nginx安装配置
来源:互联网 发布:美工的岗位职责是哪些 编辑:程序博客网 时间:2024/06/16 15:43
openssl -verify
nginx安装
首先需要安装nginx的依赖包zlib和pcre
header is x-ssl-client-s-dn: /C=CN/ST=SH/O=Ideal/OU=Ideal/L=SH/CN=client/emailAddress=linyiheng123@sina.com
wget http://nginx.org/download/nginx-1.8.0.tar.gz .
tar -zxvf nginx-1.0.3.tar.gz
./configure --prefix=/usr/nginx-1.8.0 --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/lock/nginx.lock --user=root --group=root --with-http_ssl_module --with-http_stub_status_module --with-http_flv_module --with-http_gzip_static_module --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/tmp/nginx/client/ --http-proxy-temp-path=/var/tmp/nginx/proxy/ --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ --with-pcre=../pcre-8.36 --with-zlib=../zlib-1.2.8 --with-openssl=../openssl-1.0.2
配置双向认证
- 在/usr/nginx-1.8.0目录中创建ca,在ca中mkdir client conf newcerts private server
- touch new_ca.sh new_client.sh new_server.sh
openssl.conf
[ ca ]default_ca = foo # The default ca section[ foo ]dir = /usr/nginx-1.8.0/ca # top dirdatabase = /usr/nginx-1.8.0/ca/index.txt # index file.new_certs_dir = /usr/nginx-1.8.0/ca/newcerts # new certs dircertificate = /usr/nginx-1.8.0/ca/private/ca.crt # The CA certserial = /usr/nginx-1.8.0/ca/serial # serial no fileprivate_key = /usr/nginx-1.8.0/ca/private/ca.key # CA private keyRANDFILE =/usr/nginx-1.8.0/ca/private/.rand # random number filedefault_days = 365 # how long to certify fordefault_crl_days= 30 # how long before next CRLdefault_md = md5 # message digest method to useunique_subject = no # Set to 'no' to allow creation of # several ctificates with same subject.policy = policy_any # default policy[ policy_any ]countryName = matchstateOrProvinceName = matchorganizationName = matchorganizationalUnitName = matchlocalityName = optionalcommonName = suppliedemailAddress = optional
new_ca.sh
#!/bin/bash# Generate the key.openssl genrsa -out private/ca.key# Generate a certificate request.openssl req -new -key private/ca.key -out private/ca.csr# Self signing key is bad... this could work with a third party signed key... registeryfly has them on for $16 but I'm too cheap lazy to get one on a lark.# I'm also not 100% sure if any old certificate will work or if you have to buy a special one that you can sign with. I could investigate further but since this# service will never see the light of an unencrypted Internet see the cheap and lazy remark.# So self sign our root key.openssl x509 -req -days 365 -in private/ca.csr -signkey private/ca.key -out private/ca.crt# Setup the first serial number for our keys... can be any 4 digit hex string... not sure if there are broader bounds but everything I've seen uses 4 digits.echo FACE > serial# Create the CA's key database.touch index.txt# Create a Certificate Revocation list for removing 'user certificates.'openssl ca -gencrl -out /usr/nginx-1.8.0/ca/private/ca.crl -crldays 7 -config "/usr/nginx-1.8.0/ca/conf/openssl.conf"
new_server.sh
# Create us a key. Don't bother putting a password on it since you will need it to start apache. If you have a better work around I'd love to hear it.openssl genrsa -out server/server.key# Take our key and create a Certificate Signing Request for it.openssl req -new -key server/server.key -out server/server.csr# Sign this bastard key with our bastard CA key.openssl ca -in server/server.csr -cert private/ca.crt -keyfile private/ca.key -out server/server.crt -config "/usr/nginx-1.8.0/ca/conf/openssl.conf"
new_client.sh
#!/bin/sh# The base of where our SSL stuff lives.base="/usr/nginx-1.8.0/ca"# Were we would like to store keys... in this case we take the username given to us and store everything there.mkdir -p $base/client/# Let's create us a key for this user... yeah not sure why people want to use DES3 but at least let's make us a nice big key.openssl genrsa -des3 -out $base/client/client.key 1024# Create a Certificate Signing Request for said key.openssl req -new -key $base/client/client.key -out $base/client/client.csr# Sign the key with our CA's key and cert and create the user's certificate out of it.openssl ca -in $base/client/client.csr -cert $base/private/ca.crt -keyfile $base/private/ca.key -out $base/client/client.crt -config "/usr/nginx-1.8.0/ca/conf/openssl.conf"# This is the tricky bit... convert the certificate into a form that most browsers will understand PKCS12 to be specific.# The export password is the password used for the browser to extract the bits it needs and insert the key into the user's keychain.# Take the same precaution with the export password that would take with any other password based authentication scheme.openssl pkcs12 -export -clcerts -in $base/client/client.crt -inkey $base/client/client.key -out $base/client/client.p12
nginx.conf
server { listen 8002 ssl; server_name host.linyiheng.cn; #ssl_certificate /usr/nginx-1.8.0/ca/server/server.crt; #ssl_certificate_key /usr/nginx-1.8.0/ca/server/server.key; ssl_certificate /usr/nginx-1.8.0/cert/server/1_host.linyiheng.cn_bundle.crt; ssl_certificate_key /usr/nginx-1.8.0/cert/server/2_host.linyiheng.cn.key; ssl_client_certificate /usr/nginx-1.8.0/ca/private/ca.crt;# ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_verify_client on;# ssl_ciphers HIGH:!aNULL:!MD5;# ssl_prefer_server_ciphers on; location / { root html; index index.html index.htm; } location = /EnrollmentServer/MDMHandler{ proxy_set_header X-SSL-Client-S-DN $ssl_client_s_dn; proxy_pass http://localhost/EnrollmentServer/MDMHandler; }}
0 0
- centos 安装nginx 配置nginx
- Nginx 安装配置
- nginx安装与配置
- Nginx的安装配置
- Nginx安装配置
- nginx 安装,配置
- nginx 安装及配置
- Nginx安装与配置
- Nginx基本安装配置
- nginx安装与配置
- 安装 配置 Nginx
- Nginx安装配置备忘
- awstats+nginx 安装配置
- Nginx 安装与配置
- nginx安装配置
- nginx 安装与配置
- nginx安装和配置
- nginx安装配置
- Eclipse 安装Properties Editor插件
- Java-Write Once,Run Anywhere
- c#中delegate和事件
- 常见的命令行操作
- 地理定位跟踪
- nginx安装配置
- 一起talk C栗子吧(第一百四十一回:C语言实例--文件操作:基于文件指针一)
- hdoj 5677 ztr loves substring 【Manacher + 多重背包】
- redis安装
- 2016年4月14日--4月30日(12小时,剩3009小时)
- Android Studio 2.+使用分享——关于未签名Apk第一次运行黑屏or白屏
- 找到一款好用的移动端弹层组件,很实用,分享给大家
- PowerShell调用WMI
- std::ref 有什么用