1. 安装 nginx1.1 nginx 包及其依赖包下载出于模块的依赖性,Nginx 依赖以下三个包:分别下载它们的最新稳定版(截至本文最新稳定版分别是 zlib-1.2.8.tar.gz、pcre-8.36.tar.gz、openssl-fips-2.0.9.tar.gz),最后下载 Nginx 最新()稳定版(截至本文最新稳定版是 nginx-1.7.10.tar.gz)。依赖包安装次序为:openssl、zlib、pcre,最后安装 Nginx 包。1.2 nginx 包及其依赖包安装1.2.1 安装 openssl$ tar -zxvf openssl-fips-2.0.9.tar.gz$ cd openssl-fips-2.0.9$ ./config$ make$ sudo make install1.2.2 安装 zlib$ tar -zxvf zlib-1.2.8.tar.gz$ cd zlib-1.2.8$ ./configure$ make$ sudo make install1.2.3 安装 pcre$ tar -zxvf pcre-8.36.tar.gz$ cd pcre-8.36$ ./configure$ make$ sudo make install1.2.4 安装 nginx$ tar -zxvf nginx-1.7.10.tar.gz$ cd nginx-1.7.10$ ./configure –with-pcre=../pcre-8.36 –with-zlib=../zlib-1.2.8 –with-openssl=../openssl-fips-2.0.9$ make$ sudo make installnginx 被默认安装在 /usr/local/nginx 目录。1.3 验证 Nginx 是否安装成功$ sudo /usr/local/nginx/sbin/nginx -tnginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is oknginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
证明 Nginx 安装成功。
2. SSL 服务器 / 客户端双向验证证书的生成2.1 创建一个新的 CA 根证书在 nginx 安装目录下新建 ca 文件夹,进入 ca,创建几个子文件夹:$ sudo mkdir ca$ cd ca$ sudo mkdir newcerts private conf servernewcerts 子目录将用于存放 CA 签署过的数字证书(证书备份目录);private 用于存放 CA 的私钥;conf 目录用于存放一些简化参数用的配置文件;server 存放服务器证书文件。2.1.1 conf 目录新建 openssl.conf 文件编辑其内容如下:[ ca ]default_ca= foo# The default ca section [ foo ]dir= /usr/local/nginx/ca# top dirdatabase= /usr/local/nginx/ca/index.txt# index file.new_certs_dir = /usr/local/nginx/ca/newcerts# new certs dir certificate = /usr/local/nginx/ca/private/ca.crt# The CA certserial= /usr/local/nginx/ca/serial# serial no fileprivate_key = /usr/local/nginx/ca/private/ca.key # CA private keyRANDFILE= /usr/local/nginx/ca/private/.rand# random number file default_days = 365# how long to certify fordefault_crl_days= 30# how long before next CRLdefault_md= md5# message digest method to useunique_subject = no# Set to ‘no’ to allow creation of# several ctificates with same subject.policy= policy_any# default policy [ policy_any ]countryName = matchstateOrProvinceName = matchorganizationName = matchorganizationalUnitName = matchlocalityName= optionalcommonName= suppliedemailAddress= optional2.1.2 生成私钥 key 文件$ cd /usr/local/nginx/ca$ sudo openssl genrsa -out private/ca.key输出Generating RSA private key, 512 bit long modulus..++++++++++++.++++++++++++e is 65537 (0x10001)private 目录下有 ca.key 文件生成。2.1.3 生成证书请求 csr 文件$ sudo openssl req -new -key private/ca.key -out private/ca.csr
提示输入 Country Name,输入 CN 并回车后:
提示输入 State or Province Name (full name),输入 Shanghai 并回车后:
提示输入 Locality Name,输入 Shanghai 并回车后:
提示输入 Organization Name,输入 Defonds 并回车后:
提示输入 Organizational Unit Name,输入 Dev 并回车后:
提示输入 Common Name,如果没有域名的话,输入 localhost 并回车后:
提示输入 Email Address,输入 defonds@163.com 并回车后:
却坐在不足一平米的椅子上。
