步骤4：部署Nginx服务_基于加密服务的SSL安全卸载_最佳实践

请您将配合使用TASSL引擎的Nginx服务包nginx-1.16.0_tassl_hsm.tgz上传至ECS2上并解压，例如解压到/root/ nginx-1.16.0_tassl目录下。

在/root/ nginx-1.16.0_tassl目录下安装Nginx服务。

./configure --with-http_ssl_module --with-stream
--with-stream_ssl_module --with-openssl=/root/tasshsm_engine/tassl
--prefix=/root/nginx
make
make install

配置不同加密算法服务端证书的Nginx服务。

您可以参考下表中的示例编辑/root/nginx/conf/nginx.conf配置文件中的证书部分。

算法代码示例

RSA

算法	代码示例
RSA	user root; worker_processes 1; … … # HTTPS server server { listen 443 ssl; server_name localhost; #use tasshsm engine by key index ssl_certificate /root/tasshsm_engine/cert/server/rsa/S_RSA_HSM.crt; #配置RSA证书文件。 ssl_certificate_key engine:tasshsm_rsa:15; #配置存储RSA私钥的索引号。 ssl_verify_client off; # for one-way https #表示不验证客户端。 ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; location / { root html; index index.html index.htm; } } …
SM2	user root; worker_processes 1; … … # HTTPS server server { listen 444 ssl; server_name localhost; #use tasshsm engine by key index ssl_certificate /root/tasshsm_engine/cert/server/sm2/SS_SM2_HSM.crt; #配置签名证书文件。 ssl_certificate_key engine:tasshsm_sm2:15; #配置存储签名私钥的索引号。 ssl_enc_certificate /root/tasshsm_engine/cert/server/sm2/SE_SM2_HSM.crt; #配置加密证书文件。 ssl_enc_certificate_key engine:tasshsm_sm2:16; #配置存储加密私钥的索引号。 ssl_verify_client off; # for #表示不验证客户端。 one-way https … location / { root html; index index.html index.htm; } } …
ECC	user root; worker_processes 1; … … # HTTPS server server { listen 445 ssl; server_name localhost; #use tasshsm engine by key index ssl_certificate /root/tasshsm_engine/cert/server/ecc/S_ECC_HSM.crt; #配置RSA证书文件。 ssl_certificate_key engine:tasshsm_ecc:15; #配置存储RSA私钥的索引号。 ssl_verify_client off; # for #表示不验证客户端。 one-way https ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; location / { root html; index index.html index.htm; } } …


user root;
worker_processes  1;
…
…
    # HTTPS server
    server {
        listen       443 ssl;
        server_name  localhost;

        #use tasshsm engine by key index
        ssl_certificate  /root/tasshsm_engine/cert/server/rsa/S_RSA_HSM.crt;  #配置RSA证书文件。
        ssl_certificate_key  engine:tasshsm_rsa:15; #配置存储RSA私钥的索引号。

        ssl_verify_client off; # for one-way https #表示不验证客户端。

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
}
…

SM2


user
  root;
worker_processes  1;
…
…
    # HTTPS server
    server {
        listen       444 ssl;
        server_name  localhost;

        #use tasshsm engine by key index
        ssl_certificate   /root/tasshsm_engine/cert/server/sm2/SS_SM2_HSM.crt; #配置签名证书文件。
        ssl_certificate_key   engine:tasshsm_sm2:15; #配置存储签名私钥的索引号。
        ssl_enc_certificate   /root/tasshsm_engine/cert/server/sm2/SE_SM2_HSM.crt; #配置加密证书文件。
        ssl_enc_certificate_key  engine:tasshsm_sm2:16; #配置存储加密私钥的索引号。

        ssl_verify_client off; # for #表示不验证客户端。
  one-way https
        …
        location / {
            root   html;
            index  index.html index.htm;
        }
}
…

ECC

user
  root;
worker_processes  1;
…
…
    # HTTPS server
    server {
        listen       445 ssl;
        server_name  localhost;

        #use tasshsm engine by key index
        ssl_certificate  /root/tasshsm_engine/cert/server/ecc/S_ECC_HSM.crt; #配置RSA证书文件。
        ssl_certificate_key  engine:tasshsm_ecc:15; #配置存储RSA私钥的索引号。

        ssl_verify_client off; # for #表示不验证客户端。
  one-way https

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
}
…

执行以下命令启动Nginx代理。

cd /root/nginx/sbin
source ./setting  #设置Nginx调用ssl的动态库为tassl引擎目录。
./nginx

步骤4：部署Nginx服务

操作步骤