注:生成的免费证书在浏览器是不被信任的
针对centos系统:
首页要检查安装程序: nginx, pcre, zlib, openssl(生成证书)
//1. 最好切换到nginx/conf 目录下执行,
openssl req -new -x509 -nodes -out server.crt -keyout server.key
//2. 修改nginx配置文件:
vi nginx/conf/nginx.conf
//内容如下:
修改nginx配置文件(在http模块里加):
server{
listen 443 ssl;
server_name www.abc.com;
ssl_certificate /usr/local/conf/server.crt;
ssl_certificate_key /usr/local/conf/server.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
server_tokens off; // 关闭(显示)Nginx 版本号。
keepalive_timeout 70; // 设置客户端连接保持活动的超时时间。
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
}
针对Ubuntu系统(在麒麟系统测试过):
1.生成ECC证书:
openssl ecparam -genkey -name secp256r1 | openssl ec -out server.key
openssl req -new -x509 -nodes -key server.key -out server.crt
PS:如果是泛域名证书,则应该填写*.example.com
你可以在系统的任何地方运行这个命令,会自动在当前目录生成example_com.csr和example_com.key这两个文件(最好切换到nginx/conf 目录下执行,)
2.在nginx.conf修改其配置,
server {
listen 80;
listen [::]:80 ssl ipv6only=on;
listen 443 ssl;
listen [::]:443 ssl ipv6only=on;
server_name example.com;
ssl on;
ssl_certificate /etc/ssl/private/server.crt;
ssl_certificate_key /etc/ssl/private/ server.key;
}