This started when a vulnerability scanner, run against a system during deployment, flagged the website as insecure and required it to be served over HTTPS. Since nginx supports HTTPS, the quick route was to configure it in nginx. After working through a pile of broken tutorials it finally came together, so the steps are recorded here; following them gives you the certificate and the nginx configuration needed to serve the site over HTTPS.
This guide was done on CentOS 7; on other Linux distributions adjust the corresponding commands. For reference only.
Once the configuration is in place, the browser will show a warning (a red cross on the padlock) when you open the site. This is because the certificate is self-signed rather than issued by a certificate authority the browser trusts, so the browser cannot verify who it belongs to; the connection is still encrypted and the site still works. Keep in mind that scanners usually flag self-signed certificates too, so for anything reachable from the internet obtain a certificate from a CA and use it in place of the self-signed one; the nginx side of the configuration is the same.
For nginx to serve SSL/TLS with a certificate and private key, the openssl library (and its development headers, openssl-devel on CentOS, since nginx links against it at build time) must be installed, and nginx must be built with the http_ssl_module.
This uses nginx 1.16.1 as the example.
Get the source package:
curl -O https://nginx.org/download/nginx-1.16.1.tar.gz
or: wget https://nginx.org/download/nginx-1.16.1.tar.gz
Prefer the https URL, and fetch the matching nginx-1.16.1.tar.gz.asc signature from the same directory and verify it with gpg against the nginx signing key before building, so you are not compiling a tampered tarball.
Unpack it:
tar -zxvf nginx-1.16.1.tar.gz
Configure and build with the SSL module:
cd nginx-1.16.1
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
(The flag is --with-http_ssl_module; --with-https_ssl_module does not exist and configure will reject it.)
If nginx is already installed, do not run make install here, since that would overwrite the existing installation and configuration. Run only make, which leaves the new binary at objs/nginx inside the source tree:
make
Back up the existing binary, then, with nginx stopped, replace it with the newly built one:
cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
cp objs/nginx /usr/local/nginx/sbin/nginx
Check that the module is compiled in:
/usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module   # the module is compiled in
With the SSL module available, the ssl_* directives go into the HTTPS server section of nginx.conf (the default nginx.conf ships with a commented-out "HTTPS server" block that can be used as a template).
Note: put the generated certificate and key in a directory of their own, e.g. nginx/conf/ssl; any path works, it just has to match the paths given in nginx.conf, and the key file must not be readable by anyone but root.
Generate the private key. -des3 means the key file is encrypted on disk with Triple DES (in CBC mode) under a passphrase; it says nothing about the key itself, which is RSA. 1024-bit RSA keys are deprecated and rejected by CAs and current browsers, so generate at least 2048 bits:
openssl genrsa -des3 -out server.key 2048
Enter the passphrase twice:
Generating RSA private key, 2048 bit long modulus
....++++++
.......................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
Create the certificate signing request server.csr:
openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:   # the passphrase chosen above
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Fill in the fields as follows:
Country Name (2 letter code) [XX]:CN   # two-letter country code
State or Province Name (full name) []:GuangDong   # province
Locality Name (eg, city) [Default City]:GuangZhou   # city
Organization Name (eg, company) [Default Company Ltd]:lw666.cn   # company name
Organizational Unit Name (eg, section) []:   # department, may be left blank
Common Name (eg, your name or your server's hostname) []:   # the server's host name exactly as users will type it (e.g. www.lw666.cn); do not leave this blank for a server certificate
Email Address []:[email protected]   # may be left blank
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   # legacy attribute, not a security control; leave blank
An optional company name []:   # leave blank
Note on the Common Name: current browsers (Chrome since version 58, and the others that followed) ignore the CN entirely and only accept a host name that appears in the subjectAltName extension. The interactive openssl req prompt above cannot add that extension, so a certificate made this way will still be rejected by the browser even after the trust warning is accepted. Supply the SAN with -addext "subjectAltName=DNS:www.lw666.cn" (OpenSSL 1.1.1 and later) or, on OpenSSL 1.0.2 as shipped with CentOS 7, with a -config file that has a req_extensions section containing subjectAltName.
Keep a backup of the encrypted key, then strip the passphrase so nginx can start without prompting for it:
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org:   # the passphrase chosen above
writing RSA key
The resulting server.key is unencrypted: anyone who can read it can impersonate the server. Restrict it with chmod 600 server.key, keep it owned by root, and never commit it to version control.
Self-sign the request to produce the certificate. -days sets the validity period; 9999 is about 27 years, not "permanent", and a long-lived self-signed certificate is a liability because it cannot be revoked, so keep the period short and rotate. This step only creates the server certificate; it does not enable client (mutual) authentication, which would need ssl_verify_client and a client CA in nginx.
openssl x509 -req -days 180 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=GuangDong/L=GuangZhou/O=lwops.cn/[email protected]
Getting Private key
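The key, CSR and self-signed certificate steps above, scripted as one function so they are repeatable, with a 2048-bit key and the subjectAltName that browsers require. This is an added example, not code from the original article; the host name www.example.test, the organisation name, the output directory and the 180-day validity are assumed values, and the req.cnf file is a constructed request config that works on OpenSSL 1.0.2 (CentOS 7) as well as 1.1.1 and 3.x. The helper functions at the end are the checks to run before pointing nginx at the files: key size, presence of the SAN, and that the certificate really was issued for this key (a mismatch is the usual cause of nginx refusing to start with "key values mismatch").

```shell
#!/bin/sh
# Added example, not part of the original article: generate a 2048-bit RSA key,
# a CSR carrying a Subject Alternative Name, and a self-signed certificate, then
# verify the result. Host name, directory and validity period are assumptions.
set -eu

# make_selfsigned_cert OUTDIR HOSTNAME DAYS
# Writes OUTDIR/server.key (unencrypted, mode 0600), server.csr and server.crt.
make_selfsigned_cert() {
  outdir=$1; host=$2; days=$3
  mkdir -p "$outdir"
  # Constructed request config: CN set to the host name plus a SAN, which
  # browsers require and the interactive "openssl req" prompt cannot add.
  cat > "$outdir/req.cnf" <<EOF
[req]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = v3_req
[dn]
C  = CN
ST = GuangDong
L  = GuangZhou
O  = Example Org
CN = $host
[v3_req]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  # The key is written unencrypted because nginx must read it unattended at
  # start-up; protect it with file permissions instead of a passphrase.
  openssl genrsa -out "$outdir/server.key" 2048 2>/dev/null
  chmod 600 "$outdir/server.key"
  openssl req -new -key "$outdir/server.key" -config "$outdir/req.cnf" \
    -out "$outdir/server.csr"
  # Self-sign. "openssl x509 -req" drops the CSR's extensions, so the SAN has
  # to be supplied again through -extfile/-extensions.
  openssl x509 -req -sha256 -days "$days" -in "$outdir/server.csr" \
    -signkey "$outdir/server.key" -extfile "$outdir/req.cnf" \
    -extensions v3_req -out "$outdir/server.crt" 2>/dev/null
}

# key_bits KEYFILE -> prints the RSA modulus size, e.g. 2048
key_bits() {
  openssl rsa -in "$1" -noout -text 2>/dev/null | head -n 1 |
    grep -o '[0-9][0-9]* bit' | cut -d ' ' -f 1
}

# cert_san CRTFILE -> prints the subjectAltName value, e.g. DNS:www.example.test
cert_san() {
  openssl x509 -in "$1" -noout -text |
    grep -A 1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# cert_key_match CRTFILE KEYFILE -> succeeds only when the certificate's public
# key has the same RSA modulus as the private key.
cert_key_match() {
  [ "$(openssl x509 -in "$1" -noout -modulus)" = \
    "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# Usage: sh make-cert.sh /usr/local/nginx/conf/ssl www.example.test 180
if [ $# -ge 2 ]; then
  make_selfsigned_cert "$1" "$2" "${3:-180}"
  cert_key_match "$1/server.crt" "$1/server.key" &&
    echo "OK: $(key_bits "$1/server.key")-bit key, SAN $(cert_san "$1/server.crt")"
fi
```

Run it once per host name and copy only server.crt and server.key into the nginx conf/ssl directory; the CSR and req.cnf are not needed by nginx. Because the key never has a passphrase, the cp/openssl rsa dance from the previous step is unnecessary, and the chmod 600 is what stands between the key and every other local user.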
Edit nginx.conf with vi. For a single server that should answer on HTTPS, take the commented-out HTTPS server template at the end of the file as a guide: in your server block replace listen 80 with listen 443 ssl and add the ssl directives from the template (certificate, key, protocols, ciphers). Then test the configuration with /usr/local/nginx/sbin/nginx -t and reload with nginx -s reload.
Official reference:
http://nginx.org/en/docs/http/configuring_https_servers.html#single_http_https_server
A single server block can listen on both 80 and 443, but requests on port 80 are still plain HTTP; if every visitor should end up on HTTPS, answer port 80 with a redirect instead of serving content there.
# HTTPS server
#
server {
    listen 443 ssl;
    server_name localhost;
    # ssl on;   # required before nginx 1.15.0; deprecated since then in favour of the ssl parameter on listen
    # certificate path and key path
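A complete version of the server block the article trails off in, as an added example rather than the article's own nginx.conf. The host name www.example.test, the conf/ssl path and the document root are assumptions; the first server block is the port-80 redirect mentioned above, so that plain HTTP never serves the site.

```nginx
# Added example, not from the original article. Paths and host name assumed.

# Port 80: redirect everything to HTTPS instead of serving content in the clear.
server {
    listen 80;
    server_name www.example.test;
    return 301 https://$host$request_uri;
}

# HTTPS server
server {
    listen 443 ssl;
    server_name www.example.test;

    # Files produced by the openssl steps above; the key must be mode 0600.
    ssl_certificate     /usr/local/nginx/conf/ssl/server.crt;
    ssl_certificate_key /usr/local/nginx/conf/ssl/server.key;

    # SSLv3, TLS 1.0 and TLS 1.1 are what the scanner will flag next.
    # TLSv1.3 only takes effect when nginx is linked against OpenSSL 1.1.1+;
    # with the 1.0.2k build shown in nginx -V, TLSv1.2 is what you get.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:!MD5;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    location / {
        root   html;
        index  index.html index.htm;
    }
}
```

After saving, run /usr/local/nginx/sbin/nginx -t; it reads the certificate and key and fails early on a bad path, a key that does not match the certificate, or a key nginx cannot read. Then confirm from another machine with openssl s_client -connect www.example.test:443 -servername www.example.test, which prints the certificate chain and the negotiated protocol.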
Source: http://www.bubuko.com/infodetail-3459464.html