背景
最近的一个小项目,部署在专网中,可是最近等保测评要求整改为HTTPS加密传输。像我们以前的部署在互联网上的项目都购买了域名,并在云服务商那里申请免费的 SSL
证书,然后再配置 Nginx
代理,一气呵成、顺理成章、水到渠成。可是现在在专网中,而且没有域名,甚至没有 DNS
服务器;既然要求通过 HTTPS
传输,那么还有一种办法是自签 SSL
证书,这样在浏览器中会提示证书不安全,用户需要多操作一步添加例外才可以正常访问系统。好在可以满足等保的要求,可行那就开干。
生成证书与秘钥
- 生成RSA密钥文件server.key(要设置并记住密码,后面要用到) openssl genrsa -des3 -out server.key 1024
- 生成证书的申请文件server.csr openssl req -new -key server.key -out server.csr
- 备份密钥文件 cp server.key server.key.bk
- 移除文件口令,输出到新的server.key(这时,需要输入第一步设置的密码) openssl rsa -in server.key.bk -out server.key
- 生成证书文件server.crt openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
[root@hadoop2 ~]# cd /opt/ # 生成RSA密钥文件server.key(要设置并记住密码,后面要用到) [root@hadoop2 opt]# openssl genrsa -des3 -out server.key 1024 Generating RSA private key, 1024 bit long modulus (2 primes) ..................+++++ .................................................+++++ e is 65537 (0x010001) Enter pass phrase for server.key: Verifying - Enter pass phrase for server.key: # 生成证书的申请文件server.csr [root@hadoop2 opt]# openssl req -new -key server.key -out server.csr Enter pass phrase for server.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:CN State or Province Name (full name) [Some-State]:ShanXi Locality Name (eg, city) []:TaiYuan Organization Name (eg, company) [Internet Widgits Pty Ltd]:YourCompany Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []: Email Address []:YourEmail Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: # 备份密钥文件 [root@hadoop2 opt]# cp server.key server.key.bk # 移除文件口令,输出到新的server.key(这时,需要输入第一步设置的密码) [root@hadoop2 opt]# openssl rsa -in server.key.bk -out server.key Enter pass phrase for server.key.bk: writing RSA key # 生成证书文件server.crt [root@hadoop2 opt]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt Signature ok subject=C = CN, ST = ShanXi, L = TaiYuan, O = YourCompany, emailAddress = YourEmail Getting Private key
Note: 记得将申请文件时填写的 YourCompany
, YourEmail
信息改为自己的公司/组织及邮箱。
Enter pass phrase for root.key: <—— 前面设置的密码 Country Name (2 letter code) [AU]:CN <—— 国家代号,中国输入CN State or Province Name (full name) [Some-State]:ShanXi <—— 省的全名,拼音 Locality Name (eg, city) []:TaiYuan <—— 市的全名,拼音 Organization Name (eg, company) [Internet Widgits Pty Ltd]:YourCompany <—— 公司英文名 Organizational Unit Name (eg, section) []: <—— 可不填 Common Name (eg, YOUR name) []: <—— 可不填 Email Address []:YourEmail <—— 电子邮箱 Please enter the following ‘extra’ attributes to be sent with your certificate request A challenge password []: <—— 可不填 An optional company name []: <—— 可不填
确认Nginx是否安装了SSL模块
[root@hadoop2 ~]# nginx -V nginx version: nginx/1.20.1 built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) built with OpenSSL 1.0.2k-fips 26 Jan 2017 TLS SNI support enabled configure arguments: --with-http_stub_status_module --with-http_ssl_module Note:如果一开始在安装 Nginx 时没有安装 SSL 模块,需要重新编译安装 Nginx 。
Nginx配置SSL证书代理静态资源
确认 Nginx
安装了 SSL
模块后,将前面生产的秘钥及证书放到一个目录中,我这里是 /opt/ssl-cert
。在配置前后端分离的 HTTPS
访问前,我们先通过 Nginx
代理静态资源,以验证证书的有效性。
# HTTPS server # server { listen 443 ssl; server_name localhost; ssl_certificate /opt/ssl-cert/server.crt; ssl_certificate_key /opt/ssl-cert/server.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; location / { root html; index index.html index.htm; } }
Nginx配置SSL证书代理前后端服务
以下是一个基于 Vue
与 SpringBoot
的前、后端分离的单体架构项目 Nginx
中 SSL
的完整配置,最终实现 HTTPS
加密传输。
# HTTPS server # server { listen 443 ssl; server_name localhost; ssl_certificate /opt/ssl-cert/server.crt; ssl_certificate_key /opt/ssl-cert/server.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; #location / { # root html; # index index.html index.htm; #} location / { root /opt/frontend/dist; try_files $uri $uri/ /index.html; } location /prod-api { # custom prefix: third party API proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; rewrite ^/prod-api/(.*)$ /$1 break; # rewrite the URL and redirect include uwsgi_params; proxy_pass http://localhost:8080; # Third party API URL } }
Note: 每次修改完Nginx
配置,记得刷新保证配置生效:nginx -s reload
。
If you have any questions or any bugs are found, please feel free to contact me.
Your comments and suggestions are welcome!