1、生成证书
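# Requires openssl; confirm it is installed.
openssl version
# Keep the key material in a dedicated directory that only root can enter.
mkdir -p -m 700 /root/cert && cd /root/cert
# Generate a passphrase-protected RSA private key; openssl prompts for the
# server.key passphrase. 2048 bits is the usual minimum today; 1024-bit RSA
# is no longer considered adequate.
openssl genrsa -aes256 -out server.key 2048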
#这个需要填写东西,所以记录下过程
[root@localhost opt]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: //server.key 密码
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN //国家
State or Province Name (full name) []:henan //省份
Locality Name (eg, city) [Default City]:yanqi //市名
Organization Name (eg, company) [Default Company Ltd]:system //公司名称
Organizational Unit Name (eg, section) []:yanqi //部门吧
Common Name (eg, your name or your server's hostname) []:www.123.com //填写访问用的域名,需与 nginx 的 server_name 一致
Email Address []:5731437@qq.com //邮件地址,可以不填
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:qwe132qwe //设置密码,可以不填
An optional company name []:qwe123qwe //可选的公司名称(不是密码),可以不填
[root@localhost opt]#
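# Keep the passphrase-protected key as a backup copy.
cp server.key server.key.org
# Write a passphrase-free key so nginx can start unattended; openssl prompts
# for the server.key passphrase.
openssl rsa -in server.key.org -out server.key
# server.key is now unencrypted on disk, so restrict both copies to the owner.
chmod 600 server.key server.key.org
# Self-sign the request for 365 days, using an explicit SHA-256 signature digest.
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt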
2、把生成的文件拷贝到指定位置
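mkdir -p /etc/nginx/ssl
# The certificate is public. The private key is unencrypted, so install it
# readable by root only; nginx started as root can still load it.
install -m 644 server.crt /etc/nginx/ssl/server.crt
install -m 600 server.key /etc/nginx/ssl/server.key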
3、nginx配置
[root@localhost conf.d]# vim ssl.conf
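server {
    listen 443 ssl;
    server_name www.123.com;

    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # 5 MB shared session cache; 1 MB holds about 4000 sessions, so about 20000 here.
    ssl_session_cache shared:SSL:5m;
    # Cached sessions expire after 10 minutes.
    ssl_session_timeout 10m;

    ssl_ciphers HIGH:!aNULL:!MD5;
    # Set the protocol list explicitly instead of relying on the build default.
    # SSLv3, TLSv1 and TLSv1.1 are deprecated and must stay disabled; add
    # TLSv1.3 where the installed nginx and OpenSSL support it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}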
[root@localhost conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@nginx conf.d]# service nginx restart
Redirecting to /bin/systemctl restart nginx.service
[root@nginx conf.d]# netstat -luntp|grep 443
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4256/nginx: mas
4、访问80端口跳转443
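server {
    listen 80;
    # NOTE(review): the HTTPS server block in section 3 is named www.123.com;
    # confirm whether this name is meant to match it.
    server_name www.abc.com;

    # Redirect at server level so that every request goes to HTTPS.
    # With the redirect placed inside "location /", the regex location for
    # .html/.js/.css/.jpg took precedence and those files were still served
    # over plain HTTP from this server.
    return 301 https://www.123.com$request_uri;

    # The static-file cache headers are never reached on port 80 once everything
    # redirects; move them into the 443 server block if they are wanted:
    # location ~ \.(html|js|css|jpg)$ {
    #     expires 1000;
    #     add_header Cache-control no-store;
    # }
}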
