Nginx unidirectional configuration ssl
Nginx configuration SSL
Nginx configuration example (one-way)
cp /etc/pki/ca_test/server/server.* /usr/local/nginx/conf/ { listen 443 ssl; server_name www.aminglinux.com; index index.html index.php; root /data/wwwroot/aminglinux.com; ssl on; ssl_certificate server.crt; ssl_certificate_key server.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!eNULL; ssl_prefer_server_ciphers on; ... }
Configuration instructions
1. 443端口为ssl监听端口。
2. ssl on表示打开ssl支持。
3. ssl_certificate指定crt文件所在路径,如果写相对路径,必须把该文件和nginx.conf文件放到一个目录下。
4. ssl_certificate_key指定key文件所在路径。 5. ssl_protocols指定SSL协议。 6. ssl_ciphers配置ssl加密算法,多个算法用:分隔,ALL表示全部算法,!表示不启用该算法,+表示将该算法排到最后面去。 7. ssl_prefer_server_ciphers 如果不指定默认为off,当为on时,在使用SSLv3和TLS协议时,服务器加密算法将优于客户端加密算法。
Nginx configuration mutual authentication
cp /etc/pki/ca_test/root/ca.crt /usr/local/nginx/conf/ 配置示例: { listen 443 ssl; server_name www.aminglinux.com; index index.html index.php; root /data/wwwroot/aminglinux.com; ssl on; ssl_certificate server.crt; ssl_certificate_key server.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!eNULL; ssl_prefer_server_ciphers on; ssl_client_certificate ca.crt; //这里的ca.crt是根证书公钥文件 ssl_verify_client on; ... }
The client (browser) operation
如果不进行以下操作,浏览器会出现400错误。400 Bad Request(No required SSL certificate was sent)
首先需要将client.key转换为pfx(p12)格式
# cd /etc/pki/ca_test/client
# openssl pkcs12 -export -inkey client.key -in client.crt -out client.pfx //这一步需要输入一个自定义密码,一会在windows上安装的时候要用到,需要记一下。 然后将client.pfx拷贝到windows下,双击即可安装。 也可以直接curl测试: curl -k --cert /etc/pki/ca_test/client/client.crt --key /etc/pki/ca_test/client/client.key https
ngxin error log
Nginx error log
Nginx错误日志平时不用太关注,但是一旦出了问题,就需要借助错误日志来判断问题所在。
配置参数格式:error_log /path/to/log level;
Nginx error log level
常见的错误日志级别有debug | info | notice | warn | error | crit | alert | emerg 级别越高记录的信息越少,如果不定义,默认级别为error. 它可以配置在main、http、server、location段里。 如果在配置文件中定义了两个error_log,在同一个配置段里的话会产生冲突,所以同一个段里只允许配置一个error_log。 但是,在不同的配置段中出现是没问题的。
Nginx error log example
error_log /var/log/nginx/error.log crit;
如果要想彻底关闭error_log,需要这样配置
error_log /dev/null;
nginx access log and the log format
Nginx access log format
Nginx访问日志可以设置自定义的格式,来满足特定的需求。
Examples of access log format
示例1
log_format combined_realip '$remote_addr $http_x_forwarded_for [$time_local]'
'$host "$request_uri" $status' '"$http_referer" "$http_user_agent"'; 示例2 log_format main '$remote_addr [$time_local] ' '$host "$request_uri" $status "$request"' '"$http_referer" "$http_user_agent" "$request_time"'; 若不配置log_format或者不在access_log配置中指定log_format,则默认格式为: '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent";
Common variable
variable | Explanation |
---|---|
$time_local | Universal local time in log format; (server time) |
$remote_addr | The client (user) IP address |
$status | Request status code, such as 200,404,301,302, etc. |
$body_bytes_sent | The number of bytes sent to the client, not including the header size of the response |
$bytes_sent | Total number of bytes sent to the client |
$request_length | The length of the request (including the request line, request headers and the request body) |
$request_time | Request processing time, in seconds, in the form of decimal |
$upstream_addr | Cluster polling address |
$upstream_response_time | Means to establish a connection start receiving the data completely and then closes the connection to the rear from the time Nginx (php-cgi) |
$remote_user | Used to record the client user name |
$request | Mode request (GET or POST, etc.) + URL (comprising $ request_method, $ host, $ request_uri) |
$http_user_agent | Identifies the user's browser |
$http_host | url requested address (target address url) of host |
$host | Equivalent to $ http_host |
$http_referer | Sources page, from which page to page, if you enter the URL directly into your browser to access the referer is empty |
$ s | The current request URI (without request parameters parameters are in the $ args), different from the value passed $ REQUEST_URI browser, which can be internal redirect, modify or use the index instruction. |
$ document_uri | Equivalent to $ uri |
$request_uri | More parameters than $ uri, that is, $ uri + $ args |
$http_x_forwarded_for | If you use a proxy, this parameter will record ip proxy server and client ip |