA private key cakey.pem
cd /etc/pki/CA/private
umask 077; openssl genrsa -out cakey.pem 2048
3. Generate the self-signed CA certificate cacert.pem
cd /etc/pki/CA/
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
4. Create the server certificate
mkdir /usr/local/nginx/ssl
cd /usr/local/nginx/ssl
umask 007; openssl genrsa -out nginx.key 1024
openssl req -new -key nginx.key -out nginx.csr
openssl ca -in nginx.csr -out nginx.crt -days 3650
Notes:
1. nginx.key is the generated private key.
2. nginx.csr is the certificate signing request derived from that private key.
3. The request is submitted to the certificate authority (CA), which issues the certificate nginx.crt.
5. Create the client (browser) certificate
umask 007; openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.crt -days 3650
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
Note: the steps are the same as for the server certificate, with one extra step at the end that converts the text-format certificate into client.p12, which can be imported into the browser.
6. Configure server-side verification in nginx
vi /usr/local/nginx-1.5.1/conf/nginx.conf
ssl on;
ssl_certificate /usr/local/nginx/ssl/nginx.crt;
ssl_certificate_key /usr/local/nginx/ssl/nginx.key;
ssl_client_certificate /usr/local/nginx/ssl/cacert.pem;
ssl_session_timeout 5m;
#ssl_verify_client on;   # server-side verification of the client; left disabled for now so clients without a certificate can still connect and one-way TLS is verified first
ssl_protocols SSLv2 SSLv3 TLSv1;
Note: the changes go into the server {} block of nginx.conf that listens on port 443, the default HTTPS port.
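The certificate steps in section II and the nginx directives above fit together as follows: cacert.pem is what ssl_client_certificate trusts, nginx.crt/nginx.key are the ssl_certificate/ssl_certificate_key pair, and every client.crt must chain to the same CA. The script below is an added example, not code from the post: it builds a throwaway CA in a directory of your choice with its own openssl.cnf (so it does not touch /etc/pki), creates the database files that `openssl ca` requires (index.txt, serial, newcerts/) before anything is issued, and then issues a server and a client certificate and checks them the way nginx will. It assumes openssl is on PATH; the subject values are constructed; keys are 2048-bit rather than the post's 1024-bit (1024-bit RSA is below current minimums); serial starts at 01; and localityName is added to the policy so the city must match, as the post requires. One caveat on the config above: ssl_protocols SSLv2 SSLv3 TLSv1 reflects nginx 1.5-era defaults; on a current build use ssl_protocols TLSv1.2 TLSv1.3.

```shell
#!/bin/sh
# Added example (not from the original post): a self-contained private CA that
# follows the post's openssl ca workflow. All paths, names and subject values
# are constructed for this example.
set -eu

# Create the CA directory layout, the database files and a minimal config.
ca_init() {
    dir=$1
    mkdir -p "$dir/private" "$dir/newcerts"
    touch "$dir/index.txt"                            # certificate database (may be empty)
    [ -s "$dir/serial" ] || echo 01 > "$dir/serial"   # next serial number, in hex
    # In the heredoc $dir is expanded by the shell now; \$dir is left for openssl.
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $dir
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
policy        = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
}

# CA private key and self-signed CA certificate (steps 2 and 3 of the post).
ca_create() {
    dir=$1; subj=$2
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
        -days 3655 -subj "$subj" -config "$dir/openssl.cnf" -extensions v3_ca
}

# Private key -> CSR -> certificate signed by the CA (steps 4 and 5). Files are
# written to the current directory as NAME.key, NAME.csr and NAME.crt.
ca_issue() {
    dir=$1; name=$2; subj=$3
    (umask 077; openssl genrsa -out "$name.key" 2048 2>/dev/null)
    openssl req -new -key "$name.key" -out "$name.csr" -subj "$subj" \
        -config "$dir/openssl.cnf"
    openssl ca -batch -notext -config "$dir/openssl.cnf" -days 3650 \
        -in "$name.csr" -out "$name.crt"
}

# Does the certificate chain to our CA? This is what nginx checks on a client
# certificate when ssl_client_certificate and ssl_verify_client on are set.
ca_verify() {
    openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1
}

# Do ssl_certificate and ssl_certificate_key belong together? Compare public keys.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
```

Usage: ca_init /path/to/ca; ca_create /path/to/ca "/C=CN/ST=BJ/L=BJ/O=Example/CN=example-ca"; then, inside the nginx ssl directory, ca_issue /path/to/ca nginx "/C=CN/ST=BJ/L=BJ/O=Example/CN=nginx.example.test" and ca_issue /path/to/ca client "/C=CN/ST=BJ/L=BJ/O=Example/CN=qa". The browser bundle is made exactly as in the post, openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12. A request whose C, ST, L or O differs from the CA is refused by policy_match, which is the concrete reason the post insists those fields be identical.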
Problems encountered during configuration:
1. Generating the client certificate reports a missing file:
File 1:
[root@bjdhj-125-218 ssl]# openssl ca -in client.csr -out client.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
140196223215432:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/index.txt','r')
140196223215432:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
Solution:
Create the file manually
cd /etc/pki/CA/
touch index.txt
File 2:
[root@bjdhj-125-218 ssl]# openssl ca -in client.csr -out client.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140284298094408:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/serial','r')
140284298094408:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
The solution is the same as above: create the file manually
touch serial
echo "00" >serial
Note: make sure 00 is actually written into the serial file; an empty serial file produces the following error:
[root@bjdhj-125-218 ssl]# openssl ca -in client.csr -out client.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
unable to load number from /etc/pki/CA/serial
error while loading serial number
140584495503176:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:
Thanks to this article, it got me working!
III. Testing the configured nginx
The nginx root directory mainly contains these directories:
conf: configuration files
html: the content served by default for the root path (configured in ./conf/nginx.conf as root html)
sbin: where the nginx binary lives; start nginx with ./nginx and reload it with ./nginx -s reload
Go to sbin, start nginx, then open https://192.168.125.218 in a browser (the IP is that of the machine nginx is installed on). If the following page appears, the setup succeeded; it is simply the contents of ./html/index.html.
Note: if you change the nginx configuration file, nginx must be reloaded for the change to take effect: nginx -s reload