PHP Programmer's Linux Series: HTTPS in Nginx Explained
<p>Articles in the PHP Programmer's Linux series:</p>
<p>
1. PHP Programmer's Linux Series - How to install and use CentOS</p>
<p>
2. PHP Programmer's Linux Series - Building an LNMP environment</p>
<p>
3. PHP Programmer's Linux Series - Setting up an FTP code development environment</p>
<p>
4. PHP Programmer's Linux Series - Backing up and restoring MySQL</p>
<p>
5. PHP Programmer's Linux Series - Automatic backups and SVN</p>
<p>
6. PHP Programmer's Linux Series - Installing nginx on Linux and Windows</p>
<p>
7. PHP Programmer's Linux Series - A beginner's guide to nginx</p>
<p>
<strong>Creating an HTTPS server</strong></p>
<p>
In nginx.conf, inside the server block, enable SSL with the ssl parameter of the listen directive and set the paths to the server certificate and private key files:</p>
<div class="jb51code">
<pre><code class="bash">server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ...
}</code></pre>
</div>
<p>
The server certificate is a public entity: it is sent to every client that connects. The private key is a secure entity and should be stored in a file with restricted permissions, but the nginx master process must still be able to read it. The private key may also be stored in the same file as the certificate:</p>
<div class="jb51code">
<pre><code class="bash">ssl_certificate www.example.com.cert;
ssl_certificate_key www.example.com.cert;</code></pre>
</div>
<p>
In that case the file's access permissions should also be restricted. Although the certificate and the private key are stored in one file, only the certificate is sent to clients.</p>
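<p>The two paragraphs above make two practical points: only the certificate part of a combined file ever leaves the server, and the key file must be readable by the nginx master process and nobody else. The following Python example is added here and is not code from the original post or from nginx. It works on a constructed PEM file whose base64 bodies are placeholders rather than real key material; pem_blocks, public_part, contains_private_key, key_file_problems and demo are assumed helper names.</p>

```python
import os
import stat
import tempfile

# Constructed sample of a combined key+certificate file like www.example.com.cert above.
# The base64 bodies are placeholders, NOT a real key or certificate.
COMBINED_PEM = """-----BEGIN PRIVATE KEY-----
UExBQ0VIT0xERVIgUFJJVkFURSBLRVkgQk9EWQ==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgTEVBRiBDRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgSU5URVJNRURJQVRFIENFUlQ=
-----END CERTIFICATE-----
"""


def pem_blocks(text):
    """Return a list of (label, block_text) for every BEGIN/END block in a PEM file."""
    blocks = []
    label = None
    lines = []
    for line in text.splitlines():
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            label = line[len("-----BEGIN "):-5]
            lines = [line]
        elif label is not None:
            lines.append(line)
            if line == f"-----END {label}-----":
                blocks.append((label, "\n".join(lines) + "\n"))
                label = None
                lines = []
    return blocks


def public_part(text):
    """The CERTIFICATE blocks only: this is the part a TLS server sends to clients.
    Any PRIVATE KEY block in the same file is never part of the handshake."""
    return "".join(block for label, block in pem_blocks(text) if label == "CERTIFICATE")


def contains_private_key(text):
    """True if the PEM text carries any private key block (RSA/EC/PKCS#8 labels)."""
    return any(label.endswith("PRIVATE KEY") for label, _ in pem_blocks(text))


def key_file_problems(path):
    """Permission findings for a file that holds a private key.

    Expected state: readable by the user nginx's master process runs as (usually root),
    with no group or world access bits set."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        problems.append("group can access the key")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append("world can access the key")
    if not os.access(path, os.R_OK):
        problems.append("current user cannot read the key (nginx master must be able to)")
    return problems


def demo():
    """Write the constructed file, check it with loose and then restricted permissions."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "www.example.com.cert")
        with open(path, "w") as f:
            f.write(COMBINED_PEM)
        os.chmod(path, 0o644)           # typical default for a freshly copied file
        before = key_file_problems(path)
        os.chmod(path, 0o600)           # owner-only, as the text recommends
        after = key_file_problems(path)
        return before, after


if __name__ == "__main__":
    print(public_part(COMBINED_PEM))
    print(demo())
```

<p>public_part shows what clients can ever learn from the combined file, and key_file_problems is the check to run after copying a key into place: with mode 0644 it reports group and world access, with 0600 it reports nothing.</p>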
<p>
The <span>ssl_protocols</span> and <span>ssl_ciphers</span> directives can be used to limit connections to only the strong versions and ciphers of SSL/TLS.</p>
<p>
Since nginx 1.0.5 the defaults have been <span>ssl_protocols SSLv3 TLSv1</span> and <span>ssl_ciphers HIGH:!aNULL:!MD5</span>; since nginx 1.1.13 and 1.0.12 the default protocols were updated to <span>ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2</span>.</p>
<p>
<strong>A single HTTP/HTTPS server</strong></p>
<p>
A single server can be configured to handle both HTTP and HTTPS requests by using two listen directives in the virtual host, one with the ssl parameter and one without:</p>
<div class="jb51code">
<pre><code class="bash">server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ...
}</code></pre>
</div>
<p>
In nginx 0.7.13 and earlier, SSL could not be enabled selectively for individual listening sockets; it could only be enabled for the entire server with the ssl directive, so a single HTTP/HTTPS server was impossible. The ssl parameter of the listen directive was added to solve this, and in 0.7.14 and later the ssl directive should no longer be used.</p>
<p>
<strong>Name-based HTTPS servers</strong></p>
<p>
A common problem arises when two or more HTTPS servers are configured to listen on a single IP address:</p>
<div class="jb51code">
<pre><code class="bash">server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate www.example.com.crt;
    ...
}

server {
    listen 443 ssl;
    server_name www.example.org;
    ssl_certificate www.example.org.crt;
    ...
}</code></pre>
</div>
<p>
With this configuration a browser receives only the default server's certificate, in this case the <span>www.example.com</span> certificate, whichever name it asked for. This is caused by the SSL protocol itself: the SSL connection is established before the browser sends an HTTP request, so nginx does not know the name of the requested server and can only offer the default server's certificate.</p>
<p>
The best way to resolve this is to assign a separate IP address to every HTTPS server:</p>
<div class="jb51code">
<pre><code class="bash">server {
    listen 192.168.1.1:443 ssl;
    server_name www.example.com;
    ssl_certificate www.example.com.crt;
    ...
}

server {
    listen 192.168.1.2:443 ssl;
    server_name www.example.org;
    ssl_certificate www.example.org.crt;
    ...
}</code></pre>
</div>
<p>
<strong>An SSL certificate with several names</strong></p>
<p>
There are other ways to solve the problem above, but each has its drawbacks. One way is to put several names in the certificate's SubjectAltName field when it is generated, for example both <span>www.example.com</span> and <span>www.example.org</span>, but this field has a length limit.</p>
<p>
Another way is to use a wildcard in the certificate name, for example <span>*.example.org</span>, but a wildcard name matches only one level of subdomains: it matches <span>www.example.org</span> but not <span>example.org</span> or <span>www.sub.example.org</span>.</p>
<p>
The two methods can be combined by putting both <span>example.org</span> and <span>*.example.org</span> in the <span>SubjectAltName</span> field.</p>
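<p>The wildcard and SubjectAltName rules just described are easy to get wrong when choosing a shared certificate, so here is an added Python example (not code from the original post or from nginx) that applies them: a wildcard is only accepted as the whole leftmost label, it stands for exactly one label, and it never covers the bare domain. It also checks a config's server_name values against a certificate's SAN list, which is the check to run before sharing one certificate across server blocks. hostname_matches, certificate_covers and uncovered_server_names are assumed helper names; the name lists are constructed from the page's examples.</p>

```python
def hostname_matches(cert_name, hostname):
    """Return True if one certificate name (plain or wildcard) covers hostname.

    Comparison is case-insensitive. A wildcard is accepted only as the entire
    leftmost label (e.g. *.example.org), matches exactly one label, and therefore
    covers neither the bare domain nor a deeper subdomain.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    c_labels = cert_name.split(".")
    h_labels = hostname.split(".")
    # Partial wildcards (w*.example.org) or wildcards in later labels are rejected.
    if c_labels[0] != "*" or any("*" in lab for lab in c_labels[1:]):
        return False
    # Refuse wildcards that would cover a whole top-level domain ('*' or '*.org').
    if len(c_labels) < 3:
        return False
    # One wildcard label stands for exactly one non-empty host label.
    if len(h_labels) != len(c_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == c_labels[1:]


def certificate_covers(san_names, hostname):
    """True if any SubjectAltName entry of the certificate covers hostname."""
    return any(hostname_matches(name, hostname) for name in san_names)


def uncovered_server_names(san_names, server_names):
    """Given the SAN list of a certificate meant to be shared from the http block,
    list the server_name values that it would NOT cover (each of those servers
    needs its own ssl_certificate)."""
    return [name for name in server_names if not certificate_covers(san_names, name)]


if __name__ == "__main__":
    # Constructed inputs mirroring the page: a combined SAN of example.org + *.example.org
    combined_san = ["example.org", "*.example.org"]
    for host in ("www.example.org", "example.org", "www.sub.example.org"):
        print(host, certificate_covers(combined_san, host))
    # The two server_name values from the two-server configuration above
    print(uncovered_server_names(combined_san, ["www.example.com", "www.example.org"]))
```

<p>For the page's two-server configuration, uncovered_server_names reports www.example.com as not covered by an example.org/*.example.org certificate, which is exactly why that case needs either a SAN entry for www.example.com or a separate certificate.</p>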
<p>
It is best to place the multi-name certificate and its private key in the http block so that all servers inherit this configuration:</p>
<div class="jb51code">
<pre><code class="bash">ssl_certificate common.crt;
ssl_certificate_key common.key;

server {
    listen 443 ssl;
    server_name www.example.com;
    ...
}

server {
    listen 443 ssl;
    server_name www.example.org;
    ...
}</code></pre>
</div>
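<p>To see how ssl_certificate and ssl_certificate_key in the http block are inherited by every server block, and to spot a server that still carries the old SSLv3/TLSv1 ssl_protocols default mentioned earlier, here is an added Python example (not code from the original post or from nginx). It parses a constructed nginx.conf fragment with a deliberately simplified parser (no include, no variables) and reports, per SSL-enabled server, which certificate applies, whether it was inherited, whether the server also serves plain HTTP, and which weak protocol versions are enabled. parse, audit, SAMPLE_CONF and WEAK_PROTOCOLS are assumed names and the file names in the sample are placeholders.</p>

```python
import re

# Constructed nginx.conf fragment modelled on the page's examples: a shared certificate
# in the http block, one server handling HTTP and HTTPS, one with the old weak
# ssl_protocols default, and one that overrides the certificate. File names are placeholders.
SAMPLE_CONF = """
http {
    ssl_certificate     common.crt;
    ssl_certificate_key common.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    server {
        listen 80;
        listen 443 ssl;
        server_name www.example.com;
    }

    server {
        listen 443 ssl;
        server_name www.example.org;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # old default, weak
    }

    server {
        listen 443 ssl;
        server_name legacy.example.net;
        ssl_certificate     legacy.crt;
        ssl_certificate_key legacy.key;
    }
}
"""

# Protocol versions that should no longer be offered.
WEAK_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")

# Tokens: comments, braces/semicolons, quoted strings, bare words.
_TOKEN = re.compile(r'#[^\n]*|[{};]|"[^"]*"|\'[^\']*\'|[^\s{};#]+')


def parse(text):
    """Parse an nginx config into nested blocks.

    Each node is {'name', 'args', 'directives': {name: [args, ...]}, 'blocks': [...]}.
    Simplified on purpose: no include, no variables, no regex locations.
    """
    tokens = [t for t in _TOKEN.findall(text) if not t.startswith("#")]
    tokens = [t[1:-1] if t[0] in "\"'" else t for t in tokens]
    pos = 0

    def block(name, args):
        nonlocal pos
        node = {"name": name, "args": args, "directives": {}, "blocks": []}
        cur = []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == ";":
                if cur:
                    node["directives"].setdefault(cur[0], []).append(cur[1:])
                cur = []
            elif tok == "{":
                node["blocks"].append(block(cur[0] if cur else "", cur[1:]))
                cur = []
            elif tok == "}":
                return node
            else:
                cur.append(tok)
        return node

    return block("main", [])


def audit(text):
    """For every SSL-enabled server block, report the effective certificate, whether it
    was inherited from the http block, and any weak protocol versions still enabled."""
    tree = parse(text)
    report = []
    for http in tree["blocks"]:
        if http["name"] != "http":
            continue
        for srv in http["blocks"]:
            if srv["name"] != "server":
                continue
            listens = srv["directives"].get("listen", [])
            if not any("ssl" in args for args in listens):
                continue  # plain HTTP only: nothing TLS-related to check

            def effective(directive):
                # nginx semantics: a directive set in the server block wins; otherwise the
                # value from the enclosing http (then main) context is inherited.
                for scope in (srv, http, tree):
                    if directive in scope["directives"]:
                        return scope["directives"][directive][-1], scope is not srv
                return None, False

            cert, cert_inherited = effective("ssl_certificate")
            protocols, _ = effective("ssl_protocols")
            names, _ = effective("server_name")
            report.append({
                "server_name": names[0] if names else "",
                "certificate": cert[0] if cert else None,
                "certificate_inherited": cert_inherited,
                "also_plain_http": any("ssl" not in args for args in listens),
                "weak_protocols": [p for p in (protocols or []) if p in WEAK_PROTOCOLS],
            })
    return report


if __name__ == "__main__":
    for entry in audit(SAMPLE_CONF):
        print(entry)
```

<p>Run against the sample, audit shows www.example.com and www.example.org inheriting common.crt from the http block while legacy.example.net uses its own certificate, and flags SSLv3, TLSv1 and TLSv1.1 on www.example.org, where a server-level ssl_protocols silently replaces the stronger http-level setting rather than merging with it.</p>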
<p>
That is all for this article; I hope it helps with your learning, and thank you for your continued support.</p>
<p>
Original link: http://www.cnblogs.com/taoshihan/p/6678246.html</p>