https之Nginx自签证书

最新推荐文章于 2024-06-05 10:01:50 发布

研究司马懿

最新推荐文章于 2024-06-05 10:01:50 发布

阅读量489

点赞数 5

文章标签： https nginx 网络协议

本文链接：https://blog.csdn.net/weixin_73059729/article/details/138904504

版权

Nginx配置https

文章目录

Nginx配置https

一、源码安装Nginx服务

不管是源码安装或是Yum安装Nginx都是一样的，只是访问路径上有所区别

yum -y install pcre-devel zlib-devel gcc-c++ gcc openssl openssl-devel make zlib zlib-devel gcc gcc-c++ libtool pcre pcre-devel
useradd -M -s /sbin/nologin nginx
tar -zxvf nginx-1.12.0.tar.gz -C /usr/src/
cd /usr/src/nginx-1.12.0/
# 添加--with-http_ssl_module配置项，支持https
./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module
make && make install
ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/

vim /etc/init.d/nginx 
#!/bin/bash
# chkconfig: - 99 20
# description: Nginx Server Control Script
PROG="/usr/local/nginx/sbin/nginx"
PIDF="/usr/local/nginx/logs/nginx.pid"
case "$1" in
start)
   $PROG
  ;;
stop)
  kill -s QUIT $(cat $PIDF)
  ;;
restart)
  $0 stop
  $0 start
  ;;
reload)
  kill -s HUP $(cat $PIDF)
  ;;
status)
  [ -f $PID ] &> /dev/null
       if [ $? -eq 0 ]
          then 
          netstat  -anpt | grep nginx
       else
          echo "Nginx is not running."
        fi   
  ;;
*)
  echo "Usage: $0 {start|stop|restart|reload|status}"
esac
exit 0
chmod +x /etc/init.d/nginx
chkconfig --add nginx

二、使用openssl生成证书

openssl是目前最流行的SSL密码库工具，其提供了一个通用、健壮、功能完备的工具套件，用以支持SSL/TLS协议的实现

# 创建证书存放路径
mkdir /usr/local/ssl

openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /usr/local/ssl/nginx.key -out /usr/local/ssl/nginx.crt
Generating a 2048 bit RSA private key
...........................+++
............................+++
writing new private key to '/usr/local/ssl/nginx.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:Zheng Zhou
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:
# openssl req生成证书
# -x509 输出 x509 结构而不是证书。
# -nodes 不加密输出密钥
# -days -x509 生成的证书的有效天数。
# -newkey rsa:2048 生成大小为"位"的新 RSA 密钥
# -keyout 要将密钥发送到的文件
# -out 输出文件

三、Nginx配置

443配置

vi /usr/local/nginx/conf/nginx.conf
server {
    listen 443 ssl;
    server_name www.test.com;
    ssl_certificate /usr/local/ssl/nginx.crt;
    ssl_certificate_key /usr/local/ssl/nginx.key;
    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    #禁止在header中出现服务器版本，防止黑客利用版本漏洞攻击
    server_tokens off;
    #如果是全站 HTTPS 并且不考虑 HTTP 的话，可以加入 HSTS 告诉你的浏览器本网站>全站加密，并且强制用 HTTPS 访问
    fastcgi_param   HTTPS               on;
    fastcgi_param   HTTP_SCHEME         https;
    location / {
        root   /usr/local/nginx/html/;
        index  index.html index.htm;
    }
}

80配置

# 默认的80配置段中进行修改即可
server {
        listen       80;
        server_name  www.test.com;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;
rewrite ^/(.*)$ https://www.test.com/$1 permanent;
        location / {
            root   /usr/local/nginx/html/;
            index  index.html index.htm;
        }

四、启动Nginx服务，并访问443

systemctl start nginx
[root@localhost ~]# netstat -anpt | grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4053/nginx: master