Linux: configuring an SSL security certificate

I. Lab design

II. Lab configuration steps

[student@bogon ~]$ su - root
Password:
[root@bogon ~]# dnf -y install nginx
[root@bogon ~]# vim /etc/selinux/config
[root@bogon ~]# setenforce 0
[root@bogon ~]# systemctl stop firewalld
Flush the firewall rules:
[root@bogon ~]# iptables -F ^C // before version 9
[root@bogon ~]# nft flush ruleset // version 9 and later
[root@bogon ~]# systemctl disable firewalld
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".
[root@bogon ~]# systemctl ea
[root@bogon ~]# systemctl enable --now nginx.service
Created symlink /etc/systemd/system/multi-user.target.wants/nginx.service → /usr/lib/systemd/system/nginx.service.
[root@bogon ~]# ps -elf | grep nginx
1 S root 7870 1 0 80 0 - 2810 sigsus 16:37 ? 00:00:00 nginx: master process /usr/sbin/nginx
5 S nginx 7871 7870 0 80 0 - 3891 ep_pol 16:37 ? 00:00:00 nginx: worker process
5 S nginx 7872 7870 0 80 0 - 3891 ep_pol 16:37 ? 00:00:00 nginx: worker process
0 R root 7874 6985 0 80 0 - 55450 - 16:38 pts/0 00:00:00 grep --color=auto nginx
[root@bogon ~]# cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf_$(date +%s)
[root@bogon ~]# vim /etc/nginx/nginx.conf
[root@bogon ~]# nginx -T

Add the server name

Set up the access log file and the error log file

[root@bogon ~]# ps -elf | grep nginx
1 S root 7870 1 0 80 0 - 2810 sigsus 16:37 ? 00:00:00 nginx: master process /usr/sbin/nginx
5 S nginx 7871 7870 0 80 0 - 3891 ep_pol 16:37 ? 00:00:00 nginx: worker process
5 S nginx 7872 7870 0 80 0 - 3891 ep_pol 16:37 ? 00:00:00 nginx: worker process
0 S root 8063 6985 0 80 0 - 55417 pipe_r 17:00 pts/0 00:00:00 grep --color=auto nginx
[root@bogon ~]# ps -elf | grep sshd
4 S root 1048 1 0 80 0 - 4181 do_sel 14:48 ? 00:00:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
0 S root 8091 6985 0 80 0 - 55450 pipe_r 17:04 pts/0 00:00:00 grep --color=auto sshd
[root@bogon ~]# systemctl restart sshd
[root@bogon ~]# ps -elf | grep sshd
4 S root 8095 1 0 80 0 - 4181 do_sel 17:04 ? 00:00:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
0 S root 8097 6985 0 80 0 - 55417 pipe_r 17:04 pts/0 00:00:00 grep --color=auto sshd
[root@bogon ~]# systemctl reload nginx
[root@bogon ~]# ps -elf | grep nginx
1 S root 7870 1 0 80 0 - 2842 sigsus 16:37 ? 00:00:00 nginx: master process /usr/sbin/nginx
5 S nginx 8103 7870 0 80 0 - 3927 ep_pol 17:05 ? 00:00:00 nginx: worker process
5 S nginx 8104 7870 0 80 0 - 3927 ep_pol 17:05 ? 00:00:00 nginx: worker process
0 S root 8106 6985 0 80 0 - 55417 pipe_r 17:05 pts/0 00:00:00 grep --color=auto nginx
[root@bogon ~]# echo "stuff for everyone" >> /usr/share/nginx/html/a.txt
[root@bogon ~]# echo "stuff not for everyone" >> /usr/share/nginx/html/b.txt
[root@bogon ~]# ll /usr/share/nginx/html/
total 20
-rw-r--r--. 1 root root 3971 Oct 17 2023 404.html
-rw-r--r--. 1 root root 4020 Oct 17 2023 50x.html
-rw-r--r--. 1 root root 19 Aug 26 17:08 a.txt
-rw-r--r--. 1 root root 23 Aug 26 17:08 b.txt
drwxr-xr-x. 2 root root 27 Aug 26 16:12 icons
lrwxrwxrwx. 1 root root 25 Oct 17 2023 index.html -> ../../testpage/index.html
-rw-r--r--. 1 root root 368 Oct 17 2023 nginx-logo.png
lrwxrwxrwx. 1 root root 14 Oct 17 2023 poweredby.png -> nginx-logo.png
lrwxrwxrwx. 1 root root 37 Oct 17 2023 system_noindex_logo.png -> ../../pixmaps/system-noindex-logo.png
[root@bogon ~]# curl -I http://127.0.0.1/a.txt
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 26 Aug 2024 09:09:40 GMT
Content-Type: text/plain
Content-Length: 19
Last-Modified: Mon, 26 Aug 2024 09:08:45 GMT
Connection: keep-alive
ETag: "66cc461d-13"
Accept-Ranges: bytes
[root@bogon ~]# curl http://127.0.0.1/a.txt
stuff for everyone
[root@bogon ~]# curl -I http://127.0.0.1/b.txt
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Mon, 26 Aug 2024 09:09:59 GMT
Content-Type: text/plain
Content-Length: 23
Last-Modified: Mon, 26 Aug 2024 09:08:54 GMT
Connection: keep-alive
ETag: "66cc4626-17"
Accept-Ranges: bytes
[root@bogon ~]# curl http://127.0.0.1/b.txt
stuff not for everyone
[root@bogon ~]# chmod a-r /usr/share/nginx/html/b.txt
[root@bogon ~]# ll /usr/share/nginx/html/*.txt
-rw-r--r--. 1 root root 19 Aug 26 17:08 /usr/share/nginx/html/a.txt
--w-------. 1 root root 23 Aug 26 17:08 /usr/share/nginx/html/b.txt
[root@bogon ~]# curl http://127.0.0.1/a.txt
stuff for everyone
[root@bogon ~]# curl http://127.0.0.1/b.txt
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.20.1</center>
</body>
</html>
[root@bogon ~]# chmod o+r /usr/share/nginx/html/b.txt
[root@bogon ~]# curl http://127.0.0.1/b.txt
stuff not for everyone
  1. Configure a self-signed certificate to harden access
    Generate the CA root key:

    openssl genrsa -des3 -out ca.key.pem 4096

    Generate the CA certificate:

    openssl req -key ca.key.pem -new -x509 -days 3650 -sha256 -out ca.crt

    Generate the server key file:

    openssl genpkey -out server.key -outpubkey server.pub -algorithm RSA -pkeyopt rsa_keygen_bits:2048

    Generate the server certificate signing request (CSR):

    openssl req -sha256 -new -key server.key -out server.csr

    Generate the server certificate (signed by the CA):

    openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key.pem -CAcreateserial -in server.csr -out server.crt

    Inspect the server certificate file:

    openssl x509 -noout -text -in server.crt

The core command behind self-signed certificates is openssl req; see:
man openssl-req

III. Lab walkthrough

Edit the configuration files

[root@bogon ~]# mkdir -p /etc/pki/nginx
[root@bogon ~]# cd /etc/pki/nginx/
[root@bogon nginx]# mkdir private
[root@bogon nginx]# mkdir ca
[root@bogon nginx]# openssl genrsa -des3 -out ca/ca.key.pem 4096
(output omitted)
[root@bogon nginx]# openssl req -key ca/ca.key.pem -new -x509 -days 3650 -sha256 -out ca/ca.crt
(output omitted)
[root@bogon nginx]# openssl genpkey -out private/server.key -outpubkey private/server.pub -algorithm RSA -pkeyopt rsa_keygen_bits:2048
(output omitted)
[root@bogon nginx]# openssl req -sha256 -new -key private/server.key -out server.csr
(output omitted)
[root@bogon nginx]# openssl x509 -req -days 3650 -CA ca/ca.crt -CAkey ca/ca.key.pem -CAcreateserial -in server.csr -out server.crt
(output omitted)
[root@bogon nginx]# ls server.crt private/server.key
private/server.key server.crt
[root@bogon nginx]# chmod 400 private/server.key
[root@bogon nginx]# chown nginx private/server.key
[root@bogon nginx]# ll private/server.key
-r--------. 1 nginx root 1704 Aug 27 09:04 private/server.key
[root@bogon nginx]# systemctl reload nginx
[root@bogon nginx]# ss -anput | grep 443
tcp LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=2979,fd=17),("nginx",pid=2978,fd=17),("nginx",pid=1022,fd=17))
[root@bogon nginx]# tail -f /var/log/nginx/error.log
2024/08/26 17:05:32 [notice] 8101#8101: signal process started
2024/08/27 09:10:18 [notice] 2977#2977: signal process started
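The CA and server certificate procedure from sections 2 and 3, as an added shell script that is not part of the original post: it runs the same openssl steps non-interactively, adds a subjectAltName (which browsers match instead of the CN), locks the key to mode 0400 as the walkthrough does, and verifies that server.crt chains to the CA. It assumes openssl 1.1.1 or later on PATH; the directory, host name and subject names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): the CA + server certificate
# steps from the post, run non-interactively, then verified.
# Assumes openssl 1.1.1+ on PATH; names and paths below are constructed.
set -eu

# make_lab_pki DIR HOST
# Creates DIR/ca/ca.key.pem, DIR/ca/ca.crt, DIR/private/server.key,
# DIR/server.csr and DIR/server.crt, locks the key to 0400 and verifies
# that server.crt chains to the CA (non-zero exit if it does not).
make_lab_pki() {
    dir=$1
    host=$2
    mkdir -p "$dir/ca" "$dir/private"
    # CA root key (4096-bit RSA) and self-signed CA certificate, 10 years
    openssl genrsa -out "$dir/ca/ca.key.pem" 4096 2>/dev/null
    openssl req -key "$dir/ca/ca.key.pem" -new -x509 -days 3650 -sha256 \
        -subj "/CN=Lab Root CA" -out "$dir/ca/ca.crt"
    # Server key (2048-bit RSA) and CSR whose CN is the virtual host name
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/private/server.key" 2>/dev/null
    openssl req -sha256 -new -key "$dir/private/server.key" \
        -subj "/CN=$host" -out "$dir/server.csr"
    # Sign with the CA; the subjectAltName is what clients actually match,
    # a CN-only certificate like the post's is rejected by modern browsers
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$dir/server.ext"
    openssl x509 -req -days 3650 -sha256 -CA "$dir/ca/ca.crt" \
        -CAkey "$dir/ca/ca.key.pem" -CAcreateserial -extfile "$dir/server.ext" \
        -in "$dir/server.csr" -out "$dir/server.crt" 2>/dev/null
    # Owner-only read on the private key, as the post does with chmod 400
    chmod 400 "$dir/private/server.key"
    # Verify the chain the same way a client would
    openssl verify -CAfile "$dir/ca/ca.crt" "$dir/server.crt" >/dev/null
}

# cert_has_san CERT HOST: succeeds when CERT lists HOST in its subjectAltName
cert_has_san() {
    openssl x509 -noout -text -in "$1" | grep -qF -- "DNS:$2"
}

# Usage: make_lab_pki /etc/pki/nginx www.example.com
```

After running it against /etc/pki/nginx, point ssl_certificate at server.crt and ssl_certificate_key at private/server.key, and install ca.crt in the client's trust store so the chain verifies there too.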

nginx documentation on the SSL hardening configuration:

Configuring HTTPS servers: https://nginx.org/en/docs/http/configuring_https_servers.html

How to enable SSL in the nginx configuration file to harden the HTTP service

  1. To enable SSL, add the ssl parameter after the port number in the listen directive.
  2. Once SSL is enabled, the certificate and key paths must be configured; otherwise nginx reports an error on restart or when the configuration is reloaded.
  3. ssl_protocols and ssl_ciphers set the required protocol versions and cipher strength; the example configuration shows the default values, which are usually left unconfigured.

server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ...
}

nginx HTTPS optimization

  1. Increase the number of worker processes; it must not exceed the number of logical CPU cores.
  2. Extend the lifetime of SSL connections, or reuse SSL sessions.

worker_processes auto;

http {
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    server {
        listen              443 ssl;
        server_name         www.example.com;
        keepalive_timeout   70;
        ssl_certificate     www.example.com.crt;
        ssl_certificate_key www.example.com.key;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers         HIGH:!aNULL:!MD5;
        ...
    }
}
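As an added example (not from the post or from nginx), a small POSIX sh checker for the three configuration points above, run over two constructed server blocks: one in the post's default style, which has no certificate paths and still enables TLSv1 and TLSv1.1 (deprecated by RFC 8996), and a hardened one. Paths and host names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or from nginx): audit an nginx
# server block for the points discussed above. Assumes POSIX sh and grep only;
# the two configs below are constructed samples.

# audit_nginx_tls CONF: prints one finding per line; returns 1 if any
audit_nginx_tls() {
    conf=$1
    rc=0
    # ssl on the listen line means certificate and key paths are mandatory
    if grep -Eq '^[[:space:]]*listen[[:space:]].*[[:space:]]ssl([[:space:]]|;)' "$conf"; then
        grep -Eq '^[[:space:]]*ssl_certificate[[:space:]]' "$conf" \
            || { echo "listen ... ssl without ssl_certificate (reload will fail)"; rc=1; }
        grep -Eq '^[[:space:]]*ssl_certificate_key[[:space:]]' "$conf" \
            || { echo "listen ... ssl without ssl_certificate_key (reload will fail)"; rc=1; }
    fi
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); flag them when enabled.
    # The pattern matches "TLSv1 " / "TLSv1;" / "TLSv1.1" but not TLSv1.2/1.3.
    if grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$conf" \
            | grep -Eq 'TLSv1(\.1)?([[:space:]]|;)'; then
        echo "ssl_protocols enables deprecated TLSv1/TLSv1.1"
        rc=1
    fi
    return $rc
}

# Constructed sample 1: the post's default-style block (weak)
weak_conf=$(mktemp)
cat > "$weak_conf" <<'EOF'
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
EOF

# Constructed sample 2: certificate paths set, TLS 1.2/1.3 only (hardened)
hard_conf=$(mktemp)
cat > "$hard_conf" <<'EOF'
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate /etc/pki/nginx/server.crt;
    ssl_certificate_key /etc/pki/nginx/private/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
EOF
```

Run audit_nginx_tls against a real file with `audit_nginx_tls /etc/nginx/nginx.conf`; it is a line-oriented check, so directives inherited from an enclosing http block or an included file are not seen.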

When configuring HTTPS for virtual hosts that share one IP address and port but have different host names, nginx can end up serving the wrong certificate because the virtual hosts use the same IP address and port. The solutions are:

  1. Run the different virtual hosts on different IP addresses.
  2. Let the virtual hosts with different host names share the same certificate:
    1. When requesting the certificate, submit one domain name plus several alternative names.
    2. Or use a wildcard in the host name when requesting the certificate.
  3. Enabling SNI also avoids the problem. Note that SNI depends on the dynamically linked SSL library supporting it, so the following message means this nginx cannot use SNI:

nginx was built with SNI support, however, now it is linked
dynamically to an OpenSSL library which has no tlsext support,
therefore SNI is not available

How to apply for an SSL certificate for an Alibaba Cloud server:

Product overview, Certificate Management Service (formerly SSL Certificate), Alibaba Cloud Help Center: https://help.aliyun.com/zh/ssl-certificate/product-overview/?spm=a2c4g.11186623.0.0.4c993799RnLJat
