TLS termineerimine nginx abil: Difference between revisions
(5 intermediate revisions by 3 users not shown) | |||
Line 12: | Line 12: | ||
*Näites kasutatakse saidina www.mesilane.mm | *Näites kasutatakse saidina www.mesilane.mm | ||
= Apache seadistamine = | |||
Kui kasutate Nginx serverit TLS terminaatorina apache serveri ees, siis keelake ssl virtuaalsed hostid ja ssl moodul apache serveril. | |||
<pre> | |||
a2dissite sinu-virtualhosti-konfifail | |||
a2dismod ssl | |||
</pre> | |||
= Nginx seadistamine = | = Nginx seadistamine = | ||
==Paigaldamine== | |||
<pre>sudo -s | |||
nginx=stable # use nginx=development for latest development version | |||
add-apt-repository ppa:nginx/$nginx | |||
apt-get update | |||
apt-get install nginx</pre> | |||
==Sertifikaat== | |||
Looge sertifikaat, privaatvõti ja eraldi kaust: | |||
<pre> | |||
sudo mkdir /usr/local/nginx | |||
sudo mkdir /usr/local/nginx/conf | |||
cd /usr/local/nginx/conf | |||
openssl req -nodes -new -keyout server.key -newkey rsa:1024 > server.csr | |||
</pre> | |||
Tuleb vastata küsimustele: | |||
<pre> | |||
Country Name (2 letter code) [AU]:EE | |||
State or Province Name (full name) [Some-State]:Tallinn | |||
Locality Name (eg, city) []:Tallinn | |||
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mesilane | |||
Organizational Unit Name (eg, section) []: | |||
Common Name (eg, YOUR name) []:www.mesilane.mm | |||
Email Address []: | |||
A challenge password []: | |||
An optional company name []: | |||
</pre> | |||
Loome ja allkirjastame sertifikaadi: | |||
<pre> | <pre> | ||
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt | |||
</pre> | |||
==Konfiguratsioon== | |||
Looge kausta /etc/nginx/sites-enabled/ oma saidi nimeline tekstifail ning muutke seda vastavalt: | Looge kausta /etc/nginx/sites-enabled/ oma saidi nimeline tekstifail ning muutke seda vastavalt: | ||
Line 25: | Line 70: | ||
<pre> | <pre> | ||
server { | |||
listen 443 default_server; | listen 443 default_server; | ||
Line 38: | Line 84: | ||
ssl_session_cache shared:SSL:10m; | ssl_session_cache shared:SSL:10m; | ||
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; | |||
ssl_prefer_server_ciphers on; | |||
ssl_ciphers HIGH:!aNULL:!MD5; | |||
Line 58: | Line 108: | ||
</pre> | </pre> | ||
= Kasutatud kirjandus = | |||
https://wiki.itcollege.ee/index.php/Nginx | |||
http://chase-seibert.github.com/blog/2011/12/21/nginx-ssl-reverse-proxy-tutorial.html | |||
https://wiki.itcollege.ee/index.php/Veebiserver_labor_2#SSL_keskkonna_loomine | |||
==Autorid== | |||
Sander Arnus | Sander Arnus | ||
Sander Saveli | Sander Saveli | ||
Latest revision as of 09:50, 24 April 2014
Ülesehitus
Lahenduse mõtteks on kasutada nginx veebiserverit proxyna teenindamaks https päringuid pordi 443 pihta. Antud näite puhul ei saa suunata https päringuid otse Apache veebiserveri pihta, kuna veebilehtede cachimiseks kasutatakse varnishit. Nginxi ülesandeks jääb võtta vastu https päringud pordi 443 poole, muuta need http päringuteks ja suunata edasi varnishi pihta.
Eeldused
- Antud näide on tehtud Ubuntu Server 12.04.1 peal
- Konfigureeritud ja töötav apache 2 veebiserver.
- Konfigureeritud ja töötav varnish.
- Näites kasutatakse saidina www.mesilane.mm
Apache seadistamine
Kui kasutate Nginx serverit TLS terminaatorina apache serveri ees, siis keelake ssl virtuaalsed hostid ja ssl moodul apache serveril.
a2dissite sinu-virtualhosti-konfifail a2dismod ssl
Nginx seadistamine
Paigaldamine
sudo -s nginx=stable # use nginx=development for latest development version add-apt-repository ppa:nginx/$nginx apt-get update apt-get install nginx
Sertifikaat
Looge sertifikaat, privaatvõti ja eraldi kaust:
sudo mkdir /usr/local/nginx sudo mkdir /usr/local/nginx/conf cd /usr/local/nginx/conf openssl req -nodes -new -keyout server.key -newkey rsa:1024 > server.csr
Tuleb vastata küsimustele:
Country Name (2 letter code) [AU]:EE State or Province Name (full name) [Some-State]:Tallinn Locality Name (eg, city) []:Tallinn Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mesilane Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:www.mesilane.mm Email Address []: A challenge password []: An optional company name []:
Loome ja allkirjastame sertifikaadi:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Konfiguratsioon
Looge kausta /etc/nginx/sites-enabled/ oma saidi nimeline tekstifail ning muutke seda vastavalt:
nano /etc/nginx/sites-enabled/www.mesilane.mm
Näide, mis kasutab saidina www.mesilane.mm:
server { listen 443 default_server; server_name www.mesilane.mm; ssl on; ssl_certificate /usr/local/nginx/conf/server.pem; ssl_certificate_key /usr/local/nginx/conf/server.key; ssl_session_cache shared:SSL:10m; ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers HIGH:!aNULL:!MD5; location / { proxy_pass http://localhost:80; # varnish proxy_set_header Host $host; # re-write redirects to http as to https, example: /home proxy_redirect http:// https://; } }
Kasutatud kirjandus
https://wiki.itcollege.ee/index.php/Nginx
http://chase-seibert.github.com/blog/2011/12/21/nginx-ssl-reverse-proxy-tutorial.html
https://wiki.itcollege.ee/index.php/Veebiserver_labor_2#SSL_keskkonna_loomine
Autorid
Sander Arnus
Sander Saveli