
Category: Systems operations

2009-09-15 15:14:12

  server {
        listen      8000;
    #    listen       192.168.0.100:8080;
      
        ssl  on;
---> "ssl on" is deprecated in current nginx; the equivalent today is "listen 8000 ssl;".
        ssl_certificate  /server/nginx/conf/server.crt;
---> the certificate. The original config pointed this at server.csr, but a .csr is only a signing request, not a certificate, and nginx refuses to load it; use the server.crt produced by signing the request (self-signed or CA-signed, see below). A self-signed or private-CA certificate is not trusted by browsers, so this is fine for playing around but not for public use.
        ssl_certificate_key  /server/nginx/conf/server.key;
---> the private key (strip its passphrase first, see below, or nginx will prompt for it at every start)

        location / {
            root   /web;
            index  index.html index.htm;
        }
    }





1. First generate the server's private key (the key file):
openssl genrsa -des3 -out server.key 2048
(The original post used 1024 bits; 1024-bit RSA is no longer acceptable, use 2048 or larger.)

To remove the passphrase from the key file:
openssl rsa -in server.key -out server.key
(openssl reads the whole input before writing, so overwriting in place works; the copy-then-convert form in the self-signed section further down is the safer habit.)

2. openssl req -new -key server.key -out server.csr
This generates a Certificate Signing Request (CSR). The .csr file is handed to a CA for signing, which produces the server's own certificate. Follow the prompts on screen and enter the requested identity fields one by one; the Common Name should be the hostname clients will connect to (modern browsers additionally require a subjectAltName extension, which the CA adds at signing time).

3. Generate a key and CSR for the client in the same way (only needed if the server is going to require client certificates):
openssl genrsa -des3 -out client.key 2048
openssl req -new -key client.key -out client.csr

4. A CSR only becomes a certificate once a CA signs it. You could send it to VeriSign or the like for verification and pay a lot of money, or just be your own CA:
  openssl req -new -x509 -keyout ca.key -out ca.crt
(Without -days the self-signed CA certificate expires after 30 days; add something like -days 3650.)

5. Use the generated CA certificate to sign the server.csr and client.csr files you just produced:
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
Caveat: "openssl ca" expects the directory layout from the [ CA_default ] section of openssl.cnf (by default ./demoCA with index.txt, serial and newcerts/); create it first or the command fails. Now all the files we need have been generated.

Also:
The client uses these files: ca.crt, client.crt, client.key
The server uses these files: ca.crt, server.crt, server.key
The .crt and .key files can be merged into one file; I concatenated the two into a single .pem file (just copy one after the other). (Newer openssl versions also put the signed certificates under demoCA/newcerts/.)





If you don't want to go through a CA at all, do it like this (self-signed server certificate):
cd /usr/local/nginx/conf
$ openssl genrsa -des3 -out server.key 2048
$ openssl req -new -key server.key -out server.csr
$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Here server.key signs its own request, so server.crt is self-signed: browsers will warn on every visit unless the certificate is imported into their trust store. (1024 in the original replaced by 2048 for the reason given above.)
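The CA procedure (steps 1 to 5) and the self-signed shortcut above, combined into one non-interactive script, as an added example that is not part of the original post. It signs with "openssl x509 -req -CA ..." instead of "openssl ca", so no openssl.cnf/demoCA layout is needed, and adds the subjectAltName and extendedKeyUsage extensions that current clients check. Assumptions: an openssl CLI in PATH; the output directory argument, the subject names and "localhost" as the server hostname are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a private CA and issues one
# server and one client certificate under it, without "openssl ca" and its demoCA layout.
# Assumed: openssl in PATH; directory argument, CN values and DNS:localhost are placeholders.
set -eu

make_pki() {
    dir="$1"
    mkdir -p "$dir"

    # 1. CA: 2048-bit key without passphrase (-nodes), self-signed, valid 10 years.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -subj "/CN=Example Private CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # 2. Server key + CSR. Browsers match subjectAltName, not only CN, so the
    #    extension file adds DNS:localhost at signing time; serverAuth limits its use.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=localhost" -out "$dir/server.csr"
    printf 'subjectAltName=DNS:localhost\nextendedKeyUsage=serverAuth\n' > "$dir/server.ext"
    openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null

    # 3. Client key + CSR, signed for clientAuth only, so it cannot double as a server cert.
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client.key" -subj "/CN=example-client" -out "$dir/client.csr"
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -days 365 -sha256 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null
}

# Does the file parse as an X.509 certificate? A .csr does not, which is why
# pointing nginx's ssl_certificate at server.csr fails.
is_certificate() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# Both leaf certificates must chain to ca.crt (what a client/server with
# ca.crt in its trust store will check).
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1 &&
    openssl verify -CAfile "$1/ca.crt" "$1/client.crt" >/dev/null 2>&1
}

# Prints the issued extended key usage, e.g. "TLS Web Server Authentication".
cert_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Run directly: sh make_pki.sh /tmp/pki
if [ "${1:-}" ]; then
    make_pki "$1"
    verify_chain "$1" && echo "chain OK: $1"
fi
```

The server then gets ca.crt, server.crt and server.key, and the client ca.crt, client.crt and client.key, exactly the split the post describes; ca.key stays offline and never goes on the web server.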




#server {
#    listen 443;
#
#    server_name localhost;
#
#    ssl on;  ---> enables SSL; requires nginx built against OpenSSL. (Deprecated in current nginx: put "ssl" on the listen line instead, i.e. "listen 443 ssl;".)
#
#    ssl_certificate cert.pem;  ---> the SSL certificate. Indicates the file with the certificate in PEM format for this virtual server. The same file can contain other certificates (the intermediate chain), and also the secret key in PEM format. Keeping the key in its own root-only file is the safer habit.
#
#    ssl_certificate_key cert.key;  ---> the certificate's private key.
#
#    ssl_session_timeout 5m;  ---> Assigns the time during which the client can repeatedly use the parameters of the session, which is stored in the cache. The certificate has its own validity period; this additionally bounds how long a cached session stays resumable, which limits the usefulness of a session key that leaks.
#
#    ssl_protocols SSLv2 SSLv3 TLSv1;  ---> the supported protocols. SSLv2 and SSLv3 are broken and TLSv1.0 is retired; on a current server this line should read "ssl_protocols TLSv1.2 TLSv1.3;".
#
#    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;  ---> describes the permitted ciphers, in the formats supported by OpenSSL. Caveat: in OpenSSL cipher strings "+" only moves matching suites to the end of the list, while "!" removes them, so this string still admits LOW, EXP (export-grade) and RC4 suites; they should be excluded with !LOW:!EXP:!RC4:!MD5 rather than merely sorted last.

The cipher names the OpenSSL build on this server knows (an old build: note the EXP-* export suites and single-DES entries, which no current build should still offer):

root@yuan:~# /server/openssl/bin/openssl ciphers

DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:IDEA-CBC-MD5:RC2-CBC-MD5:RC4-SHA:RC4-MD5:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5

#    ssl_prefer_server_ciphers on;  ---> when negotiating a suite, the server's preference order wins over the client's.

#    ssl_session_cache  ---> translated straight from the nginx documentation:

  The cache types are:

off -- Hard off: nginx says explicitly to a client that sessions can not be reused.

none -- Soft off: nginx says to a client that a session can be reused, but nginx actually never reuses them. This is a workaround for some mail clients, as ssl_session_cache may be used in the mail proxy as well as in the HTTP server.

builtin -- the OpenSSL builtin cache, used inside one worker process only. The cache size is given as a number of sessions. Note: there appears to be a memory fragmentation issue with this method, so take that into consideration when using it.

shared -- the cache is shared between all worker processes. The size of the cache is given in bytes; a 1 MB cache can hold about 4000 sessions. Each shared cache must have an arbitrary name. A cache with the same name can be used in several virtual servers.

It is possible to use both types of cache simultaneously, for example: ssl_session_cache builtin:1000 shared:SSL:10m;

However, using only the shared cache, without the builtin one, should be more efficient; shared is the one to configure.
# }
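The commented server block above, rewritten for current nginx with the weak settings replaced and the client certificate from the CA procedure wired in, as an added example that is not part of the original post. Paths, the hostname and the cipher list are assumptions, not the post's values.

```nginx
# Added example, not from the original post. Assumed paths and names are placeholders.
server {
    listen 443 ssl;                 # replaces the deprecated "ssl on;"
    server_name localhost;

    ssl_certificate     /server/nginx/conf/server.crt;   # server cert, CA chain appended if any
    ssl_certificate_key /server/nginx/conf/server.key;   # passphrase-free, readable by root only

    # Mutual TLS: only clients presenting a certificate issued by our private CA get in.
    # Drop these three lines for a plain HTTPS server.
    ssl_client_certificate /server/nginx/conf/ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 1;

    # The old block offered SSLv2/SSLv3 and export, LOW and RC4 suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Shared cache only, per the docs quoted above: 10 MB is roughly 40000 sessions, visible to all workers.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_session_tickets off;   # tickets bypass the cache timeout unless ticket keys are rotated

    location / {
        root  /web;
        index index.html index.htm;
        # forward the verified client identity to an upstream if one is configured
        # proxy_set_header X-Client-DN $ssl_client_s_dn;
    }
}
```

With ssl_verify_client on, a browser or curl must present client.crt plus client.key (for curl: --cacert ca.crt --cert client.crt --key client.key); connections without a certificate chaining to ca.crt are rejected at the handshake before any request reaches the location block.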
