一、实验设计
二、实验配置过程
[student@bogon ~]$ su - root
Password:
[root@bogon ~]# dnf -y install nginx
[root@bogon ~]# vim /etc/selinux/config
[root@bogon ~]# setenforce 0
[root@bogon ~]# systemctl stop firewalld
清空防火墙规则
[root@bogon ~]# iptables -F ^C // 9之前
[root@bogon ~]# nft flush ruleset //9之后
[root@bogon ~]# systemctl disable firewalld
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".
[root@bogon ~]# systemctl ea
[root@bogon ~]# systemctl enable --now nginx.service
Created symlink /etc/systemd/system/multi-user.target.wants/nginx.service →
/usr/lib/systemd/system/nginx.service.
[root@bogon ~]# ps -elf | grep nginx
1 S root 7870 1 0 80 0 - 2810 sigsus 16:37 ?
00:00:00 nginx: master process /usr/sbin/nginx
5 S nginx 7871 7870 0 80 0 - 3891 ep_pol 16:37 ?
00:00:00 nginx: worker process
5 S nginx 7872 7870 0 80 0 - 3891 ep_pol 16:37 ?
00:00:00 nginx: worker process
0 R root 7874 6985 0 80 0 - 55450 - 16:38 pts/0
00:00:00 grep --color=auto nginx
[root@bogon ~]# cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf_$(date +%s)
[root@bogon ~]# vim /etc/nginx/nginx.conf
[root@bogon ~]# nginx -T
添加服务名称
生成日志文件和错误日志文件
[root@bogon ~]# ps -elf | grep nginx
1 S root 7870 1 0 80 0 - 2810 sigsus 16:37 ?
00:00:00 nginx: master process /usr/sbin/nginx
5 S nginx 7871 7870 0 80 0 - 3891 ep_pol 16:37 ?
00:00:00 nginx: worker process
5 S nginx 7872 7870 0 80 0 - 3891 ep_pol 16:37 ?
00:00:00 nginx: worker process
0 S root 8063 6985 0 80 0 - 55417 pipe_r 17:00 pts/0
00:00:00 grep --color=auto nginx
[root@bogon ~]# ps -elf | grep sshd
4 S root 1048 1 0 80 0 - 4181 do_sel 14:48 ?
00:00:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
0 S root 8091 6985 0 80 0 - 55450 pipe_r 17:04 pts/0
00:00:00 grep --color=auto sshd
[root@bogon ~]# systemctl restart sshd
[root@bogon ~]# ps -elf | grep sshd
4 S root 8095 1 0 80 0 - 4181 do_sel 17:04 ?
00:00:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
0 S root 8097 6985 0 80 0 - 55417 pipe_r 17:04 pts/0
00:00:00 grep --color=auto sshd
[root@bogon ~]# systemctl reload nginx
[root@bogon ~]# ps -elf | grep nginx
1 S root 7870 1 0 80 0 - 2842 sigsus 16:37 ?
00:00:00 nginx: master process /usr/sbin/nginx
5 S nginx 8103 7870 0 80 0 - 3927 ep_pol 17:05 ?
00:00:00 nginx: worker process
5 S nginx 8104 7870 0 80 0 - 3927 ep_pol 17:05 ?
00:00:00 nginx: worker process
0 S root 8106 6985 0 80 0 - 55417 pipe_r 17:05 pts/0
00:00:00 grep --color=auto nginx
[root@bogon ~]# echo "stuff for everyone" >> /usr/share/nginx/html/a.txt
[root@bogon ~]# echo "stuff not for everyone" >> /usr/share/nginx/html/b.txt
[root@bogon ~]# ll /usr/share/nginx/html/
total 20
-rw-r--r--. 1 root root 3971 Oct 17 2023 404.html
-rw-r--r--. 1 root root 4020 Oct 17 2023 50x.html
-rw-r--r--. 1 root root 19 Aug 26 17:08 a.txt
-rw-r--r--. 1 root root 23 Aug 26 17:08 b.txt
drwxr-xr-x. 2 root root 27 Aug 26 16:12 icons
lrwxrwxrwx. 1 root root 25 Oct 17 2023 index.html ->
../../testpage/index.html
-rw-r--r--. 1 root root 368 Oct 17 2023 nginx-logo.png
lrwxrwxrwx. 1 root root 14 Oct 17 2023 poweredby.png -> nginx-logo.png
lrwxrwxrwx. 1 root root 37 Oct 17 2023 system_noindex_logo.png ->
../../pixmaps/system-noindex-logo.png
[root@bogon ~]# curl -I http://127.0.0.1/a.txt
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 26 Aug 2024 09:09:40 GMT
Content-Type: text/plain
Content-Length: 19
Last-Modified: Mon, 26 Aug 2024 09:08:45 GMT
Connection: keep-alive
ETag: "66cc461d-13"
Accept-Ranges: bytes
[root@bogon ~]# curl http://127.0.0.1/a.txt
stuff for everyone
[root@bogon ~]# curl -I http://127.0.0.1/b.txt
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 26 Aug 2024 09:09:59 GMT
Content-Type: text/plain
Content-Length: 23
Last-Modified: Mon, 26 Aug 2024 09:08:54 GMT
Connection: keep-alive
ETag: "66cc4626-17"
Accept-Ranges: bytes
[root@bogon ~]# curl http://127.0.0.1/b.txt
stuff not for everyone
[root@bogon ~]# chmod a-r /usr/share/nginx/html/b.txt
[root@bogon ~]# ll /usr/share/nginx/html/*.txt
-rw-r--r--. 1 root root 19 Aug 26 17:08 /usr/share/nginx/html/a.txt
--w-------. 1 root root 23 Aug 26 17:08 /usr/share/nginx/html/b.txt
[root@bogon ~]# curl http://127.0.0.1/a.txt
stuff for everyone
[root@bogon ~]# curl http://127.0.0.1/b.txt
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.20.1</center>
</body>
</html>
[root@bogon ~]# chmod o+r /usr/share/nginx/html/b.txt
[root@bogon ~]# curl http://127.0.0.1/b.txt
stuff not for everyone
- 配置自签证书，加固安全访问
生成 CA 根密钥：
openssl genrsa -des3 -out ca.key.pem 4096
生成CA证书
openssl req -key ca.key.pem -new -x509 -days 3650 -sha256 -out ca.crt
生成服务器密钥文件
openssl genpkey -out server.key -outpubkey server.pub -algorithm RSA -pkeyopt rsa_keygen_bits:2048
生成服务器证书签名申请文件
openssl req -sha256 -new -key server.key -out server.csr
生成服务器证书
openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key.pem -CAcreateserial -in server.csr -out server.crt
查看服务器证书文件
openssl x509 -noout -text -in server.crt
自签证书的核心指令:
man openssl-req
三、实验过程整理
修改配置文件
[root@bogon ~]# mkdir -p /etc/pki/nginx
[root@bogon ~]# cd /etc/pki/nginx/
[root@bogon nginx]# mkdir private
[root@bogon nginx]# mkdir ca
[root@bogon nginx]# openssl genrsa -des3 -out ca/ca.key.pem 4096
省略输出
[root@bogon nginx]# openssl req -key ca/ca.key.pem -new -x509 -days 3650 -sha256 -out ca/ca.crt
省略输出
[root@bogon nginx]# openssl genpkey -out private/server.key -outpubkey private/server.pub -algorithm RSA -pkeyopt rsa_keygen_bits:2048
省略输出
[root@bogon nginx]# openssl req -sha256 -new -key private/server.key -out server.csr
省略输出
[root@bogon nginx]# openssl x509 -req -days 3650 -CA ca/ca.crt -CAkey ca/ca.key.pem -CAcreateserial -in server.csr -out server.crt
省略输出
[root@bogon nginx]# ls server.crt private/server.key
private/server.key server.crt
[root@bogon nginx]# chmod 400 private/server.key
[root@bogon nginx]# chown nginx private/server.key
[root@bogon nginx]# ll private/server.key
-r--------. 1 nginx root 1704 Aug 27 09:04 private/server.key
[root@bogon nginx]# systemctl reload nginx
[root@bogon nginx]# ss -anput | grep 443
tcp LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
users:(("nginx",pid=2979,fd=17),("nginx",pid=2978,fd=17),
("nginx",pid=1022,fd=17))
[root@bogon nginx]# tail -f /var/log/nginx/error.log
2024/08/26 17:05:32 [notice] 8101#8101: signal process started
2024/08/27 09:10:18 [notice] 2977#2977: signal process started
nginx关于ssl 安全加固相关配置说明:
Configuring HTTPS servers: https://nginx.org/en/docs/http/configuring_https_servers.html
Nginx 配置文件中如何启用ssl 加固http服务
- 启用 SSL：在 listen 指令的端口号后面增加 ssl 参数即可
- 启用 SSL 后必须配置证书和密钥路径，否则在重启或重新加载配置文件时会报错
- ssl_protocols 和 ssl_ciphers 指定协议版本和密码套件强度要求；示例配置文件展示的是默认值，一般不做配置（注意：TLSv1 和 TLSv1.1 已被 RFC 8996 弃用，生产环境建议只保留 TLSv1.2 和 TLSv1.3）
server {
listen 443 ssl;
server_name www.example.com;
ssl_certificate www.example.com.crt;
ssl_certificate_key www.example.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
...
}
nginx https 优化
- 增加工作进程数,工作进程数不能超过逻辑核心数量
- 增加ssl 连接的有效时间或者复用ssl 会话
worker_processes auto;
http {
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
server {
listen 443 ssl;
server_name www.example.com;
keepalive_timeout 70;
ssl_certificate www.example.com.crt;
ssl_certificate_key www.example.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
...
在同一 IP 地址和端口号上配置不同主机名的 HTTPS 虚拟主机时，nginx 容易因为多个虚拟主机共用相同的 IP 地址和端口号而出现证书应用错误的情况，解决方案如下：
- 使用不同的 IP 地址运行不同的虚拟主机
- 可以让不同主机名的虚拟主机使用相同的证书
- 在申请证书时,提交一个域名和多个别名
- 在申请证书时，在主机名中使用通配符
- 启用 SNI 功能也可以避免此问题；需要注意的是，SNI 是否可用取决于 nginx 所链接的 OpenSSL 动态库是否支持 tlsext，出现如下提示代表 nginx 不支持 SNI：
nginx was built with SNI support, however, now it is linked
dynamically to an OpenSSL library which has no tlsext support,
therefore SNI is not available
阿里云服务器如何申请ssl证书说明: