Source: Shulou (Shulou.com), SLTechnology News&Howtos, 06/02 report. Updated 2025-02-24.
Configuring SSL in Nginx
https://coding.net/u/aminglinux/p/nginx/git/blob/master/ssl/nginx.md
Sample Nginx configuration (one-way)
cp /etc/pki/ca_test/server/server.* /usr/local/nginx/conf/
server
{
    listen 443 ssl;
    server_name www.aminglinux.com;
    index index.html index.php;
    root /data/wwwroot/aminglinux.com;
    ssl on;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!eNULL;
    ssl_prefer_server_ciphers on;
    ...
}
Configuration description
Port 443 is the SSL listening port. "ssl on" turns on SSL support. ssl_certificate specifies the path of the crt file; if you write a relative path, the file must be in the same directory as nginx.conf. ssl_certificate_key specifies the path of the key file. ssl_protocols specifies the SSL protocol versions. ssl_ciphers configures the SSL encryption algorithms: multiple algorithms are separated with ":", ALL means all algorithms, "!" means the algorithm is not enabled, and "+" moves the algorithm to the end of the list. ssl_prefer_server_ciphers defaults to off if not specified; when it is set to on, the server's encryption algorithms take precedence over the client's when using the SSLv3 and TLS protocols.
Problems after completion of configuration
After looking this up, the fix is to comment out "ssl on" (this is related to newer versions of nginx)
The second error is as follows
This turned out to be a problem with the .crt file, which had to be regenerated. Regenerating the crt file with the procedure from the previous section ran into the following problem
Then run:
sed -i 's/unique_subject = yes/unique_subject = no/' /etc/pki/ca_test/index.txt.attr
The .crt file was then regenerated successfully
nginx restarted successfully
HTTPS access succeeded
Configuring two-way authentication in Nginx
cp /etc/pki/ca_test/root/ca.crt /usr/local/nginx/conf/
Example configuration:
server
{
    listen 443 ssl;
    server_name www.aminglinux.com;
    index index.html index.php;
    root /data/wwwroot/aminglinux.com;
    ssl on;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!eNULL;
    ssl_prefer_server_ciphers on;
    ssl_client_certificate ca.crt;  # ca.crt here is the root certificate public key file
    ssl_verify_client on;
    ...
}
Client (browser) operation
If you skip the following steps, the browser gets a 400 error: 400 Bad Request (No required SSL certificate was sent)
First, you need to convert client.key to pfx (p12) format.
cd /etc/pki/ca_test/client
openssl pkcs12 -export -inkey client.key -in client.crt -out client.pfx
This step asks you to enter a custom password, which you will need when installing the certificate on Windows, so make a note of it.
Then copy client.pfx to Windows and double-click it to install it.
You can also test directly with curl:
curl -k --cert /etc/pki/ca_test/client/client.crt --key /etc/pki/ca_test/client/client.key https://www.aminglinux.com/index.html
The configuration is as follows
Reload nginx; visiting the site in the browser gives the following
Import client certificate
Two-way configuration completed
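A hardened variant of the two-way configuration above, as an added example that is not part of the original article: it drops the separate "ssl on" directive, limits the protocols to TLSv1.2 and TLSv1.3, and logs the client-certificate verification result for each request. It assumes an nginx built against OpenSSL 1.1.1 or later; the log format name mtls and the log path logs/mtls_access.log are hypothetical, and the cipher list is a substitute chosen for this example, not the author's.

```nginx
# http {} context: one line per request with the mTLS outcome.
# $ssl_client_verify is SUCCESS, FAILED:<reason>, or NONE (no certificate sent).
log_format mtls '$remote_addr [$time_local] "$request" $status '
                'verify=$ssl_client_verify dn="$ssl_client_s_dn" '
                '$ssl_protocol/$ssl_cipher';

server
{
    # The "ssl" parameter on listen enables TLS for this socket,
    # so the separate "ssl on;" directive is not needed.
    listen 443 ssl;
    server_name www.aminglinux.com;
    index index.html index.php;
    root /data/wwwroot/aminglinux.com;

    # Relative paths resolve against the directory holding nginx.conf.
    ssl_certificate     server.crt;
    ssl_certificate_key server.key;

    # TLSv1 and TLSv1.1 are left out; only current protocol versions remain.
    ssl_protocols TLSv1.2 TLSv1.3;

    # An explicit allow-list of forward-secret AEAD suites replaces "ALL:!...".
    # ssl_ciphers governs TLSv1.2 and below; TLSv1.3 suites are not set here.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Two-way authentication: the client certificate must chain to ca.crt.
    ssl_client_certificate ca.crt;
    ssl_verify_client on;
    # Depth 1 fits client certificates signed directly by the root CA.
    ssl_verify_depth 1;

    # Requests rejected with 400 for a missing or invalid client
    # certificate show up here as verify=NONE or verify=FAILED:...
    access_log logs/mtls_access.log mtls;
}
```

Check the file with nginx -t before reloading; the curl test from the article should then appear in the log with verify=SUCCESS.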