2017-11-25

NaviServer: Configuring HTTPS (self-signed certificate)

The nsssl module is the NaviServer module that handles the SSL side. The NaviServer 4.99.15 I am currently using already has the nsssl functionality integrated into the core.

Below are my notes, combining the way the nsssl documentation generates a self-signed certificate with the settings from my other servers.

Creating the self-signed certificate. First, create the localhost.conf configuration file:
[req]
default_bits       = 2048
default_keyfile    = localhost.key
distinguished_name = req_distinguished_name
req_extensions     = req_ext
x509_extensions    = v3_ca

[req_distinguished_name]
countryName                 = Country Name (2 letter code)
countryName_default         = US
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName                = Locality Name (eg, city)
localityName_default        = Rochester
organizationName            = Organization Name (eg, company)
organizationName_default    = localhost
organizationalUnitName      = organizationalunit
organizationalUnitName_default = Development
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_default          = localhost
commonName_max              = 64

[req_ext]
subjectAltName = @alt_names

[v3_ca]
subjectAltName = @alt_names

[alt_names]
DNS.1   = localhost
DNS.2   = 127.0.0.1

Run the following OpenSSL commands on Linux or Mac OS X to create the self-signed certificate:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf -passin pass:YourSecurePassword

cat localhost.crt localhost.key > server.pem
rm -rf localhost.crt localhost.key
openssl dhparam 2048 >> server.pem
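As an added check that is not part of the original post or of nsssl: a small Python script, standard library only, that inspects the server.pem bundle produced by the commands above and reports anything that would stop nsd from loading it (nsd cannot prompt for a key passphrase, so the key must be unencrypted). The sample bundles are constructed placeholders, not real keys or certificates.

```python
import re
from typing import List

# One PEM block: the label ("CERTIFICATE", "DH PARAMETERS", ...) and its body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

# Labels OpenSSL writes for unencrypted private keys (PKCS#8, RSA, EC).
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text: str) -> List[str]:
    """Return the labels of all PEM blocks in the bundle, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_nsssl_bundle(text: str) -> List[str]:
    """Return the problems found in a server.pem bundle (empty list means OK).

    The recipe above concatenates localhost.crt and localhost.key and then
    appends DH parameters, so all three block types are expected.
    """
    labels = pem_blocks(text)
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block: was localhost.crt concatenated?")
    keys = [label for label in labels if label in KEY_LABELS]
    if "ENCRYPTED PRIVATE KEY" in labels or "Proc-Type: 4,ENCRYPTED" in text:
        problems.append("private key is passphrase-protected; regenerate with -nodes")
    elif not keys:
        problems.append("no private key block: was localhost.key concatenated?")
    elif len(keys) > 1:
        problems.append("more than one private key in the bundle")
    if "DH PARAMETERS" not in labels:
        problems.append("no DH PARAMETERS block: 'openssl dhparam 2048 >> server.pem' missing")
    return problems


# Constructed sample bundles (placeholder base64, not real key material).
SAMPLE_OK = (
    "-----BEGIN CERTIFICATE-----\nMIIBcGxhY2Vob2xkZXI=\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nMIIEcGxhY2Vob2xkZXI=\n-----END PRIVATE KEY-----\n"
    "-----BEGIN DH PARAMETERS-----\nMIIBcGxhY2Vob2xkZXI=\n-----END DH PARAMETERS-----\n"
)
SAMPLE_NO_DH = SAMPLE_OK.split("-----BEGIN DH PARAMETERS-----")[0]
SAMPLE_ENCRYPTED = SAMPLE_OK.replace("BEGIN PRIVATE KEY", "BEGIN ENCRYPTED PRIVATE KEY") \
                            .replace("END PRIVATE KEY", "END ENCRYPTED PRIVATE KEY")

if __name__ == "__main__":
    for name, bundle in [("ok", SAMPLE_OK), ("no_dh", SAMPLE_NO_DH), ("encrypted", SAMPLE_ENCRYPTED)]:
        print(name, check_nsssl_bundle(bundle) or "OK")
```

To check a real bundle, pass the contents of /var/lib/naviserver/modules/nsssl/server.pem to check_nsssl_bundle().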

Then copy server.pem into the /var/lib/naviserver/modules/nsssl directory.
Next, configure the NaviServer side (edit nsd-config.tcl in the conf directory, or your own configuration file):
#
# NSSSL
#

ns_section    ns/server/default/modules
ns_param      nsssl                nsssl.so

ns_section    ns/server/default/module/nsssl
ns_param      certificate      $home/modules/nsssl/server.pem
ns_param      address          127.0.0.1
ns_param      port             8081
ns_param      ciphers              "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!RC4"
ns_param      protocols            "!SSLv2:!SSLv3"
ns_param      verify                0

ns_param      extraheaders {
   Strict-Transport-Security "max-age=31536000; includeSubDomains"
   X-Frame-Options SAMEORIGIN
   X-Content-Type-Options nosniff
}

The original example sets the port to 443, but ports below 1024 require root privileges, so I changed it to 8081 for testing.

Note: "default" depends on your configuration; because I tested with the initial nsd-config.tcl, the server name is default.
