Setting up HTTPS on Nginx:
1. Generate a certificate
[iyunv@jroa CA]# openssl genrsa -des3 -out jroa.key 1024        # create an RSA private key (1024 bits is below the 2048-bit minimum public CAs have required since 2014; use 2048 or more)
Generating RSA private key, 1024 bit long modulus
...............++++++
..................................++++++
e is 65537 (0x10001)
Enter pass phrase for jroa.key:                                   # prompted for a passphrase
Verifying - Enter pass phrase for jroa.key:                       # enter it again
[iyunv@jroa CA]# openssl rsa -in jroa.key -out jroa_nopass.key    # write a copy of the key without the passphrase, so nginx can start unattended
Enter pass phrase for jroa.key:                                   # enter the passphrase from above
writing RSA key                                                   # key written
[iyunv@jroa CA]# openssl req -new -key jroa_nopass.key -out jroa.csr   # create a certificate signing request (CSR)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                              # country code
State or Province Name (full name) []:FJ                          # province
Locality Name (eg, city) [Default City]:XM                        # city
Organization Name (eg, company) [Default Company Ltd]:jroa        # company name
Organizational Unit Name (eg, section) []:Tech                    # department
Common Name (eg, your name or your server's hostname) []:www.jroa.com   # the important one: the site's hostname (note that Chrome 58+ ignores the CN and matches only subjectAltName, which this CSR does not carry)
Email Address []:admin@jroa.com                                   # e-mail
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                                          # just press Enter
An optional company name []:                                      # just press Enter
[iyunv@jroa CA]# openssl x509 -req -days 365 -in jroa.csr -signkey jroa.key -out jroa.crt   # self-sign the certificate
Signature ok
subject=/C=CN/ST=FJ/L=XM/O=jroa/OU=Tech/CN=www.jroa.com/emailAddress=admin@jroa.com
Getting Private key
Enter pass phrase for jroa.key:                                   # passphrase of the RSA key created above
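The same procedure as an added, scripted example (this is not the page's own command sequence): it generates a 2048-bit key, a CSR that carries a subjectAltName, and a self-signed certificate, then checks the result the way you would before copying it into nginx's conf/ssl directory. The hostname www.jroa.com and the DN fields are taken from the page; the output directory, file names and the check_cert helper are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): generate a self-signed server
# certificate that current browsers can evaluate (2048-bit RSA, subjectAltName),
# then check it before handing it to nginx. The hostname www.jroa.com and the
# DN fields come from the page; output directory and file names are assumptions.

# gen_selfsigned <outdir> <hostname> [days]
gen_selfsigned() {
    outdir=$1; host=$2; days=${3:-365}
    mkdir -p "$outdir" || return 1
    cfg=$outdir/openssl.cnf
    # Minimal request config. Chrome (58+) matches the URL host only against
    # subjectAltName, so a CN-only certificate like the page's is rejected there.
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C  = CN
ST = FJ
L  = XM
O  = jroa
OU = Tech
CN = $host
[v3_req]
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # Unencrypted key (like jroa_nopass.key on the page) so nginx starts unattended;
    # the umask keeps the file 0600 instead of relying on a passphrase.
    (umask 077 && openssl genrsa -out "$outdir/$host.key" 2048 2>/dev/null) || return 1
    openssl req -new -key "$outdir/$host.key" -out "$outdir/$host.csr" \
        -config "$cfg" -reqexts v3_req || return 1
    # Self-sign. "x509 -req" drops request extensions, so the SAN has to be
    # supplied again via -extfile/-extensions or it never reaches the certificate.
    openssl x509 -req -days "$days" -sha256 -in "$outdir/$host.csr" \
        -signkey "$outdir/$host.key" -out "$outdir/$host.crt" \
        -extfile "$cfg" -extensions v3_req 2>/dev/null || return 1
}

# check_cert <crt> <key> <hostname>: prints "ok" and returns 0 when the
# certificate is valid now, matches the key, names the host and is >= 2048 bits.
check_cert() {
    crt=$1; key=$2; host=$3
    # Validity window: -checkend 0 fails once the certificate has expired.
    openssl x509 -checkend 0 -in "$crt" >/dev/null || { echo "expired"; return 1; }
    # Key/cert pairing: the moduli must be identical or nginx refuses to start.
    cm=$(openssl x509 -noout -modulus -in "$crt") || return 1
    km=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 1
    [ "$cm" = "$km" ] || { echo "key does not match cert"; return 1; }
    text=$(openssl x509 -noout -text -in "$crt") || return 1
    # Hostname binding: browsers look at the SAN, not the CN.
    printf '%s\n' "$text" | grep -q "DNS:$host" || { echo "missing subjectAltName for $host"; return 1; }
    # Key size: the page's 1024-bit key is below the 2048-bit public-CA minimum.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "key too small: ${bits:-?} bits"; return 1; }
    echo ok
}

# Demo run in a constructed temporary directory.
DEMO_DIR=${DEMO_DIR:-$(mktemp -d)}
gen_selfsigned "$DEMO_DIR" www.jroa.com 365 \
    && check_cert "$DEMO_DIR/www.jroa.com.crt" "$DEMO_DIR/www.jroa.com.key" www.jroa.com
```

Copy the resulting www.jroa.com.crt and www.jroa.com.key into conf/ssl and point ssl_certificate and ssl_certificate_key at them; check_cert also rejects a certificate paired with the wrong key and a CN-only certificate without a SAN, which are the two things that most often go wrong when the files are generated by hand.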
2. Nginx must be built with --with-http_ssl_module
[iyunv@jroa vhost]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.8.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_ssl_module
[iyunv@jroa vhost]#
3. Configure Nginx:
[iyunv@jroa conf]# cat nginx.conf
user www www;
#user nobody;
worker_processes 1;
pid logs/nginx.pid;
error_log logs/error.log notice;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    include /usr/local/nginx/conf/vhost/*.conf;   # server blocks are normally defined under vhost/
}
[iyunv@jroa conf]# cd vhost/
[iyunv@jroa vhost]# cat www.jroa.com.conf
server {
    listen 80;
    server_name www.jroa.com;
    access_log /data/site/www.jroa.com/www.jroa.com.access.log;
    index index.php index.html index.htm;
    root /data/site/www.jroa.com;
    # Only URIs ending in .php reach PHP-FPM. The original pattern ".*\.(php)?$"
    # made the extension optional, so a URI such as "/foo." matched as well.
    location ~ \.php$ {
        try_files $uri =404;   # never hand a nonexistent script path to PHP-FPM
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }
    location / {
        index index.html index.htm index.php;
        if ( !-e $request_filename ) {
            rewrite ^/(.*)$ /index.php?s=$1 last;
        }
    }
}
server {
    listen 443 ssl;   # enables TLS on this listener; "ssl on;" is the deprecated form
    server_name www.jroa.com;
    access_log /data/site/www.jroa.com/www.jroa.com1.access.log;
    index index.php index.html index.htm;
    root /data/site/www.jroa.com;
    # Send other Host values to the canonical name. The original redirected to
    # http://, which silently dropped the client back to plaintext.
    if ($host != 'www.jroa.com') {
        return 301 https://www.jroa.com$request_uri;
    }
    ssl_certificate ssl/jroa.crt;          # create an ssl/ directory under conf/ for these files
    ssl_certificate_key ssl/jroa.key;      # with jroa_nopass.key here, startup does not prompt for the passphrase
    ssl_session_cache shared:SSL:10m;      # without a cache, ssl_session_timeout has nothing to apply to
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;                 # SSLv3 (POODLE) removed; TLSv1/1.1 are deprecated (RFC 8996); OpenSSL 1.0.1 supports TLS 1.2
    ssl_ciphers HIGH:!aNULL:!MD5:!3DES:!EXPORT56:!EXP;
    ssl_prefer_server_ciphers on;
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }
    location / {
        index index.html index.htm index.php;
        if ( !-e $request_filename ) {
            rewrite ^/(.*)$ /index.php?s=$1 last;
        }
    }
}
[iyunv@jroa vhost]# /usr/local/nginx/sbin/nginx -t
Enter PEM pass phrase:
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[iyunv@jroa vhost]# /usr/local/nginx/sbin/nginx
Enter PEM pass phrase:
[iyunv@jroa vhost]# netstat -tunlp| grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 8837/nginx
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 8837/nginx
Now open the site in a browser: a self-signed certificate is not trusted by any browser, and most will show a security warning. You have to add an exception in the browser, otherwise the page will not load.
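Because `nginx -t` only checks syntax, it happily accepts the weak settings in the original 443 server block (SSLv3, an https-to-http redirect, a session timeout with no cache). The following added example, which is not part of the page, is a small pre-deploy audit for exactly those directives, run over two constructed sample vhosts: the page's original TLS server and a corrected one. The audit_nginx_tls and write_sample_confs names, the sample files and the HSTS header in the corrected config are assumptions of this example; only the directives discussed on this page are checked.

```shell
#!/bin/sh
# Added example (not from the original page): audit an nginx vhost for the TLS
# mistakes discussed above. Sample configs below are constructed for the demo.

# audit_nginx_tls <vhost.conf>: prints one finding per line, returns 1 if any.
audit_nginx_tls() {
    findings=$(sed 's/#.*$//' "$1" | awk '
    # brace bookkeeping so per-server checks run when a server block closes
    { l = $0; opens = gsub(/[{]/, "{", l); closes = gsub(/[}]/, "}", l) }
    /^[ \t]*server[ \t]*[{]/ { in_srv = 1; tls = 0; has_ssl = 0; hsts = 0
                               srv_depth = depth + opens - closes }
    /^[ \t]*listen[ \t]+[^;]*443/ { tls = 1; if ($0 ~ /[ \t]ssl([ \t]|;)/) has_ssl = 1 }
    /^[ \t]*ssl[ \t]+on[ \t]*;/ { has_ssl = 1
        print "WARN: \"ssl on;\" is deprecated, use \"listen 443 ssl;\"" }
    /^[ \t]*ssl_protocols[^;]*SSLv[23]/ {
        print "FAIL: ssl_protocols enables SSLv2/SSLv3 (POODLE); use TLSv1.2 or newer" }
    /^[ \t]*ssl_ciphers[^;]*[+: "](RC4|EXP|LOW|aNULL|eNULL|DES|MD5)/ {
        print "FAIL: ssl_ciphers enables weak suites (RC4/EXPORT/LOW/NULL/DES/MD5)" }
    tls && /^[ \t]*(rewrite|return)[^;]*http:\/\// {
        print "FAIL: TLS server redirects to plain http://, downgrading the client" }
    /^[ \t]*ssl_session_timeout/ { timeout = 1 }
    /^[ \t]*ssl_session_cache/   { cache = 1 }
    /Strict-Transport-Security/  { hsts = 1 }
    { depth += opens - closes
      if (in_srv && depth < srv_depth) {
          if (tls && !has_ssl) print "FAIL: listen 443 without ssl: nginx would speak plain HTTP on the HTTPS port"
          if (tls && !hsts)    print "WARN: no Strict-Transport-Security header on the TLS server"
          in_srv = 0 } }
    END { if (timeout && !cache)
              print "WARN: ssl_session_timeout is set but ssl_session_cache is off, so no session is ever resumed" }
    ')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# write_sample_confs <dir>: constructed samples, weak.conf mirrors the page's 443 server.
write_sample_confs() {
    cat > "$1/weak.conf" <<'EOF'
server {
    listen 443;
    server_name www.jroa.com;
    if ($host != 'www.jroa.com' )
    {
        rewrite ^/(.*)$ http://www.jroa.com/$1 permanent;
    }
    ssl on;
    ssl_certificate ssl/jroa.crt;
    ssl_certificate_key ssl/jroa.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1;
    #ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_ciphers HIGH:!aNULL:!MD5:!EXPORT56:!EXP;
    ssl_prefer_server_ciphers on;
}
EOF
    cat > "$1/fixed.conf" <<'EOF'
server {
    listen 80;
    server_name www.jroa.com;
    return 301 https://www.jroa.com$request_uri;
}
server {
    listen 443 ssl;
    server_name www.jroa.com;
    ssl_certificate ssl/jroa.crt;
    ssl_certificate_key ssl/jroa_nopass.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5:!3DES:!EXPORT56:!EXP;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000" always;
    root /data/site/www.jroa.com;
}
EOF
}

# Demo: audit both samples from a temporary directory.
DEMO=${DEMO:-$(mktemp -d)}
write_sample_confs "$DEMO"
for f in weak.conf fixed.conf; do
    echo "== $f"
    if audit_nginx_tls "$DEMO/$f"; then echo "clean"; else echo "needs fixing"; fi
done
```

Run it against your real vhost file before `nginx -t`; a non-zero exit means at least one finding, so it drops into a deploy pipeline as a gate. The comment stripping matters: the page's commented-out cipher line still contains RC4 and SSLv2, and without it the audit would flag text nginx never reads.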