SSL Basics: 26: Configuring an HTTPS Service with nginx

nginx makes it quick to stand up an HTTP service, and combined with a self-signed certificate it is just as easy to serve HTTPS. This article shows, using containers, how to quickly set up an nginx HTTPS service.

Server-side setup
Step 1: Start the nginx container
Start the nginx service, mapping the container's HTTPS port 443 to host port 8443, and run the container to provide the service.

liumiaocn:nginx liumiao$ docker run -d -p 8443:443 --name=nginx nginx:latest
db67c95583d6b4e889680d08d9e4473bb3b961a1a01cdde5fb39f5967a27b808
liumiaocn:nginx liumiao$ docker ps |grep nginx
db67c95583d6 nginx:latest "nginx -g 'daemon of…" 9 seconds ago Up 8 seconds 80/tcp, 0.0.0.0:8443->443/tcp nginx
liumiaocn:nginx liumiao$
Step 2: Configure nginx
Enter the container and make the following nginx configuration changes.

Configuration step 1: Edit the default.conf file
Default nginx configuration file path: /etc/nginx/conf.d/default.conf

liumiaocn:nginx liumiao$ docker exec -it nginx sh
# cd /etc/nginx/conf.d
# ls
default.conf

Run the following command:
cat >>default.conf <<EOF
server {
    listen 443 ssl http2;
    server_name localhost;

    ssl_certificate          /etc/nginx/ssl/server.crt;
    ssl_certificate_key      /etc/nginx/ssl/server.key;

    ssl_session_timeout  5m;

    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers   on;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

}
EOF
The execution log is as follows:

# cat >>default.conf <<EOF
> server {
>     listen 443 ssl http2;
>     server_name localhost;
>
>     ssl_certificate          /etc/nginx/ssl/server.crt;
>     ssl_certificate_key      /etc/nginx/ssl/server.key;
>
>     ssl_session_timeout  5m;
>
>     ssl_ciphers HIGH:!aNULL:!MD5;
>     ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
>     ssl_prefer_server_ciphers   on;
>
>     location / {
>         root   /usr/share/nginx/html;
>         index  index.html index.htm;
>     }
>
> }
> EOF
# cat default.conf
server {
listen 80;
server_name localhost;

#charset koi8-r;
#access_log  /var/log/nginx/host.access.log  main;

location / {
    root   /usr/share/nginx/html;
    index  index.html index.htm;
}

#error_page  404              /404.html;

# redirect server error pages to the static page /50x.html
#
error_page   500 502 503 504  /50x.html;
location = /50x.html {
    root   /usr/share/nginx/html;
}

# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
#    proxy_pass   http://127.0.0.1;
#}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
#    root           html;
#    fastcgi_pass   127.0.0.1:9000;
#    fastcgi_index  index.php;
#    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
#    include        fastcgi_params;
#}

# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
#    deny  all;
#}

}

server {
listen 443 ssl http2;
server_name localhost;

ssl_certificate          /etc/nginx/ssl/server.crt;
ssl_certificate_key      /etc/nginx/ssl/server.key;

ssl_session_timeout  5m;

ssl_ciphers HIGH:!aNULL:!MD5;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers   on;

location / {
    root   /usr/share/nginx/html;
    index  index.html index.htm;
}

}

Configuration step 2: Create the ssl directory

# pwd
/etc/nginx/conf.d
# cd ..
# mkdir ssl

It is really quite simple: add the ssl configuration to nginx, then create the directory /etc/nginx/ssl that the configuration refers to.
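One caveat on the server block added above: its ssl_protocols line enables SSLv3, TLSv1 and TLSv1.1, all of which are deprecated (SSLv3 since POODLE, TLS 1.0/1.1 by RFC 8996), so a client that negotiates them gets a weaker handshake than the certificate work deserves. The following POSIX shell script is an added example, not part of the original post or of easypack; it flags such an ssl_protocols setting and prints a hardened copy of the block, using a constructed copy of the page's configuration as input.

```shell
#!/bin/sh
# Constructed sample: the HTTPS server block appended to default.conf above,
# reproduced here only so the check has something to run against.
WEAK_CONF='server {
    listen 443 ssl http2;
    server_name localhost;
    ssl_certificate          /etc/nginx/ssl/server.crt;
    ssl_certificate_key      /etc/nginx/ssl/server.key;
    ssl_session_timeout  5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers   on;
}'

# Return 0 if the config (passed as a string) enables only TLSv1.2/TLSv1.3,
# 1 if the effective ssl_protocols line lists SSLv2, SSLv3, TLSv1 or TLSv1.1.
# As in nginx, the last ssl_protocols directive is the one that applies; a
# config with no directive at all falls back to the build default and passes.
check_ssl_protocols() {
  protos=$(printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*$/\1/p' | tail -n 1)
  for p in $protos; do
    case "$p" in
      SSLv2|SSLv3|TLSv1|TLSv1.1) return 1 ;;
    esac
  done
  return 0
}

# Print a hardened copy of the config: TLS 1.2/1.3 only and an AEAD-only
# cipher list (the Mozilla "intermediate" suites). Everything else is unchanged,
# so certificate paths and the location block survive the rewrite.
harden_ssl_protocols() {
  printf '%s\n' "$1" | sed \
    -e 's/^\([[:space:]]*\)ssl_protocols[[:space:]].*;/\1ssl_protocols TLSv1.2 TLSv1.3;/' \
    -e 's/^\([[:space:]]*\)ssl_ciphers[[:space:]].*;/\1ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;/'
}

# Stand-alone use: report on the sample block, then show the hardened version.
if check_ssl_protocols "$WEAK_CONF"; then
  echo "ssl_protocols: OK"
else
  echo "ssl_protocols: deprecated protocol enabled; hardened version:"
  harden_ssl_protocols "$WEAK_CONF"
fi
```

To apply the same check to a live container, pipe `docker exec nginx cat /etc/nginx/conf.d/default.conf` into the function instead of the constructed sample, and reload nginx after editing.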

Step 3: Generate the certificates
Use the one-click certificate generation provided by easypack: supplying only a CN is enough to generate the server private key (server.key) and server certificate (server.crt) that are needed. Use the following script:

https://github.com/liumiaocn/easypack/blob/master/containers/alpine/nginx/create_https_certs.sh
Here we take CN = www.hellohttps.com as the example for generation.

liumiaocn:nginx liumiao$ export ENV_NAME_DN_CN=www.hellohttps.com
liumiaocn:nginx liumiao$ ls
create_https_certs.sh
liumiaocn:nginx liumiao$ sh create_https_certs.sh

Prepare for DN and v3 extension setting files

Create CA private key with name : ca.key

Generating RSA private key, 2048 bit long modulus
…+++
…+++
e is 65537 (0x10001)

Create CA certificate with name : ca.crt

Create server private key with name : server.key

Generating RSA private key, 2048 bit long modulus
…+++
…+++
e is 65537 (0x10001)

Create server CSR file with name : server.csr

Create server certificate with name : server.crt

Signature ok
subject=/C=CN/ST=LiaoNing/L=DaLian/O=devops/OU=unicorn/CN=www.hellohttps.com
Getting CA Private Key
liumiaocn:nginx liumiao$ ls
ca.crt ca.srl server.crt server.key
ca.key create_https_certs.sh server.csr v3_extfile.conf
liumiaocn:nginx liumiao$
Step 4: Install the certificate
Copy the certificate and private key with the names given in the configuration into the directory /etc/nginx/ssl specified in the configuration file.

liumiaocn:nginx liumiao$ docker cp server.key nginx:/etc/nginx/ssl
liumiaocn:nginx liumiao$ docker cp server.crt nginx:/etc/nginx/ssl
liumiaocn:nginx liumiao$ docker exec nginx ls /etc/nginx/ssl
server.crt
server.key
liumiaocn:nginx liumiao$
Step 5: Restart the nginx service
liumiaocn:nginx liumiao$ docker restart nginx
nginx
liumiaocn:nginx liumiao$ docker ps |grep nginx
db67c95583d6 nginx:latest "nginx -g 'daemon of…" 20 minutes ago Up 4 seconds 80/tcp, 0.0.0.0:8443->443/tcp nginx
liumiaocn:nginx liumiao$
Client-side setup
Step 1: /etc/hosts setup
This article uses a container for the example and verifies directly on the local machine, so it is enough to set /etc/hosts here by adding the following entry:

liumiaocn:nginx liumiao$ sudo vi /etc/hosts
Password:
liumiaocn:nginx liumiao$ grep hello /etc/hosts
127.0.0.1 www.hellohttps.com
liumiaocn:nginx liumiao$
Step 2: Add the certificate to Keychain Access
After adding the certificate, set it to Trust.

After saving, the page displays normally.

Verifying the result
Access https://www.hellohttps.com:8443/; the page shown below appears, which confirms that the nginx HTTPS service is up and usable.
