nginx 自签证书支持https
假设 可自定义
- nginx 版本: nginx-1.19.10
- nginx 安装目录: /root/php/bin/nginx1.19
- nginx 超链接目录路径 : /usr/bin
- 源码目录 : /root/php/packages
- crt 证书生成目录 : /root/php/crt
进入源码目录
cd /root/php/packages
安装依赖 openssl
yum install -y openssl-devel.x86_64 openssl-static.x86_64 openssl.x86_64 openssl-libs.x86_64
openssl ciphers -v
- openssl 源码编译安装 请参考 《openssl 源码编译》
重新编译nginx
cd /root/php/packages/nginx-1.19.10
./configure --prefix=/root/php/bin/nginx1.19 --with-http_ssl_module
make && make install
nginx -V
安装证书(自签发)
mkdir -p /root/php/crt
cd /root/php/crt
openssl genrsa -out root.key && openssl req -new -key root.key -out root.csr
openssl x509 -req -days 3650 -in root.csr -signkey root.key -out root.crt
openssl genrsa -out server.key && openssl req -new -key server.key -out server.csr
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
openssl genrsa -out client.key && openssl req -new -key client.key -out client.csr
touch /etc/pki/CA/index.txt && echo 01 | tee /etc/pki/CA/serial
openssl ca -in client.csr -cert root.crt -keyfile root.key -out client.crt
openssl pkcs12 -export -inkey client.key -in client.crt -out client.pfx
配置nginx.conf
ssl_certificate /root/php/crt/server.crt;
ssl_certificate_key /root/php/crt/server.key;
ssl_client_certificate /root/php/crt/ca.crt;
ssl_verify_client on;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
开启 443 端口
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --reload
安装测试
nginx -s reload
- 打开浏览器访问 : https://192.168.174.128 >> 查看 curl 是否加载好
BASH汇总
cd /root/php/packages
yum install -y openssl-devel.x86_64 openssl-static.x86_64 openssl.x86_64 openssl-libs.x86_64
openssl ciphers -v
cd /root/php/packages/nginx-1.19.10
./configure --prefix=/root/php/bin/nginx1.19 --with-http_ssl_module
make && make install
nginx -V
mkdir -p /root/php/crt
cd /root/php/crt
openssl genrsa -out root.key && openssl req -new -key root.key -out root.csr
openssl x509 -req -days 3650 -in root.csr -signkey root.key -out root.crt
openssl genrsa -out server.key && openssl req -new -key server.key -out server.csr
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
openssl genrsa -out client.key && openssl req -new -key client.key -out client.csr
touch /etc/pki/CA/index.txt && echo 01 | tee /etc/pki/CA/serial
openssl ca -in client.csr -cert root.crt -keyfile root.key -out client.crt
openssl pkcs12 -export -inkey client.key -in client.crt -out client.pfx
nginx -s reload
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --reload
PHP测试源码
视频学习地址
上一节:openssl 扩展安装与使用 - https数据加解密相关
下一节:redis 扩展安装与使用 - 内存nosql数据库