
Using more than one SSL certificate on a single server.

To get an Nginx build that reports "TLS SNI support enabled" (SNI = Server Name Indication), the steps below are needed.


Installation environment

OS : centos 5.8

nginx : 1.2.8


step1. Environment setup

$ cd /usr/src

$ mkdir -p  /usr/src/redhat/SPECS

$ wget http://www.openssl.org/source/openssl-0.9.8l.tar.gz

$ tar xvfz openssl-0.9.8l.tar.gz

$ yum install rpm-build

$ cd /usr/src/redhat/SPECS

$ wget 'http://nginx.org/packages/centos/5/SRPMS/nginx-1.2.8-1.el5.ngx.src.rpm'

$ rpm -Uvh nginx-1.2.8-1.el5.ngx.src.rpm


$ vim /usr/src/redhat/SPECS/nginx.spec
#make %{?_smp_mflags}
make

./configure \
        --prefix=%{_sysconfdir}/nginx \
        --sbin-path=%{_sbindir}/nginx \
        --conf-path=%{_sysconfdir}/nginx/nginx.conf \
        --error-log-path=%{_localstatedir}/log/nginx/error.log \
        --http-log-path=%{_localstatedir}/log/nginx/access.log \
        --pid-path=%{_localstatedir}/run/nginx.pid \
        --lock-path=%{_localstatedir}/run/nginx.lock \
        --http-client-body-temp-path=%{_localstatedir}/cache/nginx/client_temp \
        --http-proxy-temp-path=%{_localstatedir}/cache/nginx/proxy_temp \
        --http-fastcgi-temp-path=%{_localstatedir}/cache/nginx/fastcgi_temp \
        --http-uwsgi-temp-path=%{_localstatedir}/cache/nginx/uwsgi_temp \
        --http-scgi-temp-path=%{_localstatedir}/cache/nginx/scgi_temp \
        --user=%{nginx_user} \
        --group=%{nginx_group} \
        --with-http_ssl_module \
        --with-http_realip_module \
        --with-http_addition_module \
        --with-http_sub_module \
        --with-http_dav_module \
        --with-http_flv_module \
        --with-http_mp4_module \
        --with-http_gzip_static_module \
        --with-http_random_index_module \
        --with-http_secure_link_module \
        --with-http_stub_status_module \
        --with-mail \
        --with-mail_ssl_module \
        --with-file-aio \
        --with-ipv6 \
        --with-openssl=/usr/src/openssl-0.9.8l/ \
        --with-openssl-opt=enable-tlsext \
        --with-cc-opt="%{optflags} $(pcre-config --cflags)" \

step2. rpm build
$ rpmbuild -ba nginx.spec
오류: Failed build dependencies:
        zlib-devel is needed by nginx-1.2.8-1.ngx.x86_64
        pcre-devel is needed by nginx-1.2.8-1.ngx.x86_64
        openssl-devel is needed by nginx-1.2.8-1.ngx.x86_64

$ yum install zlib-devel pcre-devel openssl-devel -y

$ rpmbuild -ba nginx.spec

After the compile finishes

$ cd /usr/src/redhat/RPMS/x86_64

$ rpm -ivh nginx-1.2.8-1.ngx.x86_64.rpm
준비 중...               ########################################### [100%]
   1:nginx                  ########################################### [100%]
----------------------------------------------------------------------

Thanks for using NGINX!

Check out our community web site:
* http://nginx.org/en/support.html

If you have questions about commercial support for NGINX please visit:
* http://www.nginx.com/support.html

----------------------------------------------------------------------

$ nginx -V
nginx version: nginx/1.2.8
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-54)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-openssl=/usr/src/openssl-0.9.8l/ --with-openssl-opt=enable-tlsext --with-cc-opt='-O2 -g -m64 -mtune=generic'

If you see the "TLS SNI support enabled" line above, the build succeeded.

Now two certificates can be served from the same port, as shown below. WOW!!

nginx.conf
server {
    listen 443;
    server_name domain.com;

    access_log  /var/log/nginx/log  main;

    root /home/public/;
    index index.html index.htm;

    ssl on;
    ssl_certificate /etc/nginx/ssl/com.cert.pem;
    ssl_certificate_key /etc/nginx/ssl/com.cert.pem;

    ssl_session_timeout 5m;

    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;

    location / {
.....
    }
}

server {
    listen 443;
    server_name domain.org;

    access_log  /var/log/nginx/log  main;

    root /home/public/;
    index index.html index.htm;

    ssl on;
    ssl_certificate /etc/nginx/ssl/org.cert.pem;
    ssl_certificate_key /etc/nginx/ssl/org.cert.pem;

    ssl_session_timeout 5m;

    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;

    location / {
.....
    }
}


[ Source : http://www.kutukupret.com/2010/08/30/nginx-enabling-tls-sni-support-on-centos-5/ ]


.by rocksea
