Setting up an Nginx HTTPS environment:
1. Generate the certificate
[[email protected] CA]# openssl genrsa -des3 -out jroa.key 1024    \\ create an RSA private key
Generating RSA private key, 1024 bit long modulus
...............++++++
..................................++++++
e is 65537 (0x10001)
Enter pass phrase for jroa.key:    \\ prompted for a pass phrase
Verifying - Enter pass phrase for jroa.key:    \\ enter it again
[[email protected] CA]# openssl rsa -in jroa.key -out jroa_nopass.key    \\ write a copy of the key that needs no pass phrase
Enter pass phrase for jroa.key:    \\ enter the pass phrase set above
writing RSA key    \\ the RSA key was written successfully
[[email protected] CA]# openssl req -new -key jroa_nopass.key -out jroa.csr    \\ generate a certificate signing request
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    \\ country code
State or Province Name (full name) []:FJ    \\ province
Locality Name (eg, city) [Default City]:XM    \\ city
Organization Name (eg, company) [Default Company Ltd]:jroa    \\ company name
Organizational Unit Name (eg, section) []:Tech    \\ department
Common Name (eg, your name or your server's hostname) []:www.jroa.com    \\ the most important field: the hostname of our site
Email Address []:[email protected]    \\ e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    \\ just press Enter
An optional company name []:    \\ just press Enter
[[email protected] CA]# openssl x509 -req -days 365 -in jroa.csr -signkey jroa.key -out jroa.crt    \\ sign the certificate
Signature ok
subject=/C=CN/ST=FJ/L=XM/O=jroa/OU=Tech/CN=www.jroa.com/[email protected]
Getting Private key
Enter pass phrase for jroa.key:    \\ enter the pass phrase of the RSA key created earlier
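The same result can be produced without any interactive prompts, which is how it is usually scripted. The script below is an added example, not from the original post: it generates an unencrypted key (the equivalent of jroa_nopass.key) and a self-signed certificate for www.jroa.com in one openssl call, puts the subject in a config file, adds a subjectAltName (browsers match the name against the SAN, not the CN), uses a 2048-bit key and SHA-256 instead of the 1024-bit key above, and ends with the check that the key actually belongs to the certificate. It assumes only that the openssl command-line tool is installed; the function names are ours.

```shell
#!/bin/sh
# Added example, not from the original post: generate the same kind of
# self-signed certificate for www.jroa.com without interactive prompts.
# Assumes the openssl command-line tool is installed; helper names are ours.
set -eu

# gen_selfsigned DIR HOST
# Writes DIR/jroa_nopass.key (unencrypted, like the post's jroa_nopass.key, so
# nginx starts without a pass-phrase prompt) and DIR/jroa.crt in one step.
gen_selfsigned() {
    dir=$1
    host=$2
    mkdir -p "$dir"
    # Subject and extensions come from a config file instead of prompts.
    # The subjectAltName matters: browsers ignore the CN for name matching,
    # so a self-signed cert without a SAN fails even after it is trusted.
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = ext
prompt             = no

[dn]
C  = CN
ST = FJ
L  = XM
O  = jroa
OU = Tech
CN = $host

[ext]
subjectAltName   = DNS:$host
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # -nodes leaves the key unencrypted; 2048-bit RSA and SHA-256 replace the
    # 1024-bit key and the old default digest used in the post.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$dir/jroa_nopass.key" -out "$dir/jroa.crt" \
        -config "$dir/openssl.cnf" 2>/dev/null
    chmod 600 "$dir/jroa_nopass.key"   # unencrypted key: file permissions are its only protection
}

# cert_cn DIR: print the CN of DIR/jroa.crt (handles old and new subject formats)
cert_cn() {
    openssl x509 -in "$1/jroa.crt" -noout -subject | sed 's/.*CN *= *//'
}

# cert_has_san DIR HOST: succeed if DIR/jroa.crt carries DNS:HOST in its SAN
cert_has_san() {
    openssl x509 -in "$1/jroa.crt" -noout -text | grep -q "DNS:$2"
}

# key_matches_cert DIR: succeed if the private key and certificate share a
# modulus; run this before pointing ssl_certificate_key at a key file
key_matches_cert() {
    c=$(openssl x509 -in "$1/jroa.crt" -noout -modulus)
    k=$(openssl rsa -in "$1/jroa_nopass.key" -noout -modulus 2>/dev/null)
    [ "$c" = "$k" ]
}

# Stand-alone use: sh gen_cert.sh /usr/local/nginx/conf/ssl
if [ -n "${1:-}" ]; then
    gen_selfsigned "$1" www.jroa.com
    echo "CN: $(cert_cn "$1")"
    key_matches_cert "$1" && echo "key and certificate match"
fi
```

Run it with the target directory as the only argument (for example the conf/ssl directory the post refers to); it prints the CN it issued and confirms that the key and certificate belong together. Because the key is written unencrypted, the chmod 600 is what stands in for the pass phrase.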
2. Make sure Nginx was built with --with-http_ssl_module
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.8.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_ssl_module
[[email protected] vhost]#
3. Configure Nginx:
[[email protected] conf]# cat nginx.conf
user www www;
#user nobody;
worker_processes 1;
pid logs/nginx.pid;
error_log logs/error.log notice;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    include /usr/local/nginx/conf/vhost/*.conf;    \\ we normally define the server blocks under vhost
}
[[email protected] conf]# cd vhost/
[[email protected] vhost]# cat www.jroa.com.conf
server {
    listen 80;
    server_name www.jroa.com;
    access_log /data/site/www.jroa.com/www.jroa.com.access.log;
    index index.php index.html index.html;
    root /data/site/www.jroa.com;
    location ~ .*\.(php)?$ {
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }
    location / {
        index index.html index.htm index.php;
        if ( !-e $request_filename){
            rewrite ^/(.*)$ /index.php?s=$1 last;
            break;
        }
    }
}
server {
    listen 443;
    server_name www.jroa.com;
    access_log /data/site/www.jroa.com/www.jroa.com1.access.log;
    index index.php index.html index.html;
    root /data/site/www.jroa.com;
    if ($host != 'www.jroa.com' ) {
        rewrite ^/(.*)$ http://www.jroa.com/$1 permanent;
    }
    ssl on;
    ssl_certificate ssl/jroa.crt;    \\ create an ssl directory under conf
    ssl_certificate_key ssl/jroa.key;    \\ also in conf/ssl; use jroa_nopass.key here instead and nginx starts without asking for a pass phrase
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1;
    #ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_ciphers HIGH:!aNULL:!MD5:!EXPORT56:!EXP;
    ssl_prefer_server_ciphers on;
    location ~ .*\.(php)?$ {
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }
    location / {
        index index.html index.htm index.php;
        if ( !-e $request_filename){
            rewrite ^/(.*)$ /index.php?s=$1 last;
            break;
        }
    }
}
[[email protected] vhost]# /usr/local/nginx/sbin/nginx -t
Enter PEM pass phrase:
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[[email protected] vhost]# /usr/local/nginx/sbin/nginx
Enter PEM pass phrase:
[[email protected] vhost]# netstat -tunlp| grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 8837/nginx
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 8837/nginx
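The TLS lines in that vhost are the ones worth reviewing before the site goes live: ssl_protocols SSLv3 TLSv1 offers SSLv3 and TLS 1.0, and ssl on has since been superseded by listen 443 ssl. The script below is an added example, not from the original post: it writes two trimmed vhost fragments, one with the post's TLS settings and a constructed hardened replacement, and runs a small awk audit over each that reports weak protocol versions, the old ssl on directive, and a missing ssl_protocols line. The hardened fragment assumes a current nginx and OpenSSL (TLSv1.3 needs nginx 1.13 or later on OpenSSL 1.1.1 or later, newer than the 1.8.0 / 1.0.1e shown above); the helper names and the sample files are ours.

```shell
#!/bin/sh
# Added example, not from the original post: a small audit of the TLS
# directives in an nginx vhost, run over the post's settings and over a
# constructed hardened variant. Needs only POSIX sh and awk. The hardened
# block assumes a current nginx/OpenSSL (TLSv1.3 needs nginx 1.13+ on
# OpenSSL 1.1.1+, newer than the 1.8.0 / 1.0.1e shown in the post).
set -eu

# write_sample_configs DIR: create DIR/weak.conf (the post's TLS settings)
# and DIR/hardened.conf (constructed replacement), both trimmed to TLS lines.
write_sample_configs() {
    mkdir -p "$1"
    cat > "$1/weak.conf" <<'EOF'
server {
    listen 443;
    server_name www.jroa.com;
    ssl on;
    ssl_certificate ssl/jroa.crt;
    ssl_certificate_key ssl/jroa.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1;
    #ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_ciphers HIGH:!aNULL:!MD5:!EXPORT56:!EXP;
    ssl_prefer_server_ciphers on;
}
EOF
    cat > "$1/hardened.conf" <<'EOF'
server {
    listen 80;
    server_name www.jroa.com;
    return 301 https://$host$request_uri;    # send plain HTTP to HTTPS instead of serving both
}
server {
    listen 443 ssl;                          # replaces the old "ssl on;"
    server_name www.jroa.com;
    ssl_certificate ssl/jroa.crt;
    ssl_certificate_key ssl/jroa_nopass.key; # unencrypted key: nginx starts without a prompt
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;           # SSLv3 and TLS 1.0 are no longer offered
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
EOF
}

# audit_tls_config FILE: print one finding per line for the TLS directives
# in FILE; prints nothing when none of the checks fire.
audit_tls_config() {
    awk '
    { sub(/#.*/, ""); gsub(/;/, " ") }      # drop comments, split off the terminator
    $1 == "ssl_protocols" {
        seen = 1
        for (i = 2; i <= NF; i++)
            if ($i == "SSLv2" || $i == "SSLv3" || $i == "TLSv1" || $i == "TLSv1.1")
                print "weak protocol enabled: " $i
    }
    $1 == "ssl" && $2 == "on" {
        print "deprecated \"ssl on\": use \"listen 443 ssl\" instead"
    }
    END { if (!seen) print "ssl_protocols not set: server relies on nginx defaults" }
    ' "$1"
}

# tls_finding_count FILE: number of findings, as a plain integer
tls_finding_count() {
    audit_tls_config "$1" | wc -l | tr -d ' '
}

# Stand-alone use: sh audit_tls.sh [nginx-vhost.conf]
if [ -n "${1:-}" ]; then
    audit_tls_config "$1"
else
    tmp=$(mktemp -d)
    write_sample_configs "$tmp"
    for f in weak hardened; do
        echo "== $f.conf: $(tls_finding_count "$tmp/$f.conf") finding(s)"
        audit_tls_config "$tmp/$f.conf"
    done
    rm -rf "$tmp"
fi
```

Run without arguments it audits the two sample files (the post's settings yield three findings, the hardened block none); pass a path to audit a real vhost file. It is a line-oriented check, so it does not follow include directives and only sees what is in the file it is given.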
Now let's open the site: browsers do not recognise a self-signed certificate, and some will show a security warning! Note that you have to configure the browser accordingly, otherwise the site cannot be reached.
Time: 2024-08-07 12:22:43