blog.zhuohua.store's Archiver

admin posted on 2020-1-22 12:42

Nginx reverse proxy + Tomcat + JDK + SSL

Note: this lab builds on [url=http://blog.zhuohua.store/viewthread.php?tid=58&extra=page%3D1]Nginx reverse proxy + Tomcat + JDK[/url].




Check whether Nginx was built with SSL support (look for --with-http_ssl_module in the configure arguments):
[root@localhost ~]# nginx -V
nginx version: nginx/1.10.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-23) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module




Insert a firewall rule (TCP 443):
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
iptables-save > /etc/sysconfig/iptables




####################
####################
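Generate a custom (self-signed) SSL certificate and key pair. The genrsa output below shows this OpenSSL build defaulting to a 1024-bit modulus; pass a key size such as 2048 as the last argument of genrsa to get a stronger key.

[root@localhost ~]# cd /usr/local/nginx/conf/
[root@localhost conf]# openssl genrsa -des3 -out tmp.key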
Generating RSA private key, 1024 bit long modulus
......++++++
................++++++
e is 65537 (0x10001)
Enter pass phrase for tmp.key: # enter a passphrase of your choice
Verifying - Enter pass phrase for tmp.key: # enter the same passphrase again


Convert tmp.key into zhuohua.key (this writes the key without the passphrase, so Nginx can load it unattended):
[root@localhost conf]# openssl rsa -in tmp.key -out zhuohua.key
Enter pass phrase for tmp.key: # enter the passphrase chosen above
writing RSA key


[root@localhost conf]# rm -rf tmp.key


Generate the CSR file:
[root@localhost conf]# openssl req -new -key zhuohua.key -out zhuohua.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:zhuohua
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:


Generate the CRT certificate file:
[root@localhost conf]# openssl x509 -req -days 365 -in zhuohua.csr -signkey zhuohua.key -out zhuohua.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=zhuohua
Getting Private key


Check that the generated files (zhuohua.key, zhuohua.csr and zhuohua.crt) are now present in /usr/local/nginx/conf/.








######

Enable SSL for Nginx's default site

[root@localhost ~]# vi /usr/local/nginx/conf/nginx.conf
Add the following directives (remember to change listen 80 to listen 443):
ssl on;
ssl_certificate zhuohua.crt;
ssl_certificate_key zhuohua.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;




Restart the Nginx service:
[root@localhost ~]# service nginx restart


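The firewall no longer needs TCP port 80 open:
# match only the port-80 rule; a bare /80/ pattern would delete every line that contains "80"
sed -i '/--dport 80 /d' /etc/sysconfig/iptables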
service iptables restart



iptables -nL --line





Edit the default index page of Nginx's default site so that it redirects to the JSP page over HTTPS:
[root@localhost ~]# vi /usr/local/nginx/html/index.html

<html>
<head>
<meta http-equiv="Content-Language" content="zh-CN">
<meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=gb2312">
<meta http-equiv="refresh" content="0.1;url=https://192.168.168.131/index.jsp">
<title></title>
</head>
<body>
</body>
</html>






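Test (both dynamic and static pages can be served over SSL):

https://192.168.168.131/

Note: the browser shows a certificate warning because the certificate is self-made and not trusted by the browser. This does not affect access or encryption, although clients cannot verify the server's identity unless they trust the certificate explicitly.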



https://192.168.168.131/qq.jsp


https://192.168.168.131/666.html
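
The directives added to nginx.conf above enable TLS 1.0 and 1.1, which RFC 8996 deprecates, and use "ssl on;", which nginx marks obsolete from 1.15.0 in favour of "listen 443 ssl;". The shell audit below is an added example, not part of the original post; the function names and both sample server blocks are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit nginx TLS directives.
# Reads config text on stdin, prints one finding per line, returns 1 if any.
audit_nginx_tls() {
    awk '
        { sub(/#.*/, "") }    # ignore comments
        /^[ \t]*ssl[ \t]+on[ \t]*;/ {
            print "line " NR ": \"ssl on;\" is obsolete, use \"listen 443 ssl;\""
            bad = 1
        }
        /^[ \t]*ssl_protocols[ \t]/ {
            n = split($0, tok, /[ \t;]+/)
            for (i = 1; i <= n; i++)
                if (tok[i] ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) {
                    print "line " NR ": ssl_protocols enables deprecated " tok[i]
                    bad = 1
                }
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample: the directives from the page in a minimal server block.
page_config() {
    cat <<'EOF'
server {
    listen 443;
    ssl on;
    ssl_certificate zhuohua.crt;
    ssl_certificate_key zhuohua.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
}

# Constructed counterpart: TLS 1.0/1.1 dropped, ssl moved onto listen.
# TLSv1.3 can be appended on nginx 1.13.0+ built with OpenSSL 1.1.1+.
hardened_config() {
    cat <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate zhuohua.crt;
    ssl_certificate_key zhuohua.key;
    ssl_protocols TLSv1.2;
}
EOF
}

echo "== as configured on the page =="; page_config | audit_nginx_tls || true
echo "== hardened =="; hardened_config | audit_nginx_tls && echo "no findings"
```

To audit a real file, feed it on stdin: audit_nginx_tls < /usr/local/nginx/conf/nginx.conf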




Related articles:
[url=http://blog.zhuohua.store/viewthread.php?tid=293&extra=page%3D1]Configuring SSL on Nginx[/url]



