Heartsuit's Simple Blog

A place to hold mainly reading notes, and some technical stuff occasionally. 这里主要是一些读书笔记、感悟;还有部分技术相关的内容。


Project maintained by heartsuit Hosted on GitHub Pages — Theme by mattgraham

自签SSL证书配置Nginx代理Vue+SpringBoot前后端分离服务

目录[-]

背景

最近的一个小项目,部署在专网中,可是最近等保测评要求整改为HTTPS加密传输。像我们以前的部署在互联网上的项目都购买了域名,并在云服务商那里申请免费的 SSL 证书,然后再配置 Nginx 代理,一气呵成、顺理成章、水到渠成。可是现在在专网中,而且没有域名,甚至没有 DNS 服务器;既然要求通过 HTTPS 传输,那么还有一种办法是自签 SSL 证书,这样在浏览器中会提示证书不安全,用户需要多操作一步添加例外才可以正常访问系统。好在可以满足等保的要求,可行那就开干。

生成证书与秘钥

  1. 生成RSA密钥文件server.key(要设置并记住密码,后面要用到) openssl genrsa -des3 -out server.key 1024

  2. 生成证书的申请文件server.csr openssl req -new -key server.key -out server.csr

  3. 备份密钥文件 cp server.key server.key.bk

  4. 移除文件口令,输出到新的server.key(这时,需要输入第一步设置的密码) openssl rsa -in server.key.bk -out server.key

  5. 生成证书文件server.crt openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

[root@hadoop2 ~]# cd /opt/

# 生成RSA密钥文件server.key(要设置并记住密码,后面要用到)
[root@hadoop2 opt]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
..................+++++
.................................................+++++
e is 65537 (0x010001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

# 生成证书的申请文件server.csr
[root@hadoop2 opt]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ShanXi
Locality Name (eg, city) []:TaiYuan
Organization Name (eg, company) [Internet Widgits Pty Ltd]:YourCompany
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:YourEmail

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# 备份密钥文件
[root@hadoop2 opt]# cp server.key server.key.bk

# 移除文件口令,输出到新的server.key(这时,需要输入第一步设置的密码)
[root@hadoop2 opt]# openssl rsa -in server.key.bk -out server.key
Enter pass phrase for server.key.bk:
writing RSA key

# 生成证书文件server.crt
[root@hadoop2 opt]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=C = CN, ST = ShanXi, L = TaiYuan, O = YourCompany, emailAddress = YourEmail
Getting Private key

Note: 记得将申请文件时填写的 YourCompany , YourEmail 信息改为自己的公司/组织及邮箱。

Enter pass phrase for root.key: <—— 前面设置的密码
Country Name (2 letter code) [AU]:CN <—— 国家代号,中国输入CN
State or Province Name (full name) [Some-State]:ShanXi <—— 省的全名,拼音
Locality Name (eg, city) []:TaiYuan <—— 市的全名,拼音
Organization Name (eg, company) [Internet Widgits Pty Ltd]:YourCompany <—— 公司英文名
Organizational Unit Name (eg, section) []: <—— 可不填
Common Name (eg, YOUR name) []: <—— 可不填
Email Address []:YourEmail <—— 电子邮箱
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []: <—— 可不填
An optional company name []: <—— 可不填

确认Nginx是否安装了SSL模块

[root@hadoop2 ~]# nginx -V
nginx version: nginx/1.20.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --with-http_stub_status_module --with-http_ssl_module

Note:如果一开始在安装 Nginx 时没有安装 SSL 模块,需要重新编译安装 Nginx

Nginx配置SSL证书代理静态资源

确认 Nginx 安装了 SSL 模块后,将前面生产的秘钥及证书放到一个目录中,我这里是 /opt/ssl-cert 。在配置前后端分离的 HTTPS 访问前,我们先通过 Nginx 代理静态资源,以验证证书的有效性。

    # HTTPS server
    #
    server {
        listen       443 ssl;
        server_name  localhost;

        ssl_certificate      /opt/ssl-cert/server.crt;
        ssl_certificate_key  /opt/ssl-cert/server.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }

2022-10-29-NginxSSL.jpg

2022-10-29-SSLStatic.jpg

Nginx配置SSL证书代理前后端服务

开启 HTTP 转发到 HTTPS 的配置如下:

server {
    listen       80;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

以下是一个基于 VueSpringBoot 的前、后端分离的单体架构项目 NginxSSL 的完整配置,最终实现 HTTPS 加密传输。

    server {
        listen       80;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }
    
    # HTTPS server
    #
    server {
        listen       443 ssl;
        server_name  localhost;

        ssl_certificate      /opt/ssl-cert/server.crt;
        ssl_certificate_key  /opt/ssl-cert/server.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        #location / {
        #    root   html;
        #    index  index.html index.htm;
        #}

        location / {
            root       /opt/frontend/dist;
            try_files $uri $uri/ /index.html;
        }

        location /prod-api  {                              # custom prefix: third party API
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            rewrite  ^/prod-api/(.*)$ /$1 break;           # rewrite the URL and redirect
            include  uwsgi_params;
            proxy_pass   http://localhost:8080;   # Third party API URL
        }
    }

2022-10-29-SSLBackend.jpg

Note: 每次修改完 Nginx 配置,记得刷新保证配置生效: nginx -s reload

If you have any questions or any bugs are found, please feel free to contact me.

Your comments and suggestions are welcome!


「说点什么吧😊~~😊」: