nginx自签名证书配置https
添加nginx官方yum源
# Register the official nginx yum repositories: stable enabled, mainline
# present but disabled until explicitly switched on. The delimiter is quoted
# so $releasever/$basearch reach the repo file literally for yum to expand.
# gpgcheck=1 makes yum verify package signatures against the key fetched
# from the https gpgkey URL.
repo_file=/etc/yum.repos.d/nginx.repo
cat <<'EOF' >"$repo_file"
[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
[nginx-mainline]
name=nginx mainline repo
baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
EOF
yum安装最新版本nginx
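# yum-utils provides yum-config-manager, used to enable the mainline channel
# before installing so the newest nginx is picked. Every -y must be an ASCII
# hyphen: the final install previously used an en dash ("–y"), which yum
# reads as a package name rather than the assume-yes flag.
yum install -y yum-utils
yum-config-manager --enable nginx-mainline
yum install -y nginx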
创建证书保存目录
# Directory that will hold the self-signed key/cert, its request config and
# the DH parameters.
ssl_dir=/etc/ssl/nginx
mkdir -p -- "$ssl_dir"
创建证书配置文件
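# OpenSSL request config for the self-signed certificate. The delimiter is
# quoted (as for the repo file above) so nothing is shell-expanded on the way
# into the file. Subject Alternative Names are what browsers match against:
# 127.0.0.1 is an IP address, so it must be an IP.n entry — a DNS.n entry
# holding an IP literal is not matched as an IP SAN.
cat > /etc/ssl/nginx/nginx.mydemo.com.conf <<'EOF'
[req]
default_bits = 2048
default_keyfile = nginx.mydemo.com.key
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = v3_ca
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = guangdong
localityName = Locality Name (eg, city)
localityName_default = shenzhen
organizationName = Organization Name (eg, company)
organizationName_default = IT
organizationalUnitName = organizationalunit
organizationalUnitName_default = Development
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = nginx.mydemo.com
commonName_max = 64
[req_ext]
subjectAltName = @alt_names
[v3_ca]
subjectAltName = @alt_names
[alt_names]
DNS.1 = nginx.mydemo.com
IP.1 = 127.0.0.1
EOF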
使用OpenSSL创建证书
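# Generate the self-signed certificate and its private key in one step.
# Abort if the directory is missing instead of writing into the current one.
# -nodes leaves the key unencrypted so nginx can start without a passphrase;
# compensate by restricting the key file to root — without the chmod it is
# created 0644 (world-readable), as the `ll` listing below shows.
cd /etc/ssl/nginx || exit 1
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout nginx.mydemo.com.key -out nginx.mydemo.com.crt \
  -config nginx.mydemo.com.conf
chmod 600 nginx.mydemo.com.key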
查看生成的证书
[root@localhost nginx]# ll /etc/ssl/nginx/
total 16
-rw-r--r-- 1 root root 424 Jul 29 22:35 dhparam.pem
-rw-r--r-- 1 root root 970 Jul 29 23:12 nginx.mydemo.com.conf
-rw-r--r-- 1 root root 1298 Jul 29 23:13 nginx.mydemo.com.crt
-rw-r--r-- 1 root root 1704 Jul 29 23:13 nginx.mydemo.com.key
生成dhparam.pem
# Diffie-Hellman parameters referenced by ssl_dhparam in the nginx config;
# 2048-bit generation can take a while.
dh_file=/etc/ssl/nginx/dhparam.pem
openssl dhparam -out "$dh_file" 2048
修改nginx配置文件
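# Write the nginx site config. The heredoc delimiter MUST be quoted: with a
# bare EOF the shell expands $server_name and $request_uri to empty strings
# and the redirect becomes "return 301 https://;".
# Notes on the resulting config:
#  - the port-80 server returns 301 at server level, so its location blocks
#    are never reached; they are kept as written but are effectively dead;
#  - TLSv1 and TLSv1.1 are deprecated (RFC 8996); trimming ssl_protocols to
#    "TLSv1.2 TLSv1.3" is the usual hardening once no legacy client needs them;
#  - ssl_dhparam only affects DHE cipher suites.
cat > /etc/nginx/conf.d/default.conf <<'EOF'
server {
listen 80;
server_name nginx.mydemo.com;
return 301 https://$server_name$request_uri;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
server {
listen 443 ssl http2;
server_name nginx.mydemo.com;
keepalive_timeout 70;
index index.php index.html index.htm;
root /usr/share/nginx/html/;
ssl_certificate /etc/ssl/nginx/nginx.mydemo.com.crt;
ssl_certificate_key /etc/ssl/nginx/nginx.mydemo.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_dhparam /etc/ssl/nginx/dhparam.pem;
}
EOF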
重启nginx服务
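# Validate the configuration first and only restart when the check passes,
# so a broken default.conf does not take the running service down.
nginx -t && systemctl restart nginx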
本地配置hosts解析
C:\Windows\System32\drivers\etc
#添加以下行
192.168.93.63 nginx.mydemo.com
导入nginx.mydemo.com.crt证书到chrome，地址栏输入以下内容，选择管理证书，受信任的证书颁发机构导入：
chrome://settings/security
配置chrome信任本地证书，地址栏输入以下内容
chrome://flags/#allow-insecure-localhost
浏览器访问验证: