欢迎大家分享自己的文档,请点击查阅:分享方法,![]() 如果你喜欢这文章,可以点击文章结尾处百度分享,分享到你的各种社区收藏,或推荐给朋友…… 本文由邓亚运提供 Nginx+https双向验证 说明: 要想实现nginx的https,nginx必须启用http_ssl模块;在编译时加上--with-http_ssl_module参数就ok。另外系统必须安装了openssl;openssl为开源软件,在Linux(或UNIX/Cygwin)下创建一个简单的CA。我们可以利用这个CA进行PKI、数字证书相关的测试。比如,在测试用Tomcat或Apache构建HTTPS双向认证时,我们可以利用自己建立的测试CA来为服务器端颁发服务器数字证书,为客户端(浏览器)生成文件形式的数字证书(可以同时利用openssl生成客户端私钥) 1. 查看系统是否安装了openssl; rpm -qa | grepopenssl ![]() 如果没有,centos系统使用yum install openssl –y 安装就行 2. 查看nginx编译时是否加上了http_ssl模块; /usr/local/webserver/nginx/sbin/nginx–V ![]() 可以看出来已经加载了此模块 3. 服务器-客户端双向验证;创建相关目录,存放相关证书和key,我这里放在/data/ca下面,路径可以自己随意指定,nginx能够找到就行; mkdir -p /data/ca ![]() 其中newcerts子目录将存放CA签署(颁发)过的数字证书(证书备份目录)。而private目录用于存放CA的私钥。目录conf只是用于存放一些简化参数用的配置文件,server存放服务器证书文件。 (1) 在conf目录创建文件openssl.conf配置文件,内容如下: [root@www9 ca]# catconf/openssl.conf [ ca ] default_ca = foo [ foo ] dir = /data/ca database = /data/ca/index.txt new_certs_dir = /data/ca/newcerts certificate = /data/ca/private/ca.crt serial = /data/ca/serial private_key = /data/ca/private/ca.key RANDFILE = /data/ca/private/.rand default_days = 365 default_crl_days= 30 default_md = sha1 这里一定设置sha1,其他教程都是md5,最后导致提示根证书是弱加密,或者是伪造的 unique_subject = no policy = policy_any [ policy_any ] countryName = match #国家;比如cn,代表中国 stateOrProvinceName = match #州或省;guangdong organizationName = match #组织,可以理解为公司;mbook organizationalUnitName = match #组织单位,也可以理解为公司;mbook localityName = optional #城市;guangzhou commonName = supplied #网站域名;*.mbook.cn emailAddress = optional #邮件地址;admin@mbook.cn 注:你也可以直接修改openssl的配置文件,这样的话后面制作证书的代码中就不用引用这个配置文件了。 (2) 使用脚本创建证书,下面的几个脚本都放在/data/ca/目录下,创建一个新的CA根证书。 ![]() catcat.sh #!/bin/sh opensslgenrsa -out private/ca.key opensslreq -new -key private/ca.key -out private/ca.csr openssl x509 -req -days 365 -in private/ca.csr -signkey private/ca.key -out private/ca.crt echo FACE > serial touch index.txt opensslca -gencrl -out /data/ca/private/ca.crl -crldays 7 -config "/data/ca/conf/openssl.conf" 执行 shca.sh生成新的CA证书:其中有些交互过程;具体如下: ![]() (3) 生成服务器证书的脚本如下: catserver.sh #!/bin/bash opensslgenrsa -out server/server.key opensslreq -new -key server/server.key -out server/server.csr opensslca -in server/server.csr -cert private/ca.crt -keyfile private/ca.key -out server/server.crt -config "/data/ca/conf/openssl.conf" 执行 shserver.sh生成新服务器的证书;具体交互的过程和上面一致,注意,这里执行脚本过程中需要的参数必须和上面输入的一致,否则整个过程失败;详细如下: ![]() (4)配置 nginx的ssl支持: server { listen 443; server_name zabbix.yayun.cn; index index.html index.htm index.php; root /data/www/wwwroot/blog; ssl on; ssl_certificate /data/ca/server/server.crt; ssl_certificate_key /data/ca/server/server.key; ssl_client_certificate /data/ca/private/ca.crt; ssl_session_timeout 5m; ssl_verify_client on; #开户客户端证书验证 ssl_protocols SSLv2 SSLv3 TLSv1; ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; ssl_prefer_server_ciphers on; ……………………………. ………………………………. } } 为了能够自动跳转到https,在虚拟主机里面添加如下代码 server { listen 80; server_name zabbix.yayun.cn; rewrite ^(.*) https://$server_name$1 permanent; } 这样能够实现自动跳到https 启动nginx ,等待客户连接,如果此时连接服务器,将提示400 Bad request certification的错误,故还需要生成客户端证书。如下图: ![]() cat user.sh #!/bin/sh base="/data/ca" mkdir -p $base/yayun/ opensslgenrsa -des3 -out $base/yayun/yayun.key 2048 opensslreq -new -key $base/yayun/yayun.key -out $base/yayun/yayun.csr opensslca -in $base/yayun/yayun.csr -cert $base/private/ca.crt -keyfile $base/private/ca.key -out $base/yayun/yayun.crt -config "/data/ca/conf/openssl.conf" openssl pkcs12 -export -clcerts -in $base/yayun/yayun.crt -inkey $base/yayun/yayun.key -out $base/yayun/yayun.p12 (5)执行 shuser.sh生成一个 client证书。 按照提示一步一步来,这里要注意的是客户证书的几个项目要和根证书匹配。 [root@www9 ca]# sh user.sh Generating RSA private key, 2048 bit long modulus ..........+++ ............................................................................................................................+++ e is 65537 (0x10001) Enter pass phrase for /data/ca/yayun/yayun.key:要求输入密码 Verifying - Enter pass phrase for /data/ca/yayun/yayun.key:要求输入密码 Enter pass phrase for /data/ca/yayun/yayun.key:要求输入密码,全部输入一致 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:cn State or Province Name (full name) [Berkshire]:guangdong Locality Name (eg, city) [Newbury]:guangzhou Organization Name (eg, company) [My Company Ltd]:mbook Organizational Unit Name (eg, section) []:mbook Common Name (eg, your name or your server's hostname) []:*.yayun.cn Email Address []:admin@yayun.cn Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /data/ca/conf/openssl.conf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'cn' stateOrProvinceName :PRINTABLE:'guangdong' localityName :PRINTABLE:'guangzhou' organizationName :PRINTABLE:'mbook' organizationalUnitName:PRINTABLE:'mbook' commonName :ASN.1 12:'*.yayun.cn' emailAddress :IA5STRING:'admin@yayun.cn' Certificate is to be certified until Dec 8 16:19:58 2013 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated Enter pass phrase for /data/ca/yayun/yayun.key:这里输入的密码是当导入证书需要的密码 Enter Export Password: Verifying - Enter Export Password:同上 最后会在/data/ca/yayun目录下产生用户的证书,也就是需要导入浏览器的 ![]() 从服务器上下载yayun.pl2导入浏览器,Chrome导入证书方法如下 ![]() ![]() ![]() ![]() ![]() ![]() ![]() ![]() 现在再次访问网站测试; 以上是在chrome下导入证书,如果使用ie,则双击证书,输入证书密码,按提示导入即可。 ![]() ![]() ![]() 最后成功看到页面!!!!!!! 注明: 各位童鞋,自己的证书自己保管好,在公司上网站就需要导入证书,回家需要访问公司某个内部网站,也需要导入证书!!! #!/bin/bash #write by yayun 2013-05-29 #batch add client certificate for nginx https base="/data/nginx/ca" fori in $(awk -F "@" '{print $1}' name.txt) do mkdir -p $base/$i/ opensslgenrsa -out $base/$i/$i.key 2048 Country=cn State=guangdong Locality=guangzhou Organization=mbook Common=*.mbook.cn Passwd=P@ssw0rdmbook.cn888 Email=$i@mbook.cn expect -c " spawnopensslreq -new -key $base/$i/$i.key -out $base/$i/$i.csr expect { \"*XX*\" {send \"$Country\r\"; exp_continue} \"*full name*\" {send \"$State\r\"; exp_continue} \"*Default City*\" {send \"$Locality\r\"; exp_continue} \"Organization*\" {send \"$Organization\r\"; exp_continue} \"Organizational*\" {send \"$Organization\r\"; exp_continue} \"*hostname*\" {send \"$Common\r\"; exp_continue} \"Email*\" {send \"$Email\r\"; exp_continue} \"*password*\" {send \"\r\"; exp_continue} \"*company name*\" {send \"\r\"; exp_continue} } " expect -c " spawnopensslca -in $base/$i/$i.csr -cert $base/private/ca.crt -keyfile $base/private/ca.key -out $base/$i/$i.crt -config "/data/nginx/ca/conf/openssl.conf" expect { \"*certificate?*\" {send \"y\r\"; exp_continue} \"*commit?*\" {send \"y\r\"; exp_continue} } " expect -c " spawnopenssl pkcs12 -export -clcerts -in $base/$i/$i.crt -inkey $base/$i/$i.key -out $base/$i/$i.p12 expect { \"Enter*Password:\" {send \"$Passwd\r\"; exp_continue} \"Verifying*Password:\" {send \"$Passwd\r\"; exp_continue} } " done 其中name.txt记录了用户名,邮箱,脚本自动循环读取。整个过程结束! 转载请注明linux系统运维: |