1. 加装SSL模块

  1. # 1.需要用到的依赖包
  2. apt install openssl libssl-dev
  4. # 2.在原来的nginx接压缩包中,添加ssl模块
  5. cd /usr/local/src/nginx_1.6.0
  6. ./configure
  7. ./configure --with-http_ssl_module
  8. make    # 这里只能make,不能make install 否则会被覆盖
  10. # 备份nginx并用新的nginx文件替换
  11. cp /usr/local/nginx/sbin/nginx  /usr/local/nginx/sbin/nginx.bak
  13. cp -rfp objs/nginx /usr/local/nginx/sbin/nginx
  15. # 此时如果 ./nginx -s reload  你会发现没有生效;我们需要将原来的服务停了,重新启动
  16. ./nginx -V   
  17. # 可以查看到新添加的模块TLS SNI support enabled   configure arguments: --with-http_ssl_module

2. 制作证书

  1. # 在hosts文件中添加一个域名,这样就能够保证多台服务器的证书相一致
  2. sudo vi /etc/hosts
  3. 172.26.1.240     https://success.me
  1. # 1.添加依赖
  2. apt install -y openssl
  4. # 2.在nginx的安装目录下,新增ca的文件夹
  5. cd /usr/local/nginx
  6. makedir ca && cd ca
  7. mkdir newcerts conf private server users
  8. # newcerts 子目录将用于存放 CA 签署过的数字证书(证书备份目录);private 用于存放 CA 的私钥;conf 目录用于存放一些简化参数用的配置文件;server 存放服务器证书文件;users用来存在用户浏览器添加的证书。
  1. # 3.在新创建的conf下,新建openssl.conf文件
  2. [ ca ]
  3. default_ca      = foo                  # The default ca section
  5. [ foo ]
  6. dir            = /usr/local/nginx/ca/                   # top dir
  7. database       = /usr/local/nginx/ca/index.txt          # index file.
  8. new_certs_dir  = /usr/local/nginx/ca/newcerts           # new certs dir
  10. certificate    = /usr/local/nginx/ca/private/ca.crt     # The CA cert
  11. serial         = /usr/local/nginx/ca/serial             # serial no file
  12. private_key    = /usr/local/nginx/ca/private/ca.key     # CA private key
  13. RANDFILE       = /usr/local/nginx/ca/private/.rnd       # random number file
  15. default_days   = 365                     # how long to certify for
  16. default_crl_days= 30                     # how long before next CRL
  17. default_md     = sha1                    # message digest method to use
  18. unique_subject = no                      # Set to 'no' to allow creation of
  19.                                          # several ctificates with same subject.
  20. policy         = policy_any              # default policy
  22. [ policy_any ]
  23. countryName = match  
  24. stateOrProvinceName = optional  
  25. organizationName = match  
  26. organizationalUnitName = optional  
  27. localityName            = optional  
  28. commonName              = supplied  
  29. emailAddress            = optional
  1. # A.生成私钥
  2. openssl genrsa -out private/ca.key 2048
  3. openssl req -new -key private/ca.key -out private/ca.csr  #这里需要填写地区、公司、密码等
  4. openssl x509 -req -days 365 -in private/ca.csr -signkey private/ca.key -out private/ca.crt
  1. # 为key设置起始序列号和CA键库
  2. echo FACE > serial   #可以是任意四个字符
  3. touch index.txt
  1. # "用户证书"移除创建一个证书撤销列表
  2. openssl ca -gencrl -out private/ca.crl -crldays 7 -config "conf/openssl.conf"
  1. # B.服务器证书生成
  2. openssl genrsa -out server/server.key 2048
  3. openssl req -new -key server/server.key -out server/server.csr  #需要填写信息
  4. openssl ca -in server/server.csr -cert private/ca.crt -keyfile private/ca.key -out server/server.crt -config "conf/openssl.conf"
  1. # C.浏览器的配置
  2. openssl genrsa -des3 -out users/client.key 2048
  3. openssl req -new -key users/client.key -out users/client.csr  #填写信息
  4. openssl ca -in users/client.csr -cert private/ca.crt -keyfile private/ca.key -out users/client.crt -config "conf/openssl.conf"
  5. openssl pkcs12 -export -clcerts -in users/client.crt -inkey users/client.key -out users/client.p12   #这个提供给用户,用在浏览器上面

3. 配置nginx.conf

  1. http {
  2.     include       mime.types;
  3.     default_type  application/octet-stream;
  4.     sendfile        on;
  5.     tcp_nopush     on;
  7.     keepalive_timeout  65;
  9.     gzip  on;
  10.     gzip_min_length  1k;
  11.     gzip_buffers     4 16k;
  12.     gzip_http_version 1.1;
  13.     gzip_comp_level 9;
  14.     gzip_types       text/plain application/x-javascript text/css application/xml text/javascript application/x-httpd-php application/javascript application/json;
  15.     gzip_disable "MSIE [1-6]\.";
  16.     gzip_vary on;
  18.     client_max_body_size 10240m;
  19.     keepalive_requests 10240;
  20.     client_header_buffer_size 8k;
  21.     open_file_cache max=102400 inactive=20s;
  22.     open_file_cache_valid 30s;
  23.     open_file_cache_min_uses 1;
  24.     client_header_timeout 15;
  25.     client_body_timeout 15;
  26.     reset_timedout_connection on;
  27.     send_timeout 15;
  30.     server {
  31.         listen       443  ssl;
  32.         server_name  localhost;
  33.         ssi on;
  34.         ssi_silent_errors on;
  35.         ssi_types text/shtml;
  37.         ssl_certificate      /usr/local/nginx/ca/server/server.crt;
  38.         ssl_certificate_key  /usr/local/nginx/ca/server/server.key;
  39.         ssl_client_certificate /usr/local/nginx/ca/private/ca.crt;
  41.         ssl_session_timeout  5m;
  42.         ssl_verify_client on;  #开户客户端证书验证
  43.         ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  44.         ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDH:AES:HIGH:!aNULL:!MD5:!ADH:!DH;
  45.         ssl_prefer_server_ciphers   on;
  47.         charset utf-8;
  48.         location ~ .*.(htm|html|GIF|JPG|JPEG|PNG|BMP|SWF|gif|jpg|jpeg|png|bmp|swf|ioc|rar|zip|txt|flv|mid|doc|ppt|pdf|xls|mp3|wma|js|css|woff|otf|svg|json|ttf|TTF|woff2|unity3d|unityweb|assetbundle)$ {
  49.             expires 7d;
  50.             log_not_found off;
  51.             access_log off;
  52.             root   /usr/local/dsa5200/web;
  53.             index index.html;
  54.         }
  56.         location /admin {
  57.             proxy_pass http://127.0.0.1:10010;
  58.         }
  60.         #error_page  404              /404.html;
  61.         # redirect server error pages to the static page /50x.html
  62.         error_page   500 502 503 504  /50x.html;
  63.         location = /50x.html {
  64.             root   html;
  65.         }
  66. }

4. 设置nginx的准备切换

方案: 采用nginx+keepalived的方式进行主从切换!

  1. # 1. 安装keepalived
  2. sudo apt install -y keepalived
  4. #检查IP地址情况
  5. ip addr   # 查看ip地址、ens(eno1)
  1. # 主机配置
  2. vi /etc/keepalived/keepalived.conf
  4. ! Configuration File for keepalived
  6. #global_defs {    # 配置报警邮箱 可以不配置
  7.  #  notification_email {
  8.  #    acassen@firewall.loc
  9.  #    failover@firewall.loc
  10.  #    sysadmin@firewall.loc
  11.  #  }
  12.  #  notification_email_from        Alexandre.Cassen@firewall.loc
  13.  #  smtp_server 192.168.200.1
  14.  #  smtp_connect_timeout 30
  15.  #  router_id LVS_DEVEL
  16.  #  vrrp_skip_check_adv_addr
  17.  #  vrrp_strict
  18.  #  vrrp_garp_interval 0
  19.  #  vrrp_gna_interval 0
  20. #}
  21. vrrp_script chk_nginx {
  22.         script "/etc/keepalived/nginx_check.sh"
  23.         interval 2
  24.         weight -20
  25. }
  26. vrrp_instance VI_1 {
  27.     state MASTER # 标识为主服务
  28.     interface ens33 #绑定虚拟机的IP  与主机的ens相同
  29.     virtual_router_id 11 # 虚拟路由id,和从机保持一致
  30.     #mcast_src_ip 192.168.125.129 #本机ip
  31.     priority 100 #权重,需要高于从机
  32.     advert_int 1
  33.     authentication {
  34.         auth_type PASS
  35.         auth_pass 1111
  36.     }
  37.    track_script {
  38.                 chk_nginx ## 执行 Nginx 监控的服务
  39.         }
  40.     virtual_ipaddress {
  41.         192.168.125.99  #/32 brd 255.255.255.0 dev ens33 label ens33:vip #虚拟IP地址
  42.     }
  43. }
  1. # 从机配置
  2. ! Configuration File for keepalived
  4. #global_defs {
  5. #   notification_email {
  6. #     acassen@firewall.loc
  7. #     failover@firewall.loc
  8. #     sysadmin@firewall.loc
  9. #   }
  10. #   notification_email_from Alexandre.Cassen@firewall.loc
  11. #   smtp_server 192.168.200.1
  12. #   smtp_connect_timeout 30
  13. #   router_id dreamer1
  14. #   vrrp_skip_check_adv_addr
  15. #   vrrp_strict
  16. #   vrrp_garp_interval 0
  17. #   vrrp_gna_interval 0
  18. #}
  19. vrrp_script chk_nginx {
  20.         script "/etc/keepalived/nginx_check.sh" ## 检测 nginx 状态的脚本路径
  21.         interval 2 ## 检测时间间隔
  22.         weight -20 ## 如果条件成立,权重-20
  23. }
  25. vrrp_instance VI_1 {
  26.     state BACKUP
  27.     interface ens33  # 与本地的ens相同
  28.     virtual_router_id 51
  29.     #mcast_src_ip 192.168.125.128 ## 本机 IP 地址 
  30.     priority 90
  31.     advert_int 1
  32.     authentication {
  33.         auth_type PASS
  34.         auth_pass 1111
  35.     }
  36.         track_script {
  37.                 chk_nginx ## 执行 Nginx 监控的服务
  38.         }
  39.     virtual_ipaddress {
  40.         192.168.125.99
  41.     }
  42. }
  1. # nginx_check 用来检查nginx是否存活
  2. #!/bin/sh
  3. nginxPidNum=`ps-C nginx --no-header |wc -l`
  4. keepalivedPidNum=`ps-C keepalived --no-header |wc -l`
  5. if [$nginxPidNum -eq 0 ];then
  6.     killall keepalived
  7. elif [$keepalivedPidNum -eq 0 ];then
  8.     service keepalived start
  9. fi
  1. # 添加权限
  2. chmod +x /etc/keepalived/nginx_check.sh
  4. #启动服务:
  5. service keepalived start    # 启动keepalived
  6. service keepalived stop     # 停止keepalived
  7. service keepalived restart  # 重新启动keepalived

OpenSSL版本更改加密方式: 错误信息: SSL_CTX_use_certificate(“/etc/nginx/ca/server/server.crt”) failed (SSL: error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak)

  1. OpenSSL的版本是”OpenSSL 1.1.1”在这个版本中OpenSSL去掉了对“MD5”加密算法的支持(MD5早已经不安全了,目前sha1也是不安全的,sha1正在向sha2过度)。
  2. OpenSSL版本是”OpenSSL 1.0.2”(144环境),老版本还支持MD5加密。

参考文章:

  1. https://blog.imdst.com/nginx-ssl-shuang-xiang-ren-zheng-key-sheng-cheng-he-pei-zhi/ #生成秘钥
  2. https://www.cnblogs.com/xiaoxia722/articles/11692671.html #keepalived配置使用
  3. https://blog.csdn.net/lzn948055097/article/details/110494904 #openssl的版本跟加密方式有差别