Ubunt 18.04 为 Nginx 配置自签名的 HTTPS

在测试环境或一些内部环境中，我们经常使用自签名的证书来配置 HTTPS 的环境。

在本次实验中，假设需要制作的证书对应的网站为: example.com

安装 openssl

通常可以使用 openssl 来生成自签名证书。 因此，首先验证一下系统中有没安装 openssl, 执行:

openssl version

正常显示应该是:

OpenSSL 1.1.1  11 Sep 2018

如果还没有安装，可以执行:

sudo apt-get install openssl

生成证书和密钥

执行:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/example.com.key -out /etc/ssl/certs/example.com.pem

系统显示:

Can't load /home/st/.rnd into RNG
140177583677888:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/st/.rnd
Generating a RSA private key
..............................+++++
........................................................................................................+++++
writing new private key to '/etc/ssl/private/example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GD
Locality Name (eg, city) []:SZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:example
Organizational Unit Name (eg, section) []:DV
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:abc@example.com

可以看到，openssl 为我们生成了密钥，保存在 /etc/ssl/private 目录中，实际上，它还生成了对应的证书，保存在 /etc/ssl/certs 目录中，这两个文件都是后面配置需要用到的。

然后，我们在为密钥交换建立一个 Diffie-Hellman。 执行:

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

配置 Nginx

在 Ubunt 18.04 中安装 Nginx 一文中，我们描述过 nginx 的配置目录结构及用处， 在本次配置中，我们就按该结构来编制、保存相关的配置信息。

1. 在 snippets 目录中新建一个名为 self-signed-example-com.conf 文件。 因为你可能会在多个 Nginx 虚拟站点（端口不同）中用到这套证书，所以我们把相关的配置放在 snippets 中，以便于复用:

sudo vi /etc/nginx/snippets/self-signed-example-com.conf

在文件中加入以下两行:

ssl_certificate /etc/ssl/certs/example.com.pem;
ssl_certificate_key /etc/ssl/private/example.com.key;

指定在 SSL 中要使用的密钥和证书。

2. 在 snippets 目录中新建一个名为: ssl-params.conf 的文件， 指明 SSL 证书交换中要使用的参数:

sudo vi /etc/nginx/snippets/ssl-params.conf

在文件中加入以下内容:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling off;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;

3. 在 /etc/nginx/sites-available 中新建名为 example.com.conf 的配置文件， 内容如下:

server {
        listen 6443 ssl http2;

        server_name example.com;

         proxy_read_timeout 720s;
        proxy_connect_timeout 720s;
        proxy_send_timeout 720s;

        client_max_body_size 50m;


        # Proxy headers
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;


        include snippets/self-signed-example-com.conf;
        include snippets/ssl-params.conf;

        # log files
        access_log /var/log/nginx/example-com-access.log;
        error_log /var/log/nginx/example-com-error.log;

        # Handle request
        location / {
                proxy_redirect off;
                proxy_pass http://127.0.0.1:8362;
        }

}

在案例中是配置了一个反向代理。如果你需要的是静态完整，增加 root 选择，修改 locaiton 选择即可。

4. 为 example.com.conf 文件在 sites-enabled 目录中添加要给链接， 在 sites-enabled 目录中执行:

sudo ln -s ../sites-available/example.com.conf example.com.conf

5. 重启或重新加载 nginx

sudo systemctl restart nginx