Smoothly upgrading nginx to add SSL and enable HTTPS for the site
I. Adding a compiled-in module to an existing nginx
1. Re-run configure with the new arguments
Run nginx -V to see the current nginx build options:
nginx version: nginx/1.4.4
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
configure arguments: --prefix=/usr/local/nginx --with-http_realip_module --with-http_sub_module --with-http_gzip_static_module --with-http_stub_status_module --with-pcre
Then, in the source directory of the new nginx build, run:
./configure --prefix=/usr/local/nginx --with-http_realip_module --with-http_sub_module --with-http_gzip_static_module --with-http_stub_status_module --with-pcre --with-http_ssl_module
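2. Compile and install
make
Note: only compile here. Do not run make install, otherwise this turns into an overwrite install.
Afterwards an objs directory is generated in the current directory; run the binary inside it to see the build arguments of the new nginx.
# ./objs/nginx -V
nginx version: nginx/1.4.4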
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_realip_module --with-http_sub_module --with-http_gzip_static_module --with-http_stub_status_module --with-pcre --with-http_ssl_module
3. Back up and replace the old binary
Back up:
# mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
# cp ./objs/nginx /usr/local/nginx/sbin/nginx
Check:
# /usr/local/nginx/sbin/nginx -t
[root@iZwz966hn1pkophvqb3obgZ nginx-1.4.4]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.4.4
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_realip_module --with-http_sub_module --with-http_gzip_static_module --with-http_stub_status_module --with-pcre --with-http_ssl_module
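The backup, replace and check steps above as a guarded script, added here as an example and not part of the original post: it refuses a binary built without --with-http_ssl_module and restores the backup if the config test fails. The function names and the "apply" argument are hypothetical; the paths are the ones used on this page.

```shell
#!/bin/sh
# Added example: guarded binary swap. Function names are hypothetical.

# Sample `nginx -V` lines, constructed from the output shown on this page.
SAMPLE_OLD='configure arguments: --prefix=/usr/local/nginx --with-http_realip_module --with-pcre'
SAMPLE_NEW='configure arguments: --prefix=/usr/local/nginx --with-pcre --with-http_ssl_module'

# has_ssl_module TEXT: succeed only if the -V output lists the SSL module.
has_ssl_module() {
    printf '%s\n' "$1" | grep -q -- '--with-http_ssl_module'
}

# swap_binary NEW OLD [CHECK_CMD]
# Copies OLD to OLD.bak, installs NEW by rename (a rename also works while
# OLD is running, where a plain overwrite fails with "Text file busy"),
# runs the check (default: OLD -t) and restores the backup if it fails.
# Returns 0 on success, 1 after a rollback, 2-4 on setup errors.
swap_binary() {
    new=$1; old=$2; check=${3:-"$old -t"}
    [ -x "$new" ] || { echo "not executable: $new" >&2; return 2; }
    cp -p "$old" "$old.bak" || return 3
    cp -p "$new" "$old.new" && mv "$old.new" "$old" || return 4
    if ! sh -c "$check" >/dev/null 2>&1; then
        echo "config test failed, restoring $old.bak" >&2
        mv "$old.bak" "$old"
        return 1
    fi
    return 0
}

# Real run, from the nginx source directory: sh swap.sh apply
if [ "${1:-}" = "apply" ]; then
    # nginx -V writes to stderr, hence 2>&1
    has_ssl_module "$(./objs/nginx -V 2>&1)" || {
        echo "new binary was built without the ssl module" >&2; exit 1; }
    swap_binary ./objs/nginx /usr/local/nginx/sbin/nginx
fi
```

Replacing the file on disk does not change the nginx master that is already running; it keeps executing the old binary until it is restarted or upgraded in place.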
II. Setting up HTTPS
1. A sample server configuration
vim ssl.conf
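server {
    listen 443;
    server_name ceshi.guiren123.com;
    # "ssl on" is the form used by this nginx 1.4.4; later releases replace it with "listen 443 ssl;"
    ssl on;
    root /data/wordpress;
    index index.html index.htm index.php;
    # Certificate chain and private key; the key file should be readable by root only
    ssl_certificate /usr/local/nginx/cert/ceshi_guiren123_com_ssl/214186100710218.pem;
    ssl_certificate_key /usr/local/nginx/cert/ceshi_guiren123_com_ssl/214186100710218.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep only TLSv1.2 unless legacy clients need them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # "xingcheng" is a log_format name that must be defined in the http block
    access_log /tmp/guiren123-access.log xingcheng;
    error_log /tmp/guiren123-error.log;
    # Hand PHP requests to php-fpm over a unix socket
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        access_log /tmp/wordpress_access.log xingcheng;
        fastcgi_param SCRIPT_FILENAME /data/wordpress$fastcgi_script_name;
    }
}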
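Note: when configuring multiple SSL virtual hosts, this can be done by listening on multiple ports.
If the site cannot be reached, check iptables and the security group.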