1. 加装SSL模块
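# 1. Build dependencies for the SSL module
apt install openssl libssl-dev
# 2. Re-run configure in the ORIGINAL nginx source tree with the SSL module added.
#    Keep every argument of the existing build (shown by `nginx -V`) and append
#    --with-http_ssl_module; a bare ./configure first is redundant, the second run
#    replaces it anyway.
cd /usr/local/src/nginx_1.6.0
./configure --with-http_ssl_module
# make only — NOT make install, which would overwrite the existing installation
make
# 3. Back up the installed binary, then replace it with the freshly built one.
#    `nginx -s reload` does not pick up a new binary, and copying over a running
#    executable on Linux can fail with "Text file busy": stop, copy, start.
cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
/usr/local/nginx/sbin/nginx -s stop
cp -fp objs/nginx /usr/local/nginx/sbin/nginx
/usr/local/nginx/sbin/nginx
# 4. Confirm the module is compiled in: the output should contain
#    "TLS SNI support enabled" and "configure arguments: --with-http_ssl_module"
#    (run the installed binary — there is no ./nginx in the source directory).
/usr/local/nginx/sbin/nginx -V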
2. 制作证书
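# Map the certificate's hostname to the server in /etc/hosts so every machine
# resolves the same name the certificate is issued for. A hosts entry is
# "<ip> <hostname>" — a URL scheme such as https:// is not valid there.
printf '%s\n' '172.26.1.240 success.me' | sudo tee -a /etc/hosts >/dev/null
# 1. Dependency
apt install -y openssl
# 2. Create the CA directory tree under the nginx install directory
cd /usr/local/nginx
mkdir ca && cd ca   # the command is mkdir ("makedir" does not exist)
mkdir newcerts conf private server users
# private/ will hold the CA private key: owner-only access
chmod 700 private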
# newcerts 子目录用于存放 CA 签署过的数字证书(证书备份目录);private 用于存放 CA 的私钥;conf 目录用于存放一些简化参数用的配置文件;server 存放服务器证书文件;users 用于存放提供给用户浏览器安装的证书。
# 3.在新创建的conf下,新建openssl.conf文件
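# openssl.conf for the private CA under /usr/local/nginx/ca
# (passed to `openssl ca -config conf/openssl.conf`)
[ ca ]
default_ca = foo # The default ca section
[ foo ]
dir = /usr/local/nginx/ca/ # top dir
database = /usr/local/nginx/ca/index.txt # index file (created with `touch index.txt`)
new_certs_dir = /usr/local/nginx/ca/newcerts # copy of every issued cert
certificate = /usr/local/nginx/ca/private/ca.crt # The CA cert
serial = /usr/local/nginx/ca/serial # serial no file (hex, even number of digits)
private_key = /usr/local/nginx/ca/private/ca.key # CA private key
RANDFILE = /usr/local/nginx/ca/private/.rnd # random number file
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
# sha256 rather than sha1: newer OpenSSL refuses certificates signed with md5
# (and, at stricter security levels, sha1) with "ca md too weak", and sha1 is
# no longer considered collision resistant.
default_md = sha256 # message digest method to use
unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
policy = policy_any # default policy
[ policy_any ]
# "match" fields must equal the CA cert's; "supplied" must be present in the CSR
countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
localityName = optional
commonName = supplied
emailAddress = optional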
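# A. CA private key and self-signed CA certificate
openssl genrsa -out private/ca.key 2048
chmod 600 private/ca.key   # root of trust for every cert below: owner-only
openssl req -new -key private/ca.key -out private/ca.csr   # prompts for country, organisation, CN, password ...
# -sha256: sign with SHA-256. md5/sha1-signed CA certificates are refused by
# newer OpenSSL versions with "ca md too weak".
openssl x509 -req -sha256 -days 365 -in private/ca.csr -signkey private/ca.key -out private/ca.crt
# Seed the serial file and the (empty) certificate database used by `openssl ca`.
# The serial must be hexadecimal with an even number of digits; FACE is one valid value.
echo FACE > serial
touch index.txt
# Create an (initially empty) certificate revocation list for revoked user certificates
openssl ca -gencrl -md sha256 -out private/ca.crl -crldays 7 -config "conf/openssl.conf"
# B. Server certificate, issued by the CA
openssl genrsa -out server/server.key 2048
chmod 600 server/server.key
openssl req -new -key server/server.key -out server/server.csr   # CN should be the hostname clients use (success.me in the hosts entry above)
openssl ca -md sha256 -in server/server.csr -cert private/ca.crt -keyfile private/ca.key -out server/server.crt -config "conf/openssl.conf"
# C. Client (browser) certificate, issued by the same CA
openssl genrsa -des3 -out users/client.key 2048   # -des3: the key file is passphrase-protected
openssl req -new -key users/client.key -out users/client.csr   # prompts for the subject fields
openssl ca -md sha256 -in users/client.csr -cert private/ca.crt -keyfile private/ca.key -out users/client.crt -config "conf/openssl.conf"
# Bundle certificate + key as PKCS#12 for import into the user's browser
# (an export password is prompted for; hand the .p12 to the user, never the CA key)
openssl pkcs12 -export -clcerts -in users/client.crt -inkey users/client.key -out users/client.p12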
3. 配置nginx.conf
http {
include mime.types;
default_type application/octet-stream;
# kernel-side file transfer with full packets
sendfile on;
tcp_nopush on;
keepalive_timeout 65;
# NOTE(review): gzip applies to TLS responses too; compressing responses that mix
# secrets with attacker-influenced content is the BREACH setting. Fine for the
# static assets served here — review for the proxied /admin application.
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
# level 9 is the most CPU-expensive setting; confirm it is intended
gzip_comp_level 9;
gzip_types text/plain application/x-javascript text/css application/xml text/javascript application/x-httpd-php application/javascript application/json;
gzip_disable "MSIE [1-6]\.";
gzip_vary on;
# 10 GiB request body limit — unusually large for an exposed endpoint; confirm it is needed
client_max_body_size 10240m;
keepalive_requests 10240;
client_header_buffer_size 8k;
# cache open file descriptors for static files
open_file_cache max=102400 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 1;
# short header/body/send timeouts limit how long a slow client can hold a worker
client_header_timeout 15;
client_body_timeout 15;
reset_timedout_connection on;
send_timeout 15;
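server {
    listen 443 ssl;
    server_name localhost;
    ssi on;
    ssi_silent_errors on;
    ssi_types text/shtml;

    # Server certificate/key issued by the local CA in /usr/local/nginx/ca
    ssl_certificate /usr/local/nginx/ca/server/server.crt;
    ssl_certificate_key /usr/local/nginx/ca/server/server.key;
    # CA against which client certificates are verified
    ssl_client_certificate /usr/local/nginx/ca/private/ca.crt;
    # a session cache is required for the timeout to have any effect
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    # Mutual TLS: requests without a valid client certificate are rejected
    ssl_verify_client on;
    # TLSv1 and TLSv1.1 are deprecated and no longer enabled
    ssl_protocols TLSv1.2;
    # NOTE(review): "AES" and "HIGH" also admit non-PFS CBC suites; restrict to
    # ECDHE suites once the client population is confirmed.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDH:AES:HIGH:!aNULL:!MD5:!ADH:!DH;
    ssl_prefer_server_ciphers on;
    charset utf-8;

    # Static assets. The dot before the extension is escaped — unescaped it matched
    # any character. "ioc" is kept as written; presumably "ico" was meant — confirm.
    location ~ \.(htm|html|GIF|JPG|JPEG|PNG|BMP|SWF|gif|jpg|jpeg|png|bmp|swf|ioc|rar|zip|txt|flv|mid|doc|ppt|pdf|xls|mp3|wma|js|css|woff|otf|svg|json|ttf|TTF|woff2|unity3d|unityweb|assetbundle)$ {
        expires 7d;
        log_not_found off;
        access_log off;
        root /usr/local/dsa5200/web;
        index index.html;
    }

    # Backend admin application; forward the original host, client address and
    # scheme so the backend can log the real client and build correct redirects.
    location /admin {
        proxy_pass http://127.0.0.1:10010;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    #error_page 404 /404.html;
    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}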
4. 设置nginx的主备切换
方案: 采用nginx+keepalived的方式进行主从切换!
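# 1. Install keepalived
sudo apt install -y keepalived
# Find this host's interface name (ens33 / eno1 / ...) and address; the
# "interface" setting in the vrrp_instance below must match it.
ip addr
# Master configuration — the file needs root to edit, like the install above
sudo vi /etc/keepalived/keepalived.conf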
! Configuration File for keepalived
! Master node. Lines starting with "!" or "#" are comments.
#global_defs { # alert e-mail settings; optional
# notification_email {
# acassen@firewall.loc
# failover@firewall.loc
# sysadmin@firewall.loc
# }
# notification_email_from Alexandre.Cassen@firewall.loc
# smtp_server 192.168.200.1
# smtp_connect_timeout 30
# router_id LVS_DEVEL
# vrrp_skip_check_adv_addr
# vrrp_strict
# vrrp_garp_interval 0
# vrrp_gna_interval 0
#}
vrrp_script chk_nginx {
script "/etc/keepalived/nginx_check.sh" # nginx health check (script given below)
interval 2 # seconds between checks
weight -20 # priority penalty on failure; note the script stops keepalived outright when nginx is gone, so failover happens by this node leaving VRRP rather than by the penalty
}
vrrp_instance VI_1 {
state MASTER # this node starts as master
interface ens33 # must be this host's interface (see `ip addr`)
virtual_router_id 11 # must be identical on master and backup — check the backup's value
#mcast_src_ip 192.168.125.129 # this host's own IP
priority 100 # must be higher than the backup's
advert_int 1
authentication {
auth_type PASS
auth_pass 1111 # sample value; use a site-specific secret (keepalived uses at most 8 characters), identical on both nodes
}
track_script {
chk_nginx # run the nginx health check above
}
virtual_ipaddress {
192.168.125.99 #/32 brd 255.255.255.0 dev ens33 label ens33:vip # the floating (virtual) IP
}
}
# 从机配置
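! Configuration File for keepalived
! Backup node: same vrrp_script and VIP as the master, lower priority, state BACKUP.
#global_defs {
# notification_email {
# acassen@firewall.loc
# failover@firewall.loc
# sysadmin@firewall.loc
# }
# notification_email_from Alexandre.Cassen@firewall.loc
# smtp_server 192.168.200.1
# smtp_connect_timeout 30
# router_id dreamer1
# vrrp_skip_check_adv_addr
# vrrp_strict
# vrrp_garp_interval 0
# vrrp_gna_interval 0
#}
vrrp_script chk_nginx {
    script "/etc/keepalived/nginx_check.sh" # nginx health check script
    interval 2 # seconds between checks
    weight -20 # priority penalty while the check fails
}
vrrp_instance VI_1 {
    state BACKUP
    interface ens33 # this host's interface (see `ip addr`)
    # Must equal the master's virtual_router_id (11 in the master configuration
    # above). With different ids the two nodes form separate VRRP groups and
    # both hold the VIP at the same time.
    virtual_router_id 11
    #mcast_src_ip 192.168.125.128 # this host's own IP
    priority 90 # lower than the master's 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass 1111 # sample value; must be identical to the master's
    }
    track_script {
        chk_nginx # run the nginx health check above
    }
    virtual_ipaddress {
        192.168.125.99 # the floating (virtual) IP, same as on the master
    }
}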
# nginx_check 用来检查nginx是否存活
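#!/bin/sh
# /etc/keepalived/nginx_check.sh — run by keepalived's vrrp_script "chk_nginx".
# If no nginx process exists, stop keepalived so this node leaves the VRRP group
# and the VIP moves to the other node. Process counts come from `ps -C <name>`.
# Fixes vs. the original: "ps-C" was not a command, "[$var" lacked the space
# after "[", and the counts are now quoted.
nginx_procs=$(ps -C nginx --no-header | wc -l)
keepalived_procs=$(ps -C keepalived --no-header | wc -l)
if [ "$nginx_procs" -eq 0 ]; then
  # stopping keepalived (instead of only failing the check) forces immediate failover
  killall keepalived
elif [ "$keepalived_procs" -eq 0 ]; then
  # cannot be reached when keepalived itself invokes the script; only matters when run by hand
  service keepalived start
fi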
# make the check script executable (keepalived runs it as a program)
chmod +x /etc/keepalived/nginx_check.sh
# service control — run the one you need:
service keepalived start # start keepalived
service keepalived stop # stop keepalived
service keepalived restart # restart keepalived (re-reads keepalived.conf)
OpenSSL版本更改加密方式: 错误信息: SSL_CTX_use_certificate("/etc/nginx/ca/server/server.crt") failed (SSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak)
- OpenSSL的版本是"OpenSSL 1.1.1"，在这个版本中OpenSSL去掉了对"MD5"加密算法的支持(MD5早已经不安全了，目前sha1也是不安全的，sha1正在向sha2过渡)。
- OpenSSL版本是"OpenSSL 1.0.2"(144环境)，老版本还支持MD5加密。
参考文章: