{"id":48,"date":"2016-06-15T18:07:39","date_gmt":"2016-06-15T10:07:39","guid":{"rendered":"http:\/\/www.wistep.cn\/?p=48"},"modified":"2016-06-16T11:19:32","modified_gmt":"2016-06-16T03:19:32","slug":"nginx%e5%8f%8d%e5%90%91%e4%bb%a3%e7%90%86ssl%e8%bf%9e%e6%8e%a5","status":"publish","type":"post","link":"http:\/\/www.wistep.cn\/?p=48","title":{"rendered":"nginx\u53cd\u5411\u4ee3\u7406-SSL\u8fde\u63a5"},"content":{"rendered":"

\u4f7f\u7528nginx\u7684stream\u6a21\u5757\u5bf9\u5185\u90e8socket\u670d\u52a1\u8fdb\u884c\u53cd\u5411\u4ee3\u7406\uff0cnginx\u4f5c\u4e3a\u63a5\u5165\u670d\u52a1\u5668\u5bf9\u5916\u63d0\u4f9bSSL\u5b89\u5168\u8fde\u63a5\uff08\u5355\u5411\u8ba4\u8bc1\uff09\uff0c\u7f51\u7edc\u62d3\u6251\u5982\u56fe1-1\u6240\u793a\u3002\u5176\u4e2d\u670d\u52a1\u5668A\u4e0e\u670d\u52a1\u5668B\u63d0\u4f9b\u76f8\u540c\u670d\u52a1\uff0c\u53ef\u914d\u7f6e\u6210\u4e3b\u5907\u6216\u8d1f\u8f7d\u5747\u8861\u6a21\u5f0f\u3002<\/p>\n

\"\u7f51\u7edc\u62d3\u6251\u7ed3\u6784\"<\/a>\u56fe1-1 \u7f51\u7edc\u62d3\u6251\u7ed3\u6784<\/p>\n

\u603b\u4f53\u914d\u7f6e\u8fc7\u7a0b\u5206\u4e3a\uff1anginx\u5b89\u88c5\u3001ssl\u8bc1\u4e66\u751f\u6210\u3001nginx\u914d\u7f6e\u53ca\u6700\u540e\u7684\u670d\u52a1\u6d4b\u8bd5\u3002\u5176\u4e2dnginx\u5b89\u88c5\u8fc7\u7a0b\u53ef\u53c2\u7167\u7f51\u7edc\u4e0a\u7684\u4ecb\u7ecd\uff0c\u4e3a\u5b9e\u73b0socket\u53cd\u5411\u4ee3\u7406\u5e76\u542f\u7528SSL\u7684\u529f\u80fd\uff0c\u5728\u5b89\u88c5nginx\u65f6\u9700\u8981\u6dfb\u52a0\u00a0–with-stream\u00a0 –with-stream_ssl_module \u53c2\u6570\u3002<\/p>\n

\u672c\u5b9e\u9a8c\u57fa\u4e8eCentOS 6\uff0c\u9700\u8981\u5b89\u88c5OpenSSL\u3001pcre\u3002<\/p>\n

1. \u8bc1\u4e66\u751f\u6210<\/h4>\n

\u8bc1\u4e66\u751f\u6210\u8fc7\u7a0b\u4e2d\u4f1a\u9700\u8981\u8f93\u5165\u8bc1\u4e66\u76f8\u5173\u4fe1\u606f\u3002<\/p>\n

\r\nopenssl genrsa -des3 -out ssl.key 1024\r\nmv ssl.key server.key\r\nopenssl rsa -in server.key -out ssl.key \r\nrm server.key \r\nopenssl req -new -key ssl.key -out ssl.csr \r\nopenssl x509 -req -days 3650 -in ssl.csr -signkey ssl.key -out ssl.crt \r\n\r\n<\/pre>\n
2. nginx\u914d\u7f6e<\/h4>\n
\u4fee\u6539nginx\u914d\u7f6e\u6587\u4ef6\uff0c\u6dfb\u52a0stream\u6a21\u5757\u914d\u7f6e\uff0c\u5e76\u4e14\u914d\u7f6e\u540e\u7aef\u670d\u52a1\u5668\u4fe1\u606f\uff08\u5bf9\u5e94\u6837\u4f8b\u4e2d\u7684backend\uff09\uff0c\u914d\u7f6e\u76f8\u5e94\u7684server\uff0cserver\u4e2d\u6307\u5b9anginx\u5bf9\u5916\u76d1\u542c\u7684\u7aef\u53e3\u3001\u5b9e\u9645\u4ee3\u7406\u7684\u670d\u52a1\u5668\u3001SSL\u8bc1\u4e66\u53ca\u4ee3\u7406\u76f8\u5173\u7684\u914d\u7f6e\uff0c\u5177\u4f53\u53ef\u53c2\u7167nginx\u5b98\u65b9\u6587\u6863<\/a>ngx_stream_*\u90e8\u5206\uff08\u5728\u6700\u5e95\u90e8\uff09\u3002\u914d\u7f6e\u5b8c\u6210\u540e\u4f7f\u7528 nginx -s reload\u547d\u4ee4\u91cd\u65b0\u52a0\u8f7d\u914d\u7f6e\u6587\u4ef6\u3002\u4ee5\u4e0b\u914d\u7f6e\u4f9b\u53c2\u8003\u3002<\/p>\n
\r\nstream {\r\n    upstream backend {\r\n        hash $remote_addr consistent;\r\n\r\n        server 127.0.0.1:12345  max_fails=3 fail_timeout=30s;\r\n        server 127.0.0.1:12346  max_fails=3 fail_timeout=30s;\r\n    }\r\n\r\n    # \u975eSSL\u8fde\u63a5\r\n    server {\r\n        listen 3333;\r\n        proxy_connect_timeout 5s;\r\n        proxy_timeout 120s;\r\n        proxy_pass backend;\r\n    }\r\n\r\n    # SSL \u8fde\u63a5\r\n    server {\r\n        listen              18443 ssl;\r\n\r\n        ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;\r\n        ssl_ciphers    AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;\r\n        ssl_certificate     \/data\/server\/nginx\/cert\/ssl.crt;\r\n        ssl_certificate_key \/data\/server\/nginx\/cert\/ssl.key;\r\n\r\n        ssl_session_cache   shared:SSL:10m;\r\n        ssl_session_timeout 10m;\r\n\r\n        proxy_connect_timeout 5s;\r\n        proxy_timeout 120s;\r\n        proxy_pass backend;\r\n    }\r\n}\r\n\r\n<\/pre>\n
3. \u8fde\u63a5\u6d4b\u8bd5<\/h4>\n
\u6d4b\u8bd5\u4e2d\uff0c\u540e\u7aef\u670d\u52a1\u5668\u4f7f\u7528python\u505a\u4e86\u4e00\u4e2a\u7b80\u5355\u7684\u56de\u663e\u670d\u52a1\u5668\uff0c\u5206\u522b\u76d1\u542c12345\u300112346\u7aef\u53e3\uff0cpython\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n
\r\n#!\/usr\/bin\/python\r\n#coding=utf-8\r\n\r\nimport socket\r\nimport commands\r\n\r\nHOST = '127.0.0.1'\r\nPORT = 12345\r\ns    = socket.socket(socket.AF_INET,socket.SOCK_STREAM)   #\u5b9a\u4e49socket\u7c7b\u578b\uff0c\u7f51\u7edc\u901a\u4fe1\uff0cTCP\r\n\r\ns.bind((HOST,PORT))   #\u5957\u63a5\u5b57\u7ed1\u5b9a\u7684IP\u4e0e\u7aef\u53e3\r\ns.listen(1)           #\u5f00\u59cbTCP\u76d1\u542c\r\nwhile 1:\r\n        conn, addr = s.accept()\r\n        print ('Connected by', addr)\r\n\r\n        while 1:\r\n                data = conn.recv(1024)\r\n\r\n                if len(data) == 0 :\r\n                        print ("Connection closed : ", addr)\r\n                        break\r\n                else:\r\n                        conn.sendall(data)\r\n                        print ("recv: ", data)\r\n        conn.close()\r\n\r\n<\/pre>\n
 <\/p>\n
\u4f7f\u7528OpenSSL\u4f5c\u4e3aSSL\u5ba2\u6237\u7aef\u8fde\u63a5\u670d\u52a1\u8fdb\u884c\u6d4b\u8bd5\u7684\u547d\u4ee4\u4e3a\u683c\u5f0f\u5982\u4e0b\uff1a<\/p>\n
openssl s_client -connect localhost:18443<\/pre>\n","protected":false},"excerpt":{"rendered":"
\u4f7f\u7528nginx\u7684stream\u6a21\u5757\u5bf9\u5185\u90e8socket\u670d\u52a1\u8fdb\u884c\u53cd\u5411\u4ee3\u7406\uff0cnginx\u4f5c … \u7ee7\u7eed\u9605\u8bfb →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"http:\/\/www.wistep.cn\/index.php?rest_route=\/wp\/v2\/posts\/48"}],"collection":[{"href":"http:\/\/www.wistep.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.wistep.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.wistep.cn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.wistep.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=48"}],"version-history":[{"count":20,"href":"http:\/\/www.wistep.cn\/index.php?rest_route=\/wp\/v2\/posts\/48\/revisions"}],"predecessor-version":[{"id":69,"href":"http:\/\/www.wistep.cn\/index.php?rest_route=\/wp\/v2\/posts\/48\/revisions\/69"}],"wp:attachment":[{"href":"http:\/\/www.wistep.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=48"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.wistep.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=48"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.wistep.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=48"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}