[root@iZ23dastruaZ ~]# mkdir test_ngx_https [root@iZ23dastruaZ ~]# cd test_ngx_https/ [root@iZ23dastruaZ test_ngx_https]# mkdir certs private [root@iZ23dastruaZ test_ngx_https]# touch index.txt && echo 01 1>serial [root@iZ23dastruaZ test_ngx_https]# vim openssl.cnf 1 [ ca ] 2 default_ca = root_ca 3 4 [ root_ca ] 5 dir = . 6 certificate = $dir/cacert.pem 7 database = $dir/index.txt 8 new_certs_dir = $dir/certs 9 private_key = $dir/private/cakey.pem 10 serial = $dir/serial 11 12 default_crl_days = 7 13 default_days = 365 14 default_md = sha256 15 16 policy = root_ca_policy 17 x509_extensions = certificate_extensions 18 19 [ root_ca_policy ] 20 commonName = supplied 21 stateOrProvinceName = supplied 22 countryName = supplied 23 emailAddress = supplied 24 organizationName= supplied 25 organizationalUnitName = optional 26 27 [ certificate_extensions ] 28 basicConstraints= CA:false 29 30 [ req ] 31 default_bits = 2048 32 default_keyfile = ./private/cakey.pem 33 default_md = sha256 34 prompt = no 35 distinguished_name = root_ca_distinguished_name 36 x509_extensions = root_ca_extensions 37 38 [ root_ca_distinguished_name ] 39 commonName = TIMD ROOT CA 40 stateOrProvinceName = BJ 41 countryName = CN 42 emailAddress = root_ca@timd.cn 43 organizationName = Root Certification Authority 44 45 [ root_ca_extensions ] 46 basicConstraints = CA:true 47 [root@iZ23dastruaZ test_ngx_https]# openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 365 -config openssl.cnf Generating a 2048 bit RSA private key ......+++ .....................................................................................................+++ writing new private key to '/var/root_ca/private/cakey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: -----
记住加密 CA 私钥时输入的密码:后面用 openssl ca 签发证书时会提示输入 ./private/cakey.pem 的密码。
[root@iZ23dastruaZ test_ngx_https]# openssl genrsa -out private/testcert.key.pem 2048 Generating RSA private key, 2048 bit long modulus .............................................+++ ......................................................+++ e is 65537 (0x10001) [root@iZ23dastruaZ test_ngx_https]# openssl req -new -key private/testcert.key.pem -out testcert.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Beijing Locality Name (eg, city) [Default City]:Changping Organization Name (eg, company) [Default Company Ltd]:TIMD.CN Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:www.timd.cn Email Address []:testcert@timd.cn Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
注意:Common Name 应该填写客户端访问时使用的域名(客户端会把它与所连接的主机名比对);因为这里只是测试,所以服务端私钥没有用密码进行保护。
# Sign the server CSR with the self-built CA described in openssl.cnf
# (prompts for the CA key passphrase; records the issued certificate
# in index.txt and bumps serial).
openssl ca -in testcert.csr -config openssl.cnf -out certs/testcert.pem
[root@iZ23dastruaZ test_ngx_https]# vim nginx.conf
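worker_processes auto;

events {
    worker_connections 1024;
}

http {
    include /usr/local/openresty/nginx/conf/mime.types;
    default_type application/octet-stream;
    keepalive_timeout 60;
    tcp_nodelay on;

    # Step 1: one-way TLS. The server presents certs/testcert.pem (signed by
    # the self-built CA in cacert.pem); clients are not asked for a certificate.
    server {
        listen 9191 ssl;
        server_name www.timd.cn;

        ssl_buffer_size 4k;
        # Paths are relative to the prefix passed with `nginx -p .`.
        ssl_certificate certs/testcert.pem;
        ssl_certificate_key private/testcert.key.pem;
        ssl_ciphers HIGH:!aNULL:!MD5;
        # The server key was generated without a passphrase, so no password
        # file is needed.
        #ssl_password_file password.file;
        ssl_prefer_server_ciphers on;
        # SSLv3 removed: it is broken (POODLE). TLSv1/1.1 are kept only so the
        # old Python 2.6 client used in this walkthrough can still connect;
        # prefer TLSv1.2 alone where the clients allow it.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL_CACHE:10m;
        ssl_session_timeout 10m;

        # `root .` is the nginx prefix directory, which also holds private/
        # (the CA key and the server key) and the CA database. With autoindex
        # on, everything under it would be listed and downloadable, so refuse
        # to serve the key directory even in a test setup.
        location ^~ /private/ {
            deny all;
        }

        location / {
            autoindex on;
            autoindex_exact_size off;
            autoindex_localtime on;

            root .;
        }
    }
}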
[root@iZ23dastruaZ test_ngx_https]# mkdir -p logs [root@iZ23dastruaZ test_ngx_https]# /usr/local/openresty/nginx/sbin/nginx -c nginx.conf -p .
[root@iZ23dastruaZ test_ngx_https]# python
Python 2.6.6 (r266:84292, Jul 23 2015, 15:22:56)
[GCC 4.4.7 20120313 (Red Hat 4.4.7-11)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get("https://www.timd.cn:9191/")
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python2.6/site-packages/requests-2.8.1-py2.6.egg/requests/api.py", line 69, in get
return request('get', url, params=params, **kwargs)
File "/usr/lib/python2.6/site-packages/requests-2.8.1-py2.6.egg/requests/api.py", line 50, in request
response = session.request(method=method, url=url, **kwargs)
File "/usr/lib/python2.6/site-packages/requests-2.8.1-py2.6.egg/requests/sessions.py", line 468, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python2.6/site-packages/requests-2.8.1-py2.6.egg/requests/sessions.py", line 576, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python2.6/site-packages/requests-2.8.1-py2.6.egg/requests/adapters.py", line 433, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: [Errno 1] _ssl.c:492: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>> requests.get("https://www.timd.cn:9191/", verify="cacert.pem")
>>>
* 创建客户端证书,并使用自建CA给其签名 [root@iZ23dastruaZ test_ngx_https]# openssl genrsa -out private/client.key.pem 2048 Generating RSA private key, 2048 bit long modulus ............................................................................................................+++ ....+++ e is 65537 (0x10001) [root@iZ23dastruaZ test_ngx_https]# openssl req -new -key private/client.key.pem -out client.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Beijing Locality Name (eg, city) [Default City]:Changping Organization Name (eg, company) [Default Company Ltd]:TIMD.CN Organizational Unit Name (eg, section) []: Common Name (eg, your name or your server's hostname) []:www.timd.cn Email Address []:clientcert@timd.cn Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@iZ23dastruaZ test_ngx_https]# openssl ca -in client.csr -config openssl.cnf -out certs/client.pem Using configuration from openssl.cnf Enter pass phrase for ./private/cakey.pem: Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :ASN.1 12:'Beijing' localityName :ASN.1 12:'Changping' organizationName :ASN.1 12:'TIMD.CN' commonName :ASN.1 12:'www.timd.cn' emailAddress :IA5STRING:'clientcert@timd.cn' Certificate is to be certified until Jul 2 17:11:05 2017 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
[root@iZ23dastruaZ test_ngx_https]# vim nginx.conf
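worker_processes auto;

events {
    worker_connections 1024;
}

http {
    include /usr/local/openresty/nginx/conf/mime.types;
    default_type application/octet-stream;
    keepalive_timeout 60;
    tcp_nodelay on;

    # Step 2: mutual TLS. Besides presenting its own certificate, the server
    # now requires every client to present a certificate that chains to the
    # self-built CA (cacert.pem).
    server {
        listen 9191 ssl;
        server_name www.timd.cn;

        ssl_buffer_size 4k;
        # Paths are relative to the prefix passed with `nginx -p .`.
        ssl_certificate certs/testcert.pem;
        ssl_certificate_key private/testcert.key.pem;
        ssl_ciphers HIGH:!aNULL:!MD5;
        # The server key has no passphrase, so no password file is needed.
        #ssl_password_file password.file;
        ssl_prefer_server_ciphers on;
        # SSLv3 removed: it is broken (POODLE). TLSv1/1.1 are kept only so the
        # old Python 2.6 client used in this walkthrough can still connect.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL_CACHE:10m;
        ssl_session_timeout 10m;

        # No CRL is configured, so a client certificate revoked by the CA
        # would still be accepted until it expires.
        #ssl_crl ``file``;
        #ssl_trusted_certificate ``file``;
        # Client certificates must be issued by this CA; depth 1 is enough
        # because client.pem is signed directly by the root.
        ssl_client_certificate cacert.pem;
        ssl_verify_client on;
        ssl_verify_depth 1;

        # `root .` is the nginx prefix directory, which also holds private/
        # (CA, server and client keys) and the CA database. With autoindex
        # on, everything under it would be listed and downloadable, so refuse
        # to serve the key directory even in a test setup.
        location ^~ /private/ {
            deny all;
        }

        location / {
            autoindex on;
            autoindex_exact_size off;
            autoindex_localtime on;

            root .;
        }
    }
}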
[root@iZ23dastruaZ test_ngx_https]# /usr/local/openresty/nginx/sbin/nginx -c nginx.conf -p . -s reload
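worker_processes 4;

events {
    worker_connections 1024;
}

http {
    include /usr/local/openresty/nginx/conf/mime.types;
    default_type application/octet-stream;
    keepalive_timeout 60;
    tcp_nodelay on;

    # Step 3, upstream: HTTPS on 9191 with a server certificate only.
    # Client verification is commented out at this step so the proxy
    # below can be checked on its own first.
    server {
        listen 9191 ssl;
        server_name www.timd.cn;

        ssl_buffer_size 4k;
        # Paths are relative to the prefix passed with `nginx -p .`.
        ssl_certificate certs/testcert.pem;
        ssl_certificate_key private/testcert.key.pem;
        ssl_ciphers HIGH:!aNULL:!MD5;
        # The server key has no passphrase, so no password file is needed.
        #ssl_password_file password.file;
        ssl_prefer_server_ciphers on;
        # SSLv3 removed: it is broken (POODLE). TLSv1/1.1 are kept only so the
        # old Python 2.6 client used in this walkthrough can still connect.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL_CACHE:10m;
        ssl_session_timeout 10m;

        #ssl_crl ``file``;
        #ssl_trusted_certificate ``file``;
        #ssl_client_certificate cacert.pem;
        #ssl_verify_client on;
        #ssl_verify_depth 1;

        # `root .` is the nginx prefix directory, which also holds private/
        # (CA, server and client keys) and the CA database. With autoindex
        # on, everything under it would be listed and downloadable, so refuse
        # to serve the key directory even in a test setup.
        location ^~ /private/ {
            deny all;
        }

        location / {
            autoindex on;
            autoindex_exact_size off;
            autoindex_localtime on;

            root .;
        }
    }

    # Step 3, front: plain HTTP on 9292, re-encrypted towards the upstream on
    # 9191. The client-facing leg is unencrypted, so this listener should only
    # be reachable from a trusted network.
    server {
        listen 9292;
        server_name www.timd.cn;
        location / {
            proxy_pass https://www.timd.cn:9191;
            proxy_set_header Host $host;
            proxy_redirect off;
            # Header name fixed: it was misspelled "X-Forwared-For", which no
            # upstream would recognise as the client address.
            proxy_set_header X-Forwarded-For $remote_addr;

            proxy_ssl_ciphers HIGH:!aNULL:!MD5;
            # No CRL is configured, so a revoked upstream certificate would
            # not be detected.
            #proxy_ssl_crl ``file``;
            proxy_ssl_server_name on;
            proxy_ssl_session_reuse on;
            # SSLv3 removed here as well (see the server block above).
            proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            # Verify the upstream's certificate against the self-built CA;
            # depth 1 because testcert.pem is signed directly by the root.
            proxy_ssl_trusted_certificate ./cacert.pem;
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 1;
        }
    }
}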
[root@iZ23dastruaZ test_ngx_https]# /usr/local/openresty/nginx/sbin/nginx -c nginx.conf -p . -s reload
[root@iZ23dastruaZ test_ngx_https]# python
Python 2.6.6 (r266:84292, Jul 23 2015, 15:22:56)
[GCC 4.4.7 20120313 (Red Hat 4.4.7-11)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get("http://www.timd.cn:9292/")
>>>
首先测试一种失败的情况:9191 端口的 server 开启了 ssl_verify_client on,要求客户端出示证书,但 9292 端口的代理没有配置 proxy_ssl_certificate,因此代理发往上游的请求会被拒绝。
[root@iZ23dastruaZ test_ngx_https]# vim nginx.conf
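worker_processes 4;

events {
    worker_connections 1024;
}

http {
    include /usr/local/openresty/nginx/conf/mime.types;
    default_type application/octet-stream;
    keepalive_timeout 60;
    tcp_nodelay on;

    # Step 4 (the deliberately failing case), upstream: the 9191 server
    # requires a client certificate again.
    server {
        listen 9191 ssl;
        server_name www.timd.cn;

        ssl_buffer_size 4k;
        # Paths are relative to the prefix passed with `nginx -p .`.
        ssl_certificate certs/testcert.pem;
        ssl_certificate_key private/testcert.key.pem;
        ssl_ciphers HIGH:!aNULL:!MD5;
        # The server key has no passphrase, so no password file is needed.
        #ssl_password_file password.file;
        ssl_prefer_server_ciphers on;
        # SSLv3 removed: it is broken (POODLE). TLSv1/1.1 are kept only so the
        # old Python 2.6 client used in this walkthrough can still connect.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL_CACHE:10m;
        ssl_session_timeout 10m;

        # No CRL is configured, so a revoked client certificate would still
        # be accepted until it expires.
        #ssl_crl ``file``;
        #ssl_trusted_certificate ``file``;
        # Client certificates must be issued by this CA; depth 1 is enough
        # because client.pem is signed directly by the root.
        ssl_client_certificate cacert.pem;
        ssl_verify_client on;
        ssl_verify_depth 1;

        # `root .` is the nginx prefix directory, which also holds private/
        # (CA, server and client keys) and the CA database. With autoindex
        # on, everything under it would be listed and downloadable, so refuse
        # to serve the key directory even in a test setup.
        location ^~ /private/ {
            deny all;
        }

        location / {
            autoindex on;
            autoindex_exact_size off;
            autoindex_localtime on;

            root .;
        }
    }

    # Step 4, front: this proxy verifies the upstream but presents no client
    # certificate of its own (no proxy_ssl_certificate), so the upstream,
    # which has ssl_verify_client on, rejects the proxied request. This is
    # the failure the walkthrough demonstrates before the working config.
    server {
        listen 9292;
        server_name www.timd.cn;
        location / {
            proxy_pass https://www.timd.cn:9191;
            proxy_set_header Host $host;
            proxy_redirect off;
            # Header name fixed: it was misspelled "X-Forwared-For".
            proxy_set_header X-Forwarded-For $remote_addr;

            proxy_ssl_ciphers HIGH:!aNULL:!MD5;
            #proxy_ssl_crl ``file``;
            proxy_ssl_server_name on;
            proxy_ssl_session_reuse on;
            # SSLv3 removed here as well (see the server block above).
            proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            # Verify the upstream's certificate against the self-built CA.
            proxy_ssl_trusted_certificate ./cacert.pem;
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 1;
        }
    }
}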
[root@iZ23dastruaZ test_ngx_https]# /usr/local/openresty/nginx/sbin/nginx -c nginx.conf -p . -s reload
[root@iZ23dastruaZ test_ngx_https]# python
Python 2.6.6 (r266:84292, Jul 23 2015, 15:22:56)
[GCC 4.4.7 20120313 (Red Hat 4.4.7-11)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get("http://www.timd.cn:9292/")
>>>
下面是能够成功代理双向 HTTPS 的配置:代理通过 proxy_ssl_certificate / proxy_ssl_certificate_key 向上游出示由同一个自建 CA 签发的客户端证书。
[root@iZ23dastruaZ test_ngx_https]# vim nginx.conf
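worker_processes 4;

events {
    worker_connections 1024;
}

http {
    include /usr/local/openresty/nginx/conf/mime.types;
    default_type application/octet-stream;
    keepalive_timeout 60;
    tcp_nodelay on;

    # Step 5 (working mutual-TLS proxy), upstream: the 9191 server requires
    # a client certificate issued by the self-built CA.
    server {
        listen 9191 ssl;
        server_name www.timd.cn;

        ssl_buffer_size 4k;
        # Paths are relative to the prefix passed with `nginx -p .`.
        ssl_certificate certs/testcert.pem;
        ssl_certificate_key private/testcert.key.pem;
        ssl_ciphers HIGH:!aNULL:!MD5;
        # The server key has no passphrase, so no password file is needed.
        #ssl_password_file password.file;
        ssl_prefer_server_ciphers on;
        # SSLv3 removed: it is broken (POODLE). TLSv1/1.1 are kept only so the
        # old Python 2.6 client used in this walkthrough can still connect.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL_CACHE:10m;
        ssl_session_timeout 10m;

        # No CRL is configured, so a revoked client certificate would still
        # be accepted until it expires.
        #ssl_crl ``file``;
        #ssl_trusted_certificate ``file``;
        # Client certificates must be issued by this CA; depth 1 is enough
        # because client.pem is signed directly by the root.
        ssl_client_certificate cacert.pem;
        ssl_verify_client on;
        ssl_verify_depth 1;

        # `root .` is the nginx prefix directory, which also holds private/
        # (CA, server and client keys) and the CA database. With autoindex
        # on, everything under it would be listed and downloadable, so refuse
        # to serve the key directory even in a test setup.
        location ^~ /private/ {
            deny all;
        }

        location / {
            autoindex on;
            autoindex_exact_size off;
            autoindex_localtime on;

            root .;
        }
    }

    # Step 5, front: plain HTTP on 9292, re-encrypted towards 9191 with both
    # sides authenticated - the proxy verifies the upstream's certificate and
    # presents certs/client.pem as its own. The client-facing leg is
    # unencrypted, so keep this listener on a trusted network.
    server {
        listen 9292;
        server_name www.timd.cn;
        location / {
            proxy_pass https://www.timd.cn:9191;
            proxy_set_header Host $host;
            proxy_redirect off;
            # Header name fixed: it was misspelled "X-Forwared-For".
            proxy_set_header X-Forwarded-For $remote_addr;

            proxy_ssl_ciphers HIGH:!aNULL:!MD5;
            #proxy_ssl_crl ``file``;
            proxy_ssl_server_name on;
            proxy_ssl_session_reuse on;
            # SSLv3 removed here as well (see the server block above).
            proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            # Verify the upstream's certificate against the self-built CA.
            proxy_ssl_trusted_certificate ./cacert.pem;
            proxy_ssl_verify on;
            proxy_ssl_verify_depth 1;

            # Client certificate for the upstream leg. client.key.pem was
            # generated without a passphrase; an encrypted key would need
            # proxy_ssl_password_file.
            proxy_ssl_certificate certs/client.pem;
            proxy_ssl_certificate_key private/client.key.pem;
        }
    }
}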
[root@iZ23dastruaZ test_ngx_https]# /usr/local/openresty/nginx/sbin/nginx -c nginx.conf -p . -s reload
[root@iZ23dastruaZ test_ngx_https]# python
Python 2.6.6 (r266:84292, Jul 23 2015, 15:22:56)
[GCC 4.4.7 20120313 (Red Hat 4.4.7-11)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get("http://www.timd.cn:9292/")
>>>