
2023/10/5

Configuring HTTPS encrypted connections in Nginx

The steps for configuring HTTPS connections in Nginx are as follows.


Prerequisites

Install Nginx by following "Installing Nginx on CentOS".


Creating a self-signed certificate

On the Nginx host, create an ssl directory under /etc/nginx (Nginx's default configuration directory); it will hold the self-signed TLS certificate and its private key.

Then use OpenSSL to generate the self-signed certificate. On the command line, enter sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt to generate the self-signed certificate and key into the newly created /etc/nginx/ssl directory.

$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*........+...+....+.....+......+.+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.......+......+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.+......+...+...........+.+.....+.............+...........+...+.+......+...........+...+.......+..............+.........+......+....+.....+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+..........+...........+......+....+..+....+.....+.+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+.....+.........+.+...+...........+...............+....+.....+.+..+....+.........+......+......+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

During generation you will be asked to fill in the following:

  • Country Name - the two-letter country code, e.g. "TW".
  • State or Province Name - the state or province, e.g. "Taiwan".
  • Locality Name - the city, e.g. "Taipei".
  • Organization Name - the organization; enter the company name, anything will do.
  • Organizational Unit Name - the department name, anything will do.
  • Common Name - the hostname or domain name; if there is none, enter the IP address.
  • Email Address - the issuer's email address, anything will do.

Country Name (2 letter code) [XX]:TW
State or Province Name (full name) []:Taiwan
Locality Name (eg, city) [Default City]:Taipei
Organization Name (eg, company) [Default Company Ltd]:ABC Inc.
Organizational Unit Name (eg, section) []:Dev
Common Name (eg, your name or your server's hostname) []:54.238.246.85
Email Address []:admin@abc.com.tw

Look in /etc/nginx/ssl and you will see the generated certificate nginx.crt and key nginx.key:

$ ls /etc/nginx/ssl
nginx.crt  nginx.key
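The steps above, as an added example that is not part of the original post: a shell script that produces the same kind of certificate non-interactively (the DN fields go into a generated OpenSSL config file instead of being typed at the prompts), adds a subjectAltName, which browsers check rather than the Common Name, and then verifies that the certificate and private key actually belong together before they are referenced from nginx.conf. It assumes openssl is on PATH; the DN fields and the CN/SAN values are constructed sample data, and the script writes into a directory you pass in rather than /etc/nginx/ssl so it can run without root.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumptions: openssl on PATH; OUT_DIR is caller-supplied (a temp dir for
# testing; /etc/nginx/ssl, as root, for the real host).
set -eu

# make_self_signed OUT_DIR CN SAN
#   SAN is an OpenSSL subjectAltName value such as "DNS:www.example.test"
#   or "IP:192.0.2.10" (constructed sample values; use your own host's).
make_self_signed() {
    out_dir="$1"; cn="$2"; san="$3"
    mkdir -p "$out_dir"
    cfg="$out_dir/openssl.cnf"
    # DN values are constructed sample data, one per interactive prompt.
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions    = ext
prompt             = no

[dn]
C            = TW
ST           = Taiwan
L            = Taipei
O            = Example Inc.
OU           = Dev
CN           = $cn
emailAddress = admin@example.test

[ext]
subjectAltName   = $san
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$out_dir/nginx.key" -out "$out_dir/nginx.crt" \
        -config "$cfg" 2>/dev/null
    # Only the Nginx master process (root) needs to read the private key.
    chmod 600 "$out_dir/nginx.key"
}

# key_matches_cert CRT KEY: exit 0 when the public key embedded in the
# certificate equals the public half of the private key.
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ "$crt_pub" = "$key_pub" ]
}

# cert_cn CRT: print the subject Common Name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}

# cert_san CRT: print the subjectAltName entry, e.g. "IP Address:192.0.2.10".
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | sed 's/^[[:space:]]*//'
}

# Stand-alone usage: generate into a temp dir and report what was produced.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    make_self_signed "$dir" "192.0.2.10" "IP:192.0.2.10"
    key_matches_cert "$dir/nginx.crt" "$dir/nginx.key" && echo "key matches cert"
    echo "CN:  $(cert_cn "$dir/nginx.crt")"
    echo "SAN: $(cert_san "$dir/nginx.crt")"
fi
```

Running the script with --demo generates into a temporary directory and prints the CN and SAN. For the real host, pass /etc/nginx/ssl and the host's name or IP as both CN and SAN; the key-to-certificate comparison is the check worth keeping in any deployment script, since Nginx will refuse to start when the two files do not belong together.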


Configuring HTTPS

Open Nginx's default configuration file /etc/nginx/nginx.conf and add the following HTTPS settings to the default server block.

  • listen 443 ssl default_server - listen on port 443 as the SSL port (IPv4).
  • listen [::]:443 ssl default_server - listen on port 443 as the SSL port (IPv6); the ssl parameter is needed on this listen as well, otherwise the IPv6 socket serves plain HTTP.
  • ssl_certificate /etc/nginx/ssl/nginx.crt - path to the certificate file.
  • ssl_certificate_key /etc/nginx/ssl/nginx.key - path to the certificate's private key.

listen 443 ssl default_server;
listen [::]:443 ssl default_server;

ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;

The resulting nginx.conf is shown below (comments removed):

/etc/nginx/nginx.conf

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80;
        listen       [::]:80;

        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;

        server_name  _;
        root         /usr/share/nginx/html;

        include /etc/nginx/default.d/*.conf;

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}

Save and exit, then run sudo service nginx restart to restart Nginx.


Testing

In a browser, enter the Nginx host's address beginning with https://, for example https://54.238.246.85; the result is shown below.

Because the browser does not trust a self-signed certificate, the "Your connection is not private" NET::ERR_CERT_AUTHORITY_INVALID error is expected.



Click the warning icon next to the address bar to display the certificate details, shown below.




