
Encrypting the traffic between the VPS and the upstream servers with SSL

By admin  •  2021-12-05 23:34:03  •  41 views
Permalink: https://i.otherhill.com/static/c68721ce55e011ecb666809b202ce664.html

nginx is an excellent reverse proxy, and the most common architecture it is used in is:

client <---> VPS (reverse proxy) <---> upstream servers


VPS server (the server {} block that terminates the clients' TLS and proxies to the upstream over https):
# This certificate was issued by Let's Encrypt.
ssl_certificate     /opt/ssl/otherhill.com/fullchain.pem;
ssl_certificate_key /opt/ssl/otherhill.com/privkey.pem;

# Protocols offered to clients. SSLv2 and SSLv3 are obsolete and no longer
# built into current OpenSSL, so those two entries have no effect; TLSv1 and
# TLSv1.1 are deprecated as well and only serve very old clients.
ssl_protocols SSLv3 SSLv2 TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
# Cipher list for clients. With release OpenSSL the TLS 1.3 suites are named
# TLS_AES_128_GCM_SHA256 etc. and are not configured through ssl_ciphers, so
# the TLS13-* entries are ignored and the OpenSSL defaults apply for TLS 1.3;
# the trailing RC4, DES-CBC3 and MD5 suites exist only for legacy clients.
ssl_ciphers  'TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5';

ssl_prefer_server_ciphers on;

ssl_session_cache shared:tashan_SSL:30m;
ssl_session_timeout 4h;

# Upstream side (proxy_pass https://...). proxy_ssl_certificate_key is only
# used together with proxy_ssl_certificate, i.e. for client-certificate
# authentication towards the upstream; on its own it has no effect.
proxy_ssl_certificate_key     /opt/ssl/househost/nginx-selfsigned.key;
# The private CA that signed the upstream's certificate (see below).
proxy_ssl_trusted_certificate /opt/ssl/househost/CACert.pem;
# With verification on, nginx rejects an upstream whose certificate does not
# chain to that CA or does not match the host name in proxy_pass
# (or proxy_ssl_name, if set).
proxy_ssl_verify        on;

proxy_ssl_verify_depth  2;
proxy_ssl_session_reuse on;


Upstream server (its server {} block listening with ssl):
# Certificate and key issued by our own CA (generation steps below).
ssl_certificate       /opt/ssl/nginx-selfsigned/nginx-selfsigned.crt;
ssl_certificate_key   /opt/ssl/nginx-selfsigned/nginx-selfsigned.key;

# Only relevant if this server proxies onward to another https upstream itself.
proxy_ssl_session_reuse on;

ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5;

ssl_session_cache shared:tashan_SSL:100m;
ssl_session_timeout 4h;
ssl_prefer_server_ciphers on;


How to generate the self-signed certificates:
1. Generate the key pair
# RSA private key for the upstream server (the public key is derived from it).
openssl genrsa -out nginx-selfsigned.key 2048
# The next three commands are a single-key variant: CSR, self-signed CA and
# leaf certificate all use nginx-selfsigned.key. Steps 2 to 5 below build the
# chain with a separate CA key instead, and their output is what the
# configuration above uses.
openssl req -new -key nginx-selfsigned.key -out nginx-selfsigned.req
openssl req -new -key nginx-selfsigned.key -days 3650 -out nginx-selfsigned_ca.crt -x509 -extensions v3_ca
openssl x509 -req -in nginx-selfsigned.req -days 3650 -out nginx-selfsigned.crt -CA nginx-selfsigned_ca.crt -CAkey nginx-selfsigned.key -CAcreateserial

2. Generate the certificate signing request (CSR) from the private key
# The CN entered here must be the host name the VPS uses to reach the upstream.
openssl req -new -sha256 -key nginx-selfsigned.key -out nginx-selfsigned.csr

3. Generate the CA private key:
openssl genrsa -out CAKey.pem 2048

4. Generate the CA certificate:
# Self-signed, valid for 10 years; this is the file the VPS trusts.
openssl req -x509 -sha256 -new -nodes -key CAKey.pem -days 3650 -out CACert.pem
View the details of the CA certificate:
openssl x509 -in CACert.pem -text

5. Issue the server certificate with the CA:
openssl x509 -req -CA CACert.pem -CAkey CAKey.pem  -CAcreateserial -in nginx-selfsigned.csr -out nginx-selfsigned.crt -days 3650 -sha256

Copy the three files generated above, CACert.pem, nginx-selfsigned.crt and nginx-selfsigned.key, into the /opt/ssl/househost directory.
cd  /opt/ssl/househost
# Owned by root and readable only by root, since the private key lives here.
sudo chown root:root  ./*
sudo chmod 400 ./*

Directives such as proxy_ssl_certificate_key may not be supported by older nginx releases. You can download and install our pre-built binary of the latest 2021 stable release, nginx v1.20.1, which works out of the box on almost any Linux x64 system. see more:

Further reading:
1. Encrypting the traffic between Nginx and upstream servers with SSL
2. How to protect personal content on the public internet with a self-signed CA and certificates