[nginx] Configuring nginx to support SNI
Overview
Traditionally every SSL certificate needed its own IP address. If OpenSSL and nginx are built with support for TLS SNI (Server Name Indication), several SSL certificates for different domain names can be installed on one shared IP address. nginx supports the SNI extension of TLS (Server Name Indication); in short, the extension lets one IP address serve different domain names with different certificates. Before SNI, the only way to do this with a single certificate was a wildcard certificate, i.e. one whose CN is *.delphij.net or similar (or a certificate listing every host name in its subjectAltName, which only works when one party runs all the sites). Two caveats: SNI puts the requested host name in clear text in the TLS ClientHello, so it hides nothing from a network observer, and very old clients that do not send SNI (for example Internet Explorer on Windows XP) always receive the default server's certificate.
Goal
Serve https://ssl.15099.net and https://selfssl.15099.net over HTTPS from the same IP address. Test environment: a US VPS running CentOS.
Building OpenSSL with TLS SNI support
cd /usr/src/
wget http://www.openssl.org/source/openssl-0.9.8l.tar.gz
tar zxvf ./openssl-0.9.8l.tar.gz
cd ./openssl-0.9.8l
./config enable-tlsext
make
make install
cd ..
In the OpenSSL 0.9.8 series the TLS extensions (and with them SNI) had to be switched on explicitly with enable-tlsext. OpenSSL 0.9.8l and nginx 0.7.67, the versions used in this walkthrough, are both long end-of-life; current OpenSSL releases build the extensions in by default and distribution nginx packages are built with SNI, so on a current system the build steps below can be replaced by checking the output of nginx -V for "TLS SNI support enabled".
Building nginx with TLS SNI support
cd /usr/src/
wget http://nginx.org/download/nginx-0.7.67.tar.gz
tar zxvf nginx-0.7.67.tar.gz
cd nginx-0.7.67
./configure \
  --prefix=/usr \
  --sbin-path=/usr/sbin/nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --error-log-path=/var/log/nginx/error.log \
  --http-log-path=/var/log/nginx/access.log \
  --pid-path=/var/run/nginx.pid \
  --lock-path=/var/lock/nginx.lock \
  --user=nobody \
  --group=nobody \
  --with-http_stub_status_module \
  --with-http_ssl_module \
  --with-http_flv_module \
  --with-http_gzip_static_module \
  --http-client-body-temp-path=/var/tmp/nginx/client_temp/ \
  --http-proxy-temp-path=/var/tmp/nginx/proxy_temp/ \
  --http-fastcgi-temp-path=/var/tmp/nginx/fcgi_temp/ \
  --with-openssl=../openssl-0.9.8l/
make
make install
Note that --with-openssl=DIR makes nginx's own build compile OpenSSL from that source tree and link it statically, independently of the make install run above; extra OpenSSL configure options are passed with --with-openssl-opt=. The authoritative check is the version banner of the resulting binary. Check whether this nginx build supports TLS SNI:
[root@www ~]# nginx -V
nginx version: nginx/0.7.67
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-48)
TLS SNI support enabled
configure arguments: --prefix=/usr --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --user=nobody --group=nobody --with-http_stub_status_module --with-http_ssl_module --with-http_flv_module --with-http_gzip_static_module --http-client-body-temp-path=/var/tmp/nginx/client_temp/ --http-proxy-temp-path=/var/tmp/nginx/proxy_temp/ --http-fastcgi-temp-path=/var/tmp/nginx/fcgi_temp/ --with-openssl=../openssl-0.9.8l/
[root@www ~]#
Generating self-signed certificates
Issuing the ssl.15099.net certificate
cd /etc/nginx/
openssl genrsa -des3 -out ssl.15099.net.key 1024
openssl req -new -key ssl.15099.net.key -out ssl.15099.net.csr
openssl rsa -in ssl.15099.net.key -out ssl.15099.net_nopass.key
openssl x509 -req -days 365 -in ssl.15099.net.csr -signkey ssl.15099.net.key -out ssl.15099.net.crt
mkdir -p /usr/share/nginx/15099.net/ssl.15099.net
echo "selfssl test 1" > /usr/share/nginx/15099.net/ssl.15099.net/index.html
Detailed output of the commands above:
[root@www nginx]# cd /etc/nginx/
[root@www nginx]# openssl genrsa -des3 -out ssl.15099.net.key 1024   # create the private key (passphrase-protected)
Generating RSA private key, 1024 bit long modulus
.......................................++++++
...............++++++
e is 65537 (0x10001)
Enter pass phrase for ssl.15099.net.key:               # choose a passphrase
Verifying - Enter pass phrase for ssl.15099.net.key:   # repeat it
[root@www nginx]# openssl req -new -key ssl.15099.net.key -out ssl.15099.net.csr   # create the certificate signing request
Enter pass phrase for ssl.15099.net.key:               # the passphrase just set
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN                          # country
State or Province Name (full name) [Berkshire]:Guangdong      # province
Locality Name (eg, city) [Newbury]:Guangzhou                  # city
Organization Name (eg, company) [My Company Ltd]:15099.NAT    # organisation
Organizational Unit Name (eg, section) []:15099.NET           # department
Common Name (eg, your name or your server's hostname) []:ssl.15099.net   # the host name the certificate is for
Email Address []:admin@15099.net   # contact address; if the CSR is later submitted to a CA this must be correct
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:           # just press Enter
An optional company name []:       # just press Enter
[root@www nginx]# openssl rsa -in ssl.15099.net.key -out ssl.15099.net_nopass.key   # write a copy of the key without the passphrase
Enter pass phrase for ssl.15099.net.key:
writing RSA key
[root@www nginx]# openssl x509 -req -days 365 -in ssl.15099.net.csr -signkey ssl.15099.net.key -out ssl.15099.net.crt   # self-sign the request with the same key (a self-signed server certificate, not a CA certificate)
Signature ok
subject=/C=CN/ST=Guangdong/L=Guangzhou/O=15099.NAT/OU=15099.NET/CN=ssl.15099.net/emailAddress=admin@15099.net
Getting Private key
Enter pass phrase for ssl.15099.net.key:
[root@www nginx]#
Notes:
When generating the CSR, the Common Name is mandatory. The Common Name is the host name plus domain, e.g. ssl.15099.net. A server certificate is issued to a specific host, not to a whole domain, so the Common Name must match the full name of the host that will use the certificate exactly: www.domain.com and domain.com are different names.
Three things to keep in mind with these commands today. Current browsers (Chrome since version 58, and the other major browsers) no longer match the host name against the Common Name at all and require it in the subjectAltName extension, so a certificate made exactly as above is rejected with a name-mismatch error even though the CN is right. 1024-bit RSA keys are below current minimums; use 2048 bits or more. The _nopass.key file is an unencrypted private key that nginx reads at start-up: restrict it to root (chmod 600) and do not leave it readable to the nobody user nginx drops to.
Issuing the selfssl.15099.net certificate
cd /etc/nginx/
openssl genrsa -des3 -out selfssl.15099.net.key 1024
openssl req -new -key selfssl.15099.net.key -out selfssl.15099.net.csr
openssl rsa -in selfssl.15099.net.key -out selfssl.15099.net_nopass.key
openssl x509 -req -days 365 -in selfssl.15099.net.csr -signkey selfssl.15099.net.key -out selfssl.15099.net.crt
mkdir -p /usr/share/nginx/15099.net/selfssl.15099.net
echo "selfssl test 2" > /usr/share/nginx/15099.net/selfssl.15099.net/index.html
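The per-host openssl sequence above (genrsa, req, rsa, x509 -req) can be collapsed into one non-interactive step, and doing so is a good moment to fix what has aged: the following script is an added example written for this page, not the original author's, and it generates a self-signed certificate for any host name with a 2048-bit key, the host name in subjectAltName as well as CN, the key written unencrypted directly (so no passphrase round-trip) with mode 600, and a config file instead of interactive prompts. The helper names gen_selfsigned_cert, cert_dns_names and cert_matches_host are assumed names for this example; it needs only the openssl command line tool (any version that honours -config, so it avoids -addext).

```shell
#!/bin/sh
# Added example (not from the original page): non-interactive self-signed
# certificate generation for one SNI host, driven by an OpenSSL config file.
# Assumed: helper names are hypothetical; openssl is on PATH; OUTDIR is chosen
# by the caller (the walkthrough keeps its certificates in /etc/nginx).

set -eu

# gen_selfsigned_cert HOST OUTDIR [DAYS]
# Writes OUTDIR/HOST.key (mode 600) and OUTDIR/HOST.crt; prints the .crt path.
gen_selfsigned_cert() {
    host=$1
    outdir=$2
    days=${3:-365}
    key="$outdir/$host.key"
    crt="$outdir/$host.crt"
    cfg="$outdir/$host.cnf"
    mkdir -p "$outdir"

    # Profile for a plain TLS server certificate: the host name appears in
    # both CN and subjectAltName, because current browsers only look at SAN.
    cat >"$cfg" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no

[ dn ]
CN = $host

[ v3_server ]
subjectAltName   = DNS:$host
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

    # -x509 makes req emit a self-signed certificate straight away, the same
    # result as the page's genrsa + req + x509 -req -signkey sequence.
    # -nodes writes the key without a passphrase, as nginx needs it at start-up.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -keyout "$key" -out "$crt" -config "$cfg"
    chmod 600 "$key"
    rm -f "$cfg"
    echo "$crt"
}

# cert_dns_names CRT
# Prints the DNS names from the certificate's subjectAltName, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# cert_matches_host CRT HOST
# Succeeds if HOST is one of the certificate's SAN DNS names, i.e. if a
# modern client would accept this certificate for that host name.
cert_matches_host() {
    cert_dns_names "$1" | grep -qx "$2"
}

# Usage for the two hosts of the walkthrough, written to /etc/nginx as there:
#   gen_selfsigned_cert ssl.15099.net     /etc/nginx
#   gen_selfsigned_cert selfssl.15099.net /etc/nginx
#   cert_matches_host /etc/nginx/ssl.15099.net.crt ssl.15099.net && echo ok
```

The generated files drop straight into the server blocks in the next section (ssl_certificate ssl.15099.net.crt; ssl_certificate_key ssl.15099.net.key;). Because the key never existed in passphrase-protected form there is no second _nopass copy to forget about, and cert_matches_host is the check to run before deploying: a certificate whose name is only in CN passes the page's visual check but fails it.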
Adding the nginx virtual host configuration file
vi /etc/nginx/conf.d/15099.net.conf with the following content (nginx.conf must include conf.d/*.conf inside its http block for this file to be read):
# 'ssl on;' is the form nginx 0.7 needs; it was deprecated in nginx 1.15.0,
# and current versions write 'listen 443 ssl;' instead.
# The first server block listening on a port is that port's default: clients
# that send no SNI, or a name matching no server_name, get this certificate.
server {
    server_name ssl.15099.net;
    listen 443;
    index index.html index.htm index.php;
    root /usr/share/nginx/15099.net/ssl.15099.net;
    ssl on;
    # relative paths are resolved against the directory of nginx.conf, /etc/nginx/
    ssl_certificate ssl.15099.net.crt;
    ssl_certificate_key ssl.15099.net_nopass.key;
}
server {
    server_name selfssl.15099.net;
    listen 443;
    index index.html index.htm index.php;
    root /usr/share/nginx/15099.net/selfssl.15099.net;
    ssl on;
    ssl_certificate selfssl.15099.net.crt;
    ssl_certificate_key selfssl.15099.net_nopass.key;
}
Testing
Restart nginx; https://ssl.15099.net and https://selfssl.15099.net can then be opened in a browser. Both certificates are self-signed, so the browser shows a trust warning either way; what the SNI test has to show is that each host name receives its own certificate, which you can confirm by looking at the Common Name of the certificate the browser displays. A client that sends no SNI, or a name that matches no server_name, is answered by the first server block listening on 443, here ssl.15099.net, unless another block is marked as the default (default_server on the listen directive in current nginx).
References:
http://kbeezie.com/view/configuring-sni-with-nginx/
https://blog.delphij.net/2010/07/nginxtlsssl.html#comments
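The browser check in the Testing section can be scripted with openssl s_client, which is also the only way to exercise the no-SNI case deliberately. The script below is an added example written for this page, not the original author's: it connects to the server by IP address (so s_client sends no SNI unless -servername is given), records the Common Name of the certificate that comes back for each expected name and for no name at all, and compares it with what the two server blocks should produce. The helper names subject_cn, sni_served_cn, report_pair and sni_check are assumed names for this example, and 192.0.2.10 is a placeholder for the VPS address.

```shell
#!/bin/sh
# Added example (not from the original page): check which certificate an
# SNI-enabled nginx presents for each host name and for a client without SNI.
# Assumed: helper names are hypothetical; openssl is on PATH; 192.0.2.10 in
# the usage comment stands in for the real server address.

set -u

# subject_cn SUBJECT_LINE
# Extracts CN from the "subject=" line printed by `openssl x509 -noout -subject`,
# in both the old format  (subject= /C=CN/O=15099.NAT/CN=ssl.15099.net/...)
# and the current format  (subject=C = CN, O = 15099.NAT, CN = ssl.15099.net, ...).
subject_cn() {
    printf '%s\n' "$1" \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# sni_served_cn IP PORT [SERVERNAME]
# Prints the CN of the certificate the server sends for SERVERNAME; with no
# SERVERNAME the handshake carries no SNI at all (legacy-client behaviour).
# Verification is not the point here (the page's certificates are self-signed),
# only which certificate arrives, so s_client's verify errors are ignored.
sni_served_cn() {
    ip=$1; port=$2; name=${3:-}
    if [ -n "$name" ]; then
        out=$(openssl s_client -connect "$ip:$port" -servername "$name" \
                </dev/null 2>/dev/null | openssl x509 -noout -subject 2>/dev/null)
    else
        out=$(openssl s_client -connect "$ip:$port" \
                </dev/null 2>/dev/null | openssl x509 -noout -subject 2>/dev/null)
    fi
    subject_cn "$out"
}

# report_pair NAME GOT WANT
# Prints one result line; returns 0 on match, 1 on mismatch.
report_pair() {
    name=$1; got=$2; want=$3
    if [ "$got" = "$want" ]; then
        echo "ok   sni='${name:-<none>}' -> $got"
        return 0
    fi
    echo "FAIL sni='${name:-<none>}' -> '${got:-<no certificate>}' (expected $want)"
    return 1
}

# sni_check IP PORT NAME:EXPECTED_CN ...
# Each argument pairs the SNI to send with the CN expected back; an empty NAME
# (":ssl.15099.net") means "send no SNI". Returns non-zero if any pair fails.
sni_check() {
    ip=$1; port=$2; shift 2
    rc=0
    for pair in "$@"; do
        name=${pair%%:*}
        want=${pair#*:}
        got=$(sni_served_cn "$ip" "$port" "$name")
        report_pair "$name" "$got" "$want" || rc=1
    done
    return $rc
}

# Usage against the walkthrough's server (replace the placeholder address):
#   sni_check 192.0.2.10 443 \
#       ssl.15099.net:ssl.15099.net \
#       selfssl.15099.net:selfssl.15099.net \
#       unknown.15099.net:ssl.15099.net \
#       :ssl.15099.net
# The last two pairs encode nginx's fallback: a name with no matching
# server_name, or no SNI at all, is answered by the first server block on
# that port, ssl.15099.net in the configuration above.
```

Connecting by IP rather than host name matters: recent s_client versions send the -connect host name as SNI automatically, which would silently turn the "no SNI" case into a normal one. If the unknown-name or no-SNI line comes back with an unexpected certificate, the default server is not the one you think, which is exactly the condition that makes SNI misconfigurations show up as certificate warnings for legacy clients.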