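# Install the build dependencies (compiler plus OpenSSL, PCRE and zlib headers).
yum -y install openssl openssl-devel pcre pcre-devel gcc zlib zlib-devel
# Before unpacking, check the tarball against the PGP signature published for
# this release, so a tampered download is never compiled and installed.
# Unpack next to the tarball: without -C the tree lands in the current
# directory and the cd below fails.
tar zxvf /usr/local/nginx/nginx-1.18.0.tar.gz -C /usr/local/nginx
# Method 1: replace the existing installation with a fresh build.
# Enter the source tree; stop if it is missing so ./configure and make never
# run in an unrelated directory.
cd /usr/local/nginx/nginx-1.18.0 || exit 1
# Create the unprivileged account (no login shell) that --user/--group below
# select for the worker processes. Skipped when it already exists.
getent group nginx >/dev/null || groupadd nginx
id -u nginx >/dev/null 2>&1 || useradd -g nginx -s /sbin/nologin nginx
./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module || exit 1
# Do not install the result of a failed build.
make || exit 1
make install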
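# Method 2: keep the existing installation and only swap in a rebuilt binary.
# Stop Nginx.
/usr/local/nginx/sbin/nginx -s stop
# Print the configure arguments the installed binary was built with; copy
# them so the rebuild keeps every module that is already in use.
/usr/local/nginx/sbin/nginx -V
# configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_gzip_static_module ...
# Enter the nginx-1.16.1 source tree.
# NOTE(review): method 1 on this page builds nginx-1.18.0; presumably this is
# the tree the installed binary came from. Confirm against the version that
# nginx -V printed.
cd /usr/local/nginx-1.16.1 || exit 1
# Re-run configure with the previous arguments plus the SSL modules.
./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module || exit 1
# Compile only (no "make install"). Abort on failure so a stale or missing
# objs/nginx is never copied over the working binary.
make || exit 1
# Back up the current binary; do not overwrite it unless the backup succeeded.
cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx-bak || exit 1
# Replace the binary with the rebuilt one.
cp /usr/local/nginx-1.16.1/objs/nginx /usr/local/nginx/sbin/nginx
# Check that the new binary can parse the existing configuration before it
# is started; nginx-bak is the rollback if it cannot.
/usr/local/nginx/sbin/nginx -t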
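# Create the directory that holds the certificate and key. It is restricted
# to its owner because it will contain an unencrypted private key.
mkdir -p /usr/local/nginx/ssl_key
chmod 700 /usr/local/nginx/ssl_key
cd /usr/local/nginx/ssl_key || exit 1
# Generate the server private key; the command prompts for a passphrase.
# 2048 bits instead of 1024: 1024-bit RSA is no longer considered adequate
# and current TLS clients and libraries reject certificates built on it.
# The key file is encrypted with AES-256 instead of 3DES.
openssl genrsa -aes256 -out server.key 2048
# Write a passphrase-free copy of the key. The nginx configuration on this
# page points at server-nopassword.key, and nginx cannot start unattended
# with an encrypted key, so this step is needed, not optional.
openssl rsa -in server.key -out server-nopassword.key
# Only the owner may read the private keys.
chmod 600 server.key server-nopassword.key
# Create the certificate signing request (CSR). The Common Name entered at
# the prompt should be the host name or IP that clients will connect to.
openssl req -new -key server.key -out server.csr
# Self-sign the CSR with the private key, valid for 365 days. -sha256 pins
# the signature digest instead of relying on the OpenSSL build's default.
# A self-signed certificate triggers a browser trust warning; use a
# CA-issued certificate for anything beyond testing or internal use.
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
# Issue the certificate file name that the nginx configuration references.
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server-nopassword.key -out server-nopassword.crt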
配置 Nginx
# Edit the nginx configuration file to enable SSL and point it at the
# certificate and private key. (If keepalived is configured, replace the
# local IP in the 80 -> 443 redirect below with the VIP.)
# Plain-HTTP listener: permanently redirects every request to HTTPS.
server {
listen 80;
server_name localhost;
# The redirect target is a fixed address, so it must match the address
# clients actually use (and the name in the certificate).
rewrite ^/(.*)$ https://192.168.31.220:443/$1 permanent;
}
# HTTPS listener.
server {
#listen 80;
server_name localhost;
listen 443 ssl;
# NOTE(review): there is no ssl_protocols directive, so the release default
# applies; on nginx 1.16/1.18 that default still enables TLSv1 and TLSv1.1.
# Consider adding "ssl_protocols TLSv1.2 TLSv1.3;".
# nginx needs the passphrase-free key to start unattended. Make sure
# server-nopassword.crt and server-nopassword.key were actually generated,
# and keep the key readable by root only.
ssl_certificate /usr/local/nginx/ssl_key/server-nopassword.crt;
ssl_certificate_key /usr/local/nginx/ssl_key/server-nopassword.key;
#rewrite ^(.*)$ https://$host$1 permanent;
#...}
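# Open TCP port 443 in the firewall (permanent rule, public zone).
# The trailing notes were written as "//...", which the shell passes to
# firewall-cmd as an extra argument; they are "#" comments now.
firewall-cmd --zone=public --add-port=443/tcp --permanent  # open the port
firewall-cmd --reload  # reload firewalld so the permanent rule takes effect
# NOTE(review): the HTTP -> HTTPS redirect only works if port 80 is also
# reachable; this page does not open it. Confirm it is already allowed.
# Browse to https://<ip>; the page shown below indicates success. With the
# self-signed certificate the browser shows a trust warning first.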