Nginx does not serve HTTPS out of the box; by default it only serves plain HTTP on port 80.
To support HTTPS, nginx has to be compiled with the --with-http_ssl_module option, and the openssl and openssl-devel packages must be installed as dependencies for SSL/TLS.
HTTPS requires a certificate and a private key. There are two ways to obtain them: apply for a certificate and key through your domain registrar after filing the domain, or generate them yourself with openssl, which is what this chapter covers.
Hands-on: self-signed HTTPS certificate
1. Create a password-protected private key

mkdir /usr/local/nginx/ssl
cd /usr/local/nginx/ssl/
openssl genrsa -des3 -out server.key 4096 # 4096 is the key length in bits
Generating RSA private key, 4096 bit long modulus
........................................................................................................++
.................++
e is 65537 (0x10001)
Enter pass phrase for server.key: # enter a pass phrase of your choice
Verifying - Enter pass phrase for server.key: # re-enter it to confirm
2. Remove the password from the private key
A pass-phrase-protected private key cannot be loaded by nginx unattended for HTTPS, so the password has to be removed

cp -rf server.key server.key.org # keep a copy of the encrypted key
openssl rsa -in server.key.org -out server.key # write an unencrypted copy over the original key
Enter pass phrase for server.key.org: # enter the pass phrase chosen in step 1
writing RSA key
3. Create the certificate signing request (CSR)
Use the private key to create a certificate signing request

openssl req -new -key server.key -out server.csr
Country Name (2 letter code) [XX]:CN # two-letter country code
State or Province Name (full name) []:shanghai # state or province
Locality Name (eg, city) [Default City]:shanghai # city
Organization Name (eg, company) [Default Company Ltd]:kgc # organization name
Organizational Unit Name (eg, section) []:kgc # organizational unit
Common Name (eg, your name or your server's hostname) []:kgc # hostname the certificate is for
Email Address []: # leave the e-mail address blank

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: # leave the challenge password blank
An optional company name []: # leave the company name blank
4. Generate the certificate

openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt # 3650 is the validity period in days
Signature ok
subject=/C=CN/ST=shanghai/L=shanghai/O=k8sops/OU=k8sops/CN=k8sops
Getting Private key
5. The resulting files

server.crt # the self-signed certificate
server.csr # the certificate signing request from step 3
server.key # the private key (pass phrase removed)
server.key.org # the original, password-protected private key
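The same result as steps 1 to 4, produced non-interactively and followed by the checks worth running before pointing nginx at the files. This is an added example, not from the original post; it assumes OpenSSL 1.1.1 or newer (for the -addext and -ext options) and uses the subject values from step 3.

```shell
#!/bin/sh
# Added example, not from the original post: a non-interactive version of
# steps 1-4 above plus the checks worth running before pointing nginx at the
# files. Assumes OpenSSL 1.1.1 or newer (needed for -addext and -ext).
set -e

# Generate an unencrypted RSA key and a self-signed certificate in one step.
#   -nodes  skips the pass phrase, so steps 1 and 2 collapse into one
#   -subj   replaces the interactive prompts of step 3
#   -addext adds a subjectAltName; modern browsers ignore CN and require the SAN
make_selfsigned_cert() {
    dir=$1; host=$2; days=${3:-3650}; bits=${4:-4096}
    mkdir -p "$dir"
    openssl req -x509 -newkey "rsa:$bits" -nodes -days "$days" \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -subj "/C=CN/ST=shanghai/L=shanghai/O=kgc/OU=kgc/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
    chmod 600 "$dir/server.key"   # the private key must not be world-readable
}

# Succeeds only if server.key and server.crt belong together (same RSA
# modulus) and the certificate verifies against itself, i.e. it is a
# well-formed, unexpired self-signed certificate.
check_cert_pair() {
    dir=$1
    key_mod=$(openssl rsa -noout -modulus -in "$dir/server.key")
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/server.crt")
    [ "$key_mod" = "$crt_mod" ] || { echo "key/cert mismatch" >&2; return 1; }
    openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" >/dev/null
}

# Prints the SAN entry (e.g. DNS:kgc.com) so it can be compared with the
# server_name in the nginx config; a mismatch produces a browser warning.
cert_san() {
    openssl x509 -noout -ext subjectAltName -in "$1/server.crt" | tail -n 1 | tr -d ' '
}

# Usage: make_selfsigned_cert /usr/local/nginx/ssl kgc.com && check_cert_pair /usr/local/nginx/ssl
```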
Configuring HTTPS
server {
    listen 80;
    server_name kgc.com;
    return 301 https://$server_name$request_uri; # redirect plain HTTP to HTTPS
}
server {
    listen 443 ssl; # the ssl parameter is required here, otherwise the connection is not encrypted
    server_name kgc.com;
    ssl_certificate /usr/local/nginx/ssl/server.crt;
    ssl_certificate_key /usr/local/nginx/ssl/server.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    access_log /usr/local/nginx/logs/access.log main; # 'main' must be defined by a log_format directive in the http block
    location / {
        root html;
        index index.html;
    }
}
Testing access
Nginx self-signed HTTPS certificate configuration tutorial