Installing SSL for nginx on CentOS 7

Prerequisites

    OS : CentOS Linux release 7.4 (Core)

1. Install Nginx and configure the firewall.

    To make the Nginx package available to the server, install the EPEL (Extra Packages for Enterprise Linux) repository
$ sudo yum install epel-release

    Install Nginx
$ sudo yum install nginx

    Start the Nginx service
$ sudo systemctl start nginx

    Check the Nginx status
$ systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
   Active: active (running) since Sun 2018-07-15 14:13:27 CST; 40s ago
  Process: 31362 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 31359 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
  Process: 31357 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
 Main PID: 31364 (nginx)
   CGroup: /system.slice/nginx.service
           ├─31364 nginx: master process /usr/sbin/nginx
           ├─31365 nginx: worker process
           └─31366 nginx: worker process

Jul 15 14:13:27 greenlist systemd[1]: Starting The nginx HTTP and reverse proxy server...
Jul 15 14:13:27 greenlist nginx[31359]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jul 15 14:13:27 greenlist nginx[31359]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Jul 15 14:13:27 greenlist systemd[1]: Started The nginx HTTP and reverse proxy server.

    Make Nginx start automatically at boot
$ sudo systemctl enable nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.

    Allow HTTP and HTTPS through the iptables firewall
$ sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$ sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

2. Create the SSL certificate

$ sudo mkdir /etc/ssl/private
$ sudo chmod 700 /etc/ssl/private
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
Generating a 2048 bit RSA private key
......................................+++
............................+++
writing new private key to '/etc/ssl/private/nginx-selfsigned.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:TOKYO
Locality Name (eg, city) [Default City]:TOKYO
Organization Name (eg, company) [Default Company Ltd]:Greenlist INC.
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:greenlist
Email Address []:xx@xxx.co.jp
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

3. Configure Nginx to use SSL.

    Create the TLS/SSL server configuration
$ sudo vi /etc/nginx/conf.d/ssl.conf
server {
    listen 443 http2 ssl;
    listen [::]:443 http2 ssl;

    server_name server_IP_address;

    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ########################################################################
    # from https://cipherli.st/                                            #
    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html #
    ########################################################################

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Disable preloading HSTS for now.  You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    ##################################
    # END https://cipherli.st/ BLOCK #
    ##################################

    root /usr/share/nginx/html;

    location / {
    }

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
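
As an added example (not part of the original tutorial), a short Python audit of the directives in the server block above: it flattens the block into directives, then flags the settings a reviewer would question, starting with the TLSv1 and TLSv1.1 entries that this ssl_protocols line still enables. The sample configuration embedded in the script is a trimmed copy of the block above, and the 180-day HSTS floor is an assumption.

```python
import re
import shlex

# A trimmed copy of the TLS server block from this tutorial, embedded here as constructed sample input.
SAMPLE_SSL_CONF = """server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_tickets off;
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
}
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(conf):
    """Flatten an nginx block into (name, args) pairs, dropping comments and braces.
    Nesting is ignored (enough for one server block); '#' inside quotes is not handled."""
    directives = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line == "}" or line.endswith("{"):
            continue
        parts = shlex.split(line.rstrip(";"))  # shlex keeps the quoted header value whole
        directives.append((parts[0], parts[1:]))
    return directives


def audit(directives):
    """Return the findings a reviewer would raise against the TLS settings."""
    settings, headers, findings = {}, {}, []
    for name, args in directives:
        if name == "add_header" and len(args) >= 2:
            headers[args[0].lower()] = args[1]   # header names are case-insensitive
        else:
            settings[name] = args
    legacy = sorted(LEGACY_PROTOCOLS & set(settings.get("ssl_protocols", [])))
    if legacy:
        findings.append("legacy protocols enabled: " + " ".join(legacy))
    if settings.get("ssl_session_tickets") != ["off"]:
        findings.append("ssl_session_tickets not off")
    hsts = re.search(r"max-age=(\d+)", headers.get("strict-transport-security", ""))
    if not hsts or int(hsts.group(1)) < 15552000:  # assumed floor: 180 days
        findings.append("HSTS missing or max-age below 180 days")
    for header in ("x-frame-options", "x-content-type-options"):
        if header not in headers:
            findings.append("missing header: " + header)
    return findings
```

Running audit(parse_directives(SAMPLE_SSL_CONF)) reports only the legacy protocol versions; swapping the protocols line for TLSv1.2 and TLSv1.3 clears the report.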

    Create the HTTP-to-HTTPS redirect configuration
$ sudo vi /etc/nginx/default.d/ssl-redirect.conf
# $request_uri already carries the path and query string; a trailing "/" would be appended to every redirected URL
return 301 https://$host$request_uri;

4. Enable the Nginx configuration

    Check the Nginx configuration
$ sudo nginx -t
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

    Restart Nginx
$ sudo systemctl restart nginx

5. Test the encrypted website

https://server_domain_or_IP

Reference: digitalocean.com.
