@sujunmin
Last active February 23, 2019 09:48
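Installing nginx on Windows, GCA certificate handling notes, SNI
  1. Installing nginx on Windows

    a. Download

    b. Set it up as a service with NSSM

  2. GCA certificate handling notes

    a. GRCA1 self-signed certificate, GRCA self-issued certificate (GRCA1 signs GRCA1.5), GRCA self-issued certificate (GRCA1.5 signs GRCA2), GCA2 self-signed certificate

    b. Convert to crt: openssl x509 -inform DER -in orig.cer -out dest.crt

    c. From the GCA certificate that is already a pfx file, export the private key and the certificate separately

    Private Key: openssl pkcs12 -in orig.pfx -nocerts -out dest.key.pem -nodes

    Certificate: openssl pkcs12 -in orig.pfx -nokeys -out dest.cert.pem

    d. Append the GRCA/GCA self-signed certificates

    cat grca1.crt .... >> dest.cert.pem

  3. SNI

    a. worker_processes auto;

    b. In http: server_names_hash_bucket_size 64;

    c. Under http, several server blocks describe SNI; each accepts on 443 and forwards to the original port 80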

    # Selected when the client's SNI name is abc.local
    server {
        listen       443 ssl;
        server_name  abc.local;

        # Certificate bundle (server certificate first) and its private key
        ssl_certificate      'C:/Program Files/nginx-1.12.2/conf/abc.local.cert.pem';
        ssl_certificate_key  'C:/Program Files/nginx-1.12.2/conf/abc.local.key.pem';

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        # TLS ends here; forward to the existing site on port 80
        location / {
            proxy_pass http://localhost/abc/;
        }
    }

    # Selected when the client's SNI name is def.local
    server {
        listen       443 ssl;
        server_name  def.local;

        ssl_certificate      'C:/Program Files/nginx-1.12.2/conf/def.local.cert.pem';
        ssl_certificate_key  'C:/Program Files/nginx-1.12.2/conf/def.local.key.pem';

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        # Trailing slash: a request for /x is forwarded as /def/x
        location / {
            proxy_pass http://localhost/def/;
        }
    }
    
    ...
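
A check to run on the files from step 2 before pointing ssl_certificate and ssl_certificate_key at them, as an added example that is not part of the original notes: it confirms that the first certificate in the bundle matches the private key, which also catches a bundle whose CA certificates ended up ahead of the server certificate. Function names are hypothetical, and the sample certificates are throwaway self-signed ones generated by the script.

```shell
#!/bin/sh
# Added example (not from the original notes). Function names are hypothetical;
# the certificates are throwaway self-signed ones constructed for the demo.

# SHA-256 of the public key of the FIRST certificate in a PEM bundle.
# "openssl x509" reads only the first certificate in the file.
cert_pubkey_hash() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the public key derived from a private key file.
key_pubkey_hash() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only when the first certificate in bundle $1 belongs to key $2.
check_pair() {
    c=$(cert_pubkey_hash "$1") || return 1
    k=$(key_pubkey_hash "$2") || return 1
    [ "$c" = "$k" ]
}

# Number of certificates in a PEM bundle.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Constructed sample input: two self-signed certificates standing in for the
# server certificate ("abc") and a CA certificate ("root").
make_sample() {
    d=$(mktemp -d) || return 1
    for n in abc root; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$n.test" \
            -keyout "$d/$n.key.pem" -out "$d/$n.crt" 2>/dev/null || return 1
    done
    cat "$d/abc.crt" "$d/root.crt" > "$d/good.pem"  # server cert first, CA appended
    cat "$d/root.crt" "$d/abc.crt" > "$d/bad.pem"   # CA first: wrong order
    echo "$d"
}

d=$(make_sample) || echo "sample generation failed (is openssl installed?)"
check_pair "$d/good.pem" "$d/abc.key.pem" && echo "good.pem: key matches, $(cert_count "$d/good.pem") certs"
check_pair "$d/bad.pem" "$d/abc.key.pem" || echo "bad.pem: first certificate does not match the key"
```

On the real files the call is check_pair dest.cert.pem dest.key.pem. Because -nodes writes the private key unencrypted, keep dest.key.pem readable only by the account that runs nginx.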
    