nginx HTTPS configuration (tested and working)

Before HTTPS can be configured a certificate is needed; this post uses a self-signed CA certificate:

1. Create the self-signed CA certificate, signed with SHA-256 and using a 2048-bit RSA public key.

```shell
openssl req -sha256 -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -config ca-openssl.cnf -days 730 -extensions v3_req
```

Example ca-openssl.cnf:

```ini
[req]
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[req_distinguished_name]
countryName                 = CN (2 letter code)
countryName_default         = AU
stateOrProvinceName         = ZheJiang (full name)
stateOrProvinceName_default = Some-State
organizationName            = companyName (eg, company)
organizationName_default    = Internet Widgits Pty Ltd
commonName                  = api.companyName.com (eg, YOUR name)
commonName_default          = ca

[v3_req]
basicConstraints = CA:true
keyUsage = critical, keyCertSign
```

2. Create the server certificate from the CA certificate, again signed with SHA-256 and using a 2048-bit RSA public key.

```shell
openssl genrsa -out server.key.rsa 2048
openssl pkcs8 -topk8 -in server.key.rsa -out server.key -nocrypt
rm server.key.rsa
openssl req -new -sha256 -key server.key -out server.csr -config server-openssl.cnf
```

The -sha256 here is overridden by the default_md setting in server-openssl.cnf.

In addition, create index.txt in the current directory, and create and initialize the serial file:

```shell
touch index.txt
touch serial
echo 00 > serial
```

Example server-openssl.cnf:

```ini
[req]
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[req_distinguished_name]
countryName                 = CN (2 letter code)
countryName_default         = CN
stateOrProvinceName         = ZheJiang (full name)
stateOrProvinceName_default = ZheJiang
localityName                = HangZhou (eg, city)
localityName_default        = HangZhou
organizationName            = companyName (eg, company)
organizationName_default    = companyName
commonName                  = api.companyName.com (eg, YOUR name)
commonName_max              = 64

####################################################################
[ ca ]
default_ca = CA_default               # The default ca section

####################################################################
[ CA_default ]
dir             = .                   # Where everything is kept
certs           = $dir                # Where the issued certs are kept
crl_dir         = $dir                # Where the issued crl are kept
database        = $dir/index.txt      # database index file.
#unique_subject = no                  # Set to 'no' to allow creation of
                                      # several certificates with same subject.
new_certs_dir   = $dir                # default place for new certs.
certificate     = $dir/ca.pem         # The CA certificate
serial          = $dir/serial         # The current serial number
crlnumber       = $dir/crlnumber      # the current crl number
                                      # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem        # The current CRL
private_key     = $dir/private/cakey.pem  # The private key (overridden by -keyfile ca.key below)
RANDFILE        = $dir/private/.rand  # private random number file
x509_extensions = usr_cert            # The extensions to add to the cert
                                      # (overridden by -extensions v3_req below)

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default                 # Subject Name options
cert_opt = ca_default                 # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext

default_days    = 730                 # how long to certify for
default_crl_days= 30                  # how long before next CRL
default_md      = sha256              # use public key default MD
preserve        = no                  # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.companyName.com
DNS.2 = localhost
IP.1 = "125.36.75.163"
IP.2 = "125.46.72.154"
IP.3 = "127.0.0.1"
```

View the CSR:

```shell
openssl req -noout -text -in server.csr
```

Generate the server certificate:

```shell
openssl ca -in server.csr -out server.pem -keyfile ca.key -cert ca.pem -verbose -config server-openssl.cnf -days 730 -extensions v3_req -updatedb
```

Convert to plain PEM (openssl ca writes a text dump in front of the PEM body):

```shell
# Write to a temporary file first: with -in and -out naming the same file,
# newer OpenSSL versions can truncate the input before it has been read.
openssl x509 -in server.pem -out server.pem.tmp -outform PEM && mv server.pem.tmp server.pem
```

View the certificate:

```shell
openssl x509 -in server.pem -inform pem -noout -text
```

Verify the certificate against the CA:

```shell
openssl verify -CAfile ca.pem server.pem
```
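As an added example (not part of the original post), a small Python lint for the [alt_names] section of server-openssl.cnf: it parses OpenSSL's config syntax, keeps duplicate keys such as a repeated IP.2, strips the optional double quotes OpenSSL allows around values, and checks that IP entries parse and that the DNS.n / IP.n numbering is contiguous. The sample config text is constructed from the section above.

```python
import ipaddress
import re

# Constructed sample: the [alt_names] section of server-openssl.cnf with a duplicated "IP.2" key.
SAMPLE_CNF = """\
[alt_names]
DNS.1 = *.companyName.com
DNS.2 = localhost
IP.1 = "125.36.75.163"
IP.2 = "125.46.72.154"
IP.2 = "127.0.0.1"
"""


def parse_section(text, section):
    """(key, value) pairs of one section; duplicates kept, '#' comments and OpenSSL's optional quotes dropped."""
    pairs, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[\s*(\w+)\s*\]$", line)
        if header:
            current = header.group(1)
        elif current == section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            pairs.append((key, value.strip('"')))
    return pairs


def lint_alt_names(text):
    """Report duplicate keys, unparsable IPs, wildcard DNS names and numbering gaps in [alt_names]."""
    findings, seen = [], set()
    for key, value in parse_section(text, "alt_names"):
        kind = key.partition(".")[0]
        if key in seen:
            findings.append(f"duplicate key {key} = {value}")
        seen.add(key)
        if kind == "IP":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                findings.append(f"{key}: not an IP address: {value}")
        elif kind == "DNS" and value.startswith("*."):
            findings.append(f"{key}: wildcard {value} is valid for every host in that domain")
    for kind in ("DNS", "IP"):
        nums = sorted(int(k.partition(".")[2]) for k in seen if k.startswith(kind + "."))
        if nums != list(range(1, len(nums) + 1)):
            findings.append(f"{kind}.n numbering is not contiguous: {nums}")
    return findings
```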

3. Configure HTTPS in nginx

Because the CA is self-built, its certificate has to be added to the browser's trust store; otherwise the browser will show the site as an insecure connection.

nginx.conf:

```nginx
#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    gzip  on;

    # Port 80: redirect every request to HTTPS.
    server {
        listen 80;
        server_name  m.domain.com;

        location / {
            rewrite ^ https://$host:443$request_uri? permanent;
        }
    }

    server {
        listen       443 ssl;
        server_name  m.domain.com;

        access_log   /home/logs/access.log;
        error_log    /home/logs/error.log;

        if ($host = "m.domain.com") {
            rewrite ^/$ /appname/index.shtml;
        }

        location ^~ /assets/ {
            root /home/apps/appname/;
        }

        location ~* ^.+\.(gif|jpg|png|jpeg|js|ico|css|svg)$ {
            root /home/apps/appname/assets/;
        }

        location / {
            proxy_buffering off;
            client_max_body_size    20m;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Scheme $scheme;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   Host $http_host;
            proxy_pass http://127.0.0.1:8080;
        }

        # nginx does not expand "~": use the absolute path of the directory
        # that holds server.pem and server.key.
        ssl_certificate     ~/sshsert/server.pem;
        ssl_certificate_key  ~/sshsert/server.key;
        ssl_session_cache    shared:SSL:10m;
        ssl_session_timeout  50m;
        ssl_prefer_server_ciphers  on;
        # SSLv3 is broken (POODLE) and TLSv1/TLSv1.1 are deprecated (RFC 8996);
        # in production keep only TLSv1.2 (plus TLSv1.3 where the build supports it).
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        # This cipher string re-enables RC4, LOW and export-grade suites;
        # a restrictive list such as HIGH:!aNULL:!MD5 is the safer choice.
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    }
}
```
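As an added example (not the post's own code), a Python audit of the ssl_* directives in the server block above: it flags protocol versions that are broken or deprecated, cipher-string elements that re-enable weak suites, and certificate paths beginning with "~" that nginx will not expand. The sample config is constructed from the 443 server block above.

```python
# Constructed sample: the TLS directives of the 443 server block above.
SAMPLE_NGINX = """
server {
    listen       443 ssl;
    ssl_certificate     ~/sshsert/server.pem;
    ssl_certificate_key  ~/sshsert/server.key;
    ssl_prefer_server_ciphers  on;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
}
"""

# Broken (SSLv2/SSLv3) or deprecated (TLS 1.0/1.1, RFC 8996) protocol versions.
BAD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-string tokens that admit weak, export-grade or unauthenticated suites.
BAD_CIPHER_TOKENS = {"RC4", "LOW", "EXP", "EXPORT", "SSLv2", "NULL", "aNULL", "eNULL", "MD5", "DES", "3DES"}


def directives(text):
    """Yield (name, args) for each 'name args;' line, skipping braces and comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line or line.endswith("{") or line == "}":
            continue
        name, *args = line.split()
        yield name, args


def audit_tls(text):
    """Return human-readable findings for the ssl_* directives of an nginx config."""
    findings = []
    for name, args in directives(text):
        if name == "ssl_protocols":
            findings += [f"ssl_protocols enables {p}" for p in args if p in BAD_PROTOCOLS]
        elif name == "ssl_ciphers":
            # Elements are ':'-separated. A leading '!' forbids the suites permanently;
            # '-' only removes them until re-added and '+' merely moves them to the end,
            # so "+LOW" leaves LOW enabled.
            for elem in args[0].strip("'\"").split(":"):
                tokens = elem.lstrip("!-+").split("+")
                if not elem.startswith("!") and any(t in BAD_CIPHER_TOKENS for t in tokens):
                    findings.append(f"ssl_ciphers admits weak suites via {elem}")
        elif name in ("ssl_certificate", "ssl_certificate_key") and args[0].startswith("~"):
            findings.append(f"{name}: nginx does not expand '~' in {args[0]}")
    return findings
```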

Additional notes:

Reference for the nginx configuration:

https://segmentfault.com/a/1190000002866627

List of signature (digest) algorithms:

```
-md4            to use the md4 message digest algorithm            // use md4 as the digest algorithm
-md5            to use the md5 message digest algorithm            // use md5 as the digest algorithm
-ripemd160      to use the ripemd160 message digest algorithm      // use ripemd160 as the digest algorithm
-sha            to use the sha message digest algorithm            // use sha as the digest algorithm
-sha1           to use the sha1 message digest algorithm           // use sha1 as the digest algorithm
-sha224         to use the sha224 message digest algorithm         // use sha224 as the digest algorithm
-sha256         to use the sha256 message digest algorithm         // use sha256 as the digest algorithm
-sha384         to use the sha384 message digest algorithm         // use sha384 as the digest algorithm
-sha512         to use the sha512 message digest algorithm         // use sha512 as the digest algorithm
-whirlpool      to use the whirlpool message digest algorithm      // use whirlpool as the digest algorithm
```

On TLS versions:

https://www.openssl.org/

Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]:

• Support TLS v1.2 and TLS v1.1.

Author: java达人 (ID: java_daren)
