Configuring HTTPS one-way and two-way (mutual) authentication in Nginx

M醉逍遥
2017.03.25 15:16

For the SSL concepts and principles involved, see the posts "OpenSSL 与 SSL 数字证书概念贴" and "SSL/TLS原理详解".
To keep the roles easy to follow, the CA and the Nginx server are deployed on two separate machines:
CA: 192.168.1.100
Nginx: 192.168.1.101

1. Install OpenSSL on both CentOS servers

# Install
[root@cd-dev01 ~]# yum install openssl openssl-devel
# Update
[root@cd-dev01 ~]# yum update openssl openssl-devel

2. Configure the CA server (192.168.1.100)

Generate the private key for the self-signed CA certificate

# Change into the CA directory (it exists once OpenSSL is installed)
[root@cd-dev01 ~]# cd /etc/pki/CA/
# Generate the CA's private key with RSA (key length 2048 bits here)
[root@cd-dev01 CA]# openssl genrsa -out private/cakey.pem 2048
# Restrict the file permissions; the CA key must not be readable by other users
[root@cd-dev01 CA]# chmod 600 private/cakey.pem

Use that key to generate the CA server's certificate. For convenience, first set some default values in the OpenSSL configuration file.

# Edit the configuration file
[root@cd-dev01 CA]# vim /etc/pki/tls/openssl.cnf

Modify the following (excerpt):

# Find the following section (around line 128); these values are written into certificates at signing time
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
# Default country
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
# Default state or province
stateOrProvinceName_default    = SiChuan

localityName                    = Locality Name (eg, city)
# Default city
localityName_default            = ChengDu

0.organizationName              = Organization Name (eg, company)
# Default company name
0.organizationName_default      = SkyGuard

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
# Default organizational unit
organizationalUnitName_default = BigData

commonName                      = Common Name (eg, your name or your server's hostname)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64

Generate the self-signed CA certificate:

# Use the key just generated to create a certificate valid for 10 years
[root@cd-dev01 CA]# openssl req -new -x509 -key ./private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
# The following fields take the defaults configured above, so just press Enter
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SiChuan]:
Locality Name (eg, city) [ChengDu]:
Organization Name (eg, company) [SkyGuard]:
Organizational Unit Name (eg, section) [BigData]:
# Name of the CA server; a domain name resolvable in DNS is recommended (anything will do for testing)
Common Name (eg, your name or your server's hostname) []:ca.skyguard.com.cn
# Administrator e-mail address (anything will do for testing)
Email Address []:ca@skyguard.com.cn

Create the following two files

# Database file that records the certificates the CA has issued
[root@cd-dev01 CA]# touch index.txt
# Serial number of the next certificate to be issued; it is incremented automatically after each issuance
[root@cd-dev01 CA]# echo "00" > serial

3. Configure HTTPS one-way authentication on the Nginx server (192.168.1.101)

Build and install Nginx from source

[root@cd-dev02 ~]# wget http://nginx.org/download/nginx-1.11.12.tar.gz
[root@cd-dev02 ~]# tar -zvxf nginx-1.11.12.tar.gz
[root@cd-dev02 ~]# cd nginx-1.11.12
# The ssl module must be compiled in
[root@cd-dev02 nginx-1.11.12]# ./configure --with-http_ssl_module
[root@cd-dev02 nginx-1.11.12]# make
[root@cd-dev02 nginx-1.11.12]# make install
# Change into the Nginx installation directory
[root@cd-dev02 nginx-1.11.12]# cd /usr/local/nginx

Configure Nginx for SSL

# Create a directory for the SSL files and change into it
[root@cd-dev02 nginx]# mkdir ssl
[root@cd-dev02 nginx]# cd ssl
# Generate the server's private key
[root@cd-dev02 ssl]# openssl genrsa 2048 > httpd.key
# Restrict the file permissions
[root@cd-dev02 ssl]# chmod 600 httpd.key
# Generate a certificate signing request (CSR) to send to the CA server
[root@cd-dev02 ssl]# openssl req -new -key httpd.key -out httpd.crq
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
# The following fields must match the CA server's information (the CA's default policy requires C, ST and O to match)
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SiChuan
Locality Name (eg, city) [Default City]:ChengDu
Organization Name (eg, company) [Default Company Ltd]:SkyGuard
Organizational Unit Name (eg, section) []:BigData
# The Nginx virtual host name; only requests to this virtual host are encrypted
Common Name (eg, your name or your server's hostname) []:nginx.skyguard.com.cn
# Administrator e-mail address
Email Address []:nginx@skyguard.com.cn

Please enter the following 'extra' attributes
to be sent with your certificate request
# Optional challenge password; leave it empty
A challenge password []:
An optional company name []
# Transfer the CSR to the CA server
[root@cd-dev02 ssl]# scp httpd.crq 192.168.1.100:/tmp/

Log in to the CA server (192.168.1.100), change into the CA directory and sign the request

[root@cd-dev01 CA]# openssl ca -in /tmp/httpd.crq -out /tmp/httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Mar 25 05:25:03 2017 GMT
            Not After : Mar 23 05:25:03 2027 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = SiChuan
            organizationName          = SkyGuard
            organizationalUnitName    = BigData
            commonName                = nginx.skyguard.com.cn
            emailAddress              = nginx@skyguard.com.cn
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                F2:09:FE:0E:53:0D:00:1C:DB:FA:0D:B0:2F:76:A4:4E:5E:23:18:3C
            X509v3 Authority Key Identifier: 
                keyid:C2:C4:46:FB:37:A8:8E:CF:38:E7:72:2F:E1:7B:35:0F:22:23:19:1D

Certificate is to be certified until Mar 23 05:25:03 2027 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# Send the signed certificate back to the Nginx server's ssl directory
[root@cd-dev01 CA]# scp /tmp/httpd.crt 192.168.1.101:/usr/local/nginx/ssl/
# Remove the crq and crt files from the CA server
[root@cd-dev01 CA]# rm -rf /tmp/httpd.crq /tmp/httpd.crt

Log in to the Nginx server (192.168.1.101) and configure Nginx

[root@cd-dev02 nginx]# vim conf/nginx.conf
# Add the following virtual host ("ssl on;" is redundant once "listen 443 ssl" is used, so it is omitted)
server {
        listen 443 ssl;
        server_name nginx.skyguard.com.cn;

        # Relative paths resolve against the conf/ directory, so ../ssl/ is /usr/local/nginx/ssl/
        ssl_certificate ../ssl/httpd.crt;
        ssl_certificate_key ../ssl/httpd.key;
        # SSLv3 and the old cipher string (+LOW:+SSLv2:+EXP) are insecure; allow TLS 1.2 with strong ciphers only
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
                root   html;
                index  index.html index.htm;
        }
}
# Start Nginx
[root@cd-dev02 nginx]# ./sbin/nginx

Then open https://192.168.1.101 in a browser. Because the certificate was issued by a private CA and for the name nginx.skyguard.com.cn, the browser shows a certificate warning until cacert.pem is trusted and the site is reached by that host name (see step 5).

4. Configure HTTPS two-way (mutual) authentication on the Nginx server (192.168.1.101)

Generate a client certificate on the CA server (192.168.1.100)

[root@cd-dev01 CA]# mkdir users
[root@cd-dev01 CA]# openssl genrsa 2048 > users/client.key
Generating RSA private key, 2048 bit long modulus
.............+++
......................+++
e is 65537 (0x10001)
[root@cd-dev01 CA]# openssl req -new -key ./users/client.key -out ./users/client.crq
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SiChuan]:
Locality Name (eg, city) [ChengDu]:
Organization Name (eg, company) [SkyGuard]:
Organizational Unit Name (eg, section) [BigData]:
Common Name (eg, your name or your server's hostname) []:client.skyguard.com.cn
Email Address []:client@skyguard.com.cn

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@cd-dev01 CA]# openssl ca -in ./users/client.crq -out ./users/client.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 25 06:17:27 2017 GMT
            Not After : Mar 23 06:17:27 2027 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = SiChuan
            organizationName          = SkyGuard
            organizationalUnitName    = BigData
            commonName                = client.skyguard.com.cn
            emailAddress              = client@skyguard.com.cn
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                C9:00:A4:37:14:80:FC:30:DC:7A:88:D4:03:09:7C:90:34:91:F5:7C
            X509v3 Authority Key Identifier: 
                keyid:C2:C4:46:FB:37:A8:8E:CF:38:E7:72:2F:E1:7B:35:0F:22:23:19:1D

Certificate is to be certified until Mar 23 06:17:27 2027 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Update
# Export the certificate and key as a PKCS#12 bundle, the format browsers can import
[root@cd-dev01 CA]# openssl pkcs12 -export -clcerts -in ./users/client.crt -inkey ./users/client.key -out ./users/client.p12
# No password; just press Enter
Enter Export Password:
Verifying - Enter Export Password:
# Copy the CA's self-signed certificate to the Nginx server
[root@cd-dev01 CA]# scp cacert.pem 192.168.1.101:/usr/local/nginx/ssl/

Enable mutual authentication on the Nginx server (192.168.1.101)

[root@cd-dev02 nginx]# vim conf/nginx.conf
# Modify the one-way authentication virtual host
server {
        listen 443 ssl;
        server_name nginx.skyguard.com.cn;

        ssl_certificate ../ssl/httpd.crt;
        ssl_certificate_key ../ssl/httpd.key;
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        # Enable client certificate verification: only certificates chaining to cacert.pem are accepted
        ssl_client_certificate ../ssl/cacert.pem;
        ssl_verify_client on;

        location / {
                root   html;
                index  index.html index.htm;
        }
}
# Nginx is already running from step 3, so reload the configuration instead of starting a second instance
[root@cd-dev02 nginx]# ./sbin/nginx -s reload
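To reproduce the issuance flow of steps 3 and 4 without the interactive prompts, and to confirm the trust decision behind ssl_verify_client, here is an added shell example (not code from the original post). It assumes the openssl CLI is available and uses openssl x509 -req in place of openssl ca; the second CA and its certificate are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the CA -> server -> client
# issuance flow non-interactively (-subj replaces the prompts) in a throwaway directory,
# then check the trust decision nginx makes under "ssl_verify_client on".
set -eu

# mk_ca DIR CN: self-signed CA key and certificate (the post's cakey.pem / cacert.pem)
mk_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/C=CN/ST=SiChuan/L=ChengDu/O=SkyGuard/OU=BigData/CN=$2" \
    -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
  chmod 600 "$1/cakey.pem"
}

# issue CADIR CN OUTBASE: CSR plus CA-signed leaf certificate (the post's httpd.crq -> httpd.crt);
# "openssl x509 -req" is used instead of "openssl ca" so no index.txt/serial files are needed
issue() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=CN/ST=SiChuan/O=SkyGuard/OU=BigData/CN=$2" \
    -keyout "$3.key" -out "$3.crq" 2>/dev/null
  openssl x509 -req -in "$3.crq" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
    -CAcreateserial -days 3650 -out "$3.crt" 2>/dev/null
}

# verify_against CACERT CERT: the same chain check ssl_client_certificate + ssl_verify_client
# performs on a presented client certificate; prints accept or reject
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo accept; else echo reject; fi
}

# demo: prints the verdicts for the server cert, the client cert and a client cert from a foreign CA
demo() {
  work=$(mktemp -d)
  mk_ca "$work/ca"    ca.skyguard.com.cn                       # the post's CA
  mk_ca "$work/other" ca.example.invalid                       # unrelated CA (constructed)
  issue "$work/ca"    nginx.skyguard.com.cn  "$work/httpd"     # server certificate
  issue "$work/ca"    client.skyguard.com.cn "$work/client"    # client certificate
  issue "$work/other" client.skyguard.com.cn "$work/rogue"     # same CN, wrong issuer
  # Browser bundle as in the post, with an empty export password
  openssl pkcs12 -export -clcerts -in "$work/client.crt" -inkey "$work/client.key" \
    -out "$work/client.p12" -passout pass: 2>/dev/null
  printf '%s %s %s\n' "$(verify_against "$work/ca/cacert.pem" "$work/httpd.crt")" \
    "$(verify_against "$work/ca/cacert.pem" "$work/client.crt")" \
    "$(verify_against "$work/ca/cacert.pem" "$work/rogue.crt")"
  rm -rf "$work"
}
```

A certificate with the right subject but the wrong issuer is rejected, which is the property mutual authentication relies on.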

5. Accessing the mutual-authentication server from Chrome

Edit the Windows hosts file (C:\Windows\System32\drivers\etc\hosts) and add the following line

192.168.1.101       nginx.skyguard.com.cn

Import the client certificate (client.p12) into the browser: Settings => Show advanced settings => Manage certificates


Click Import


Then click Next until the wizard finishes, and open https://nginx.skyguard.com.cn in the browser.
