1. 加装SSL模块

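  # 1. Build dependencies for the SSL module
  apt install openssl libssl-dev
  # 2. Re-run configure in the original nginx source tree with the SSL module enabled
  cd /usr/local/src/nginx_1.6.0
  ./configure --with-http_ssl_module
  # Only `make` here — `make install` would overwrite the existing installation
  make
  # 3. Back up the installed binary and replace it with the freshly built one.
  #    -f lets cp unlink the busy (running) executable and recreate it instead of failing.
  cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
  cp -rfp objs/nginx /usr/local/nginx/sbin/nginx
  # `nginx -s reload` does NOT pick up the new binary: stop the old master process and start it again
  /usr/local/nginx/sbin/nginx -s stop
  /usr/local/nginx/sbin/nginx
  # 4. Confirm the module is compiled in. Use the installed path (objs/nginx is not in the cwd as ./nginx);
  #    the output should contain "TLS SNI support enabled" and "configure arguments: --with-http_ssl_module"
  /usr/local/nginx/sbin/nginx -V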

2. 制作证书

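  # Add a hostname to /etc/hosts so every server can be issued a certificate for the same name
  sudo vi /etc/hosts
  # Append this entry. /etc/hosts entries are "IP hostname" — a URL with an https:// scheme is not valid there:
  # 172.26.1.240 success.me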
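  # 1. Dependency
  apt install -y openssl
  # 2. Create the CA directory tree under the nginx installation directory
  cd /usr/local/nginx
  mkdir ca && cd ca
  mkdir newcerts conf private server users
  # newcerts: copies of every certificate the CA signs (backup directory); private: the CA private key;
  # conf: helper configuration files; server: the server certificate; users: client certificates imported into browsers.
  # private/ will hold ca.key — restrict it to the owner only
  chmod 700 private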
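  # 3. Create conf/openssl.conf with the following content (used by the `openssl ca` commands below)
  [ ca ]
  default_ca = foo                                   # The default ca section
  [ foo ]
  dir = /usr/local/nginx/ca/                         # top dir
  database = /usr/local/nginx/ca/index.txt           # index file (created with `touch index.txt`)
  new_certs_dir = /usr/local/nginx/ca/newcerts       # new certs dir
  certificate = /usr/local/nginx/ca/private/ca.crt   # The CA cert
  serial = /usr/local/nginx/ca/serial                # serial no file
  private_key = /usr/local/nginx/ca/private/ca.key   # CA private key
  RANDFILE = /usr/local/nginx/ca/private/.rnd        # random number file
  default_days = 365                                 # how long to certify for
  default_crl_days = 30                              # how long before next CRL
  # Signature digest for issued certificates. sha1 is deprecated and md5-signed certificates are
  # rejected by OpenSSL 1.1.1 ("ca md too weak"), so use sha256.
  default_md = sha256
  unique_subject = no                                # 'no' allows several certificates with the same subject
  policy = policy_any                                # default policy
  [ policy_any ]
  countryName = match
  stateOrProvinceName = optional
  organizationName = match
  organizationalUnitName = optional
  localityName = optional
  commonName = supplied
  emailAddress = optional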
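  # A. CA private key and self-signed CA certificate
  openssl genrsa -out private/ca.key 2048
  chmod 600 private/ca.key   # the CA key must never be world-readable
  # Prompts for country, organisation, a challenge password, etc.
  openssl req -new -key private/ca.key -out private/ca.csr
  # -sha256 signs the CA certificate explicitly with SHA-256 (older OpenSSL defaults may still use sha1)
  openssl x509 -req -sha256 -days 365 -in private/ca.csr -signkey private/ca.key -out private/ca.crt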
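  # Initialise the serial-number file and the CA database referenced by conf/openssl.conf.
  # The serial must be an even-length hexadecimal string (not arbitrary characters); FACE is one example.
  printf 'FACE\n' > serial
  touch index.txt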
  # Create the (initially empty) certificate revocation list; revoked user certificates are published through it
  openssl ca -gencrl -out private/ca.crl -crldays 7 -config conf/openssl.conf
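  # B. Server certificate
  openssl genrsa -out server/server.key 2048
  chmod 600 server/server.key
  # Prompts for the subject; the Common Name must be the hostname clients connect to (the name added to /etc/hosts)
  openssl req -new -key server/server.key -out server/server.csr
  # -md sha256 overrides default_md from openssl.conf so the server certificate is never signed with sha1/md5
  openssl ca -md sha256 -in server/server.csr -cert private/ca.crt -keyfile private/ca.key -out server/server.crt -config conf/openssl.conf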
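  # C. Client (browser) certificate
  # -des3 encrypts the client key with a passphrase (prompted)
  openssl genrsa -des3 -out users/client.key 2048
  # Prompts for the subject fields
  openssl req -new -key users/client.key -out users/client.csr
  # -md sha256 overrides default_md from openssl.conf so the client certificate is never signed with sha1/md5
  openssl ca -md sha256 -in users/client.csr -cert private/ca.crt -keyfile private/ca.key -out users/client.crt -config conf/openssl.conf
  # Bundle certificate + key as PKCS#12 (prompts for an export password); hand client.p12 to the user to import into the browser
  openssl pkcs12 -export -clcerts -in users/client.crt -inkey users/client.key -out users/client.p12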

3. 配置nginx.conf

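  http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 65;
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 9;
    gzip_types text/plain application/x-javascript text/css application/xml text/javascript application/x-httpd-php application/javascript application/json;
    gzip_disable "MSIE [1-6]\.";
    gzip_vary on;
    client_max_body_size 10240m;
    keepalive_requests 10240;
    client_header_buffer_size 8k;
    open_file_cache max=102400 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 1;
    client_header_timeout 15;
    client_body_timeout 15;
    reset_timedout_connection on;
    send_timeout 15;
    server {
      listen 443 ssl;
      # Should match the Common Name in server/server.crt (the hostname added to /etc/hosts);
      # "localhost" only works for local tests — confirm against the certificate.
      server_name localhost;
      ssi on;
      ssi_silent_errors on;
      ssi_types text/shtml;
      # Server certificate/key issued by the local CA under /usr/local/nginx/ca
      ssl_certificate /usr/local/nginx/ca/server/server.crt;
      ssl_certificate_key /usr/local/nginx/ca/server/server.key;
      # CA certificate used to verify client certificates (mutual TLS)
      ssl_client_certificate /usr/local/nginx/ca/private/ca.crt;
      ssl_session_timeout 5m;
      ssl_verify_client on; # enable client certificate verification; browsers need the users/client.p12 bundle
      # TLSv1 and TLSv1.1 are deprecated (RFC 8996), so only TLSv1.2 is offered.
      # TLSv1.3 is not listed because it needs nginx >= 1.13 with OpenSSL 1.1.1; this page builds nginx 1.6.0.
      ssl_protocols TLSv1.2;
      ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDH:AES:HIGH:!aNULL:!MD5:!ADH:!DH;
      ssl_prefer_server_ciphers on;
      charset utf-8;
      # Static assets. The dot before the extension is escaped (\.) so the pattern requires a real
      # extension instead of matching any character. "ioc" is kept from the original — possibly meant as "ico"; confirm.
      location ~ .*\.(htm|html|GIF|JPG|JPEG|PNG|BMP|SWF|gif|jpg|jpeg|png|bmp|swf|ioc|rar|zip|txt|flv|mid|doc|ppt|pdf|xls|mp3|wma|js|css|woff|otf|svg|json|ttf|TTF|woff2|unity3d|unityweb|assetbundle)$ {
        expires 7d;
        log_not_found off;
        access_log off;
        root /usr/local/dsa5200/web;
        index index.html;
      }
      # Admin application proxied to a local backend
      location /admin {
        proxy_pass http://127.0.0.1:10010;
      }
      #error_page 404 /404.html;
      # redirect server error pages to the static page /50x.html
      error_page 500 502 503 504 /50x.html;
      location = /50x.html {
        root html;
      }
    }
  } # closes http {} — the original listing left this block unterminated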

4. 设置nginx的主备切换

方案: 采用nginx+keepalived的方式进行主从切换!

  # 1. Install keepalived
  sudo apt install -y keepalived
  # Show the interfaces and addresses; the NIC name (ens*/eno1) is needed for the `interface` directive below
  ip addr
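  # MASTER node configuration — written to /etc/keepalived/keepalived.conf (vi /etc/keepalived/keepalived.conf)
  ! Configuration File for keepalived
  #global_defs { # alert e-mail settings; optional
  # notification_email {
  # acassen@firewall.loc
  # failover@firewall.loc
  # sysadmin@firewall.loc
  # }
  # notification_email_from Alexandre.Cassen@firewall.loc
  # smtp_server 192.168.200.1
  # smtp_connect_timeout 30
  # router_id LVS_DEVEL
  # vrrp_skip_check_adv_addr
  # vrrp_strict
  # vrrp_garp_interval 0
  # vrrp_gna_interval 0
  #}
  vrrp_script chk_nginx {
    script "/etc/keepalived/nginx_check.sh"   # nginx liveness check script
    interval 2                                # seconds between checks
    weight -20                                # priority penalty applied while the check fails
  }
  vrrp_instance VI_1 {
    state MASTER                     # this node starts as master
    interface ens33                  # NIC carrying the VIP; must be this host's interface name (see `ip addr`)
    virtual_router_id 51             # VRRP group id; MUST be identical on master and backup (the backup uses 51)
    #mcast_src_ip 192.168.125.129    # this host's IP
    priority 100                     # higher than the backup (90); when chk_nginx fails 100-20=80 < 90, so the VIP moves
    advert_int 1
    authentication {
      auth_type PASS
      auth_pass 1111                 # must match the backup; replace with a site-specific value (PASS uses at most 8 characters)
    }
    track_script {
      chk_nginx                      # run the nginx monitor
    }
    virtual_ipaddress {
      192.168.125.99 #/32 brd 255.255.255.0 dev ens33 label ens33:vip # the floating VIP
    }
  }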
  # BACKUP node configuration — /etc/keepalived/keepalived.conf on the standby host
  ! Configuration File for keepalived
  #global_defs {
  # notification_email {
  # acassen@firewall.loc
  # failover@firewall.loc
  # sysadmin@firewall.loc
  # }
  # notification_email_from Alexandre.Cassen@firewall.loc
  # smtp_server 192.168.200.1
  # smtp_connect_timeout 30
  # router_id dreamer1
  # vrrp_skip_check_adv_addr
  # vrrp_strict
  # vrrp_garp_interval 0
  # vrrp_gna_interval 0
  #}
  vrrp_script chk_nginx {
  script "/etc/keepalived/nginx_check.sh" ## path of the script that checks nginx status
  interval 2 ## check interval in seconds
  weight -20 ## priority penalty applied while the check fails
  }
  vrrp_instance VI_1 {
  state BACKUP
  interface ens33 # same as this host's interface name (see `ip addr`)
  virtual_router_id 51
  #mcast_src_ip 192.168.125.128 ## this host's IP address
  priority 90
  advert_int 1
  authentication {
  auth_type PASS
  auth_pass 1111
  }
  track_script {
  chk_nginx ## run the nginx monitor
  }
  virtual_ipaddress {
  192.168.125.99
  }
  }
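  #!/bin/sh
  # nginx_check.sh — invoked by keepalived's vrrp_script (chk_nginx) to test whether nginx is alive.
  # If no nginx process exists, keepalived is killed on this node so the VIP fails over to the backup.
  # The second branch (starting keepalived when it is not running) can only be reached when the
  # script is run outside keepalived, e.g. by hand or from cron.
  # Fixes vs. the original: the shebang must be the first line, `ps -C` needs a space, and
  # `[ ... ]` needs spaces around its operands.
  nginxPidNum=$(ps -C nginx --no-header | wc -l)
  keepalivedPidNum=$(ps -C keepalived --no-header | wc -l)
  if [ "$nginxPidNum" -eq 0 ]; then
    killall keepalived
  elif [ "$keepalivedPidNum" -eq 0 ]; then
    service keepalived start
  fi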
  # Make the check script executable (keepalived runs it directly)
  chmod +x /etc/keepalived/nginx_check.sh
  # Service control
  service keepalived start    # start keepalived
  service keepalived stop     # stop keepalived
  service keepalived restart  # restart keepalived

OpenSSL版本更改加密方式: 错误信息: SSL_CTX_use_certificate("/etc/nginx/ca/server/server.crt") failed (SSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak)

  1. OpenSSL的版本是"OpenSSL 1.1.1", 在这个版本中OpenSSL去掉了对"MD5"加密算法的支持(MD5早已经不安全了, 目前sha1也是不安全的, sha1正在向sha2过渡)。
  2. OpenSSL版本是"OpenSSL 1.0.2"(144环境), 老版本还支持MD5加密。

参考文章:

  1. https://blog.imdst.com/nginx-ssl-shuang-xiang-ren-zheng-key-sheng-cheng-he-pei-zhi/ #生成秘钥
  2. https://www.cnblogs.com/xiaoxia722/articles/11692671.html #keepalived配置使用
  3. https://blog.csdn.net/lzn948055097/article/details/110494904 #openssl的版本跟加密方式有差别