1. 下载:
2. 安装相关依赖包
yum install -y gcc pcre-devel openssl-devel zlib-devel
3. 创建nginx用户,解压源码包,开始编译安装
解压:
tar -xvf nginx-1.19.2.tar.gz
重命名:
mv nginx-1.19.2 nginx
cd nginx
编译的时候用来指定程序存放路径:
./configure --prefix=/usr/local/nginx \
--user=nginx \
--group=nginx \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--with-pcre \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module
安装:
make && make install
4. 启动nginx
#直接启动
/usr/local/nginx/sbin/nginx
#或创建软链接启动(1)
ln -s /usr/local/nginx/sbin/nginx /usr/sbin/
#或创建软链接启动(2)
nginx
5. 浏览器验证
http://ip
==================================配置https===============================
6. 替换原来的配置文件,修改文件中对应的IP
cd conf
# HTTPS server
#
# Terminates TLS on port 443 and reverse-proxies three path groups to
# backends on the same host. 127.0.0.1 and the 前台端口/后台端口 values are
# placeholders; step 6 above says to replace them with the real IP and ports.
server {
# NOTE(review): bound to the loopback address, so only local clients can
# connect until this is changed to the host's real address.
listen 127.0.0.1:443 ssl;
server_name 127.0.0.1;
# HSTS for one year including subdomains; "always" emits the header on
# error responses too.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Relative to the conf directory; createssl.sh copies the CA-signed
# server.crt and server.key into /usr/local/nginx/conf.
ssl_certificate server.crt;
ssl_certificate_key server.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
# Only HIGH-strength suites; anonymous, MD5, DES and 3DES suites excluded.
ssl_ciphers HIGH:!aNULL:!MD5:!DES:!3DES;
# TLS 1.0 and 1.1 are not offered.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# Frontend (Vue) project, exposed through its local port.
location / {
proxy_pass http://127.0.0.1:前台端口;
}
# Backend project: API routes matched by prefix, /api stripped by the rewrite.
# NOTE(review): this is the only location that forwards X-Forwarded-For; the
# / and /websocket locations pass neither the client address nor the Host
# header upstream — confirm the backends do not rely on them.
location /api {
# /api/foo is proxied as /foo.
rewrite ^/api/(.*)$ /$1 break;
proxy_pass http://127.0.0.1:后台端口;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# WebSocket endpoint: HTTP/1.1 plus the Upgrade/Connection headers the
# handshake needs.
location /websocket {
proxy_pass http://127.0.0.1:后台端口;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
# Any path containing /.svn/ returns 404 so VCS metadata is never served.
location ~ ^(.*)\/\.svn\/ {
return 404;
}
}
7. 生成证书并加载到nginx/conf目录下
建议用openssl生成
8. opensslconfig.cnf 文件放到/etc/pki/tls/opensslconfig.cnf,opensslconfig.cnf内容:
# Request configuration consumed by `openssl req -config` in createssl.sh.
# The same file is passed with -extensions v3_req -extfile when the CA signs
# the CSR, which is what carries the subjectAltName into the issued cert.
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
# Prompt defaults for the subject fields. createssl.sh supplies the whole
# subject with -subj, so these only matter when a CSR is made interactively.
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = GuangDong
localityName = Locality Name (eg, city)
localityName_default = ShenZhen
organizationName = Organization Name (eg, company)
organizationName_default = llll Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = llll
commonName = Common Name (e.g. server FQDN or YOUR name)
# CN is set by the script (CN=<ip>); the default stays commented out.
#commonName_default = 127.0.0.1
commonName_max = 64
[ v3_req ]
# Extensions to add to a certificate request
# End-entity certificate: it may not sign other certificates.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Modern clients match the host against subjectAltName rather than CN, so
# the alt_names list must contain the server's real address or name.
subjectAltName = @alt_names
[alt_names]
# NOTE(review): placeholder hostname — replace with the real FQDN or remove
# it; the sed in createssl.sh only rewrites the 127.0.0.1 values in this file.
DNS.1 = www.baidu.com
# Rewritten by createssl.sh to the IP given as its argument. If a hostname is
# passed instead, this IP entry becomes invalid — put it under DNS.1 instead.
IP.1 = 127.0.0.1
9. ca证书和ca的key放在private目录下
10. shell脚本放到/root/workspace/bin/目录下,脚本内容如下:
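#!/bin/sh
# createssl.sh — generate a server key and CSR for the given IP/hostname,
# sign it with the local CA, verify the result, export a PKCS#12 bundle and
# copy the certificate and key into the nginx conf directory.
#
# Usage:    createssl.sh <ip-or-hostname>
# Requires: /etc/pki/tls/opensslconfig.cnf, private/ca.key and private/ca.crt
#           (ca.crt is moved to newcerts/ on the first run)
# Writes:   /etc/pki/tls/{private,crl,newcerts,serial,index.txt,crlnumber}
#           /usr/local/nginx/conf/server.crt and server.key
# Exit:     non-zero on a missing/invalid argument or any failing step
#           (set -e stops the script before a bad cert reaches nginx)

set -eu

TLS_DIR=/etc/pki/tls
NGINX_CONF=/usr/local/nginx/conf
OPENSSL_CNF="$TLS_DIR/opensslconfig.cnf"

die() { printf '%s\n' "$*" >&2; exit 1; }

[ $# -eq 1 ] || die "Usage: $0 <ip-or-hostname>"
HOST=$1
# The value is spliced into a sed replacement and an openssl -subj string, so
# only characters valid in an IP or hostname are accepted; '/', '&', '\' or
# whitespace would otherwise break either command.
case "$HOST" in
  '' | *[!A-Za-z0-9.-]*) die "invalid IP/hostname: '$HOST'" ;;
esac

echo "替换IP: Instead of new IP..."
# Dots escaped so 127.0.0.1 matches literally; /g replaces every occurrence
# on a line. NOTE: the file is edited in place, so only the first run (while
# the 127.0.0.1 placeholders are still present) changes anything.
sed -i "s/127\.0\.0\.1/$HOST/g" "$OPENSSL_CNF"

mkdir -p "$TLS_DIR/crl" "$TLS_DIR/newcerts"
# CA bookkeeping files (used by `openssl ca`; not needed by `openssl x509 -req`).
echo "01" > "$TLS_DIR/serial"
touch "$TLS_DIR/index.txt" "$TLS_DIR/crlnumber"
cd "$TLS_DIR" || die "cannot cd to $TLS_DIR"

[ -f private/ca.key ] || die "missing $TLS_DIR/private/ca.key"
if [ -f private/ca.crt ]; then
  echo "移动CA证书到newcerts文件夹下..."
  mv private/ca.crt newcerts/ca.crt
fi
[ -f newcerts/ca.crt ] || die "missing CA certificate (private/ca.crt or newcerts/ca.crt)"

# Private key and PKCS#12 bundle must not be readable by other users.
umask 077

# create the server key and CSR, then have the CA sign it:
echo "创建私钥: Create server key..."
openssl genrsa -out private/server.key 2048

echo "生成签发请求: Create server certificate signing request..."
SUBJECT="/C=CN/ST=GuangDong/L=ShenZhen/O=Zkxa_Ltd/OU=zkxa/CN=$HOST"
# The key above is unencrypted, so the former hard-coded -passin password was
# unused and only exposed a secret on the command line.
openssl req -new -subj "$SUBJECT" -key private/server.key \
  -out crl/server.csr -config opensslconfig.cnf

echo "使用CA证书进行签发: Sign SSL certificate..."
# -extensions v3_req/-extfile copy the subjectAltName from the config into
# the issued certificate.
openssl x509 -req -sha256 -in crl/server.csr -CA newcerts/ca.crt \
  -CAkey private/ca.key -CAcreateserial -days 730 \
  -out newcerts/server.crt -extensions v3_req -extfile opensslconfig.cnf

echo "验证签发证书是否正确: Verify SSL certificate..."
# A failed verification aborts here instead of deploying a bad certificate.
openssl verify -CAfile newcerts/ca.crt newcerts/server.crt

echo "制作可导入浏览器的p12证书: Create server certificate as pkcs12..."
# Prompts interactively for the export password.
openssl pkcs12 -export -clcerts -in newcerts/server.crt \
  -inkey private/server.key -out newcerts/server.p12

echo "Copy /newcerts/server.crt to /usr/local/nginx/conf/server.crt"
cp newcerts/server.crt "$NGINX_CONF/server.crt"
echo "Copy /private/server.key to /usr/local/nginx/conf/server.key"
cp private/server.key "$NGINX_CONF/server.key"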
备注:
1. 若运行脚本出错,可能是从windows拷贝到linux时的空格问题
处理方式:
新建该文件
touch createssl.sh
打开该文件,将createssl内容.txt的内容拷贝进去
vi createssl.sh
增加可执行(x)权限
chmod +x createssl.sh
2. 使用 date 查看当前时间是否准确
校准时间命令
ntpdate cn.pool.ntp.org
3. 运行shell脚本(入参是IP)
./createssl.sh 127.0.0.1
另外,生成p12文件是需要密码的,统一输入“nnnn1234”。
4. 安装nginx用户
useradd -s /sbin/nologin -M nginx
id nginx
5. 重启nginx
nginx -s reload
备注:
6. 校验nginx的配置:
nginx -t
7. 如果启动nginx时报错“找不到nginx/logs/error.log或者access.log”,则在nginx目录下手动创建:
mkdir logs
cd logs
touch error.log
touch access.log
8. 浏览器登录页面报nginx的502错误
查看error.log,检查是否是ip或者端口连接问题
connect() failed (111: Connection refused) while connecting to upstream,
lsof -i tcp:端口
9. 没有安装nginx用户导致的无法启动:nginx: [emerg] getpwnam("nginx") failed
useradd -s /sbin/nologin -M nginx
id nginx