TLS termineerimine nginx abil: Difference between revisions

From ICO wiki
Jump to navigationJump to search
Kkarlson (talk | contribs)
Mernits (talk | contribs)
 
(One intermediate revision by the same user not shown)
Line 13: Line 13:




= Apache seadistamine =
Kui kasutate Nginx serverit TLS terminaatorina apache serveri ees, siis keelake ssl virtuaalsed hostid ja ssl moodul apache serveril.
<pre>
a2dissite sinu-virtualhosti-konfifail
a2dismod ssl
</pre>
= Nginx seadistamine =
= Nginx seadistamine =


Line 75: Line 84:


     ssl_session_cache shared:SSL:10m;
     ssl_session_cache shared:SSL:10m;
    ssl_protocols      SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers        HIGH:!aNULL:!MD5;





Latest revision as of 09:50, 24 April 2014

Ülesehitus

Lahenduse mõtteks on kasutada nginx veebiserverit proxyna teenindamaks https päringuid pordi 443 pihta. Antud näite puhul ei saa suunata https päringuid otse Apache veebiserveri pihta, kuna veebilehtede cachimiseks kasutatakse varnishit. Nginxi ülesandeks jääb võtta vastu https päringud pordi 443 poole, muuta need http päringuteks ja suunata edasi varnishi pihta.


Eeldused


Apache seadistamine

Kui kasutate Nginx serverit TLS terminaatorina apache serveri ees, siis keelake ssl virtuaalsed hostid ja ssl moodul apache serveril.

a2dissite sinu-virtualhosti-konfifail
a2dismod ssl

Nginx seadistamine

Paigaldamine

sudo -s
nginx=stable # use nginx=development for latest development version
add-apt-repository ppa:nginx/$nginx
apt-get update 
apt-get install nginx

Sertifikaat

Looge sertifikaat, privaatvõti ja eraldi kaust:

sudo mkdir /usr/local/nginx  
sudo mkdir /usr/local/nginx/conf  
cd /usr/local/nginx/conf  
openssl req -nodes -new -keyout server.key -newkey rsa:1024 > server.csr 

Tuleb vastata küsimustele:

Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:Tallinn
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mesilane
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:www.mesilane.mm
Email Address []:
A challenge password []:
An optional company name []:

Loome ja allkirjastame sertifikaadi:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Konfiguratsioon

Looge kausta /etc/nginx/sites-enabled/ oma saidi nimeline tekstifail ning muutke seda vastavalt:

nano /etc/nginx/sites-enabled/www.mesilane.mm

Näide, mis kasutab saidina www.mesilane.mm:

server {

    listen 443 default_server;

    server_name www.mesilane.mm;


    ssl on;

    ssl_certificate /usr/local/nginx/conf/server.pem;

    ssl_certificate_key /usr/local/nginx/conf/server.key;

    ssl_session_cache shared:SSL:10m;
    ssl_protocols       SSLv3 TLSv1 TLSv1.1 TLSv1.2;

    ssl_prefer_server_ciphers on;
    ssl_ciphers         HIGH:!aNULL:!MD5;


    location / {


       proxy_pass http://localhost:80; # varnish

       proxy_set_header Host $host;


       # re-write redirects to http as to https, example: /home

       proxy_redirect http:// https://;

    }

}

Kasutatud kirjandus

https://wiki.itcollege.ee/index.php/Nginx

http://chase-seibert.github.com/blog/2011/12/21/nginx-ssl-reverse-proxy-tutorial.html

https://wiki.itcollege.ee/index.php/Veebiserver_labor_2#SSL_keskkonna_loomine


Autorid

Sander Arnus

Sander Saveli