openssl自签证书
1、自签证书测试
安装nginx
yum -y install nginx
检查nginx的ssl模块
[root@ docker ~]# nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-
--with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-stream_ssl_preread_module
2、准备私钥和证书
创建私钥
[root@ docker ~]# cd /etc/nginx/
[root@ docker nginx]# mkdir -p ssl
[root@ docker nginx]# cd ssl/
[root@ docker ssl]# openssl genrsa -des3 -out server.key 1024
Enter pass phrase for server.key:123456
Verifying - Enter pass phrase for server.key:123456
[root@ docker ssl]# ll
total 4
-rw-r--r-- 1 root root 963 2020-02-26 02:43 server.key
签发证书
[root@ docker ssl]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: 123456
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:SDU
Organizational Unit Name (eg, section) []:BJ
Common Name (eg, your name or your server's hostname) []:wjj
Email Address []:602616568@qq.com
A challenge password []:回车
An optional company name []:回车
删除私钥扣令
[root@ docker ssl]# cd /etc/nginx/ssl
[root@ docker ssl]# cp server.key server.key.ori
[root@ docker ssl]# openssl rsa -in server.key.ori -out server.key
Enter pass phrase for server.key.ori:123456
生成使用签名请求证书和私钥生成自签证书
[root@ docker ssl]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=SDU/OU=BJ/CN=wjj/emailAddress=602616568@qq.com
Getting Private key
Enter pass phrase for server.key:密码
3、开启nginx ssl
#创建虚拟主机
[root@ docker conf.d]# mkdir -p /etc/nginx/html
[root@ docker conf.d]# vim hack.conf
server {
listen 443 ssl;
server_name www.hack.com;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
#定义站点目录
root /etc/nginx/html;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
[root@ docker conf.d]# nginx -t
[root@ docker conf.d]# nginx -s reload
绑定window的hosts,然后用浏览器访问https://www.hack.com/hack.html
10.0.0.41 www.hack.com
此时,你会发现,http://www.hack.com/hack.html,浏览器访问不了了(注意浏览器缓存),这时就需要将80端口重定向到443端口。
4、rewrite跳转
以上配置有个不好的地方,如果用户忘了使用https或者443端口,那么网站将无法访问,因此需要将80端口的访问转到443端口并使用ssl加密访问。只需要增加一个server段,使用301永久重定向。
[root@ docker conf.d]# vim hack.conf
server {
listen 80;
server_name www.hack.com;
rewrite ^(.*) https://$server_name$1 permanent;
}
server {
listen 443 ssl;
server_name www.hack.com;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
#定义站点目录
root /etc/nginx/html;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
[root@ docker conf.d]# nginx -t
[root@ docker conf.d]# nginx -s reload
这时,浏览器访问http://www.hack.com/hack.html,nginx会将请求跳转到https://www.hack.com/hack.html,详细可以查看nginx日志。
4913
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
