Check the environment
First make sure that openssl and openssl-devel are installed on the machine:
# rpm -qa | grep openssl
# yum install openssl
# yum install openssl-devel
Confirm that nginx was built with the SSL module, using the following command:
/opt/nginx/sbin/nginx -V
Check whether the output contains --with-http_ssl_module; if it does not, nginx has to be reconfigured with that option and reinstalled.
Create the certificate
Change to the nginx conf directory and create the server private key:
# cd /opt/nginx/conf
# openssl genrsa -des3 -out cert.key 2048
Then create the certificate signing request from that key:
# openssl req -new -key cert.key -out cert.csr
It prompts as follows:
Enter pass phrase for cert.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:demo
Organizational Unit Name (eg, section) []:localhost
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:demo@abc.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The values after the colons are what we have to fill in; I left the last two blank. Fields with empty square brackets appear to be optional.
Create the decrypted private key
The key generated above is protected by a passphrase, which nginx would have to ask for on every start. First copy cert.key to cert.key.org, then write a passphrase-free version back to cert.key:
# cp cert.key cert.key.org
# openssl rsa -in cert.key.org -out cert.key
Finally, generate the certificate from cert.csr and cert.key (the command below writes it to server.crt):
# openssl x509 -req -days 365 -in cert.csr -signkey cert.key -out server.crt
Configure nginx
SSL must be switched on in a server block, and the locations of the server certificate and key files must be specified. Open conf/nginx.conf and add an https server block below the existing http server block:
server
{
    listen 443;
    server_name localhost;
    index index.html index.htm index.php;
    root /home/wwwroot/default;
    include enable-php.conf;
    ssl on;
    ssl_certificate /usr/local/nginx/conf/server.crt;
    ssl_certificate_key /usr/local/nginx/conf/server_nopwd.key;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
Restart nginx now and every page of the site can be reached over https.
To have only the login page logging.php served over https, add the following to the https server block:
if ($uri !~* "/logging.php$")
{
    rewrite ^/(.*)$ http://$host/$1 redirect;
}
And add the following to the http server block:
if ($uri ~* "/logging.php$")
{
    rewrite ^/(.*)$ https://$host/$1 redirect;
}
Then restart nginx, and the login page is served over https.
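The server block and the two redirect rules above, in hardened form, as an added example that is not from the original post: each weak directive the post uses is kept as a comment beside its replacement, and the rewrite pairs become return 301 redirects. It assumes the certificate and passphrase-free key created earlier are in /opt/nginx/conf as server.crt and cert.key (the post's config points at /usr/local/nginx/conf/server_nopwd.key instead) and that enable-php.conf is the same include the post uses.

```nginx
# Added example (not from the original post): the post's two server blocks, hardened.
# Each weak directive from the post is kept as a comment beside its replacement.
# Assumes the certificate and passphrase-free key from the steps above are in
# /opt/nginx/conf as server.crt and cert.key.

# Plain-http server: everything except the login page stays on port 80.
server {
    listen 80;
    server_name localhost;
    index index.html index.htm index.php;
    root /home/wwwroot/default;
    include enable-php.conf;

    # Post: if ($uri ~* "/logging.php$") { rewrite ^/(.*)$ https://$host/$1 redirect; }
    # Exact match on the normalized $uri; 301 is permanent and keeps the query string.
    if ($uri = "/logging.php") {
        return 301 https://$host$request_uri;
    }
}

# HTTPS server: serves only the login page and bounces everything else back to http.
server {
    # Post: listen 443; ssl on;   ("ssl on" is deprecated since 1.15.0; use the listen parameter)
    listen 443 ssl;
    server_name localhost;
    index index.html index.htm index.php;
    root /home/wwwroot/default;
    include enable-php.conf;

    ssl_certificate     /opt/nginx/conf/server.crt;
    ssl_certificate_key /opt/nginx/conf/cert.key;
    ssl_session_timeout 10m;
    ssl_session_cache   shared:SSL:10m;

    # Post: ssl_protocols SSLv2 SSLv3 TLSv1;   (SSLv2/SSLv3 are broken, TLS 1.0 is end-of-life)
    # TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1; drop that token on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Post: ssl_ciphers HIGH:!aNULL:!MD5;   (additionally exclude RC4 and 3DES)
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES;
    ssl_prefer_server_ciphers on;

    # Do not add a Strict-Transport-Security header here: with every other path
    # redirected to http, HSTS would make browsers loop between the two servers.
    # Post: if ($uri !~* "/logging.php$") { rewrite ^/(.*)$ http://$host/$1 redirect; }
    if ($uri != "/logging.php") {
        return 301 http://$host$request_uri;
    }
}
```

Because every path other than logging.php is sent back to plain http, the session cookie issued at login still travels in clear text on later requests; this split protects the password in transit, not the session.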