1 Create a Root CA and generate a server certificate, private key, client certificate, and client key.
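# Root CA: passphrase-protected (-des3) private key plus a self-signed
# certificate. Every signing step below (client.crt, server.crt) prompts for
# this passphrase again.
# Fix: the original -subj strings ran "L=haidian" and "O=changyang" together
# ("/L=haidianO=changyang"), producing a single bogus L= value; each RDN must
# be separated by "/".
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -sha256 -days 365 -key ca.key -out ca.crt \
  -subj "/C=CN/ST=beijing/L=haidian/O=changyang/CN=Self-Signed CA"

# Client key + CSR, signed by the CA (serial 01). Presented by curl below.
openssl genrsa -out client.key 4096
openssl req -new -sha256 -key client.key -out client.csr \
  -subj "/C=CN/ST=beijing/L=haidian/O=changyang/CN=client"
openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key \
  -set_serial 01 -out client.crt

# Server key + CSR, signed by the CA (serial 02). Clients verifying the server
# certificate match the name they connect with against CN=server (no SAN is
# set here), so connect as "server" or change the CN to the real hostname.
openssl genrsa -out server.key 4096
openssl req -new -sha256 -key server.key -out server.csr \
  -subj "/C=CN/ST=beijing/L=haidian/O=changyang/CN=server"
openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
  -set_serial 02 -out server.crt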
2 确认nginx编译了ssl模块
nginx version: nginx/1.14.0
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10)
built with OpenSSL 1.0.2g 1 Mar 2016
TLS SNI support enabled
configure arguments: --prefix=/usr/local/server/nginx --with-cc-opt='-I /usr/include/pcre -I /usr/include/openssl' --with-debug --with-http_stub_status_module --with-http_ssl_module --with-http_realip_module --with-http_ssl_module --with-http_stub_status_module
3 nginx配置
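server {
    # "ssl" on the listen directive enables TLS for this vhost; the separate
    # "ssl on;" of the original is redundant here and deprecated (removed in
    # nginx 1.15), so it is dropped.
    listen 444 ssl;
    server_name localhost;

    #charset koi8-r;
    #access_log logs/host.access.log main;

    location / {
        root html;
        index index.html index.htm;
    }

    #error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }

    # Stock nginx.conf examples, left commented out as in the original.
    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #location ~ \.php$ {
    #    proxy_pass http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #location ~ \.php$ {
    #    root html;
    #    fastcgi_pass 127.0.0.1:9000;
    #    fastcgi_index index.php;
    #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
    #    include fastcgi_params;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #location ~ /\.ht {
    #    deny all;
    #}

    # Mutual TLS: the server presents server.crt and, because
    # ssl_verify_client is on, rejects any handshake whose client certificate
    # does not chain to ca.crt. Leading "//" of the original paths is
    # implementation-defined in POSIX; a single "/" is the intended path.
    ssl_certificate /software/pki/server.crt;
    ssl_certificate_key /software/pki/server.key;
    ssl_client_certificate /software/pki/ca.crt;
    ssl_verify_client on;
    ssl_session_timeout 5m;

    # The original allowed SSLv3/TLSv1 and a cipher list that includes
    # RC4, LOW and EXPORT grades, all of which are broken. This build
    # (OpenSSL 1.0.2g, see "nginx -V" above) supports TLSv1.2, so require it
    # and exclude the weak suites explicitly. TLSv1.3 needs OpenSSL 1.1.1 and
    # is deliberately not listed.
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES:!EXPORT:!LOW;
    ssl_prefer_server_ciphers on;
}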
4 测试
curl -k --cert client.crt --key client.key