Nginx add SSL 证书 基础配置

1） 查看证书信息

openssl x509 -noout -text -in ca.crt

2）证书配置：

a:基础配置信息

server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ...
}

ssl_certificate:服务端公有的证书，会被发送到客户端。

ssl_certificate_key ：是服务端的私钥，被存储在一个文件中，需要被nginx的master进程访问。

ssl_protocols 和ssl_ciphers是用来限制connection到指定的SSL/TLS的版本，ssl_protocols 和ssl_ciphers 是nginx的默认值，也可以不配。

b:Https 服务优化

SSL握手是CPU密集型操作，每次SSL握手操作都会消耗CPU.对于每个客户端有两种方式来减少SSL握手操作：

 1）设置keepalive_timeout值，确保每个连接能够发送多个请求。

2）重用SSL session,避免SSL握手操作。这些共享的SSL session是被存储在在多个work进程之间共享的SSL session cache中

   它由 ssl_session_cache 指示符来配置。默认1M的缓存空间可以存储4000个sessions.每个session缓存的默认失效时间是5minute.它可以通过 ssl_session_timeout  修改

worker_processes auto;

http {
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    server {
        listen              443 ssl;
        server_name         www.example.com;
        keepalive_timeout   70;

        ssl_certificate     www.example.com.crt;
        ssl_certificate_key www.example.com.key;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;
        ...

3. SSL证书链接

当服务器的证书是中间证书时候，则需要将从该证书到根证书的所有证书文件-称为证书链，一起合并到服务器证书中。合并的顺序是，

 服务器的证书-》证书链

$ cat www.example.com.crt bundle.crt > www.example.com.chained.crt

 合并成的新证书文件 则会被配置到ssl_certificate 中。

server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.chained.crt;
    ssl_certificate_key www.example.com.key;
    ...
}

如何合并的时候顺序搞错，Nginx 启动的时候则会报：

SSL_CTX_use_PrivateKey_file(" ... /www.example.com.key") failed
   (SSL: error:0B080074:x509 certificate routines:
    X509_check_private_key:key values mismatch)

因为nginx 是对该服务器证书链的第一部分使用private key,这从而导致出错。

如何查看服务端发送出了所有的证书链，

$ openssl s_client -connect payment.celcomescape.com:443

CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify return:1
depth=0 C = MY, ST = Kuala Lumpur, L = Kuala Lumpur, O = Escape Axiata Sdn Bhd, OU = Escape Axiata, CN = *.celcomescape.com
verify return:1
---
Certificate chain
0 s:/C=MY/ST=Kuala Lumpur/L=Kuala Lumpur/O=Escape Axiata Sdn Bhd/OU=Escape Axiata/CN=*.celcomescape.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---

4.配置一个单一的Http/Https 服务器

配置一个单一的Http/Https 服务器

server {
    listen              80;
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ...
}

6.同一个Ip地址，不同域名

1）只能是一个证书，即使配置了多个证书，则会取default server 对应的那个证书。这是因为在SSL 握手中不含有domain信息。

ssl_certificate     common.crt;
ssl_certificate_key common.key;

server {
    listen          443 ssl;
    server_name     www.example.com;
    ...
}

server {
    listen          443 ssl;
    server_name     www.example.org;
    ...
}

2）如果一定要使用，则需要添加TLS Server Name Indication extension (SNI, RFC 6066)，允许浏览器在SSL握手阶段传入domain.

    前置条件：nginx 编译支持SNI

            openssl编译支持SNI. “--enable-tlsext”

             浏览器需要支持可以传入域名。目前如下浏览器可以支持：

Opera 8.0;
MSIE 7.0 (but only on Windows Vista or higher);
Firefox 2.0 and other browsers using Mozilla Platform rv:1.8.1;
Safari 3.2.1 (Windows version supports SNI on Vista or higher);
and Chrome (Windows version supports SNI on Vista or higher, too).

7.版本匹配特性            

The SNI support status has been shown by the “-V” switch since 0.8.21 and 0.7.62.
The ssl parameter of the listen directive has been supported since 0.7.14. Prior to 0.8.21 it could only be specified along with the default parameter.
SNI has been supported since 0.5.32.
The shared SSL session cache has been supported since 0.5.6.
Version 1.9.1 and later: the default SSL protocols are TLSv1, TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
Version 0.7.65, 0.8.19 and later: the default SSL protocols are SSLv3, TLSv1, TLSv1.1, and TLSv1.2 (if supported by the OpenSSL library).
Version 0.7.64, 0.8.18 and earlier: the default SSL protocols are SSLv2, SSLv3, and TLSv1.
Version 1.0.5 and later: the default SSL ciphers are “HIGH:!aNULL:!MD5”.
Version 0.7.65, 0.8.20 and later: the default SSL ciphers are “HIGH:!ADH:!MD5”.
Version 0.8.19: the default SSL ciphers are “ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM”.
Version 0.7.64, 0.8.18 and earlier: the default SSL ciphers are
“ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP”.

8.参考文档

http://nginx.org/en/docs/http/configuring_https_servers.html