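Preface
To improve the security of web applications, HTTPS access is now essentially a requirement. This post records how I configured it under nginx.
I. Installing nginx
Note: if nginx is already installed but was built without the SSL module, follow the steps below to add it.
(1) Change to the source directory (the path where nginx was downloaded):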
cd /usr/local/nginx/nginx-1.13.6
(2) Configure the build:
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
(3) Once configure finishes, run make to compile. Do not run make install, or it will overwrite the existing installation.
make
(4) Then back up the nginx binary that is already installed (optional)
cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
(5) Restart nginx
/usr/local/nginx/sbin/nginx -s reload
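II. Configuring HTTPS
1. Install the certificate
To serve HTTPS, nginx needs a server certificate. Here the certificate is generated with the openssl command (make sure openssl is available).
The steps to generate the certificate are:
1. Go to /usr/local/nginx/conf/ and create a directory named crt (mkdir crt)
2. Enter crt (cd crt)
3. Start generating the certificate. Run openssl genrsa -des3 -out server.key 1024 to generate the key; the following prompts appear: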
Generating RSA private key, 1024 bit long modulus
......................................................++++++
.................++++++
e is 65537 (0x10001)
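Enter pass phrase for server.key: (enter any passphrase you like here, for example 123456)
Verifying - Enter pass phrase for server.key: (enter it again)
4. Run openssl req -new -key server.key -out server.csr to generate the CSR. (Note: this step asks for country/region/company/personal information. It does not have to be real, roughly plausible values are enough; see the values entered below for reference.)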
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Shandong
Locality Name (eg, city) [Newbury]:liangshang
Organization Name (eg, company) [My Company Ltd]:hahah
Organizational Unit Name (eg, section) []:biubiu
Common Name (eg, your name or your server's hostname) []:nanxiaoliu
Email Address []:nanxiaoliu@channelsoft.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []: (press Enter)
5.cp server.key server.key.org
6.openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org: 123456
writing RSA key
7.openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
On success, Signature ok is printed.
At this point the certificate has been created.
2. Modify the nginx configuration for HTTPS
1. Go to /usr/local/nginx/conf
cp nginx.conf nginx_lzaf.conf
2. Edit the conf file
vim nginx.conf
Add a server block configured as follows:
server {
    server_name localhost;
    listen 443 ssl;
    ssl on;
    # Absolute path of the certificate
    ssl_certificate /usr/local/nginx/conf/crt/server.crt;
    # Absolute path of the certificate key
    ssl_certificate_key /usr/local/nginx/conf/crt/server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Other settings
    location / {
        # Path of the front end to serve (dist1 is my packaged Vue front end)
        root /usr/local/javavue/dist1;
        index index.html index.htm;
    }
}
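Added example, not from the original post: shell functions that check an nginx config for the settings in the server block above that current practice has moved away from (TLSv1 and TLSv1.1 in ssl_protocols, and the ssl on; directive, which nginx made obsolete in 1.15.0 in favour of listen ... ssl), and that check the RSA key is at least 2048 bits rather than the 1024 generated in step 3. The function names and finding labels are assumptions made for this example, and the demo input is a constructed copy of that server block.

```shell
# Added example: names and finding labels are illustrative, not nginx's own.
# audit_tls_conf FILE: print one finding per line; return 1 if any, else 0.
audit_tls_conf() {
    findings=$(awk '
        { sub(/#.*/, "") }                 # strip comments; awk re-splits fields
        $1 == "listen" && /[ \t]ssl[ \t;]/ { tls = 1 }
        $1 == "ssl" && $2 ~ /^on;?$/ { print "DEPRECATED_SSL_ON" }
        $1 == "ssl_protocols" {
            pinned = 1
            for (i = 2; i <= NF; i++) {
                p = $i; sub(/;$/, "", p)
                if (p == "SSLv2" || p == "SSLv3" || p == "TLSv1" || p == "TLSv1.1")
                    print "LEGACY_PROTOCOL " p
            }
        }
        # Without ssl_protocols the enabled versions depend on the nginx release.
        END { if (tls && !pinned) print "PROTOCOLS_NOT_PINNED" }
    ' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# audit_key_bits FILE: return 0 if the RSA key is >= 2048 bits, 1 if smaller,
# 2 if it cannot be read (missing file, no openssl, or still passphrase-protected).
audit_key_bits() {
    [ -r "$1" ] && command -v openssl >/dev/null 2>&1 || return 2
    bits=$(openssl rsa -in "$1" -passin pass: -noout -text 2>/dev/null |
           sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    [ -n "$bits" ] || return 2
    [ "$bits" -ge 2048 ] && return 0
    echo "WEAK_RSA_KEY $bits"
    return 1
}

# Demo on a constructed copy of the TLS lines from the server block above.
demo=$(mktemp)
cat > "$demo" <<'EOF'
server {
    listen 443 ssl;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
audit_tls_conf "$demo" || true
rm -f "$demo"
```

To check the key as well, pass the path given in ssl_certificate_key to audit_key_bits.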
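Restart nginx to verify: /usr/local/nginx/sbin/nginx -s reload
Open a browser to verify
Then verify that the original HTTP access still works: http://81.70.170.21:8080/#/login
After configuration, HTTP is reachable but HTTPS is not
Check whether port 443 is open
Check the port numbers
netstat -ntlp # list all current TCP ports
1. Start the firewall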
systemctl start firewalld
2. Open the specified port
firewall-cmd --zone=public --add-port=443/tcp --permanent
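What the options mean:
--zone # the zone the rule applies to
--add-port=1935/tcp # add a port, in the format port/protocol
--permanent # takes effect permanently; without this option the rule is lost after a restart
3. Reload the firewall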
firewall-cmd --reload
Summary
With the configuration above, nginx is set up. If other problems come up, please contact me O(∩_∩)O haha~
By the way, I drew on https://blog.csdn.net/nanruitao10/article/details/83338901